MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 4cb618534fc8ab2da4a319613792a5cb456d937e6030a3647fef7666aedaefb6. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


SnakeKeylogger


Vendor detections: 8


Intelligence 8 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 4cb618534fc8ab2da4a319613792a5cb456d937e6030a3647fef7666aedaefb6
SHA3-384 hash: dbc339deca4f53e056090dffafb9d3318bcff8a09ccb24b0a6f95802fed535c2eda96201263c01f1518a93c86f1ccc0d
SHA1 hash: a7ed0dcf25f7da103f484840bece749b22d1e1d7
MD5 hash: f9ed1a27fe500e855fb838425b5f70ac
humanhash: pizza-purple-gee-pasta
File name:CHIKWA (2).exe
Download: download sample
Signature SnakeKeylogger
Create hunting rule
File size:104'448 bytes
First seen:2021-02-01 07:44:22 UTC
Last seen:2021-02-01 09:45:02 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'740 x AgentTesla, 19'602 x Formbook, 12'241 x SnakeKeylogger)
ssdeep 1536:ZgimfHrxC9a8WWl+CRppyh5okUaYc1V+h70Dz353Yh+xmccb3UKBl:ZgLr5vWA6pimczX53fmcQ7r
Threatray 90 similar samples on MalwareBazaar
TLSH 2AA31B4063E84A2AF4FB6F3E397369C11B36BA5235B6CA5C6554029F0852FD58E33B43
Reporter abuse_ch
Tags:exe SnakeKeylogger

Intelligence

File Origin
# of uploads :
2
# of downloads :
106
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
CHIKWA (2).exe
Verdict:
Malicious activity
Analysis date:
2021-02-01 07:49:35 UTC
Tags:
trojan evasion
Link:
https://app.any.run/tasks/b0ef8cd9-d183-4ccb-857b-6736120390e1

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/114409/
Result
Verdict:
Malware
Maliciousness:

Behaviour
Sending a UDP request
Unauthorized injection to a recently created process
DNS request
Sending an HTTP GET request
Creating a file
Sending a custom TCP request
Reading critical registry keys
Creating a window
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Sending an HTTP GET request to an infection source
Enabling autorun by creating a file
Enabling autorun
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
Snake Keylogger
Create hunting rule
Detection:
malicious
Classification:
troj.adwa.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/595014
Signature
Creates an undocumented autostart registry key
Creates autostart registry keys with suspicious names
Creates multiple autostart registry keys
Drops PE files to the startup folder
Injects a PE file into a foreign processes
May check the online IP address of the machine
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file access)
Yara detected MultiObfuscated
Yara detected Snake Keylogger
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 346540 Sample: CHIKWA (2).exe Startdate: 01/02/2021 Architecture: WINDOWS Score: 100 55 Multi AV Scanner detection for dropped file 2->55 57 Multi AV Scanner detection for submitted file 2->57 59 Yara detected Snake Keylogger 2->59 61 4 other signatures 2->61 6 CHIKWA (2).exe 18 5 2->6         started        11 CHIKWA (2).exe 2->11         started        13 CHIKWA (2).exe 2 2->13         started        15 3 other processes 2->15 process3 dnsIp4 53 193.239.147.103, 49732, 49743, 49747 DEDIPATH-LLCUS Brunei Darussalam 6->53 33 C:\Users\user\AppData\...\CHIKWA (2).exe, PE32 6->33 dropped 35 C:\Users\...\CHIKWA (2).exe:Zone.Identifier, ASCII 6->35 dropped 37 C:\Users\user\AppData\...\CHIKWA (2).exe.log, ASCII 6->37 dropped 67 Creates an undocumented autostart registry key 6->67 69 Injects a PE file into a foreign processes 6->69 17 CHIKWA (2).exe 2 6->17         started        71 Creates autostart registry keys with suspicious names 11->71 73 Creates multiple autostart registry keys 11->73 21 CHIKWA (2).exe 11->21         started        23 CHIKWA (2).exe 13->23         started        25 CHIKWA (2).exe 2 15->25         started        27 CHIKWA (2).exe 15->27         started        29 CHIKWA (2).exe 15->29         started        31 CHIKWA (2).exe 15->31         started        file5 signatures6 process7 dnsIp8 39 checkip.dyndns.org 17->39 47 2 other IPs or domains 17->47 63 Tries to steal Mail credentials (via file access) 17->63 65 Tries to harvest and steal browser information (history, passwords, etc) 17->65 49 2 other IPs or domains 21->49 41 checkip.dyndns.org 23->41 51 2 other IPs or domains 25->51 43 checkip.dyndns.org 27->43 45 checkip.dyndns.org 29->45 signatures9
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/4cb618534fc8ab2da4a319613792a5cb456d937e6030a3647fef7666aedaefb6/
Threat name:
ByteCode-MSIL.Trojan.Generic
Create hunting rule
Status:
Suspicious
First seen:
2021-01-31 23:00:50 UTC
AV detection:
5 of 46 (10.87%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=js3bqu2pzcvs3jfddfqtpevfzncw3e36maykgzd7553gnlw2563a._file
Verdict:
unknown
Similar samples:
0e264fd6c9f8b8d5f5765b8cb5e86eb2801a26d3891093954695c688c987b143
SnakeKeylogger
17aa5a0cb0427737ec1174e0b41084f4f14d605b693dba01b7d20306dffbbf64
SnakeKeylogger
69dcf72c5f8c1751c5b144899cd43d26c7a639748d4b9a6de53bd4e3a492da3b
SnakeKeylogger
6fcb3920982436b7b88307eef586e6a0bd01ba8014b0f216affea7d4b5e3a31c
SnakeKeylogger
c39bdd8f7c69c3140ef920e2b1d5965310058c5fa425b871f4d7751d8291d55e
SnakeKeylogger
cfa46220d1b96e515eedbb82a0285229467f377ede30f732f7f6c48caba3ae1e
SnakeKeylogger
eba0abe9461df84c76949df2d559f66b0379cbdbd430f8db884c55d0aa469980
SnakeKeylogger
f64dfe37f4518739d7d31f0a81cc8a126d6766ca16039b3f80a50495efd6d765
SnakeKeylogger
fa7b9f85c252084827387001e3e113db0800169afc79e4f3305e0a1d3574bccd
SnakeKeylogger
facf1bd37fa739f82bc10a7a6e7436b4871af89e3c8389270673e2dbb76200e4
SnakeKeylogger
+ 80 additional samples on MalwareBazaar
Result
Malware family:
snakekeylogger
Create hunting rule
Score:
  10/10
Tags:
family:snakekeylogger keylogger persistence spyware stealer
Link:
https://tria.ge/reports/210201-n7vth7tsda/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Adds Run key to start application
Looks up external IP address via web service
Drops startup file
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Modifies WinLogon for persistence
Snake Keylogger
Snake Keylogger Payload
Unpacked files
SH256 hash:
4cb618534fc8ab2da4a319613792a5cb456d937e6030a3647fef7666aedaefb6
MD5 hash:
f9ed1a27fe500e855fb838425b5f70ac
SHA1 hash:
a7ed0dcf25f7da103f484840bece749b22d1e1d7
Link:
https://www.unpac.me/results/b5afa6ec-af39-4e7d-a1a7-f07da7de787d/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.35
Link:
https://yomi.yoroi.company/submissions/4cb618534fc8ab2da4a319613792a5cb456d937e6030a3647fef7666aedaefb6

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Ping_Del_method_bin_mem
Create hunting rule
Author:James_inthe_box
Description:cmd ping IP nul del

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/114409/

Comments