MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 4abdf6f6ab56cd4035b7773b21618076bac8e095a2358c8d7efd5a5acf7806cf. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

SnakeKeylogger

Vendor detections: 13

Intelligence 13 IOCs YARA File information Comments

SHA256 hash:	4abdf6f6ab56cd4035b7773b21618076bac8e095a2358c8d7efd5a5acf7806cf
SHA3-384 hash:	ed9a952d6186e8206c0777d9e815d4a644256aa4911dd0448fb94a84b6abb01d3a3037c95995c9ac2f1dfc8d6a311326
SHA1 hash:	f358798928e1311d990692d137e07dbc33861552
MD5 hash:	69461cb3771e891e029bea2e9aa39cfb
humanhash:	may-leopard-monkey-yellow
File name:	YPJ-76577.exe
Download:	download sample
Signature	SnakeKeylogger Create hunting rule
File size:	448'079 bytes
First seen:	2021-11-23 08:25:25 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	7fa974366048f9c551ef45714595665e (946 x Formbook, 398 x Loki, 261 x AgentTesla)
ssdeep	12288:S84Tcckw5DlBHaxelwGYTXcqkCq14bv2Hy:S84Tcckw5fzlJkB
Threatray	1'989 similar samples on MalwareBazaar
TLSH	T1FE94893961E3E713E891393F0A69A56DB5E86D40AF170FD2E2905E5B27203F243C7396
File icon (PE):
dhash icon	d0d4f8e8c8d4ce2e (3 x SnakeKeylogger, 1 x RemcosRAT)
Reporter	abuse_ch
Tags:	exe SnakeKeylogger

Intelligence

File Origin

# of uploads :

# of downloads :

150

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

YPJ-76577.exe

Verdict:

Malicious activity

Analysis date:

2021-11-23 11:27:54 UTC

Tags:

installer evasion trojan snakekeylogger keylogger

Link:

https://app.any.run/tasks/57ff8ce7-6aef-419b-b2fe-6870beb7483c

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Gathering data

Result

Verdict:

Malware

Maliciousness:

Behaviour

Searching for the window

Creating a window

Creating a file in the %temp% directory

Creating a file

Unauthorized injection to a recently created process

Сreating synchronization primitives

DNS request

Sending an HTTP GET request

Sending a custom TCP request

Reading critical registry keys

Blocking the Windows Defender launch

Forced shutdown of a browser

Verdict:

Suspicious

Threat level:

5/10

Confidence:

100%

Tags:

overlay packed

Link:

https://www.filescan.io/uploads/619ca5a502c80febc2a6e525/reports/7226e450-d1f6-406a-b20a-6d96c9fe37eb/overview

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Verdict:

Suspicious

Link:

https://analyze.intezer.com/analyses/9f96bf88-5c74-4f46-a7a5-6b526abc23d3

Result

Threat name:

Snake Keylogger

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/894491

Signature

.NET source code references suspicious native API functions

Detected unpacking (creates a PE file in dynamic memory)

Found malware configuration

Injects a PE file into a foreign processes

Machine Learning detection for dropped file

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

May check the online IP address of the machine

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to steal Mail credentials (via file / registry access)

Yara detected Snake Keylogger

Yara detected Telegram RAT

Behaviour

Behavior Graph:

Download SVG

Detection:

snakekeylogger

Link:

https://mwdb.cert.pl/sample/4abdf6f6ab56cd4035b7773b21618076bac8e095a2358c8d7efd5a5acf7806cf/

Threat name:

Win32.Trojan.NSISInject

Status:

Malicious

First seen:

2021-11-23 08:26:16 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

21 of 44 (47.73%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=jk67n5vlk3guannxo45scymao25mryevui2yzdl67vnfvt3ya3hq._file

Verdict:

malicious

SnakeKeylogger

332eb007a5e9b3e603bcd8546505d6df1b480ab032f772f5a24730c4cc6edfc5

SnakeKeylogger

442c75d295ffbe050d255d30ffdf429ffcbfb1e4a1eac63b4e1e0f9570e29b2e

SnakeKeylogger

58437cda785ef34cb516d8377e55dffd6b623b0fdde44c8abda2eaff114bd391

SnakeKeylogger

765fa2e7b82c623817ae60faa7c21ff5cd5b06d242b2195a6644f73d4fab482f

SnakeKeylogger

7e64709cb86a58132d712f270d5672cd189bac61209b5ea91bda06ef57b27f38

SnakeKeylogger

b589f04785fac0dfce5097c419fb21254218106795bd3076d86d62edf792b996

SnakeKeylogger

df623c9ac537de8028b61717582bf71ee72949fc825da23c1167889454980f4b

SnakeKeylogger

f134314069aaa01fc01863ec536c8d47176522b1edd35b971a0d0ed4b3623b3b

SnakeKeylogger

fbaf75b59e30584c535cc0ad3464d8dd0f07b56fd94995d3c71b4adfee27e96c

SnakeKeylogger

+ 1'979 additional samples on MalwareBazaar

Result

Malware family:

snakekeylogger

Score:

10/10

Tags:

family:snakekeylogger collection keylogger spyware stealer

Link:

https://tria.ge/reports/211123-kbvygscff2/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

outlook_office_path

outlook_win_path

Enumerates physical storage devices

Suspicious use of SetThreadContext

Accesses Microsoft Outlook profiles

Looks up external IP address via web service

Loads dropped DLL

Reads data files stored by FTP clients

Reads user/profile data of local email clients

Reads user/profile data of web browsers

Snake Keylogger

Unpacked files

SH256 hash:

4abdf6f6ab56cd4035b7773b21618076bac8e095a2358c8d7efd5a5acf7806cf

MD5 hash:

69461cb3771e891e029bea2e9aa39cfb

SHA1 hash:

f358798928e1311d990692d137e07dbc33861552

Link:

https://www.unpac.me/results/de5e5c42-9819-4250-b1a0-42ee72cbbbd2/

Malware family:

Phoenix

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/4abdf6f6ab56/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

0.77

Link:

https://yomi.yoroi.company/submissions/4abdf6f6ab56cd4035b7773b21618076bac8e095a2358c8d7efd5a5acf7806cf

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/208549/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample