MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 4c840cf8b8e6ffbd8fd1140e323f898e220a405714353834ce98a1070cbe4a4c. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

SnakeKeylogger

Vendor detections: 11

SHA256 hash: 4c840cf8b8e6ffbd8fd1140e323f898e220a405714353834ce98a1070cbe4a4c
SHA3-384 hash: a27fccfdb391594e30608c7d4eba9928a7fec1f1e419b27fa98f63fda47c464d06bf6aaf4747322f198e102dfaf7dd16
SHA1 hash: 1c55d367223d7bdd9fb3cd45d2ce6411ddd97c78
MD5 hash: f096b9024bfafa8e3403a13125c0a6a5
humanhash: cardinal-foxtrot-batman-fillet
File name: f096b9024bfafa8e3403a13125c0a6a5
Signature: SnakeKeylogger
File size: 283'648 bytes
First seen: 2021-07-07 18:45:06 UTC
Last seen: 2021-07-07 19:44:38 UTC
File type: Executable exe
MIME type: application/x-dosexec
imphash: f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep: 6144:WpBRbrWvs2eMBvPdCSHFXGBKqBcRjdPaAW0K0m9S:jRdPdCmFXGBDBOYlEm9
Threatray: 126 similar samples on MalwareBazaar
TLSH: T1A354125276AF8A71D056B1B5CCD397041931AF42AADED38F25483FEF7472B0A081A63D
Reporter: zbetcheckin
Tags: 32 exe SnakeKeylogger

Intelligence


File Origin
# of uploads: 2
# of downloads: 122
Origin country: n/a

Vendor Threat Intelligence
Malware family: n/a
ID: 1
File name: 01130100370.xlsx
Verdict: Malicious activity
Analysis date: 2021-07-07 12:47:07 UTC
Tags: trojan exploit CVE-2017-11882 loader

Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Result
Verdict: MALICIOUS
Details: Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family: Snake Keylogger
Verdict: Malicious

Result
Threat name: Snake Keylogger
Detection: malicious
Classification: troj.spyw.evad
Score: 100 / 100
Signature
Found malware configuration
Injects a PE file into a foreign process
May check the online IP address of the machine
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Performs DNS queries to domains with low reputation
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc.)
Tries to harvest and steal FTP login credentials
Tries to steal mail credentials (via file access)
Writes to foreign memory regions
Yara detected Snake Keylogger
Behaviour
Behavior Graph (ID 445510, sample dXbE7245xj, start date 07/07/2021, architecture WINDOWS, score 100; graph image not reproduced here). Recoverable content of the graph:
Processes: dXbE7245xj.exe (started), which starts a second dXbE7245xj.exe instance and office.exe; office.exe starts further office.exe instances.
Dropped files: C:\Users\user\AppData\Roaming\...\office.exe (PE32), C:\Users\user\AppData\...\dXbE7245xj.exe (PE32), C:\Users\user\...\office.exe:Zone.Identifier (ASCII), C:\Users\user\AppData\Local\Temp\office.exe (PE32), plus 2 other malicious files.
Network: netjul.xyz (104.219.248.46, ports 49748, 49749, 49750; NAMECHEAP-NET, United States), freegeoip.app, checkip.dyndns.org, and 3 other IPs or domains.
Signatures on the graph: Found malware configuration; Multi AV Scanner detection for dropped and submitted file; Writes to foreign memory regions; Injects a PE file into a foreign process; May check the online IP address of the machine; Tries to steal mail credentials (via file access); and further signatures listed above.
Threat name: ByteCode-MSIL.Trojan.Seraph
Status: Malicious
First seen: 2021-07-07 05:34:58 UTC
AV detection: 22 of 29 (75.86%)
Threat level: 5/5

Result
Malware family: snakekeylogger
Score: 10/10
Tags: family:snakekeylogger keylogger persistence spyware stealer
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Adds Run key to start application
Looks up external IP address via web service
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Snake Keylogger
Unpacked files
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: pe_imphash
Rule name: Skystars_Malware_Imphash
Author: Skystars LightDefender
Description: imphash

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Web download
SnakeKeylogger
Executable exe 4c840cf8b8e6ffbd8fd1140e323f898e220a405714353834ce98a1070cbe4a4c (this sample)
Delivery method: Distributed via web download

Comments



zbet commented on 2021-07-07 18:45:06 UTC

url : hxxp://lifestyledrinks.hu/wp-includes/cs2/01130100370.exe