MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 4be0303c5df5d86338efc4ccaed9ee98db9183c14db6a65a44b5f0ac7a1c240e. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


SnakeKeylogger


Vendor detections: 9


Intelligence 9 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 4be0303c5df5d86338efc4ccaed9ee98db9183c14db6a65a44b5f0ac7a1c240e
SHA3-384 hash: 2c0cb9a2b9cbf47265d9d4034429b7d1ab0dc1689a190d60594c9d28a8f20e9f3d893f9e7aa784b6bdf91929864b4f57
SHA1 hash: 04de68500613f4aee9bfc182b40aedad99012ce1
MD5 hash: abeb1486befa841dcb4c02181bcb13b8
humanhash: purple-thirteen-avocado-triple
File name:SecuriteInfo.com.Win64.CrypterX-gen.381.20116
Download: download sample
Signature SnakeKeylogger
Create hunting rule
File size:1'674'752 bytes
First seen:2023-01-19 07:33:20 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
ssdeep 24576:Yg2nkeyV4oWtOsl+7Fbsn9rqgs7d+YTNgh0Y0G4ENTW:mkJWcp700k0eNi
Threatray 970 similar samples on MalwareBazaar
TLSH T1567538243DFB5019B173FEA69FD8B8AADA6FB733370764591061038A0713981DE9193E
TrID 44.4% (.EXE) Win64 Executable (generic) (10523/12/4)
21.3% (.EXE) Win16 NE executable (generic) (5038/12/1)
8.7% (.ICL) Windows Icons Library (generic) (2059/9)
8.5% (.EXE) OS/2 Executable (generic) (2029/13)
8.4% (.EXE) Generic Win/DOS Executable (2002/3)
Reporter SecuriteInfoCom
Tags:exe SnakeKeylogger

Intelligence

File Origin
# of uploads :
1
# of downloads :
204
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
343644.eml
Verdict:
No threats detected
Analysis date:
2023-01-19 06:04:06 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/3d46b557-2e11-41f3-9828-485c57de9ad7

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/354371/
Detection(s):
SecuriteInfo.com.Win64.CrypterX-gen.381.20116.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a service
Loading a system driver
Launching a process
Creating a file
Сreating synchronization primitives
DNS request
Sending an HTTP GET request
Reading critical registry keys
Creating a window
Creating a file in the %temp% directory
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Enabling autorun for a service
Forced shutdown of a system process
Unauthorized injection to a system process
Forced shutdown of a browser
Verdict:
No Threat
Threat level:
  2/10
Confidence:
100%
Link:
https://www.filescan.io/uploads/63c8f26ce4e81283f94e7593/reports/10cf6628-fe40-4dd8-aaea-380f2d07198c/overview
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Suspicious
Link:
https://analyze.intezer.com/analyses/e30b6a3d-d479-43e9-8f65-89e0695f15f0
Result
Threat name:
Snake Keylogger
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.expl.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1154428
Signature
.NET source code contains very large strings
.NET source code references suspicious native API functions
Changes security center settings (notifications, updates, antivirus, firewall)
Creates autostart registry keys with suspicious names
Injects a PE file into a foreign processes
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
May check the online IP address of the machine
Multi AV Scanner detection for submitted file
Sample is not signed and drops a device driver
Snort IDS alert for network traffic
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Mail credentials (via file / registry access)
Uses cmd line tools excessively to alter registry or file data
Writes to foreign memory regions
Yara detected AntiVM3
Yara detected Generic Downloader
Yara detected Snake Keylogger
Yara detected Telegram RAT
Yara detected UAC Bypass using CMSTP
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 787160 Sample: SecuriteInfo.com.Win64.Cryp... Startdate: 19/01/2023 Architecture: WINDOWS Score: 100 37 checkip.dyndns.org 2->37 39 checkip.dyndns.com 2->39 55 Snort IDS alert for network traffic 2->55 57 Malicious sample detected (through community Yara rule) 2->57 59 Multi AV Scanner detection for submitted file 2->59 61 10 other signatures 2->61 7 SecuriteInfo.com.Win64.CrypterX-gen.381.20116.exe 5 4 2->7         started        11 SecuriteInfo.com.Win64.CrypterX-gen.381.20116.exe 3 2->11         started        13 SecuriteInfo.com.Win64.CrypterX-gen.381.20116.exe 3 2->13         started        signatures3 process4 file5 29 C:\Users\user\AppData\Local\Temp\?????.sys, PE32+ 7->29 dropped 31 SecuriteInfo.com.W...n.381.20116.exe.log, CSV 7->31 dropped 63 Uses cmd line tools excessively to alter registry or file data 7->63 65 Creates autostart registry keys with suspicious names 7->65 67 Writes to foreign memory regions 7->67 69 Sample is not signed and drops a device driver 7->69 15 jsc.exe 15 2 7->15         started        19 svchost.exe 7->19         started        21 CasPol.exe 7->21         started        27 23 other processes 7->27 33 C:\Windows\Temp\nsowsm4d.inf, Windows 11->33 dropped 71 Injects a PE file into a foreign processes 11->71 23 cmstp.exe 8 7 11->23         started        25 ServiceModelReg.exe 11->25         started        35 C:\Windows\Temp\lvj42mhv.inf, Windows 13->35 dropped signatures6 process7 dnsIp8 41 checkip.dyndns.com 158.101.44.242, 49714, 80 ORACLE-BMC-31898US United States 15->41 43 checkip.dyndns.org 15->43 45 May check the online IP address of the machine 15->45 47 Tries to steal Mail credentials (via file / registry access) 15->47 49 Tries to harvest and steal ftp login credentials 15->49 51 Tries to harvest and steal browser information (history, passwords, etc) 15->51 53 Changes security center settings (notifications, updates, antivirus, firewall) 19->53 signatures9
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/4be0303c5df5d86338efc4ccaed9ee98db9183c14db6a65a44b5f0ac7a1c240e/
Threat name:
ByteCode-MSIL.Trojan.Injuke
Create hunting rule
Status:
Malicious
First seen:
2023-01-19 05:38:19 UTC
File Type:
PE+ (.Net Exe)
Extracted files:
2
AV detection:
9 of 26 (34.62%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=jpqdapc56xmggohpytgk5wpotdnzda6bjw3kmwsewxyky6q4eqha._file
Verdict:
malicious
Similar samples:
446abdfdd249bca6964b7dc14013be5d833360b0eba026a6303c3132fc797bc0
SnakeKeylogger
67388fca813133367167001c4114d6cd97b4bed24d0acdfda8b5784723a698ea
SnakeKeylogger
7bf2c0637653a1da45dc1c1277e1cc8573b6060688e071be9b347480e858a5c6
SnakeKeylogger
7ce366cf2cc3e1787d552e5603568e1ce96496aacef73df9676b9a3fafe660db
SnakeKeylogger
b0500e38803ac3ca6b3fde965b1c03bfcae5cbe3a4a01a199d161e1371ced34d
SnakeKeylogger
bcba671f1e3e1f7ab80f59d5c1cb280bfec3ca519b37820af0bb720fb5d7a8b9
SnakeKeylogger
de232478760fe7e38a80ac8b6fd94b66d3d8983c88e922272f88fd0ceb5669fd
SnakeKeylogger
e29dd9daaec793a33b208c9fad88f9bd4c2f2629e088ee21d28204001b86f67d
SnakeKeylogger
eb5ec9cf758bd526db090f9290d323201911b4181c3bfeb3ebd1f1af8be19285
SnakeKeylogger
+ 960 additional samples on MalwareBazaar
Result
Malware family:
snakekeylogger
Create hunting rule
Score:
  10/10
Tags:
family:snakekeylogger collection keylogger persistence stealer
Link:
https://tria.ge/reports/230119-jd44hacd3y/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: LoadsDriver
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Program crash
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Adds Run key to start application
Looks up external IP address via web service
Uses the VBS compiler for execution
Sets service image path in registry
Snake Keylogger
Snake Keylogger payload
Malware Config
C2 Extraction:
https://api.telegram.org/bot5486243913:AAG6Jm7sGsjD2aGDej_Ex1CsQwqX0Sb4YT0/sendMessage?chat_id=1760125104
Verdict:
Suspicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/7f0dcb45-0d52-48e3-8f86-2e25bac71ecb
Unpacked files
SH256 hash:
4be0303c5df5d86338efc4ccaed9ee98db9183c14db6a65a44b5f0ac7a1c240e
MD5 hash:
abeb1486befa841dcb4c02181bcb13b8
SHA1 hash:
04de68500613f4aee9bfc182b40aedad99012ce1
Link:
https://www.unpac.me/results/c6ba8c5b-cb2a-41d5-a2bf-070688c9f25b/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.35
Link:
https://yomi.yoroi.company/submissions/4be0303c5df5d86338efc4ccaed9ee98db9183c14db6a65a44b5f0ac7a1c240e

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pdb_YARAify
Create hunting rule
Author:@wowabiy314
Description:PDB

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/354371/

Comments