MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 7115e54104d01f83c9561389268c68082f3b20d93bfe1469a5e8de614f3dd74e. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


SnakeKeylogger


Vendor detections: 10


Intelligence 10 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 7115e54104d01f83c9561389268c68082f3b20d93bfe1469a5e8de614f3dd74e
SHA3-384 hash: f75f2a50f52e5c72169811e2013f6cd673bd8528e5ac302050ab9f7492386d9d8833187b40ea2c7452f9dcde8f2d9b4e
SHA1 hash: f7ebb1550e6450e5d6d429ac36026fe0b016a706
MD5 hash: c78cd345bff52bfbf2dcf485e1ba8837
humanhash: mexico-south-golf-bluebird
File name:IMG_056029741000.exe
Download: download sample
Signature SnakeKeylogger
Create hunting rule
File size:429'568 bytes
First seen:2021-07-07 15:06:07 UTC
Last seen:2021-07-07 15:48:49 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'657 x AgentTesla, 19'469 x Formbook, 12'208 x SnakeKeylogger)
ssdeep 12288:l9qn1wgXrJCOWyGV6QVsCjqpm+8TRU253IZTc/:Hk2g7JCOpksCjwm+8TRU2WZo
Threatray 137 similar samples on MalwareBazaar
TLSH FB942286A301E6BAC7D976B6488BE0181E7E9D45C516EAD7956C3FAF3C7E302039013C
Reporter cocaman
Tags:exe SnakeKeylogger

Intelligence

File Origin
# of uploads :
2
# of downloads :
156
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
IMG_056029741000.exe
Verdict:
Malicious activity
Analysis date:
2021-07-07 15:09:48 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/8bd8f0ac-4594-4433-9e56-2d3815b71a9a

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Snake
Create hunting rule
Link:
https://www.capesandbox.com/analysis/170218/
Detection(s):
SecuriteInfo.com.Trojan.DownLoader40.29010.2288.24204.UNOFFICIAL
Create hunting rule

Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/cfb6c1cf-d30d-424b-b52a-331058945110
Result
Threat name:
Snake Keylogger
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/812958
Signature
.NET source code references suspicious native API functions
Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))
Found malware configuration
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Malicious sample detected (through community Yara rule)
May check the online IP address of the machine
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Mail credentials (via file access)
Writes to foreign memory regions
Yara detected Snake Keylogger
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 445370 Sample: IMG_056029741000.exe Startdate: 07/07/2021 Architecture: WINDOWS Score: 100 35 smtp.yandex.com 2->35 37 checkip.dyndns.org 2->37 39 3 other IPs or domains 2->39 61 Found malware configuration 2->61 63 Malicious sample detected (through community Yara rule) 2->63 65 Multi AV Scanner detection for dropped file 2->65 69 5 other signatures 2->69 7 IMG_056029741000.exe 1 7 2->7         started        11 office.exe 5 2->11         started        13 office.exe 2 2->13         started        signatures3 67 May check the online IP address of the machine 35->67 process4 file5 23 C:\Users\user\AppData\Roaming\...\office.exe, PE32 7->23 dropped 25 C:\Users\user\...\IMG_056029741000.exe, PE32 7->25 dropped 27 C:\Users\user\...\office.exe:Zone.Identifier, ASCII 7->27 dropped 33 2 other malicious files 7->33 dropped 71 Writes to foreign memory regions 7->71 73 Injects a PE file into a foreign processes 7->73 15 IMG_056029741000.exe 15 2 7->15         started        29 C:\Users\user\AppData\Local\Temp\office.exe, PE32 11->29 dropped 31 C:\Users\user\...\office.exe:Zone.Identifier, ASCII 11->31 dropped 19 office.exe 14 2 11->19         started        21 office.exe 13->21         started        signatures6 process7 dnsIp8 41 checkip.dyndns.org 15->41 43 smtp.yandex.ru 77.88.21.158, 49752, 49753, 49754 YANDEXRU Russian Federation 15->43 49 4 other IPs or domains 15->49 45 checkip.dyndns.org 19->45 47 131.186.113.70, 49771, 49772, 49776 DYNDNSUS United States 19->47 51 Multi AV Scanner detection for dropped file 19->51 53 May check the online IP address of the machine 19->53 55 Tries to steal Mail credentials (via file access) 19->55 59 2 other signatures 19->59 57 Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation)) 21->57 signatures9
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/7115e54104d01f83c9561389268c68082f3b20d93bfe1469a5e8de614f3dd74e/
Threat name:
ByteCode-MSIL.Trojan.Seraph
Create hunting rule
Status:
Malicious
First seen:
2021-07-07 03:57:29 UTC
File Type:
PE (.Net Exe)
Extracted files:
9
AV detection:
21 of 28 (75.00%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=oek6kqie2apyhskwcoesnddibaxtwigzhp7bi2nf5dpgctz525ha._file
Verdict:
malicious
Similar samples:
12fd71647d0ddc3a5619975288f310047162f1258765d337efaee411c9f7e7f4
SnakeKeylogger
2ee555b4d69513eed39976e0fb0e6a6165d20c30e8a4dcc1e55ea7e001dc1127
SnakeKeylogger
656a20e4d32cb66812ef2230416b3f3ee94ebcc37eb0d6111ce40116618a3cc7
SnakeKeylogger
83fef9d67405ca7975e04fc8c66e7d298809f90260d1b287f709a3bae49f502e
SnakeKeylogger
ad7d85c64078132c44de7e086537044fcab08ac86844798ceba10a758c3af4af
SnakeKeylogger
bdbba0c991f70ccddad27da903e5e689a6e762ac23ab78ffea10f389f55045c3
SnakeKeylogger
d09500f30f90dcdf6caac545bff9663876dc3a7de445d618e947ba64a5f4966b
SnakeKeylogger
e0da065f5de30c5ba0f494a5e042fadef310039fef35896a61756d49c6e21611
SnakeKeylogger
e8bc94b0faea9886f1fa39e0e9f609f2f266b3d7d812faad4b2ae9904b170b00
SnakeKeylogger
f65f899fc6cc494d6c59311f4a0519fa6ba0c9859c8ce13a5adc30aa9fd1817b
SnakeKeylogger
+ 127 additional samples on MalwareBazaar
Result
Malware family:
snakekeylogger
Create hunting rule
Score:
  10/10
Tags:
family:snakekeylogger keylogger persistence spyware stealer
Link:
https://tria.ge/reports/210707-xz261c7s5a/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Adds Run key to start application
Looks up external IP address via web service
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Snake Keylogger
Unpacked files
SH256 hash:
0a63a3a15b71869a893a192082dd4aa33a6b65c10418c5931bb90477b9497895
MD5 hash:
045060aaf1be40fe3d667b1c735447da
SHA1 hash:
2315857899432a1b9c2fe2283443f6fab59e5fc8
Link:
https://www.unpac.me/results/44d241a9-2948-4ccb-ba67-f928d19b7734/
SH256 hash:
ba7f1497e76bc1911b561adeaeebb17d2e68a6d6377fe66d2000283183a559ae
MD5 hash:
e11c4cd9ee51240172fb1979c7f5f37b
SHA1 hash:
cfa94b2cd7aeaeb0f40166a23cd33ff93e5239ff
Link:
https://www.unpac.me/results/44d241a9-2948-4ccb-ba67-f928d19b7734/
SH256 hash:
b20c971d1b5793ff4df8e0de2b4bf91e0b2537677121c959a2aa8c206995f520
MD5 hash:
abb8b31d5085352fab057a20c3758e4e
SHA1 hash:
268aca84b4707c2b280c9ae71a0013569e350e9c
Link:
https://www.unpac.me/results/44d241a9-2948-4ccb-ba67-f928d19b7734/
SH256 hash:
7115e54104d01f83c9561389268c68082f3b20d93bfe1469a5e8de614f3dd74e
MD5 hash:
c78cd345bff52bfbf2dcf485e1ba8837
SHA1 hash:
f7ebb1550e6450e5d6d429ac36026fe0b016a706
Link:
https://www.unpac.me/results/44d241a9-2948-4ccb-ba67-f928d19b7734/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/7115e54104d01f83c9561389268c68082f3b20d93bfe1469a5e8de614f3dd74e

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

SnakeKeylogger

uue 23e91abfddaa3f52f22f4768119dfeb13b0f659b1d97078912dace317afb38c1

SnakeKeylogger

Executable exe 7115e54104d01f83c9561389268c68082f3b20d93bfe1469a5e8de614f3dd74e

(this sample)

  
Delivery method
Other
  
Dropped by
SHA256 23e91abfddaa3f52f22f4768119dfeb13b0f659b1d97078912dace317afb38c1
Cape
Cape
https://www.capesandbox.com/analysis/170218/
  
URLhaus
https://urlhaus.abuse.ch/url/1434058/

Comments