MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 579c7148f42c09b133fa616244cb4497034adf370f8e724bd1a9afdd0c7e004d. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


SnakeKeylogger


Vendor detections: 17


Intelligence 17 IOCs YARA 5 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 579c7148f42c09b133fa616244cb4497034adf370f8e724bd1a9afdd0c7e004d
SHA3-384 hash: fc94a6d52e054a00144742a1612d162f3bce2102ebd0c190cbb82f68bfcdcb76696dea1fc36d54e8571fe4b9006f33ba
SHA1 hash: d2283e04226200cf6dd206c91363f7a1d99d3a55
MD5 hash: 043b35de131306c1ede0fe6117551c60
humanhash: montana-music-bluebird-double
File name:b51175581d84bf44fdbadff6a71ecc7c4cec821be778d0cbc7eb9a6417e8ff96_dump.exe
Download: download sample
Signature SnakeKeylogger
Create hunting rule
File size:208'384 bytes
First seen:2024-07-29 22:44:34 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash bf5a4aa99e5b160f8521cadd6bfe73b8 (423 x RedLineStealer, 31 x AgentTesla, 12 x DCRat)
ssdeep 3072:7DKW1LgppLRHMY0TBfJvjcTp5XJ5g9kzZ3Yd+Ne0LHohq77bYf:7DKW1Lgbdl0TBBvjc/T91Ykw0LIhabg
TLSH T1B014BE2071C0C2B2C4B7013045E6CB799A7974724B6A95D7B7DD2BBA6F213E1A3362CD
TrID 47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
15.9% (.EXE) Win64 Executable (generic) (10523/12/4)
9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
7.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
6.8% (.EXE) Win32 Executable (generic) (4504/4/1)
Reporter ukycircle
Tags:exe SnakeKeylogger

Intelligence

File Origin
# of uploads :
1
# of downloads :
343
Origin country :
JP JP
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
b51175581d84bf44fdbadff6a71ecc7c4cec821be778d0cbc7eb9a6417e8ff96_dump.exe
Verdict:
Malicious activity
Analysis date:
2024-07-29 22:45:00 UTC
Tags:
evasion snake keylogger telegram stealer smtp
Link:
https://app.any.run/tasks/c7a7ec8d-fc4c-4f12-ad1f-5915fbd8061b

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Verdict:
Malicious
Score:
95.7%
Link:
https://cyber-fortress.com/docs/result/index.php?id=66a81b70c06bd32e596e6525
Tags:
Discovery Network Static Stealth
Result
Verdict:
Malware
Maliciousness:

Behaviour
Reading critical registry keys
Creating a window
Searching for the window
Сreating synchronization primitives
DNS request
Connection attempt
Sending an HTTP GET request
Sending a custom TCP request
Stealing user critical data
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
epmicrosoft_visual_cc fingerprint microsoft_visual_cc packed redline
Link:
https://www.filescan.io/uploads/66a81b6f78d5c73fb1c8cea6/reports/83535a22-1fab-4967-ac81-29b99f27f3c5/overview
Verdict:
Malicious
Labled as:
Dump:Generic.MSIL.PasswordStealerA
Link:
https://www.hybrid-analysis.com/sample/579c7148f42c09b133fa616244cb4497034adf370f8e724bd1a9afdd0c7e004d
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Malicious Packer
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/9200e6ac-82a6-4f0b-9319-0091fcfe6375
Result
Threat name:
Snake Keylogger, VIP Keylogger
Create hunting rule
Detection:
malicious
Classification:
troj.spyw
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1484379
Signature
AI detected suspicious sample
Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
Found malware configuration
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Tries to detect the country of the analysis system (by using the IP)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Uses the Telegram API (likely for C&C communication)
Yara detected Generic Downloader
Yara detected Snake Keylogger
Yara detected Telegram RAT
Yara detected VIP Keylogger
Behaviour
Behavior Graph:
Download SVG
Score:
97%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/579c7148f42c09b133fa616244cb4497034adf370f8e724bd1a9afdd0c7e004d
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/579c7148f42c09b133fa616244cb4497034adf370f8e724bd1a9afdd0c7e004d/
Threat name:
Win32.Spyware.Snakekeylogger
Create hunting rule
Status:
Malicious
First seen:
2024-07-29 22:45:06 UTC
File Type:
PE (Exe)
Extracted files:
1
AV detection:
21 of 24 (87.50%)
Threat level:
  2/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=k6ohcshufqe3cm72mfrejs2es4buvxzxb6hhes6rvgx52dd6abgq._file
Verdict:
malicious
Result
Malware family:
n/a
Score:
  9/10
Tags:
collection credential_access discovery spyware stealer
Link:
https://tria.ge/reports/240729-2pdd2avakn/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
outlook_office_path
outlook_win_path
Browser Information Discovery
System Location Discovery: System Language Discovery
Accesses Microsoft Outlook profiles
Looks up external IP address via web service
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Credentials from Password Stores: Credentials from Web Browsers
Verdict:
Suspicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/a3185b78-67d3-45d1-b046-f122a7f73f9d
Unpacked files
SH256 hash:
7d03c245636ceeed78c6bb08041c65594c93449c145b451d0c465c7b227169bc
MD5 hash:
364c5f5d4b83f462ec6f3fb4fadecd38
SHA1 hash:
bdfe9fe04786b15d5e901357cb1f0e06b545a370
Detections:
win_404keylogger_g1
Create hunting rule
MAL_Envrial_Jan18_1
Create hunting rule
Link:
https://www.unpac.me/results/a54d0d47-7210-4e5d-a001-60f740f1d3c5/
Parent samples :
6bfb0f467d70e67c4d5406c39a7b4ce5ce0b81b0c8318d51a078b77bddcdd275
b51175581d84bf44fdbadff6a71ecc7c4cec821be778d0cbc7eb9a6417e8ff96
579c7148f42c09b133fa616244cb4497034adf370f8e724bd1a9afdd0c7e004d
fd2bd6b337113729beeb74f7446d2b777315abca4d557a5cfd7acd679add2d65
6d524f19183002c058639b24455f309f78f225ee0a0210cfd820b83609f132ad
3f2a538487752f1c35b02c32e9bf2d14d84da017076bd8c66a7185d4de32baf7
ed94e4340621581cec927c362247b765e8eec9946069d54c36cac2e7ce1236f7
76a1146953eeb963c6eae47e2c22729d21199ef5d5e2d68f09bee651792d89e7
6a5fb55dd9dff7b874d54775cc1c1c9dfba6d99665d21a3630a1958c0ba7a547
96b4dc68d491b25769c36f74ad0403c1e775cd4c02b7859941267f40d1834419
cc74dce37e3eb30eb01e92d8413871cfbbf614e12730af6f8dc0f55cadb11aa6
29205d95468e39eb69b47f1bbec3c93411003098765e5b2af4adeab341dc24a0
cafdcfc0ee408a001adca96acdfc8192ca25f26dba266e4c4d6c35cd6bc0df67
7fe8eb1d71fbf75851d70673fa7e5d90c95c643437be3b5b0a7e104439263684
ee4be32b511a342b4a82953fdd12d66d042342b28b508ba4612dddef54b7d3c5
5bad9df94dcc60bb8e5c4137f2d1026c84787aed707ec9e95f5e6f05e70e290b
0812c989fb4ccd9ecc95deacd727da799b88ae487e0edd4dcee900429a420065
b43ad962fd2871e8d704ed4b44f719dee7793e90387563292fe48744d86a4e54
0bbc0a1fa2a101549dc68f2a9c087b5c9ce88957163a83425457a88fbfc4c1de
fc657851d2b6c7d93e46364069b6a96e8f1b927b9e6e9a8066aaf51060a957f8
49b3a5b9adc10281015d59ca3b9439cd1201712133895cb848d33c66c8fbb1bc
c6755c9510ba4df19d3a59b8112844e667ac84aa30d629e414b5612df243ecfc
cefa40083339d42320bc1f9ba33c578b8abe47e15eb0dd6b0ba2f734aa8f3d6d
86f02fd88dc04b311ec6ae30fc2e4fc8be6884f24654a5103b7fb85f7631f99c
c52ce3f8d1b53883d52c55a97e6d33cb52a85725bb8edfb9f0e043f3b45a53a6
57be4ec7980a2d28a02541067688d47feecf59e71fdb022aa93fe84c04429c55
SH256 hash:
473a07e2c14fc6cc6e5283357864b25e024e4657a12cff08f6f82a5043407224
MD5 hash:
827ee3875416d184a7a59c24e52d9cb2
SHA1 hash:
353639c78a9bf5b62ff865e0897b8c4c8a31625f
Detections:
win_404keylogger_g1
Create hunting rule
MAL_Envrial_Jan18_1
Create hunting rule
Link:
https://www.unpac.me/results/a54d0d47-7210-4e5d-a001-60f740f1d3c5/
Parent samples :
6bfb0f467d70e67c4d5406c39a7b4ce5ce0b81b0c8318d51a078b77bddcdd275
b51175581d84bf44fdbadff6a71ecc7c4cec821be778d0cbc7eb9a6417e8ff96
579c7148f42c09b133fa616244cb4497034adf370f8e724bd1a9afdd0c7e004d
fd2bd6b337113729beeb74f7446d2b777315abca4d557a5cfd7acd679add2d65
6d524f19183002c058639b24455f309f78f225ee0a0210cfd820b83609f132ad
3f2a538487752f1c35b02c32e9bf2d14d84da017076bd8c66a7185d4de32baf7
ed94e4340621581cec927c362247b765e8eec9946069d54c36cac2e7ce1236f7
76a1146953eeb963c6eae47e2c22729d21199ef5d5e2d68f09bee651792d89e7
6a5fb55dd9dff7b874d54775cc1c1c9dfba6d99665d21a3630a1958c0ba7a547
96b4dc68d491b25769c36f74ad0403c1e775cd4c02b7859941267f40d1834419
cc74dce37e3eb30eb01e92d8413871cfbbf614e12730af6f8dc0f55cadb11aa6
29205d95468e39eb69b47f1bbec3c93411003098765e5b2af4adeab341dc24a0
cafdcfc0ee408a001adca96acdfc8192ca25f26dba266e4c4d6c35cd6bc0df67
7fe8eb1d71fbf75851d70673fa7e5d90c95c643437be3b5b0a7e104439263684
ee4be32b511a342b4a82953fdd12d66d042342b28b508ba4612dddef54b7d3c5
5bad9df94dcc60bb8e5c4137f2d1026c84787aed707ec9e95f5e6f05e70e290b
0812c989fb4ccd9ecc95deacd727da799b88ae487e0edd4dcee900429a420065
b43ad962fd2871e8d704ed4b44f719dee7793e90387563292fe48744d86a4e54
0bbc0a1fa2a101549dc68f2a9c087b5c9ce88957163a83425457a88fbfc4c1de
fc657851d2b6c7d93e46364069b6a96e8f1b927b9e6e9a8066aaf51060a957f8
49b3a5b9adc10281015d59ca3b9439cd1201712133895cb848d33c66c8fbb1bc
c6755c9510ba4df19d3a59b8112844e667ac84aa30d629e414b5612df243ecfc
cefa40083339d42320bc1f9ba33c578b8abe47e15eb0dd6b0ba2f734aa8f3d6d
86f02fd88dc04b311ec6ae30fc2e4fc8be6884f24654a5103b7fb85f7631f99c
c52ce3f8d1b53883d52c55a97e6d33cb52a85725bb8edfb9f0e043f3b45a53a6
57be4ec7980a2d28a02541067688d47feecf59e71fdb022aa93fe84c04429c55
SH256 hash:
579c7148f42c09b133fa616244cb4497034adf370f8e724bd1a9afdd0c7e004d
MD5 hash:
043b35de131306c1ede0fe6117551c60
SHA1 hash:
d2283e04226200cf6dd206c91363f7a1d99d3a55
Detections:
win_samsam_auto
Create hunting rule
MAL_Malware_Imphash_Mar23_1
Create hunting rule
SUSP_OBF_NET_Reactor_Native_Stub_Jan24
Create hunting rule
Link:
https://www.unpac.me/results/a54d0d47-7210-4e5d-a001-60f740f1d3c5/
Parent samples :
6bfb0f467d70e67c4d5406c39a7b4ce5ce0b81b0c8318d51a078b77bddcdd275
b51175581d84bf44fdbadff6a71ecc7c4cec821be778d0cbc7eb9a6417e8ff96
579c7148f42c09b133fa616244cb4497034adf370f8e724bd1a9afdd0c7e004d
fd2bd6b337113729beeb74f7446d2b777315abca4d557a5cfd7acd679add2d65
6d524f19183002c058639b24455f309f78f225ee0a0210cfd820b83609f132ad
3f2a538487752f1c35b02c32e9bf2d14d84da017076bd8c66a7185d4de32baf7
ed94e4340621581cec927c362247b765e8eec9946069d54c36cac2e7ce1236f7
76a1146953eeb963c6eae47e2c22729d21199ef5d5e2d68f09bee651792d89e7
6a5fb55dd9dff7b874d54775cc1c1c9dfba6d99665d21a3630a1958c0ba7a547
96b4dc68d491b25769c36f74ad0403c1e775cd4c02b7859941267f40d1834419
cc74dce37e3eb30eb01e92d8413871cfbbf614e12730af6f8dc0f55cadb11aa6
29205d95468e39eb69b47f1bbec3c93411003098765e5b2af4adeab341dc24a0
cafdcfc0ee408a001adca96acdfc8192ca25f26dba266e4c4d6c35cd6bc0df67
7fe8eb1d71fbf75851d70673fa7e5d90c95c643437be3b5b0a7e104439263684
ee4be32b511a342b4a82953fdd12d66d042342b28b508ba4612dddef54b7d3c5
5bad9df94dcc60bb8e5c4137f2d1026c84787aed707ec9e95f5e6f05e70e290b
0812c989fb4ccd9ecc95deacd727da799b88ae487e0edd4dcee900429a420065
b43ad962fd2871e8d704ed4b44f719dee7793e90387563292fe48744d86a4e54
0bbc0a1fa2a101549dc68f2a9c087b5c9ce88957163a83425457a88fbfc4c1de
fc657851d2b6c7d93e46364069b6a96e8f1b927b9e6e9a8066aaf51060a957f8
49b3a5b9adc10281015d59ca3b9439cd1201712133895cb848d33c66c8fbb1bc
c6755c9510ba4df19d3a59b8112844e667ac84aa30d629e414b5612df243ecfc
cefa40083339d42320bc1f9ba33c578b8abe47e15eb0dd6b0ba2f734aa8f3d6d
86f02fd88dc04b311ec6ae30fc2e4fc8be6884f24654a5103b7fb85f7631f99c
c52ce3f8d1b53883d52c55a97e6d33cb52a85725bb8edfb9f0e043f3b45a53a6
57be4ec7980a2d28a02541067688d47feecf59e71fdb022aa93fe84c04429c55
Malware family:
RedNet
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/579c7148f42c/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/579c7148f42c09b133fa616244cb4497034adf370f8e724bd1a9afdd0c7e004d

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:DebuggerCheck__API
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:MALWARE_Win_RedLine
Create hunting rule
Author:ditekSHen
Description:Detects RedLine infostealer
Rule name:MAL_Malware_Imphash_Mar23_1
Create hunting rule
Author:Arnim Rupp
Description:Detects malware by known bad imphash or rich_pe_header_hash
Reference:https://yaraify.abuse.ch/statistics/
Rule name:NET
Create hunting rule
Author:malware-lu

File information

The table below shows additional information about this malware sample such as delivery method and external references.

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_DLL_CHARACTERISTICSMissing dll Security Characteristics (HIGH_ENTROPY_VA)high
CHECK_NXMissing Non-Executable Memory Protectioncritical
CHECK_PIEMissing Position-Independent Executable (PIE) Protectionhigh
Reviews
IDCapabilitiesEvidence
WIN32_PROCESS_APICan Create Process and ThreadsKERNEL32.dll::CloseHandle
WIN_BASE_APIUses Win Base APIKERNEL32.dll::TerminateProcess
KERNEL32.dll::LoadLibraryA
KERNEL32.dll::GetStartupInfoA
KERNEL32.dll::GetCommandLineA
WIN_BASE_EXEC_APICan Execute other programsKERNEL32.dll::WriteConsoleA
KERNEL32.dll::WriteConsoleW
KERNEL32.dll::SetStdHandle
KERNEL32.dll::GetConsoleCP
KERNEL32.dll::GetConsoleMode
KERNEL32.dll::GetConsoleOutputCP
WIN_BASE_IO_APICan Create FilesKERNEL32.dll::CreateFileA

Comments