MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 53186731a63a71683ff6672b8fad44b2d8df96dd8c11b9817eb2a37422d65860. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

SnakeKeylogger

Vendor detections: 16

Intelligence 16 IOCs YARA 12 File information Comments

SHA256 hash:	53186731a63a71683ff6672b8fad44b2d8df96dd8c11b9817eb2a37422d65860
SHA3-384 hash:	d283f0e8d9fc977855edb93a65f8d3a859c377449b457e4d3b717b6deb22a51381ce5be4487c3d4891ca33c56a0969d2
SHA1 hash:	5f808069589336be86d65ddd34d0301af0331e8b
MD5 hash:	97dda9477c75520715b9f892bb9dbcda
humanhash:	neptune-fruit-utah-sweet
File name:	Swift Copy.exe
Download:	download sample
Signature	SnakeKeylogger Create hunting rule
File size:	776'704 bytes
First seen:	2023-03-27 19:41:57 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'663 x AgentTesla, 19'478 x Formbook, 12'208 x SnakeKeylogger)
ssdeep	12288:td7w9YO/R3rM52Wi/ODakc2MJR2Mh/SGLuYj26wH6Mulz4fr5TtiGELCAEgiV5xg:Dw9YOqg/ODFYR5tLDj261Mulqr5Tw3Vg
Threatray	140 similar samples on MalwareBazaar
TLSH	T177F41229B79AED02C6BC6A79C7D7012403B569875233C74B3FD9228625067F66C09BCF
TrID	67.7% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13) 9.7% (.EXE) Win64 Executable (generic) (10523/12/4) 6.0% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 4.6% (.EXE) Win16 NE executable (generic) (5038/12/1) 4.1% (.EXE) Win32 Executable (generic) (4505/5/1)
Reporter	James_inthe_box
Tags:	exe SnakeKeylogger

Intelligence

File Origin

# of uploads :

# of downloads :

238

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

Swift Copy.exe

Verdict:

Malicious activity

Analysis date:

2023-03-27 19:43:30 UTC

Tags:

snake keylogger trojan evasion

Link:

https://app.any.run/tasks/a25d948f-7561-44ab-beed-81c876744678

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

Snake

Link:

https://www.capesandbox.com/analysis/377957/

Detection(s):

Sanesecurity.Malware.28872.BadIN4.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

Сreating synchronization primitives

Creating a file in the %AppData% directory

Enabling the 'hidden' option for recently created files

Adding an access-denied ACE

Creating a process from a recently created file

Creating a process with a hidden window

Creating a file in the %temp% directory

Launching a process

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

barys comodo lokibot packed

Link:

https://www.filescan.io/uploads/6421f18a8f3f4544f6cc5b1c/reports/3d2350d4-9dda-44f5-b749-fd9a57c137bc/overview

Verdict:

Malicious

Labled as:

Win/malicious_confidence_100%

Link:

https://www.hybrid-analysis.com/sample/53186731a63a71683ff6672b8fad44b2d8df96dd8c11b9817eb2a37422d65860

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Snake Keylogger

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/dadb55bb-13a0-4c37-aa80-6c76d4facebe

Result

Threat name:

Snake Keylogger

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1202935

Signature

.NET source code contains method to dynamically call methods (often used by packers)

.NET source code contains potential unpacker

Adds a directory exclusion to Windows Defender

Injects a PE file into a foreign processes

Machine Learning detection for dropped file

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

May check the online IP address of the machine

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Sigma detected: Scheduled temp file as task from temp location

Snort IDS alert for network traffic

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to steal Mail credentials (via file / registry access)

Uses schtasks.exe or at.exe to add and modify task schedules

Yara detected Generic Downloader

Yara detected Snake Keylogger

Yara detected Telegram RAT

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/53186731a63a71683ff6672b8fad44b2d8df96dd8c11b9817eb2a37422d65860/

Threat name:

Win32.Trojan.Leonem

Status:

Malicious

First seen:

2023-03-27 14:48:18 UTC

File Type:

PE (.Net Exe)

Extracted files:

AV detection:

20 of 24 (83.33%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=kmmgomnghjywqp7wm4vy7lkewlmn7fw5rqi3tal6wkrxiiwwlbqa._file

Verdict:

malicious

SnakeKeylogger

1c97bae25b133e2b28133eb17889f3f2f063faf1003f9d575d67d16414e9a6e9

SnakeKeylogger

285442f66366aab5b789ec12e4e484b345f4c3a5e3357841507ccb0d0049ac0e

SnakeKeylogger

385b0dc759da9aa986880e3652447db19686c359b11b27efac77200c2e48544f

SnakeKeylogger

777e815415d8a5c55a3ddf78e28d4a50a5517f3938219c197c6e7c60a2f256a1

SnakeKeylogger

7ce06c4227d8b111e23ea4af903379bef4211205ff6a6a582aa7c74149ec8b47

SnakeKeylogger

c4ac65ea4af1e9c789530885c0d2bb838b218553a1fb6e2a6c3a40258f3aafb0

SnakeKeylogger

fbca5195cab9ea8df36b6123fd0e23f2e1ca97cd0b61d6d40ecee6611f31c8ff

SnakeKeylogger

+ 130 additional samples on MalwareBazaar

Result

Malware family:

snakekeylogger

Score:

10/10

Tags:

family:snakekeylogger collection keylogger spyware stealer

Link:

https://tria.ge/reports/230327-yemyyafa27/

Behaviour

Creates scheduled task(s)

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

outlook_office_path

outlook_win_path

Enumerates physical storage devices

Program crash

Suspicious use of SetThreadContext

Accesses Microsoft Outlook profiles

Looks up external IP address via web service

Checks computer location settings

Reads data files stored by FTP clients

Reads user/profile data of local email clients

Reads user/profile data of web browsers

Snake Keylogger

Snake Keylogger payload

Malware Config

C2 Extraction:

https://api.telegram.org/bot6284958682:AAFqhG3qHKFjAq48ezySmL8vRDzlw2Jx9s8/sendMessage?chat_id=5636036075

Unpacked files

SH256 hash:

b896f958822ea1866c4faefe4d227d4dd77db74e3fd25a8b60f963b9b428c1ce

MD5 hash:

44d03b8ad8d71542249ca5eb393a13d5

SHA1 hash:

f21e9e8558e0835bae7c9708690bd4545cd2fd07

Detections:

snake_keylogger

Link:

https://www.unpac.me/results/72d7b02a-7136-4138-82cc-a9ab3196d9e3/

Parent samples :

61ece69c7d3abf50d508d618a236e3a864f784967362c61c074d5eb4b857cbfd
2dba0b58d60c5d50cfbfcae89e54cacf5e9d9f5d7a2cf654ca1e24f7544dbb47
ac6d957336c039f000748fa1491549e9416005c224eea1cf089aab0d91b10844
53186731a63a71683ff6672b8fad44b2d8df96dd8c11b9817eb2a37422d65860
d2a9785bb59a18b2615a8bc600698418ffec3af79192b74cf2f0c1dd9efcadb6

SH256 hash:

fca417273fcd8554789415e2219fee88b223f2354d51c9c4f36ca6643fd8af8c

MD5 hash:

d2922c1ac5751c61ace0431989e2f6a5

SHA1 hash:

a5573b99f457d2de51acdd9744d235442f13d454

Link:

https://www.unpac.me/results/72d7b02a-7136-4138-82cc-a9ab3196d9e3/

SH256 hash:

d06df7395d561e198f9b7c5481567116ff2e4c2e84437c018d2a2c8ea6c4ca37

MD5 hash:

0fb6061f7d37424fb9e6d0e76b019c19

SHA1 hash:

98a64bf7b459f032d6ec5793003bf61b5ae1dd74

Link:

https://www.unpac.me/results/72d7b02a-7136-4138-82cc-a9ab3196d9e3/

Parent samples :

495607b1aef01bf7dfb64b5cb16a8fc0f161c2923627d71c69de97328f8eca3f
2434aa78b46a3afc98fa6e888c3eb56278ba52b0ff800e7e875af9c2e7f9011a

SH256 hash:

44a8c60b1704831c86b0954e316281bd893e87f7ba8bf800f803a64d7e4a35e5

MD5 hash:

fafe84ca57be873a39978ce78ab8fc0e

SHA1 hash:

8a68a63a53f56d23f4425619f8908bdb37c99bac

Link:

https://www.unpac.me/results/72d7b02a-7136-4138-82cc-a9ab3196d9e3/

SH256 hash:

0f6a544c4eafd554ef49f10c3a74d0b83dfb79fb7c22aa7ad046d2448972f58f

MD5 hash:

b9935f9935da130459ea7e8483dfe5c9

SHA1 hash:

6fa4ba688f42844be4de5966be02f92e384f7fd7

Link:

https://www.unpac.me/results/72d7b02a-7136-4138-82cc-a9ab3196d9e3/

SH256 hash:

6bf9d07d639521837124af321555cbcdc5997fead136195aed97e2744e4120b6

MD5 hash:

acfbc6c59006cabeaa982c5cf3b2975c

SHA1 hash:

03ef87ee97fb810723f8cf284c09755c08822eb0

Link:

https://www.unpac.me/results/72d7b02a-7136-4138-82cc-a9ab3196d9e3/

SH256 hash:

53186731a63a71683ff6672b8fad44b2d8df96dd8c11b9817eb2a37422d65860

MD5 hash:

97dda9477c75520715b9f892bb9dbcda

SHA1 hash:

5f808069589336be86d65ddd34d0301af0331e8b

Link:

https://www.unpac.me/results/72d7b02a-7136-4138-82cc-a9ab3196d9e3/

Malware family:

SnakeKeylogger

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/53186731a63a/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

0.90

Link:

https://yomi.yoroi.company/submissions/53186731a63a71683ff6672b8fad44b2d8df96dd8c11b9817eb2a37422d65860

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	INDICATOR_SUSPICIOUS_Binary_References_Browsers Create hunting rule
Author:	ditekSHen
Description:	Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers.

Rule name:	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook Create hunting rule
Author:	ditekSHen
Description:	Detects executables with potential process hoocking

Rule name:	INDICATOR_SUSPICIOUS_EXE_References_Messaging_Clients Create hunting rule
Author:	ditekSHen
Description:	Detects executables referencing many email and collaboration clients. Observed in information stealers

Rule name:	INDICATOR_SUSPICIOUS_EXE_TelegramChatBot Create hunting rule
Author:	ditekSHen
Description:	Detects executables using Telegram Chat Bot

Rule name:	MALWARE_Win_SnakeKeylogger Create hunting rule
Author:	ditekSHen
Description:	Detects Snake Keylogger

Rule name:	MAL_Envrial_Jan18_1 Create hunting rule
Author:	Florian Roth (Nextron Systems)
Description:	Detects Encrial credential stealer malware
Reference:	https://twitter.com/malwrhunterteam/status/953313514629853184

Rule name:	MAL_Envrial_Jan18_1_RID2D8C Create hunting rule
Author:	Florian Roth
Description:	Detects Encrial credential stealer malware
Reference:	https://twitter.com/malwrhunterteam/status/953313514629853184

Rule name:	pe_imphash Create hunting rule

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

Rule name:	Windows_Trojan_SnakeKeylogger_af3faa65 Create hunting rule
Author:	Elastic Security

Rule name:	XWorm_Hunter Create hunting rule
Author:	Potato

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method

Other

Cape

https://www.capesandbox.com/analysis/377957/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample