MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 499619c6bc43585013dd421ef88cf14830c85a28bc3ce3984bcf62a24f6d59fc. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

SnakeKeylogger

Vendor detections: 14

Intelligence 14 IOCs YARA File information Comments

SHA256 hash:	499619c6bc43585013dd421ef88cf14830c85a28bc3ce3984bcf62a24f6d59fc
SHA3-384 hash:	043f7c096165b298daed745f3d8c27d87d4dd93f4f3cd699c96d6e2575ab14c3435a4751d5a76a01a4750347071089a8
SHA1 hash:	ddc0497585e60aa3bb95453be1ac1e82425d9b38
MD5 hash:	ad76b9dfa5917952e3168986e670f683
humanhash:	winter-hotel-kilo-seventeen
File name:	New Order Inquiry No.96883,pdf.exe
Download:	download sample
Signature	SnakeKeylogger Create hunting rule
File size:	501'616 bytes
First seen:	2021-10-12 06:57:44 UTC
Last seen:	2021-10-12 13:19:17 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	b76363e9cb88bf9390860da8e50999d2 (464 x Formbook, 184 x AgentTesla, 122 x SnakeKeylogger)
ssdeep	6144:88LxBVFEg4x6f+WmGOYJ12CKRP+IWZRL0gZCPPnTr1TSvKsa5bcwJ:JFEg4xB+Id+/7LwnT7Xbc+
Threatray	1'349 similar samples on MalwareBazaar
TLSH	T1BEB4A003A82D88B2EF38A33E40154CD9A1F51D5C16D9B61A47B8BD3DD97C4225E1FE2E
File icon (PE):
dhash icon	68c6a6ce96a28acc (28 x AgentTesla, 5 x SnakeKeylogger, 1 x KeyBase)
Reporter	abuse_ch
Tags:	exe SnakeKeylogger

Intelligence

File Origin

# of uploads :

# of downloads :

148

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

New Order Inquiry No.96883,pdf.exe

Verdict:

Malicious activity

Analysis date:

2021-10-12 07:50:07 UTC

Tags:

evasion trojan snakekeylogger keylogger

Link:

https://app.any.run/tasks/fcb39f94-3cb1-4952-bcb1-faa3bf7e999a

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

Snake

Link:

https://www.capesandbox.com/analysis/196781/

Detection(s):

Win.Malware.Noon-9829285-0

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a file in the %temp% directory

Creating a file

Unauthorized injection to a recently created process

Launching a service

Creating a window

DNS request

Connection attempt

Sending an HTTP GET request

Sending a custom TCP request

Verdict:

Suspicious

Threat level:

5/10

Confidence:

75%

Tags:

overlay packed

Link:

https://www.filescan.io/uploads/61653203fd35fe780c3a02aa/reports/430d7eb2-1aeb-4410-a215-7b6b100cc411/overview

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Snake Keylogger

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/7053eef7-65a6-4133-8c7f-02524c7632ea

Result

Threat name:

Snake Keylogger

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/868342

Signature

.NET source code references suspicious native API functions

Detected unpacking (changes PE section rights)

Detected unpacking (creates a PE file in dynamic memory)

Detected unpacking (overwrites its own PE header)

Found malware configuration

Initial sample is a PE file and has a suspicious name

Injects a PE file into a foreign processes

Machine Learning detection for dropped file

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

May check the online IP address of the machine

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Sigma detected: Capture Wi-Fi password

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to harvest and steal WLAN passwords

Tries to steal Mail credentials (via file access)

Uses netsh to modify the Windows network and firewall settings

Yara detected Snake Keylogger

Yara detected Telegram RAT

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/499619c6bc43585013dd421ef88cf14830c85a28bc3ce3984bcf62a24f6d59fc/

Threat name:

Win32.Infostealer.Bulz

Status:

Malicious

First seen:

2021-10-12 01:43:22 UTC

AV detection:

12 of 45 (26.67%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=jglbtrv4inmfae65iipprdhrjaymqwrixq6ohgclz5rket3nlh6a._file

Verdict:

malicious

SnakeKeylogger

0bbc06390e3dfc9e44bda66fbc1e08ef13cf3d0b0b49ae4e72305a840a352511

SnakeKeylogger

0ff8a0051138905969d6c762ab6bfb707348312de90884d4647c4168a501edbc

SnakeKeylogger

2e826b4ff8b272db629c4983e9edd53656cc4a2e9d24178ebd2b6a8890d1e864

SnakeKeylogger

44b5209fadd63026c1f4c7f1d1a6b9f49aa76f8597579773a0bc0010bada5853

SnakeKeylogger

7010546f9366fc5ff5ec208985159b5aeddc897e3dd0f811a6835c5debd96d55

SnakeKeylogger

9f4b51cee424229e92578fad70eb45c09b6bd101f326d6e41852756e473f7747

SnakeKeylogger

e47294fb83f7abeec9f8e81cf403f70a35c3422252ea3e818066426fc75c5b6e

SnakeKeylogger

ec86c4d1a1d0390b9c161f21933953d99e1f03ea5722e1c4fa4c758c117b6bd1

SnakeKeylogger

+ 1'339 additional samples on MalwareBazaar

Result

Malware family:

snakekeylogger

Score:

10/10

Tags:

family:snakekeylogger collection keylogger spyware stealer

Link:

https://tria.ge/reports/211012-hrjt2sbfc4/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

outlook_office_path

outlook_win_path

Enumerates physical storage devices

Suspicious use of SetThreadContext

Accesses Microsoft Outlook profiles

Looks up external IP address via web service

Loads dropped DLL

Reads data files stored by FTP clients

Reads user/profile data of local email clients

Reads user/profile data of web browsers

Snake Keylogger

Unpacked files

SH256 hash:

499619c6bc43585013dd421ef88cf14830c85a28bc3ce3984bcf62a24f6d59fc

MD5 hash:

ad76b9dfa5917952e3168986e670f683

SHA1 hash:

ddc0497585e60aa3bb95453be1ac1e82425d9b38

Link:

https://www.unpac.me/results/c9252853-e0ab-43d9-a579-6759608a3094/

Malware family:

Phoenix

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/499619c6bc43/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/499619c6bc43585013dd421ef88cf14830c85a28bc3ce3984bcf62a24f6d59fc

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/196781/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample