MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 691cadca061e29068534972b98fb0a23ab002241eda53bf756ac21fb83b51a63. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


SnakeKeylogger


Vendor detections: 9


Intelligence 9 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 691cadca061e29068534972b98fb0a23ab002241eda53bf756ac21fb83b51a63
SHA3-384 hash: 238fe3ae7c250b243c5392dd2b1c33cd81862ad9aa27225b8ced5e9565552d707a34cfef148ae21ea05df9250537740b
SHA1 hash: 7f52fdba06bcce76a0630a33d55e6e04c4e6e438
MD5 hash: 0b28fcec6aa92f1f82d76d4872608462
humanhash: charlie-five-four-kansas
File name:0b28fcec6aa92f1f82d76d4872608462.exe
Download: download sample
Signature SnakeKeylogger
Create hunting rule
File size:1'272'960 bytes
First seen:2021-02-15 19:57:53 UTC
Last seen:2021-02-15 21:49:44 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'744 x AgentTesla, 19'609 x Formbook, 12'242 x SnakeKeylogger)
ssdeep 12288:FlxhGT/f7DSvWN1JuigLYVlaf+dhKeVnVBAzzZvwKD3ZvEVhpfNcNCHFb/LE:FAzHSvi7AYaf+dk+gzFopuC9LE
Threatray 15 similar samples on MalwareBazaar
TLSH C445F1226A62CB55C83A5D36C41EC0F953F86E1A28A0C38F788D7B533A71D4F77C8965
Reporter abuse_ch
Tags:exe SnakeKeylogger

Intelligence

File Origin
# of uploads :
2
# of downloads :
129
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
PO00004423.doc
Verdict:
Malicious activity
Analysis date:
2021-02-15 08:12:02 UTC
Tags:
ole-embedded exploit CVE-2017-11882 loader evasion trojan
Link:
https://app.any.run/tasks/11000a8f-775c-46ca-a567-b944961aa077

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/117234/
Detection(s):
PUA.Win.Trojan.Generic-6629274-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
DNS request
Sending a custom TCP request
Creating a window
Creating a file in the %temp% directory
Creating a process from a recently created file
Creating a file
Sending an HTTP GET request
Reading critical registry keys
Sending a UDP request
Unauthorized injection to a recently created process
Unauthorized injection to a recently created process by context flags manipulation
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
Snake Keylogger
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/608396
Signature
.NET source code contains potential unpacker
Allocates memory in foreign processes
Found malware configuration
Hides that the sample has been downloaded from the Internet (zone.identifier)
Injects a PE file into a foreign processes
Machine Learning detection for sample
May check the online IP address of the machine
Multi AV Scanner detection for submitted file
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Mail credentials (via file access)
Writes to foreign memory regions
Yara detected Beds Obfuscator
Yara detected Snake Keylogger
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/691cadca061e29068534972b98fb0a23ab002241eda53bf756ac21fb83b51a63/
Threat name:
ByteCode-MSIL.Trojan.Generic
Create hunting rule
Status:
Suspicious
First seen:
2021-02-15 08:41:01 UTC
AV detection:
19 of 29 (65.52%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=neok3sqgdyuqnbjus4vzr6ykeovqaisb5wstx52wvqq7xa5vdjrq._file
Verdict:
unknown
Similar samples:
0672e1e0fdcf5ce94a55e35855458ae01f17124ad09219673a526c0ae1aeec57
SnakeKeylogger
237f8b4365da5b034b1f6a0f9761dc8f472670a48de278636ca4751475e6f750
SnakeKeylogger
442e74649ae6be0b2f84e73917c8ef704ca9aaa15d7922d0807731a15f3ce019
SnakeKeylogger
8b2c21c13d38bbf20fd65e3a6b840315e14d60c0dc7e131104a5ea8b73699953
SnakeKeylogger
b8a9e94c8bbe43c7684e509ae89eb4d74b28a7fb3d5504c559f555c1e453bdd7
SnakeKeylogger
c42f604b88f970d7f871de38dc87f4a2b9d53c8806139cd3e6aa0193110d5e63
SnakeKeylogger
c576c8589cb5ac244855f2ba2bc67c4445729e19140302ef781a2c27c8a3eabe
SnakeKeylogger
ed21e9b47bc6e3343b98a6a69795c35c0b9ed34d9963a65e5df0afdcfdad9820
SnakeKeylogger
eee7f4dd424733c57b1fe3712d215129f3494536bf6277d1811417c8a0a1baae
SnakeKeylogger
fb8928337f3d9931fe26b1b891793360a61c93ef63af683621ea88f1707e9695
SnakeKeylogger
+ 5 additional samples on MalwareBazaar
Result
Malware family:
snakekeylogger
Create hunting rule
Score:
  10/10
Tags:
family:snakekeylogger keylogger spyware stealer
Link:
https://tria.ge/reports/210215-kqgmtjhb7a/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Looks up external IP address via web service
Loads dropped DLL
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Executes dropped EXE
Snake Keylogger
Snake Keylogger Payload
Unpacked files
SH256 hash:
691cadca061e29068534972b98fb0a23ab002241eda53bf756ac21fb83b51a63
MD5 hash:
0b28fcec6aa92f1f82d76d4872608462
SHA1 hash:
7f52fdba06bcce76a0630a33d55e6e04c4e6e438
Link:
https://www.unpac.me/results/49737e31-d282-408a-a0f1-d59915cafc37/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Kryptik
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/691cadca061e29068534972b98fb0a23ab002241eda53bf756ac21fb83b51a63

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

SnakeKeylogger

Executable exe 691cadca061e29068534972b98fb0a23ab002241eda53bf756ac21fb83b51a63

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/1010868/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/117234/

Comments