MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 4fdbb565cacf8d38c63c42c2afeaaf59e6b5bf226709cde754219c96fee3aff9. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


SnakeKeylogger


Vendor detections: 10


Intelligence 10 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 4fdbb565cacf8d38c63c42c2afeaaf59e6b5bf226709cde754219c96fee3aff9
SHA3-384 hash: 7cf44d0f18e88db00be9446d638d44e0d643ef47ca4f84085d3b4d39dde11737ae215de1654e1a8bcc2a3313745244a5
SHA1 hash: 6ba3166231d864a67ec024e2734658aa832bb6e9
MD5 hash: deeb0687eff91c877f15af6fe87b52f9
humanhash: white-sixteen-mike-don
File name:m9RGZGWavSniRdK.exe
Download: download sample
Signature SnakeKeylogger
Create hunting rule
File size:807'424 bytes
First seen:2022-09-14 17:51:14 UTC
Last seen:2022-10-02 12:16:55 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'747 x AgentTesla, 19'638 x Formbook, 12'244 x SnakeKeylogger)
ssdeep 12288:NhlylSx18ydmmzV3MT6bL+EiNxsRSYHEQADqjJ5nyhZHlc/ZP26eixPPNaJVRbLi:78AmmSTIdiHsRTjryY
Threatray 79 similar samples on MalwareBazaar
TLSH T186053AAC359432FEC827D576DAA81CA8EA923477871F420B945711BCCE8D987EF141B3
TrID 72.5% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.4% (.EXE) Win64 Executable (generic) (10523/12/4)
6.5% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.4% (.EXE) Win32 Executable (generic) (4505/5/1)
2.0% (.EXE) OS/2 Executable (generic) (2029/13)
File icon (PE):PE icon
dhash icon 082018f272721820 (3 x SnakeKeylogger, 2 x AgentTesla, 2 x Formbook)
Reporter James_inthe_box
Tags:exe SnakeKeylogger

Intelligence

File Origin
# of uploads :
6
# of downloads :
375
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/310077/
Detection(s):
SecuriteInfo.com.Trojan.Inject4.42183.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Creating a window
Using the Windows Management Instrumentation requests
Launching a process
Creating a file
Сreating synchronization primitives
DNS request
Sending an HTTP GET request
Reading critical registry keys
Unauthorized injection to a system process
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
packed
Link:
https://www.filescan.io/uploads/632214ca1594be804f86bfbb/reports/0d38e4d2-da32-4f86-9a0d-ae758ed92970/overview
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/93a0096a-d8b9-4b78-8b08-fca854a08881
Result
Threat name:
Snake Keylogger
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1070447
Signature
.NET source code references suspicious native API functions
Injects a PE file into a foreign processes
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
May check the online IP address of the machine
Multi AV Scanner detection for submitted file
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Snort IDS alert for network traffic
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Mail credentials (via file / registry access)
Writes to foreign memory regions
Yara detected Generic Downloader
Yara detected Snake Keylogger
Yara detected Telegram RAT
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/4fdbb565cacf8d38c63c42c2afeaaf59e6b5bf226709cde754219c96fee3aff9/
Threat name:
ByteCode-MSIL.Spyware.Noon
Create hunting rule
Status:
Malicious
First seen:
2022-09-14 10:45:10 UTC
File Type:
PE (.Net Exe)
Extracted files:
17
AV detection:
23 of 38 (60.53%)
Threat level:
  2/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=j7n3kzokz6gtrrr4ilbk72vplhtllpzcm4e43z2uegojn7xdv74q._file
Verdict:
malicious
Similar samples:
087637191c81af5aa71843de168971c8cd48ba5f300b824cf4b9e39249f4bba5
SnakeKeylogger
1d54c7f11bb2f8ac095bf334f0d8025ae7b8299c483c62ad9604f22b92204814
SnakeKeylogger
300a0cb2e2f8cd20477c8e0699198f3bca2859e8e6a335c8f4874c83fd627b9f
SnakeKeylogger
34ff7d92c1c335d251ad12780ccc8fb3a10430fc20cfbb0ff55c40128ffe9a81
SnakeKeylogger
3cc658a1c719c4eec257c26a575c2942ef747f9ea9804e1d86c1076d364a4617
SnakeKeylogger
47d3beec8dd10da7bf293d1f1300c992e105d41bcfb317bbb318252759c2b020
SnakeKeylogger
8277159c5821b9c8c699fba65eb77532da18b0de22d6052d0fdc3377f9732fe4
SnakeKeylogger
bed584b2fd812270f30bffea36dec6db7a464f353f06bbf06252300e51ac4f76
SnakeKeylogger
+ 69 additional samples on MalwareBazaar
Result
Malware family:
snakekeylogger
Create hunting rule
Score:
  10/10
Tags:
family:snakekeylogger collection evasion keylogger stealer
Link:
https://tria.ge/reports/220914-wfp4ksefgn/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Looks up external IP address via web service
Maps connected drives based on registry
Checks BIOS information in registry
Looks for VMWare Tools registry key
Looks for VirtualBox Guest Additions in registry
Snake Keylogger
Snake Keylogger payload
Verdict:
Suspicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/e4137f09-6d91-4525-827a-d71975cf60cb
Unpacked files
SH256 hash:
e85906c1484648b1ce5448c65f7b3abecf28847b7dc8e8741eb4fae52fb5a82a
MD5 hash:
3d1c9c81f775ad3779cebe8a880e5c1c
SHA1 hash:
d2c2b76fc22812b3de233b947c982242559b12de
Link:
https://www.unpac.me/results/c0ae7bf4-96c0-445b-abf7-1a3f6335c6c0/
SH256 hash:
67cdea20481dce5b5d810245d11e41d726b078a100997af40768aa66cfa56226
MD5 hash:
36b1c4435df8a7e24ed2f7867a16d5df
SHA1 hash:
b2ead7b5eed2ce00258c7611fe9ee1c0445a34e2
Link:
https://www.unpac.me/results/c0ae7bf4-96c0-445b-abf7-1a3f6335c6c0/
SH256 hash:
4f80ddfe49b270f801ab44aa899153bbe2a0fb93abed0f9fc992f74ff6ab4fde
MD5 hash:
f4ba8570299eabf8fe2d02cc1dc0606a
SHA1 hash:
5d7add32313074f5a1e9b4ab379298dee8b6217e
Link:
https://www.unpac.me/results/c0ae7bf4-96c0-445b-abf7-1a3f6335c6c0/
SH256 hash:
4fdbb565cacf8d38c63c42c2afeaaf59e6b5bf226709cde754219c96fee3aff9
MD5 hash:
deeb0687eff91c877f15af6fe87b52f9
SHA1 hash:
6ba3166231d864a67ec024e2734658aa832bb6e9
Link:
https://www.unpac.me/results/c0ae7bf4-96c0-445b-abf7-1a3f6335c6c0/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Password Stealer
Score:
0.90
Link:
https://yomi.yoroi.company/submissions/4fdbb565cacf8d38c63c42c2afeaaf59e6b5bf226709cde754219c96fee3aff9

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

SnakeKeylogger

zip 694b2f1136b4a54dd52356de3d60437a9aaa9a6b4a6605fe021f023415d3a092

SnakeKeylogger

Executable exe 4fdbb565cacf8d38c63c42c2afeaaf59e6b5bf226709cde754219c96fee3aff9

(this sample)

  
Delivery method
Other
Cape
Cape
https://www.capesandbox.com/analysis/310077/
  
Dropped by
SHA256 694b2f1136b4a54dd52356de3d60437a9aaa9a6b4a6605fe021f023415d3a092
  
Dropped by
MD5 91b06ddb0164a59347de9c6cb402cc80

Comments