MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 6e465bbc2fe0c1a5cd112367facfb57b11f10c9cad8fa10514d73a977cb636cf. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

SnakeKeylogger

Vendor detections: 14

Intelligence 14 IOCs YARA 9 File information Comments

SHA256 hash:	6e465bbc2fe0c1a5cd112367facfb57b11f10c9cad8fa10514d73a977cb636cf
SHA3-384 hash:	a290ddbee066b1f3b1bd3183c50d7e4c71417947546aad91fb7903fb11e74e6a846e69edeff217039d3ad7d4053805b6
SHA1 hash:	1b40d3632d62ff05ad93aa9e02cfef4e0b3d1cb6
MD5 hash:	a413ad7ac1514409f8c5c84487ae57fc
humanhash:	indigo-india-winner-high
File name:	a413ad7ac1514409f8c5c84487ae57fc.exe
Download:	download sample
Signature	SnakeKeylogger Create hunting rule
File size:	130'048 bytes
First seen:	2022-10-11 06:35:29 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'740 x AgentTesla, 19'602 x Formbook, 12'241 x SnakeKeylogger)
ssdeep	3072:uzRJAs3QPzWJ3H6gfzO4Nb8NRwBl2FbY:slN7Jbnyb
Threatray	4'479 similar samples on MalwareBazaar
TLSH	T10AD3081D3BFC8800E5FF8A7315B19211D7B5F862091ACD1D5AC1F9592A7CA90CE1AFA3
TrID	60.4% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13) 10.8% (.SCR) Windows screen saver (13101/52/3) 8.6% (.EXE) Win64 Executable (generic) (10523/12/4) 5.4% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 4.1% (.EXE) Win16 NE executable (generic) (5038/12/1)
Reporter	abuse_ch
Tags:	exe SnakeKeylogger

Intelligence

File Origin

# of uploads :

# of downloads :

201

Origin country :

n/a

Vendor Threat Intelligence

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/318773/

Detection(s):

Win.Malware.Snake-9953539-0

Win.Packed.Msilperseus-9956591-0

Result

Verdict:

Malware

Maliciousness:

Behaviour

Сreating synchronization primitives

DNS request

Sending an HTTP GET request

Reading critical registry keys

Creating a window

Forced shutdown of a browser

Verdict:

Likely Malicious

Threat level:

7.5/10

Confidence:

100%

Tags:

anti-vm cmd.exe evasive hacktool stealer stealer

Link:

https://www.filescan.io/uploads/63450ed6b321c2e8ff63edad/reports/581e48f1-b0fc-4b19-8267-18f83ce9939d/overview

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Snake Keylogger

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/3b2525fa-74ec-4572-9ff0-1c85c0170f66

Result

Threat name:

Snake Keylogger

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1087687

Signature

.NET source code references suspicious native API functions

Antivirus / Scanner detection for submitted sample

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

May check the online IP address of the machine

Multi AV Scanner detection for submitted file

Snort IDS alert for network traffic

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to steal Mail credentials (via file / registry access)

Yara detected Generic Downloader

Yara detected Snake Keylogger

Yara detected Telegram RAT

Behaviour

Behavior Graph:

Download SVG

Detection:

404keylogger

Link:

https://mwdb.cert.pl/sample/6e465bbc2fe0c1a5cd112367facfb57b11f10c9cad8fa10514d73a977cb636cf/

Threat name:

ByteCode-MSIL.Infostealer.Mintluks

Status:

Malicious

First seen:

2022-10-07 15:11:36 UTC

File Type:

PE (.Net Exe)

Extracted files:

AV detection:

23 of 25 (92.00%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=nzdfxpbp4da2ltirent7vt5vpmi7cde4vwh2cbiu245jo7fwg3hq._file

Verdict:

malicious

SnakeKeylogger

64ef1f3617be869ae5492ff2fb24a461ffef5000cb22a081d85e767ff6ff7f5f

SnakeKeylogger

6f50e2e2e8aa71712037f52d18526729f0aff68865f075b7d620db1ff35fb9b9

SnakeKeylogger

815c6080309b5634b566d02344c04b3578d87c9f5502d3467a3cd4b7711ad2c8

SnakeKeylogger

90280c7a3af8de5451e55f58d30d64572df9c0431471bb084292d202263126f8

SnakeKeylogger

96a016bd56788ea8881e423f3d718318d84ee3007c7980617bc17cb078192037

SnakeKeylogger

9a1e8fcd1d400339ca39f030a49bac8062c5bf9e0d025727964b475c59094531

SnakeKeylogger

dc5bccc49bb0d66f7a484994101b62f0ec97e389ceed90dafdcba519e71aebbe

SnakeKeylogger

+ 4'469 additional samples on MalwareBazaar

Result

Malware family:

snakekeylogger

Score:

10/10

Tags:

family:snakekeylogger collection keylogger spyware stealer

Link:

https://tria.ge/reports/221011-hcx35aada7/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

outlook_office_path

outlook_win_path

Program crash

Accesses Microsoft Outlook profiles

Looks up external IP address via web service

Reads data files stored by FTP clients

Reads user/profile data of local email clients

Reads user/profile data of web browsers

Snake Keylogger

Snake Keylogger payload

Malware Config

C2 Extraction:

https://api.telegram.org/bot5321688653:AAEI2yqGrOA_-sRZ3xaqutrexraSgFa0AnA/sendMessage?chat_id=5048077662

Verdict:

Suspicious

Tags:

n/a

YARA:

n/a

Link:

https://app.threat.zone/submission/5741d937-add4-4a5b-b5f4-e524b03a3cce

Unpacked files

SH256 hash:

6e465bbc2fe0c1a5cd112367facfb57b11f10c9cad8fa10514d73a977cb636cf

MD5 hash:

a413ad7ac1514409f8c5c84487ae57fc

SHA1 hash:

1b40d3632d62ff05ad93aa9e02cfef4e0b3d1cb6

Detections:

snake_keylogger

Link:

https://www.unpac.me/results/4f00b874-5066-4d33-a1cc-682c62b6ffae/

Parent samples :

161a834887fbcd4334a80bbfe0f12135c141e785a33074994c5a4c1058c6a2af
187a0f84977a9d61db5edf2dbce59a19e6230d5515c7f03e3ff4ee6708625801
50aa5db985f95593f86305ab4d8b662964037c6ba02f269b307754f715706d1d
07e31a5e8c561c60b4a1768f68bd0699db9e5b185f03d6170d735e2b92da1f4e
2e7e24e750feec58b36081d802f9940ef63a7f926d5b95b103f6636dfc6a1195
a1033dfe29833b0ec5157f522f3e77de26462376efa1e6492d212ea767fbfced
6e465bbc2fe0c1a5cd112367facfb57b11f10c9cad8fa10514d73a977cb636cf
f9c997cdd5a607373967acf37e275d11081b7c9b95cd2b0b7def35b015433a8d

Malware family:

SnakeKeylogger

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/6e465bbc2fe0/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Suspicious File

Score:

0.35

Link:

https://yomi.yoroi.company/submissions/6e465bbc2fe0c1a5cd112367facfb57b11f10c9cad8fa10514d73a977cb636cf

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	INDICATOR_SUSPICIOUS_Binary_References_Browsers Create hunting rule
Author:	ditekSHen
Description:	Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers.

Rule name:	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook Create hunting rule
Author:	ditekSHen
Description:	Detects executables with potential process hoocking

Rule name:	INDICATOR_SUSPICIOUS_EXE_References_Messaging_Clients Create hunting rule
Author:	ditekSHen
Description:	Detects executables referencing many email and collaboration clients. Observed in information stealers

Rule name:	INDICATOR_SUSPICIOUS_EXE_TelegramChatBot Create hunting rule
Author:	ditekSHen
Description:	Detects executables using Telegram Chat Bot

Rule name:	MALWARE_Win_SnakeKeylogger Create hunting rule
Author:	ditekSHen
Description:	Detects Snake Keylogger

Rule name:	MAL_Envrial_Jan18_1 Create hunting rule
Author:	Florian Roth
Description:	Detects Encrial credential stealer malware
Reference:	https://twitter.com/malwrhunterteam/status/953313514629853184

Rule name:	MAL_Envrial_Jan18_1_RID2D8C Create hunting rule
Author:	Florian Roth
Description:	Detects Encrial credential stealer malware
Reference:	https://twitter.com/malwrhunterteam/status/953313514629853184

Rule name:	pe_imphash Create hunting rule

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/318773/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample