MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 5f8726a70210acce4b0c90d578efa854799a5bf7bceb8d2fb10854b83f2f0db3. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

SnakeKeylogger

Vendor detections: 10

Intelligence 10 IOCs YARA 3 File information Comments

SHA256 hash:	5f8726a70210acce4b0c90d578efa854799a5bf7bceb8d2fb10854b83f2f0db3
SHA3-384 hash:	91a44f9be9b9f150f2e96b592f93a9fbdbdfcf61155d3d6f7f37232bc05aa75b564c8b4dfb6496dfc30b67737249169c
SHA1 hash:	27b627a50d34b9639d6bb26820b32e6456a820c1
MD5 hash:	d2d8e8905d69011b34b177964e22c8e2
humanhash:	cold-jersey-robert-xray
File name:	SecuriteInfo.com.Scr.Malcodegdn30.14543.19096
Download:	download sample
Signature	SnakeKeylogger Create hunting rule
File size:	886'272 bytes
First seen:	2021-08-09 02:49:10 UTC
Last seen:	2021-08-09 12:18:46 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'742 x AgentTesla, 19'607 x Formbook, 12'242 x SnakeKeylogger)
ssdeep	12288:4xApTtMHOtc7BwmNCyBfssh3rBNgprFVMi2vgmreIHK7z7zKboASYF:OApTrtcNd4MfVFiB92hKvzKbog
Threatray	591 similar samples on MalwareBazaar
TLSH	T1E515D0662BE88A17E27937741574F27206F5BD863D31D24E6DD13C9B3BB6B808A60313
dhash icon	70e0f8eaeae8f870 (17 x AgentTesla, 10 x Formbook, 7 x SnakeKeylogger)
Reporter	SecuriteInfoCom
Tags:	exe SnakeKeylogger

Intelligence

File Origin

# of uploads :

# of downloads :

116

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

SecuriteInfo.com.Scr.Malcodegdn30.14543.19096

Verdict:

Malicious activity

Analysis date:

2021-08-09 02:50:06 UTC

Tags:

evasion trojan snakekeylogger keylogger

Link:

https://app.any.run/tasks/175d5c6b-16c1-4100-b857-cde37fc88d19

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/177342/

Detection(s):

SecuriteInfo.com.Scr.Malcodegdn30.14543.19096.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

Sending a UDP request

Creating a file in the %AppData% directory

Enabling the 'hidden' option for recently created files

Adding an access-denied ACE

Creating a file in the %temp% directory

Launching a process

Creating a process with a hidden window

Deleting a recently created file

Unauthorized injection to a recently created process

Creating a file

DNS request

Connection attempt

Sending an HTTP GET request

Sending a custom TCP request

Reading critical registry keys

Enabling autorun by creating a file

Result

Verdict:

UNKNOWN

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Snake Keylogger

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/b4e7e7f1-50bb-4565-9446-0001901ce4eb

Result

Threat name:

Snake Keylogger

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/828929

Signature

.NET source code references suspicious native API functions

Found malware configuration

Malicious sample detected (through community Yara rule)

May check the online IP address of the machine

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to steal Mail credentials (via file access)

Uses schtasks.exe or at.exe to add and modify task schedules

Yara detected AntiVM3

Yara detected Snake Keylogger

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/5f8726a70210acce4b0c90d578efa854799a5bf7bceb8d2fb10854b83f2f0db3/

Threat name:

ByteCode-MSIL.Spyware.Negasteal

Status:

Malicious

First seen:

2021-08-09 02:00:08 UTC

AV detection:

5 of 46 (10.87%)

Threat level:

2/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=l6dsnjycccwm4symsdkxr35ikr4zuw7xxtvy2l5rbbklqpzpbwzq._file

Verdict:

malicious

SnakeKeylogger

578aa3607cb34fde024d099b916e61c0a767d952312a2e8c9276f3167a65ad14

SnakeKeylogger

5c76aef388b4a8cdd706e882c0e441389c8730c36d17450d80e566d81095cac0

SnakeKeylogger

69950e3903237ab9d6441a23af192268cf49da8e1034f77990833a60738090a6

SnakeKeylogger

b0cc2b05abaf593a784bb9d83cd0a61bf5b218605f61dba802df21c8ea54c7c6

SnakeKeylogger

b5e1daebfb2aa234328dc9776a1ecc77dd2726a7709c353c0265d8b1f4803f1c

SnakeKeylogger

b9acd58a25a9493713c0b5a3be62db4338de550aad1b23054d4be3de0c1b0c46

SnakeKeylogger

c4e1ba047b2fa0d07de6a124e882025489d5ff95e2a2cef31c4526199636f3cd

SnakeKeylogger

dc5458e66a8c76f55a5f490f5c9d12ea6e92a67c6ed74dbe40ca066a149d1659

SnakeKeylogger

e0c5194ec5dd17f0a5f77c156e99deafdee0c6e25b5c54c4bedc7bc5420f3a1d

SnakeKeylogger

+ 581 additional samples on MalwareBazaar

Result

Malware family:

snakekeylogger

Score:

10/10

Tags:

family:snakekeylogger keylogger spyware stealer

Link:

https://tria.ge/reports/210809-azd2saxw5n/

Behaviour

Creates scheduled task(s)

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Enumerates physical storage devices

Program crash

Suspicious use of SetThreadContext

Looks up external IP address via web service

Reads data files stored by FTP clients

Reads user/profile data of local email clients

Reads user/profile data of web browsers

Snake Keylogger

Unpacked files

SH256 hash:

fb4cd566831fe3ee6c4793396fbf70a481c8044029ce2a461060706bad0ba697

MD5 hash:

f6feb58332aacb0ea6fc4c6cb70c98d3

SHA1 hash:

c90d6d282e678054951ea86787ed49a012683fe8

Link:

https://www.unpac.me/results/2c123b12-c2c9-4950-96de-43c7c2ded77c/

SH256 hash:

ed0dd1e2260da7b03c8b80e0b45e8fef44be722c1e8c41e078c1a25ed0d18ecc

MD5 hash:

6057ce35bd926dd6d49dedfa9cc18372

SHA1 hash:

1f4e44e1740ffbd91129ac3a37d22845bc52c158

Link:

https://www.unpac.me/results/2c123b12-c2c9-4950-96de-43c7c2ded77c/

SH256 hash:

1e92b069417f077cd1b2758f1a43599d5c003e18d8647517b40ab8bdd034f6b7

MD5 hash:

58427ebecef1b95e06c1fe988bdd3728

SHA1 hash:

0c89e14e8eb2a9c2838814aa87eab091f1ea7b3c

Link:

https://www.unpac.me/results/2c123b12-c2c9-4950-96de-43c7c2ded77c/

SH256 hash:

5f8726a70210acce4b0c90d578efa854799a5bf7bceb8d2fb10854b83f2f0db3

MD5 hash:

d2d8e8905d69011b34b177964e22c8e2

SHA1 hash:

27b627a50d34b9639d6bb26820b32e6456a820c1

Link:

https://www.unpac.me/results/2c123b12-c2c9-4950-96de-43c7c2ded77c/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/5f8726a70210acce4b0c90d578efa854799a5bf7bceb8d2fb10854b83f2f0db3

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	pe_imphash Create hunting rule

Rule name:	pe_imphash Create hunting rule

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/177342/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample