MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 63314e978f8b297d2cbf0585f648bda443fdfafceb666541b2a6bbc23f2cc812. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

SnakeKeylogger

Vendor detections: 11

Intelligence 11 IOCs YARA 2 File information Comments

SHA256 hash:	63314e978f8b297d2cbf0585f648bda443fdfafceb666541b2a6bbc23f2cc812
SHA3-384 hash:	e388771ad00fcb2eef34dff191bfbfab06f9efa809d82ceb438feca1509df24656aae57197deb65e214d074461bc0f0f
SHA1 hash:	3d7bc7a33cbb5d9b5f57015def84e2375abf198b
MD5 hash:	c7336c601e5941078e3e0ceeafd33ef0
humanhash:	tennessee-purple-bakerloo-one
File name:	SWIFT COPY.exe
Download:	download sample
Signature	SnakeKeylogger Create hunting rule
File size:	998'400 bytes
First seen:	2022-08-15 15:33:35 UTC
Last seen:	2022-08-15 16:49:42 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'740 x AgentTesla, 19'602 x Formbook, 12'241 x SnakeKeylogger)
ssdeep	24576:UBZgJHgxvBCPhaHDK0D+ETuuAqA/sxSAsjgFKuRk:UgAxvBmhOzD+EauA1m
TLSH	T1F025F1AF2D9C1615CD3A47B4ECAC118097F27DA63216E68E5CA330D7C5B239C4B68E17
TrID	72.5% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13) 10.4% (.EXE) Win64 Executable (generic) (10523/12/4) 6.5% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 4.4% (.EXE) Win32 Executable (generic) (4505/5/1) 2.0% (.EXE) OS/2 Executable (generic) (2029/13)
Reporter	abuse_ch
Tags:	exe SnakeKeylogger

Intelligence

File Origin

# of uploads :

# of downloads :

231

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

SWIFT COPY.exe

Verdict:

Malicious activity

Analysis date:

2022-08-15 15:47:04 UTC

Tags:

evasion trojan snake

Link:

https://app.any.run/tasks/8292abd1-55b3-4d9f-aa19-ad08cc59decb

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

Snake

Link:

https://www.capesandbox.com/analysis/298718/

Detection(s):

SecuriteInfo.com.Trojan.PackedNET.1449.17045.10772.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Searching for the window

Creating a window

Launching a process

Creating a process with a hidden window

Verdict:

Suspicious

Threat level:

5/10

Confidence:

100%

Tags:

packed

Link:

https://www.filescan.io/uploads/62fa678cf5935cafacf91749/reports/facb1cba-feb9-4afc-9ddf-23543801066c/overview

Result

Verdict:

UNKNOWN

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Snake Keylogger

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/252585da-f115-44d5-a755-b40b6390bcec

Result

Threat name:

Snake Keylogger

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1051852

Signature

.NET source code references suspicious native API functions

Adds a directory exclusion to Windows Defender

Injects a PE file into a foreign processes

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

May check the online IP address of the machine

Multi AV Scanner detection for submitted file

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Snort IDS alert for network traffic

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to steal Mail credentials (via file / registry access)

Yara detected AntiVM3

Yara detected Generic Downloader

Yara detected Snake Keylogger

Yara detected Telegram RAT

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/63314e978f8b297d2cbf0585f648bda443fdfafceb666541b2a6bbc23f2cc812/

Threat name:

ByteCode-MSIL.Trojan.Snakekeylogger

Status:

Malicious

First seen:

2022-08-15 11:56:35 UTC

File Type:

PE (.Net Exe)

Extracted files:

AV detection:

21 of 26 (80.77%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=mmyu5f4prmux2lf7awc7msf5urb736x45ntgkqnsu254epzmzaja._file

Result

Malware family:

snakekeylogger

Score:

10/10

Tags:

family:snakekeylogger collection evasion keylogger spyware stealer

Link:

https://tria.ge/reports/220815-szrjzafcg4/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

outlook_office_path

outlook_win_path

Enumerates physical storage devices

Suspicious use of SetThreadContext

Accesses Microsoft Outlook profiles

Looks up external IP address via web service

Maps connected drives based on registry

Checks BIOS information in registry

Checks computer location settings

Reads data files stored by FTP clients

Reads user/profile data of local email clients

Reads user/profile data of web browsers

Looks for VMWare Tools registry key

Looks for VirtualBox Guest Additions in registry

Snake Keylogger

Snake Keylogger payload

Unpacked files

SH256 hash:

e22e7f09d743e524d134f4b4bbf5f1eb5308a3edb954a40b8aa5e68c7b8cffd4

MD5 hash:

07e1f7163b7d8b6d80d83d1c819436ef

SHA1 hash:

ed7724c52e18b9810939327b803ca03837915836

Link:

https://www.unpac.me/results/2fb5d074-d8d6-4199-8638-d9e90e674f29/

Parent samples :

1d16237ed75b507f03609ede9722fff429f9a7386c4c4408a9f47623d7a28b50
7154910c217ddc6b6d3726e066d688288efbcd8682a4ad90556fed2ce9009c69
c5dd4dced21baff9499dac6505a77527ac91dc0b0f187c20e9b960b46b3636b9
90dd02313886725b3ad19eaa0780f7189d49e8d1a334e51e5432027e2326c14f

SH256 hash:

24681380a7c1258fc58c4d27b586b95b5fdaf7d2ef00833ae9ba64296af5fba4

MD5 hash:

cbcc0e1574ef1123bc8ca4027ac5d374

SHA1 hash:

9d46084ba75297ee4463a10e1c5c271f2c2a311e

Link:

https://www.unpac.me/results/2fb5d074-d8d6-4199-8638-d9e90e674f29/

SH256 hash:

c1c8fa56153804b1855e520134b0acfa0c2ddfe5ccae54e544bf7f2413decb19

MD5 hash:

b9a6dcbf85e59f70c25789cf9d2686b3

SHA1 hash:

a88c5636a8f9f9b48f5bd1c49001e326bba7bc13

Link:

https://www.unpac.me/results/2fb5d074-d8d6-4199-8638-d9e90e674f29/

SH256 hash:

6489760747ba7d7ace3f53f7f1d566dedb49f7fabdff710449f63865bb59335c

MD5 hash:

8fbde870a9304978682247f60ef285e0

SHA1 hash:

85c96d0fd146386c88516adc007e87d3a7620c99

Link:

https://www.unpac.me/results/2fb5d074-d8d6-4199-8638-d9e90e674f29/

SH256 hash:

8a7cd62e27a055101aed9451694e170487ed0089dae3e64f73baa8dc45f942fc

MD5 hash:

1a412d070848e3b19763b7c66cadfb20

SHA1 hash:

3780bb37d71cffa71377e0ec3e211736710c3fa0

Link:

https://www.unpac.me/results/2fb5d074-d8d6-4199-8638-d9e90e674f29/

SH256 hash:

9b4aee132a0228378d66a57fda3a2030952309ef74cf2db724ac916b04d8c034

MD5 hash:

93c6391d23c1aa1ed66fb13f82f2ee31

SHA1 hash:

220098c3047c32b51ae13a5cc1e9beeef3da6e18

Link:

https://www.unpac.me/results/2fb5d074-d8d6-4199-8638-d9e90e674f29/

SH256 hash:

1b72d49a5e3db7a7a157408ac93240c7e0316ed7f6ddd10befc1af7e4bf7f68c

MD5 hash:

9c1436a35d82492bd09b6d65e4eaf94a

SHA1 hash:

2177711310aef753f821b881a4ee7f64f3bc9ef8

Link:

https://www.unpac.me/results/2fb5d074-d8d6-4199-8638-d9e90e674f29/

SH256 hash:

63314e978f8b297d2cbf0585f648bda443fdfafceb666541b2a6bbc23f2cc812

MD5 hash:

c7336c601e5941078e3e0ceeafd33ef0

SHA1 hash:

3d7bc7a33cbb5d9b5f57015def84e2375abf198b

Link:

https://www.unpac.me/results/2fb5d074-d8d6-4199-8638-d9e90e674f29/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/63314e978f8b297d2cbf0585f648bda443fdfafceb666541b2a6bbc23f2cc812

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	pe_imphash Create hunting rule

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/298718/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample