MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 4578c32120731e26e084a3cfd4c2e1819e41de86e1b13cbb417cb70c3dbf6932. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


SnakeKeylogger


Vendor detections: 10


Intelligence 10 IOCs YARA 8 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 4578c32120731e26e084a3cfd4c2e1819e41de86e1b13cbb417cb70c3dbf6932
SHA3-384 hash: 80116b2ba6e00b602cc1225efe86ef942ae34b60a7330b77e0d219464af33962cd60e8bcbdc870df42136d70fbdad7d4
SHA1 hash: 0323e5b82ac54e64e8a94bb8de4d7180af0012c2
MD5 hash: b0cde20fb8c42f6667da6b80156c6daa
humanhash: purple-low-friend-hotel
File name:b0cde20fb8c42f6667da6b80156c6daa.exe
Download: download sample
Signature SnakeKeylogger
Create hunting rule
File size:1'049'088 bytes
First seen:2021-07-29 08:40:08 UTC
Last seen:2021-07-29 10:11:10 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 12288:+3fzR31Hrx7dXhRAf5/dyoRoDoyoNow5L9AYXJL/bjH0B9CavIBQ+4:uxxRa5/dy64Ja3aYXpDjH0B9bB+4
Threatray 842 similar samples on MalwareBazaar
TLSH T119259D25B6C4DA1AE11E93368EDF50204BFCF9113572B7686EF123F94524FA1D8702EA
Reporter abuse_ch
Tags:exe SnakeKeylogger

Intelligence

File Origin
# of uploads :
2
# of downloads :
120
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
b0cde20fb8c42f6667da6b80156c6daa.exe
Verdict:
Malicious activity
Analysis date:
2021-07-29 10:14:38 UTC
Tags:
evasion trojan
Link:
https://app.any.run/tasks/53021c97-df00-4dcd-abdb-7901ba24d5ed

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Snake
Create hunting rule
Link:
https://www.capesandbox.com/analysis/174934/
Detection(s):
SecuriteInfo.com.ArtemisB0CDE20FB8C4.9824.6529.UNOFFICIAL
Create hunting rule

Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Snake Keylogger
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/9774716f-10d4-4bc8-9a5d-1fad0ac20d64
Result
Threat name:
Snake Keylogger
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/823665
Signature
.NET source code contains very large strings
.NET source code references suspicious native API functions
Found malware configuration
Injects a PE file into a foreign processes
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
May check the online IP address of the machine
Multi AV Scanner detection for submitted file
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Mail credentials (via file access)
Yara detected Snake Keylogger
Behaviour
Behavior Graph:
Download SVG
Gathering data
Threat name:
Win32.Trojan.Pwsx
Create hunting rule
Status:
Malicious
First seen:
2021-07-29 03:35:18 UTC
AV detection:
11 of 46 (23.91%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=iv4mgijaompcnyeeuph5jqxbqgpedxug4gytzo2bps3qypn7neza._file
Verdict:
malicious
Similar samples:
3a33001ae12c200a137fde861b00f08e3afb05ec56ea4331c3ae1606e31f4c79
SnakeKeylogger
70d86fc8d1247dcd26ed0927411614973d45216d676978f768e14cb16d362536
SnakeKeylogger
72b38e37d119820ef038c7051360d5c7e1e1507bb98a7be19eea089379d0d793
SnakeKeylogger
748f35be261019103aae31d43b1fa88fda9cbc99043122e76b5c0a0d94cb808f
SnakeKeylogger
7f3e97e42369a76be6688dc29fe71b83b0754acc7df08a6253460e23da7d1ce7
SnakeKeylogger
9fbdcf044aba61ae6c0678b5f83fc4bd8b589ba3a4fd12a5bef53e2ead494eed
SnakeKeylogger
a50383b6ad4661cdf8d6b2acdba251a846999e4533761488fcf9e8e5abc8a11f
SnakeKeylogger
a8f581b584bdf1bc08a22728c89aab6a460419115166aea4154f5de4e685a1e2
SnakeKeylogger
b234fd2b368732a6c68a39b2d0c4386764e089a3f0bd74e595c73b40bc0c1c7d
SnakeKeylogger
e18238936a0fd8123a5e4f3ac03e9f31e314e7620bbda7b65540da64668bcf20
SnakeKeylogger
+ 832 additional samples on MalwareBazaar
Result
Malware family:
snakekeylogger
Create hunting rule
Score:
  10/10
Tags:
family:snakekeylogger keylogger spyware stealer
Link:
https://tria.ge/reports/210729-qyn3fkb4t6/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Program crash
Suspicious use of SetThreadContext
Looks up external IP address via web service
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
CustAttr .NET packer
Snake Keylogger
Unpacked files
SH256 hash:
4d6059bed77ebadb70092bd7a51de904ebb17ac822e22a08ee4c09352ae1e1c2
MD5 hash:
b0e4b1137e65d45c44f2a11575569aec
SHA1 hash:
d15be341c460239832bfae095e37850bd97015ce
Link:
https://www.unpac.me/results/cad5ef23-c2d7-4ef3-90ba-f35985fb6d60/
SH256 hash:
4217ced27aba3313562023a2e9537e07a50528475ed50e4982f3476fd6bd3d30
MD5 hash:
a6ec7a56b45dbbf87baf6c7327358f14
SHA1 hash:
96ad632a49b3513ca702beb9ddd8b19e0348eb81
Link:
https://www.unpac.me/results/cad5ef23-c2d7-4ef3-90ba-f35985fb6d60/
SH256 hash:
19141fb119378ce5537061929837657c9b2dd359df228eb6f47c99a2fb7222d0
MD5 hash:
d5905448d2ced788e9b4e36e1fcea1c1
SHA1 hash:
5611e48de0d3012428207e7230f49f570ff673b8
Link:
https://www.unpac.me/results/cad5ef23-c2d7-4ef3-90ba-f35985fb6d60/
SH256 hash:
97d2fa1d01b2f9a2199896e05e0cf60c14a9f41ef2d72e15fbb862b7afa08438
MD5 hash:
68463851c0e6fe7a254c99fae763d454
SHA1 hash:
4587a5371d88c296a0184fe47ee0c5245b187127
Link:
https://www.unpac.me/results/cad5ef23-c2d7-4ef3-90ba-f35985fb6d60/
SH256 hash:
4578c32120731e26e084a3cfd4c2e1819e41de86e1b13cbb417cb70c3dbf6932
MD5 hash:
b0cde20fb8c42f6667da6b80156c6daa
SHA1 hash:
0323e5b82ac54e64e8a94bb8de4d7180af0012c2
Link:
https://www.unpac.me/results/cad5ef23-c2d7-4ef3-90ba-f35985fb6d60/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.51
Link:
https://yomi.yoroi.company/submissions/4578c32120731e26e084a3cfd4c2e1819e41de86e1b13cbb417cb70c3dbf6932

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_SUSPICIOUS_Binary_References_Browsers
Create hunting rule
Author:ditekSHen
Description:Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers.
Rule name:INDICATOR_SUSPICIOUS_EXE_Referenfces_Messaging_Clients
Create hunting rule
Author:ditekSHen
Description:Detects executables referencing many email and collaboration clients. Observed in information stealers
Rule name:INDICATOR_SUSPICOIUS_EXE_DotNetProcHook
Create hunting rule
Author:ditekSHen
Description:Detects executables with potential process hoocking
Rule name:MALWARE_Win_SnakeKeylogger
Create hunting rule
Author:ditekSHen
Description:Detects Snake Keylogger
Rule name:MAL_Envrial_Jan18_1
Create hunting rule
Author:Florian Roth
Description:Detects Encrial credential stealer malware
Reference:https://twitter.com/malwrhunterteam/status/953313514629853184
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash
Rule name:Telegram_Exfiltration_Via_Api
Create hunting rule
Author:lsepaolo

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

SnakeKeylogger

Executable exe 4578c32120731e26e084a3cfd4c2e1819e41de86e1b13cbb417cb70c3dbf6932

(this sample)

Cape
Cape
https://www.capesandbox.com/analysis/174934/
  
URLhaus
https://urlhaus.abuse.ch/url/1484210/
  
Delivery method
Distributed via web download

Comments