MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 6c7cbf4b4eb2e90a7093cc03786942ca42c88c0cdd30397b1530530c7ad40ae9. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


SnakeKeylogger


Vendor detections: 13


Intelligence 13 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 6c7cbf4b4eb2e90a7093cc03786942ca42c88c0cdd30397b1530530c7ad40ae9
SHA3-384 hash: 998f52698ad5fca8f8ab94cd8647597609f682a7cb7b616f5b7626163bd49c00f8a4bacf058a47fe9cd564b605186678
SHA1 hash: b5e9d05f8db3b081cd9c180ea16577f4d5a48cc3
MD5 hash: 0dd3274dc695112f7f33437d224b2674
humanhash: xray-quebec-orange-earth
File name:0dd3274dc695112f7f33437d224b2674.exe
Download: download sample
Signature SnakeKeylogger
Create hunting rule
File size:648'704 bytes
First seen:2023-02-01 14:30:23 UTC
Last seen:2023-02-01 16:51:25 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'657 x AgentTesla, 19'468 x Formbook, 12'206 x SnakeKeylogger)
ssdeep 12288:ADvyIzh0wyOl4dmHWZ5K8TphT7nmrAJmEFWeh3ih9HnAYTx:6aIz2wyOl/HiNRJsEFBYTAwx
Threatray 10'601 similar samples on MalwareBazaar
TLSH T1DBD401AAC26DCCBBCB4A01FF427150496FB2097AF192D78D0EAFE52184CF781857159B
TrID 71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.2% (.EXE) Win64 Executable (generic) (10523/12/4)
6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.3% (.EXE) Win32 Executable (generic) (4505/5/1)
2.0% (.ICL) Windows Icons Library (generic) (2059/9)
Reporter abuse_ch
Tags:exe SnakeKeylogger

Intelligence

File Origin
# of uploads :
2
# of downloads :
162
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
0dd3274dc695112f7f33437d224b2674.exe
Verdict:
Malicious activity
Analysis date:
2023-02-01 14:34:27 UTC
Tags:
evasion trojan snake keylogger
Link:
https://app.any.run/tasks/88aaec9f-5894-411b-b3f4-1dac7040123d

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Snake
Create hunting rule
Link:
https://www.capesandbox.com/analysis/359035/
Detection(s):
SecuriteInfo.com.Trojan.GenericKD.65255760.14617.31937.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Creating a window
Unauthorized injection to a recently created process
Creating a file
Verdict:
Unknown
Threat level:
  0/10
Confidence:
75%
Link:
https://www.filescan.io/uploads/63da77a81c9cbf7d62552364/reports/1410582a-ce81-482e-be24-731d246c0e86/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Generic Malware
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/bfb9ff3e-9525-4731-b77f-34a9cb26fa10
Result
Threat name:
Snake Keylogger
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1163851
Signature
.NET source code references suspicious native API functions
Antivirus / Scanner detection for submitted sample
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
May check the online IP address of the machine
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Mail credentials (via file / registry access)
Yara detected AntiVM3
Yara detected Generic Downloader
Yara detected Snake Keylogger
Yara detected Telegram RAT
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/6c7cbf4b4eb2e90a7093cc03786942ca42c88c0cdd30397b1530530c7ad40ae9/
Threat name:
ByteCode-MSIL.Trojan.Generic
Create hunting rule
Status:
Suspicious
First seen:
2023-01-31 12:59:00 UTC
File Type:
PE (.Net Exe)
Extracted files:
14
AV detection:
22 of 39 (56.41%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=nr6l6s2owluqu4etzqbxq2kczjbmrdam3uyds6yvgbjqy6wubluq._file
Verdict:
malicious
Similar samples:
4826ace8391d200aa066ceb967aad44fc540670826c59538aa0df039d2c2421c
SnakeKeylogger
4f5ea72df2ff98979013fbfe0781a01d8d487d886ebc5012e037f553527996d2
SnakeKeylogger
6a9d3a6f928c5a2a9ab9abe269027f3b987045fbb30803dd431ae2f56d5f859c
SnakeKeylogger
8572c3b461f643bf5baaeb032cf81f83af78dcc60e34d98c669d12f748bb38f3
SnakeKeylogger
8878359c93d36d0849467e895c724bd5a171a4ac97f29217aca79645f3c57a40
SnakeKeylogger
8fc56654c730505dd97bbe04e8c9f688b7b9366eb1981e848fe3c829a553f40d
SnakeKeylogger
d943f08a35dc06253557151dbff927a9eb4c26f425d328cf612cb7e5211c3822
SnakeKeylogger
ef208a2f463e7c3b8ea5c01332d60d691018a27fb0baf080fb2b42bad34b1d07
SnakeKeylogger
+ 10'591 additional samples on MalwareBazaar
Result
Malware family:
snakekeylogger
Create hunting rule
Score:
  10/10
Tags:
family:snakekeylogger collection keylogger spyware stealer
Link:
https://tria.ge/reports/230201-rvqlfabh91/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Looks up external IP address via web service
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Snake Keylogger
Snake Keylogger payload
Unpacked files
SH256 hash:
178cc7474b323b0ae6b3095ff67127726530d9d44be5cb58ba7315ef3a1199ad
MD5 hash:
159af9cf7f94d64c8120c80268965306
SHA1 hash:
fb41ab37af2c83e96d97e9cd066f90e72d4887ea
Link:
https://www.unpac.me/results/796f311c-a2ef-4001-8018-0b03fecd6007/
SH256 hash:
c7d009497cbd8944d18f820feaa7ce5a56b69e61228e79533771dc86a48cfbef
MD5 hash:
d4aefcc09e7d33383e2cf685c5dfe585
SHA1 hash:
e0a90da44fe3a766cd157866261229cd3a7f7e09
Link:
https://www.unpac.me/results/796f311c-a2ef-4001-8018-0b03fecd6007/
SH256 hash:
fe9438374d663d440bd3c202cbae2039ade8b09b04d3f5817fdb20a6d88b7d03
MD5 hash:
08b07fb8ba550a1b9e1fa53797d69dc6
SHA1 hash:
df095b38a7d8abc89c2def1a01cba53ea4e86362
Detections:
snake_keylogger
Create hunting rule
Link:
https://www.unpac.me/results/796f311c-a2ef-4001-8018-0b03fecd6007/
Parent samples :
502e9eed478dfdedc334523b5f7f9b013a15dc7dab323be8484eac1420a0d483
7779ed77d9c37ea8c72f6afac3cd15f73e6f391e1ab6f755856de489fe76a10f
2491a675de02f6340ae18e2c96d2303132cf3f8fa98ebc168473555e19f8e8a8
03add028a0f16f8b27cb10a11dd8a2fc54536d8b8a21fa67282c8bc4dcaf1111
9b610ce7c1a9e3b0919a515ca56a58b2d1a2fc5950f367e9378fe1460bafcff6
dcff2f1adb183112521e7b484dc2fff1bf98316fcc38f4c06eb0e39c416fa3dc
6c7cbf4b4eb2e90a7093cc03786942ca42c88c0cdd30397b1530530c7ad40ae9
9354b4508b68e4610346573ceee0b88a8c356f9683f9ea6bdce5d704b2723539
9cdb2d1ee24e1074a50d1d75ab57418d72d19b7e3fc8c33385e7329e81c24951
b2bb771a614c21fc44edd716d4c194efae9f63a63458ccc9b1554fee712acf2d
b5ada365f91b0aa56e72985137583a1d10b2d0eeeb7d4609b3e810213ee018d0
0720dd196a11abe5f77b1499faeffa7f2533fff67026337c11558324db3fc4e3
7dae4dd284890c7d471e62b8e9d18f60ef6d24aaa28e31dcd7805d55723b3844
2f7fa88382210dc974ad20d7dd204655d5321cb220f7507bfbe57577c767d66a
b03dd474944f447c9c3aa056fb2043a8fb6b00b9fab926faf7c8edf7daa8a35d
8d77e4bcebfa77845ac1775d6ea0dbb44c8e874bffac615c334ef984b9b71ace
87e41dc2adfc3158321d04fbc7809d2b51c10c8508a31ef928be87fd6bbdb9cf
ae1c76298164414736639b05b24e5c12078d7cffb85163b92cde019d943a62d5
5d2841d221d5f4b73591f9972ece12a9382fb40146caa6e8691eba12ae138049
d3ca1ae43635e0ce29ef504685bb4486750fef8644d24400313493a2087ccaa8
530d2fe4c0d4d3e34991cc1abb0cf12ff24f22d1cd3e49a23cf73cef6ab137b5
ed8a2741526c390d94d57de34aad4e3d533ab02beb98f6dfe428c281ec37d279
10369f870c49a428be944ab43876b365b7029abc4b2e34a3ee994f2a96c20abd
8c92fe975db6f552f522fbd9a8e542ae2e78cc0c21bb5e316b883b23e0084038
8fdd895977065b5248f16aded86e5128fe208b5ca2b6ecb858a9e03f2d88bc79
d8e945322322e348f8ccd15cd7eb464b39f45664d831aa368398e64461869d05
351c8d8b35c127e116e63eae43fb4aa24ceec9d4ca93f67e1b94dc7d271f205a
SH256 hash:
c4c08164828fb44f560d3280508c816f44a378565e14bde3211ab1c897964f2b
MD5 hash:
80497b16af4d98ea57895777fca8c3ea
SHA1 hash:
6e3e7e8fedb39f34aaa42b99d6f49035ff503d18
Link:
https://www.unpac.me/results/796f311c-a2ef-4001-8018-0b03fecd6007/
SH256 hash:
ff1b42ea7d56a37eae801adbddb7116f52a4664c0b41302736f522852edc2747
MD5 hash:
89ac57478044c57c7195943116a521e0
SHA1 hash:
1ff2bafeed795423e3538d810bda8e1e3fcdcfa5
Link:
https://www.unpac.me/results/796f311c-a2ef-4001-8018-0b03fecd6007/
SH256 hash:
6c7cbf4b4eb2e90a7093cc03786942ca42c88c0cdd30397b1530530c7ad40ae9
MD5 hash:
0dd3274dc695112f7f33437d224b2674
SHA1 hash:
b5e9d05f8db3b081cd9c180ea16577f4d5a48cc3
Link:
https://www.unpac.me/results/796f311c-a2ef-4001-8018-0b03fecd6007/
Malware family:
SnakeKeylogger
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/6c7cbf4b4eb2/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.45
Link:
https://yomi.yoroi.company/submissions/6c7cbf4b4eb2e90a7093cc03786942ca42c88c0cdd30397b1530530c7ad40ae9

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

SnakeKeylogger

Executable exe 6c7cbf4b4eb2e90a7093cc03786942ca42c88c0cdd30397b1530530c7ad40ae9

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/2263990/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/359035/

Comments