MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 6cf693bad16af8a716014d5dbf978dcfad1d39c3e079ac383c4bd0870d583c96. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

SnakeKeylogger

Vendor detections: 16

Intelligence 16 IOCs YARA 14 File information Comments

SHA256 hash:	6cf693bad16af8a716014d5dbf978dcfad1d39c3e079ac383c4bd0870d583c96
SHA3-384 hash:	769724b4414b137e0c27e0b3dccab627b19ddf82075de5740d0ed9f56e452b2a180c01f04b0a85ce6979317c1a37cf0c
SHA1 hash:	8eeb3056f47f309ad4406674f697e6ce9218b5af
MD5 hash:	a1d640a8696f12bda8457ef6dd4a97cb
humanhash:	grey-july-five-three
File name:	SecuriteInfo.com.Win32.PWSX-gen.19982.23217
Download:	download sample
Signature	SnakeKeylogger Create hunting rule
File size:	423'424 bytes
First seen:	2023-10-16 11:50:56 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'662 x AgentTesla, 19'474 x Formbook, 12'208 x SnakeKeylogger)
ssdeep	6144:Jf8zGBIKD2SJMzodRpUZNFvzsB8TPCUnEi38UIRZdk6ceh9X3P9lRc:N8zGfD2S+j5sB8uU21k6ceXm
Threatray	5'772 similar samples on MalwareBazaar
TLSH	T1C094BE8626FCDA9AF43A17F19272A308132E7E1FE19CE5512EC636C590B1BC18D15EC7
TrID	63.0% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13) 11.2% (.SCR) Windows screen saver (13097/50/3) 9.0% (.EXE) Win64 Executable (generic) (10523/12/4) 5.6% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 3.8% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):
dhash icon	80a8a0acac808880 (1 x SnakeKeylogger)
Reporter	SecuriteInfoCom
Tags:	exe SnakeKeylogger

Intelligence

File Origin

# of uploads :

# of downloads :

321

Origin country :

Vendor Threat Intelligence

Detection:

Snake

Link:

https://www.capesandbox.com/analysis/454847/

Detection(s):

SecuriteInfo.com.Win32.PWSX-gen.19982.23217.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Searching for the window

Unauthorized injection to a recently created process

Restart of the analyzed sample

Creating a file

Сreating synchronization primitives

DNS request

Sending an HTTP GET request

Reading critical registry keys

Sending a custom TCP request

Creating a window

Forced shutdown of a browser

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

packed remcos

Link:

https://www.filescan.io/uploads/652d23a7e66ef03f1779b068/reports/a7118561-05f8-492a-89ba-fe077e74a94b/overview

Verdict:

Malicious

Labled as:

Win/malicious_confidence_100%

Link:

https://www.hybrid-analysis.com/sample/6cf693bad16af8a716014d5dbf978dcfad1d39c3e079ac383c4bd0870d583c96

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Snake Keylogger

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/b1b2208c-2555-4538-b9f2-507d64ba397c

Result

Threat name:

Snake Keylogger

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1326447

Signature

.NET source code contains potential unpacker

.NET source code references suspicious native API functions

Antivirus / Scanner detection for submitted sample

Found malware configuration

Injects a PE file into a foreign processes

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Mail credentials (via file / registry access)

Yara detected Generic Downloader

Yara detected Snake Keylogger

Yara detected Telegram RAT

Behaviour

Behavior Graph:

Download SVG

Score:

100%

Verdict:

Malware

File Type:

Link:

https://malprob.io/report/6cf693bad16af8a716014d5dbf978dcfad1d39c3e079ac383c4bd0870d583c96

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/6cf693bad16af8a716014d5dbf978dcfad1d39c3e079ac383c4bd0870d583c96/

Threat name:

ByteCode-MSIL.Trojan.SnakeStealer

Status:

Malicious

First seen:

2023-10-16 11:51:07 UTC

File Type:

PE (.Net Exe)

Extracted files:

AV detection:

20 of 23 (86.96%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=nt3jhowrnl4kofqbjvo37f4nz6wr2ood4b42yob4jpiiodkyhsla._file

Verdict:

malicious

SnakeKeylogger

3e6e127fca912f8729025ec259e391805ff42648fa75c34f9ccc6551cb7fba55

SnakeKeylogger

41ccb4c165200571b2d10047d7e25c85e7a270c2bb6c3438c7f8edce7dc2fc9c

SnakeKeylogger

62c1d71fff5293071772735f75960544716be3c3ee5996c6889f3ef3b4e7bcec

SnakeKeylogger

6caab57198e2e3cc5833f0b578e193c99230595f66ab98eb00f0fdae7d8c2c8a

SnakeKeylogger

765daa6202872b486382897bb06f4e17522fc29173677ea38e6e3451c5fb5d3e

SnakeKeylogger

afea8e29447ebe85480428e2ad947457d515968694dcb5d721886ad1d5945459

SnakeKeylogger

b9d4088106a3a557fb5d909c8c5b921971704d7b764306ee4190cefd9b8d89b0

SnakeKeylogger

bd38a5ec8fe7f50647e8d16d119058656f5099d99ef1713081add04dcea453fa

SnakeKeylogger

eb129d9324fffc4f901285201177387057e3d6c8f34e93aab8b08eee5b44dcb9

SnakeKeylogger

+ 5'762 additional samples on MalwareBazaar

Result

Malware family:

snakekeylogger

Score:

10/10

Tags:

family:snakekeylogger collection keylogger spyware stealer

Link:

https://tria.ge/reports/231016-nz5z5sfh86/

Behaviour

Modifies system certificate store

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

outlook_office_path

outlook_win_path

Suspicious use of SetThreadContext

Accesses Microsoft Outlook profiles

Looks up external IP address via web service

Reads user/profile data of local email clients

Reads user/profile data of web browsers

Snake Keylogger

Snake Keylogger payload

Unpacked files

SH256 hash:

0ef854fb0220a7bcbb00f68383bd145a05458cf71c462792bf6def2955c0ecf6

MD5 hash:

fcf3f887753615b27b69ce3d7ae1e515

SHA1 hash:

ce4218ac69530f36d3fa1a2bead32cb86f2cf324

Detections:

snake_keylogger

win_404keylogger_g1

Link:

https://www.unpac.me/results/d569e4b7-759d-4d87-9296-bc4591ae16c4/

SH256 hash:

2df81b7a7580dd8099502f1caaf6ecf3af80d9b04ffe32cf2ac7834d944cc1f2

MD5 hash:

4cfae6afed1c1626499592c0d6711f93

SHA1 hash:

9f41bbd487e22867d3942e0db7a394ae00a69009

Link:

https://www.unpac.me/results/d569e4b7-759d-4d87-9296-bc4591ae16c4/

SH256 hash:

b5e0be18a86c8ccb34f27ec1726ba855d2bd82610a1f5cc1e13980078e09e0cc

MD5 hash:

5cf35f902ce3132a145cd929f7584b6a

SHA1 hash:

45e6f1f3eb8c1b87e156e64cd3dabfff96c32a66

Link:

https://www.unpac.me/results/d569e4b7-759d-4d87-9296-bc4591ae16c4/

SH256 hash:

6cf693bad16af8a716014d5dbf978dcfad1d39c3e079ac383c4bd0870d583c96

MD5 hash:

a1d640a8696f12bda8457ef6dd4a97cb

SHA1 hash:

8eeb3056f47f309ad4406674f697e6ce9218b5af

Link:

https://www.unpac.me/results/d569e4b7-759d-4d87-9296-bc4591ae16c4/

Malware family:

SnakeKeylogger

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/6cf693bad16a/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

iSpy Keylogger

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/6cf693bad16af8a716014d5dbf978dcfad1d39c3e079ac383c4bd0870d583c96

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	crime_snake_keylogger Create hunting rule
Author:	Rony (r0ny_123)
Description:	Detects Snake keylogger payload

Rule name:	INDICATOR_SUSPICIOUS_Binary_References_Browsers Create hunting rule
Author:	ditekSHen
Description:	Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers.

Rule name:	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook Create hunting rule
Author:	ditekSHen
Description:	Detects executables with potential process hoocking

Rule name:	INDICATOR_SUSPICIOUS_EXE_References_Messaging_Clients Create hunting rule
Author:	ditekSHen
Description:	Detects executables referencing many email and collaboration clients. Observed in information stealers

Rule name:	INDICATOR_SUSPICIOUS_EXE_TelegramChatBot Create hunting rule
Author:	ditekSHen
Description:	Detects executables using Telegram Chat Bot

Rule name:	MALWARE_Win_SnakeKeylogger Create hunting rule
Author:	ditekSHen
Description:	Detects Snake Keylogger

Rule name:	MAL_Envrial_Jan18_1 Create hunting rule
Author:	Florian Roth (Nextron Systems)
Description:	Detects Encrial credential stealer malware
Reference:	https://twitter.com/malwrhunterteam/status/953313514629853184

Rule name:	MAL_Envrial_Jan18_1_RID2D8C Create hunting rule
Author:	Florian Roth
Description:	Detects Encrial credential stealer malware
Reference:	https://twitter.com/malwrhunterteam/status/953313514629853184

Rule name:	NET Create hunting rule
Author:	malware-lu

Rule name:	NETexecutableMicrosoft Create hunting rule
Author:	malware-lu

Rule name:	pe_imphash Create hunting rule

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

Rule name:	Windows_Trojan_SnakeKeylogger_af3faa65 Create hunting rule
Author:	Elastic Security

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/454847/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample