MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 4c7059dcdffb85c6a3cad9b231e71307befedaf71c007e708d17d2190114d23a. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

SnakeKeylogger

Vendor detections: 13

Intelligence 13 IOCs YARA 13 File information Comments 1

SHA256 hash:	4c7059dcdffb85c6a3cad9b231e71307befedaf71c007e708d17d2190114d23a
SHA3-384 hash:	5e1fa2ebb396566123cbb6820ab6c2cc18ce087d1d17e95160bb53a4ce33319cbd835049fc3f9921460c5a7a3ca4da11
SHA1 hash:	34eb58e97090994204024ead2c9f40d4bb7241a4
MD5 hash:	ce112e3ef15aacdb9e3cfa111a8ff801
humanhash:	thirteen-saturn-magazine-paris
File name:	ce112e3ef15aacdb9e3cfa111a8ff801
Download:	download sample
Signature	SnakeKeylogger Create hunting rule
File size:	825'856 bytes
First seen:	2022-12-23 05:39:15 UTC
Last seen:	2022-12-23 07:28:45 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'740 x AgentTesla, 19'597 x Formbook, 12'241 x SnakeKeylogger)
ssdeep	12288:qgf+mDXttarruVBDUJvnVhHNUGKXppw3LQDMW/d+t8u4QQIqApkrD9+psMLtLH80:eUpwbAMWAJpyD9gLH80
TLSH	T17005DF1713882960F5B3153E569B3FC98470EA4F69A6EFAC0523EC37F4E12965DC4E0A
TrID	60.4% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13) 10.8% (.SCR) Windows screen saver (13097/50/3) 8.7% (.EXE) Win64 Executable (generic) (10523/12/4) 5.4% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 4.1% (.EXE) Win16 NE executable (generic) (5038/12/1)
Reporter	zbetcheckin
Tags:	32 exe SnakeKeylogger

Intelligence

File Origin

# of uploads :

# of downloads :

171

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

http://208.67.105.179/mrjohnzx.exe

Verdict:

Malicious activity

Analysis date:

2022-12-23 03:16:25 UTC

Tags:

loader evasion trojan

Link:

https://app.any.run/tasks/9bc022c5-9f24-46f0-9ff6-6c58be90bb15

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection(s):

SecuriteInfo.com.Trojan.GenericKD.64452002.28432.60.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

Sending a custom TCP request

Unauthorized injection to a recently created process

Creating a file

Verdict:

No Threat

Threat level:

2/10

Confidence:

100%

Tags:

packed

Link:

https://www.filescan.io/uploads/63a53f35779e491a53b2f104/reports/97150069-7ab5-4cea-a142-3aae4caad0fc/overview

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Snake Keylogger

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/8a130ab5-dca4-4fe7-8c47-1fb32988a6ef

Result

Threat name:

Snake Keylogger

Detection:

malicious

Classification:

troj.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1139857

Signature

.NET source code contains potential unpacker

.NET source code references suspicious native API functions

Injects a PE file into a foreign processes

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

May check the online IP address of the machine

Multi AV Scanner detection for submitted file

Snort IDS alert for network traffic

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Yara detected AntiVM3

Yara detected Generic Downloader

Yara detected Snake Keylogger

Yara detected Telegram RAT

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/4c7059dcdffb85c6a3cad9b231e71307befedaf71c007e708d17d2190114d23a/

Threat name:

ByteCode-MSIL.Trojan.NanoBot

Status:

Malicious

First seen:

2022-12-22 17:34:51 UTC

File Type:

PE (.Net Exe)

Extracted files:

AV detection:

20 of 26 (76.92%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=jryftxg77oc4ni6k3gzddzyta67p5wxxdqah44enc7jbsaiu2i5a._file

Verdict:

malicious

Result

Malware family:

snakekeylogger

Score:

10/10

Tags:

family:snakekeylogger collection keylogger spyware stealer

Link:

https://tria.ge/reports/221223-gcwpmafh97/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

outlook_office_path

outlook_win_path

Suspicious use of SetThreadContext

Accesses Microsoft Outlook profiles

Looks up external IP address via web service

Reads data files stored by FTP clients

Reads user/profile data of local email clients

Reads user/profile data of web browsers

Snake Keylogger

Snake Keylogger payload

Unpacked files

SH256 hash:

fc6485350cf55dc14ecbfd9b91b7a9979f61023b4104101e9f351caa6c73abaa

MD5 hash:

6c3fdb2b5d93cf814ea1b6ca05a0efcf

SHA1 hash:

f8ae5f9fa1c9b6b0e47b2f0873d2ee3373e0ebf5

Link:

https://www.unpac.me/results/d6dc355a-a9fc-4c4a-a660-777ef79d7898/

SH256 hash:

f74d675d58b54dea4c5e3232001632e06c3e330307f9ca949dab311916f69527

MD5 hash:

5514f7b95d1542e70709f8ece620d0ea

SHA1 hash:

96e9219ecba17167a2b02039eb9db39d84d5fdaa

Link:

https://www.unpac.me/results/d6dc355a-a9fc-4c4a-a660-777ef79d7898/

SH256 hash:

f209cb24829023928971ee4d76800b16e97d971d1ba16791bc02f6946979624a

MD5 hash:

a48c94361fbe22bdeaae55da63e2b1cf

SHA1 hash:

574d1d17d55ec4eb0d5c452ceb747991d4eef0f6

Link:

https://www.unpac.me/results/d6dc355a-a9fc-4c4a-a660-777ef79d7898/

SH256 hash:

ab2f8dbc2b147528cecac6ea1a8886951c424be0b2026743b39d97f0cbabb04c

MD5 hash:

77ab42f4bbbf4565846eb8953192d71f

SHA1 hash:

3c662c756cc31867c0473716a74e777a65ced550

Link:

https://www.unpac.me/results/d6dc355a-a9fc-4c4a-a660-777ef79d7898/

SH256 hash:

fd0eb9d6c810a95a60884e73cfe73d758649394dfbae4b8cc5739f942d47bdcc

MD5 hash:

a758f4b623ffce5221cd823e80fb2e9f

SHA1 hash:

1ecf53302a84cef68272b8841a2e02da510c6330

Detections:

snake_keylogger

Link:

https://www.unpac.me/results/d6dc355a-a9fc-4c4a-a660-777ef79d7898/

Parent samples :

4c7059dcdffb85c6a3cad9b231e71307befedaf71c007e708d17d2190114d23a
622cc8e52c54af2da4ff1c114f71c6949b3d0f900c83931a9141bc7f91937166
c311d7bb48a8076e141608660d414516d535948c93ff903969208adc8bd09c4b
2ee3a3b3bb2755d3dbd5a438bd7bd731201a16996a8aa249d50675e13a96131d
dab37a069356983008d299beaf6dd2dd5d8eae3f71c92410de37e64014942b7c
dd39b4b8ed5092bfd590f6a175d78a59ffebbafeee05b47d909b9321ac336d46
77a8dd63bb9b99da6daa8291b894e4a1dc05d8476abd943d728798760fb1422b
fd0eb9d6c810a95a60884e73cfe73d758649394dfbae4b8cc5739f942d47bdcc

SH256 hash:

4c7059dcdffb85c6a3cad9b231e71307befedaf71c007e708d17d2190114d23a

MD5 hash:

ce112e3ef15aacdb9e3cfa111a8ff801

SHA1 hash:

34eb58e97090994204024ead2c9f40d4bb7241a4

Link:

https://www.unpac.me/results/d6dc355a-a9fc-4c4a-a660-777ef79d7898/

Malware family:

SnakeKeylogger

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/4c7059dcdffb/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Suspicious File

Score:

0.45

Link:

https://yomi.yoroi.company/submissions/4c7059dcdffb85c6a3cad9b231e71307befedaf71c007e708d17d2190114d23a

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	AsyncRat_Detection_Dec_2022 Create hunting rule
Author:	Potatech
Description:	AsyncRat

Rule name:	INDICATOR_SUSPICIOUS_Binary_References_Browsers Create hunting rule
Author:	ditekSHen
Description:	Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers.

Rule name:	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook Create hunting rule
Author:	ditekSHen
Description:	Detects executables with potential process hoocking

Rule name:	INDICATOR_SUSPICIOUS_EXE_References_Messaging_Clients Create hunting rule
Author:	ditekSHen
Description:	Detects executables referencing many email and collaboration clients. Observed in information stealers

Rule name:	INDICATOR_SUSPICIOUS_EXE_TelegramChatBot Create hunting rule
Author:	ditekSHen
Description:	Detects executables using Telegram Chat Bot

Rule name:	MALWARE_Win_SnakeKeylogger Create hunting rule
Author:	ditekSHen
Description:	Detects Snake Keylogger

Rule name:	MAL_Envrial_Jan18_1 Create hunting rule
Author:	Florian Roth
Description:	Detects Encrial credential stealer malware
Reference:	https://twitter.com/malwrhunterteam/status/953313514629853184

Rule name:	MAL_Envrial_Jan18_1_RID2D8C Create hunting rule
Author:	Florian Roth
Description:	Detects Encrial credential stealer malware
Reference:	https://twitter.com/malwrhunterteam/status/953313514629853184

Rule name:	pe_imphash Create hunting rule

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

Rule name:	Telegram_APIs Create hunting rule

Rule name:	Windows_Trojan_SnakeKeylogger_af3faa65 Create hunting rule
Author:	Elastic Security

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

SnakeKeylogger

exe 4c7059dcdffb85c6a3cad9b231e71307befedaf71c007e708d17d2190114d23a

(this sample)

Delivery method

Distributed via web download

URLhaus

https://urlhaus.abuse.ch/url/2482441/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

zbet commented on 2022-12-23 05:39:18 UTC

url : hxxp://208.67.105.179/mrjohnzx.exe