MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 549b1c385da022b7a956a88993359279d053227adf005eacc80e92d340921958. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


SnakeKeylogger


Vendor detections: 10


Intelligence 10 IOCs YARA 14 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 549b1c385da022b7a956a88993359279d053227adf005eacc80e92d340921958
SHA3-384 hash: db1f6da772e4ba953390c4562a0bbae7664bc445a91c96dfdfa8200b55d6dfd8bca1bd250c6c0a9c0e20d9eafe642d19
SHA1 hash: c5bc31a85d93e3c15cae8e8bfdaf7293410d0508
MD5 hash: fc937a374db430c2158f214e09f7d2af
humanhash: march-moon-winner-berlin
File name:Doc-67789845678765670987654.exe
Download: download sample
Signature SnakeKeylogger
Create hunting rule
File size:302'733 bytes
First seen:2021-07-09 14:17:21 UTC
Last seen:2021-07-09 14:35:16 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 6e7f9a29f2c85394521a08b9f31f6275 (278 x GuLoader, 44 x RemcosRAT, 40 x VIPKeylogger)
ssdeep 6144:nMm4CCgXrLpe49bVecweXw5wXf5BQ1TnxfMTWvyACmntuixCwoQdW:nMwPrLpeWVe+dXf2TxfXZsIW
Threatray 188 similar samples on MalwareBazaar
TLSH T1265412E03739CABBED2359B24EB7A1BB6F6DD4263160C95B3311BB5E3417582601E350
Reporter lowmal3
Tags:exe SnakeKeylogger

Intelligence

File Origin
# of uploads :
2
# of downloads :
180
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
Virus heuristic.heuragen.1141442 RE PROOF OF PAYMENT.msg
Verdict:
Malicious activity
Analysis date:
2021-07-09 14:06:46 UTC
Tags:
trojan formbook stealer evasion
Link:
https://app.any.run/tasks/104f6dda-b958-484b-ac63-2bef1f372f34

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Snake
Create hunting rule
Link:
https://www.capesandbox.com/analysis/170684/
Detection(s):
SecuriteInfo.com.Trojan.Nsis.Spy.Gen.1.223.16513.UNOFFICIAL
Create hunting rule

Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Snake Keylogger
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/b869c2a5-1fc2-4f33-bd34-0f655f1a5725
Result
Threat name:
Snake Keylogger
Create hunting rule
Detection:
malicious
Classification:
spre.troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/814036
Signature
.NET source code references suspicious native API functions
Antivirus detection for dropped file
Found malware configuration
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
May check the online IP address of the machine
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Capture Wi-Fi password
Sigma detected: MSBuild connects to smtp port
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal WLAN passwords
Tries to steal Mail credentials (via file access)
Uses netsh to modify the Windows network and firewall settings
Writes to foreign memory regions
Yara detected Snake Keylogger
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 446447 Sample: Doc-67789845678765670987654.exe Startdate: 09/07/2021 Architecture: WINDOWS Score: 100 66 Found malware configuration 2->66 68 Malicious sample detected (through community Yara rule) 2->68 70 Antivirus detection for dropped file 2->70 72 7 other signatures 2->72 8 Doc-67789845678765670987654.exe 1 19 2->8         started        12 gosnksr.exe 15 2->12         started        14 gosnksr.exe 15 2->14         started        process3 file4 36 C:\Users\user\AppData\Roaming\...\gosnksr.exe, PE32 8->36 dropped 74 Writes to foreign memory regions 8->74 76 Maps a DLL or memory area into another process 8->76 16 MSBuild.exe 15 6 8->16         started        38 C:\Users\user\AppData\Local\...\qvpgvnyl.dll, PE32 12->38 dropped 20 MSBuild.exe 4 12->20         started        78 Multi AV Scanner detection for dropped file 14->78 80 Machine Learning detection for dropped file 14->80 22 MSBuild.exe 4 14->22         started        signatures5 process6 dnsIp7 40 smtp.azebal.com 16->40 42 checkip.dyndns.org 16->42 50 4 other IPs or domains 16->50 54 May check the online IP address of the machine 16->54 56 Tries to steal Mail credentials (via file access) 16->56 58 Uses netsh to modify the Windows network and firewall settings 16->58 24 netsh.exe 3 16->24         started        44 smtp.azebal.com 20->44 46 checkip.dyndns.org 20->46 60 Tries to harvest and steal ftp login credentials 20->60 62 Tries to harvest and steal browser information (history, passwords, etc) 20->62 64 Tries to harvest and steal WLAN passwords 20->64 26 netsh.exe 20->26         started        48 smtp.azebal.com 22->48 52 2 other IPs or domains 22->52 28 netsh.exe 3 22->28         started        signatures8 process9 process10 30 conhost.exe 24->30         started        32 conhost.exe 26->32         started        34 conhost.exe 28->34         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/549b1c385da022b7a956a88993359279d053227adf005eacc80e92d340921958/
Threat name:
Win32.Trojan.Generic
Create hunting rule
Status:
Suspicious
First seen:
2021-07-09 12:25:07 UTC
AV detection:
16 of 46 (34.78%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=ksnryoc5uarlpkkwvcezgnmsphifgit234af5lgib2jngqesdfma._file
Verdict:
malicious
Similar samples:
022e918d8b07b6bda3fc703e212db5d145fa5814f33ea2fa8a350e2be405a348
SnakeKeylogger
0a37b966b67a5ae6f09f284f453bf83944916dec7f8676be4a712cc92a3fc186
SnakeKeylogger
12fd71647d0ddc3a5619975288f310047162f1258765d337efaee411c9f7e7f4
SnakeKeylogger
19114d1f7709bcabb6ea19c9145267e114a403a690975c6eac5c8478ed278cf2
SnakeKeylogger
2ee555b4d69513eed39976e0fb0e6a6165d20c30e8a4dcc1e55ea7e001dc1127
SnakeKeylogger
42e71a6e0d1db101fe1fb3f5d8f067aea2fda52b24050dbadea6d8ebdddc4a81
SnakeKeylogger
7010546f9366fc5ff5ec208985159b5aeddc897e3dd0f811a6835c5debd96d55
SnakeKeylogger
c751f9d546d20216bdc996ecdcea6ee9f57771682879383621bff83a8229e384
SnakeKeylogger
e0da065f5de30c5ba0f494a5e042fadef310039fef35896a61756d49c6e21611
SnakeKeylogger
f65f899fc6cc494d6c59311f4a0519fa6ba0c9859c8ce13a5adc30aa9fd1817b
SnakeKeylogger
+ 178 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  10/10
Tags:
persistence
Link:
https://tria.ge/reports/210709-8blvbadqax/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Adds Run key to start application
Looks up external IP address via web service
Loads dropped DLL
Unpacked files
SH256 hash:
2aef74cef938f6a0b4c8ee1268447c20d8ddab21c751f8e27164e81947a5f206
MD5 hash:
664d958d44f75022bb4430eaef3fe3a1
SHA1 hash:
de79d56d5ec9f90fc034eaccbc51fc827603a7ca
Link:
https://www.unpac.me/results/be69538b-6572-4bef-b7d6-ea0407054c62/
SH256 hash:
53507efd5d899b51f2b869482d1766474f39b3d6205bf799da07b78a8f35b708
MD5 hash:
45380b612ba41f4fcb2b14047f07382e
SHA1 hash:
27361e8071fd1cfb25ed15a085a85ccf547d23ce
Link:
https://www.unpac.me/results/be69538b-6572-4bef-b7d6-ea0407054c62/
SH256 hash:
944ede2a18ba38f79069bb16852b8693d8a7c2e91fff99dbbc67d9b26b01b848
MD5 hash:
b0c0777231a5d75cc1866ec4b8c23954
SHA1 hash:
d34eab92be14ddb5d3c2f7f830b2857315551e88
Link:
https://www.unpac.me/results/be69538b-6572-4bef-b7d6-ea0407054c62/
SH256 hash:
549b1c385da022b7a956a88993359279d053227adf005eacc80e92d340921958
MD5 hash:
fc937a374db430c2158f214e09f7d2af
SHA1 hash:
c5bc31a85d93e3c15cae8e8bfdaf7293410d0508
Link:
https://www.unpac.me/results/be69538b-6572-4bef-b7d6-ea0407054c62/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/549b1c385da022b7a956a88993359279d053227adf005eacc80e92d340921958

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Choice_Del_method_bin_mem
Create hunting rule
Author:James_inthe_box
Description:cmd ping IP nul del
Rule name:Chrome_stealer_bin_mem
Create hunting rule
Author:James_inthe_box
Description:Chrome in files like avemaria
Rule name:Email_stealer_bin_mem
Create hunting rule
Author:James_inthe_box
Description:Email in files like avemaria
Rule name:INDICATOR_SUSPICIOUS_Binary_References_Browsers
Create hunting rule
Author:ditekSHen
Description:Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers.
Rule name:INDICATOR_SUSPICIOUS_EXE_Referenfces_Messaging_Clients
Create hunting rule
Author:ditekSHen
Description:Detects executables referencing many email and collaboration clients. Observed in information stealers
Rule name:INDICATOR_SUSPICOIUS_EXE_DotNetProcHook
Create hunting rule
Author:ditekSHen
Description:Detects executables with potential process hoocking
Rule name:Keylog_bin_mem
Create hunting rule
Author:James_inthe_box
Description:Contains Keylog
Rule name:MALWARE_Win_SnakeKeylogger
Create hunting rule
Author:ditekSHen
Description:Detects Snake Keylogger
Rule name:MAL_Envrial_Jan18_1
Create hunting rule
Author:Florian Roth
Description:Detects Encrial credential stealer malware
Reference:https://twitter.com/malwrhunterteam/status/953313514629853184
Rule name:pe_imphash
Create hunting rule
Rule name:Reverse_text_bin_mem
Create hunting rule
Author:James_inthe_box
Description:Reverse text detected
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash
Rule name:Telegram_bot_mem
Create hunting rule
Author:James_inthe_box
Description:Telegram in files like avemaria
Rule name:Telegram_Exfiltration_Via_Api
Create hunting rule
Author:lsepaolo

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

SnakeKeylogger

Executable exe 549b1c385da022b7a956a88993359279d053227adf005eacc80e92d340921958

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/170684/

Comments