MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 71502ec97fe97e6d1699f4ceed785c3b1dc7ccfefea401a55409154a4428b649. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


SnakeKeylogger


Vendor detections: 11


Intelligence 11 IOCs YARA 5 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 71502ec97fe97e6d1699f4ceed785c3b1dc7ccfefea401a55409154a4428b649
SHA3-384 hash: 66acb2025ae5a9fe52043fa0d05a9c43f19cac28846b956ab1ee3a02c9f4339f27340b5bfb231d48f5d0c726d5a2fd40
SHA1 hash: c62566fff9a9fd74c09c74955897263a24d7172e
MD5 hash: 1a567a3403ef8f73a27c36a55d57f147
humanhash: fifteen-five-black-monkey
File name:cryyyyyy.exe
Download: download sample
Signature SnakeKeylogger
Create hunting rule
File size:5'632 bytes
First seen:2021-09-28 09:21:02 UTC
Last seen:2021-10-04 09:15:01 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 96:Jpt6lBCrnPgZ8bMEhX9n35VnZUgVnzNt:KkgS35XRL
Threatray 1'133 similar samples on MalwareBazaar
TLSH T136C193119BE88739F6B38B799CB793016174FB21892BCB1D25C0121E6D223548E62FB2
Reporter abuse_ch
Tags:exe SnakeKeylogger

Intelligence

File Origin
# of uploads :
3
# of downloads :
119
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
cryyyyyy.exe
Verdict:
Malicious activity
Analysis date:
2021-09-28 09:25:41 UTC
Tags:
trojan snakekeylogger keylogger evasion
Link:
https://app.any.run/tasks/bd5aa832-ddf7-4533-a16c-4a7c8f83a863

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Snake
Create hunting rule
Link:
https://www.capesandbox.com/analysis/192581/
Detection(s):
SecuriteInfo.com.W32.MSIL_Kryptik.EHH.genEldorado.19658.8902.UNOFFICIAL
Create hunting rule

Result
Verdict:
Clean
Maliciousness:

Behaviour
Launching a process
Creating a file in the %temp% directory
Creating a window
Malware family:
Snake Keylogger
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/d7bcdf30-37b5-4a1e-9356-320f5d90e8e3
Result
Threat name:
Snake Keylogger
Create hunting rule
Detection:
malicious
Classification:
spre.troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/860190
Signature
.NET source code contains potential unpacker
.NET source code references suspicious native API functions
Allocates memory in foreign processes
Found malware configuration
Injects a PE file into a foreign processes
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
May check the online IP address of the machine
Multi AV Scanner detection for submitted file
Sigma detected: Bad Opsec Defaults Sacrificial Processes With Improper Arguments
Sigma detected: RegAsm connects to smtp port
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Mail credentials (via file access)
Writes to foreign memory regions
Yara detected Snake Keylogger
Yara detected Telegram RAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 492626 Sample: cryyyyyy.exe Startdate: 28/09/2021 Architecture: WINDOWS Score: 100 32 okurmakina.com.tr 2->32 34 mail.okurmakina.com.tr 2->34 58 Found malware configuration 2->58 60 Malicious sample detected (through community Yara rule) 2->60 62 Multi AV Scanner detection for submitted file 2->62 64 7 other signatures 2->64 7 cryyyyyy.exe 15 3 2->7         started        12 cryyyyyy.exe 2 2->12         started        14 cryyyyyy.exe 2 2->14         started        signatures3 process4 dnsIp5 36 cdn.discordapp.com 162.159.130.233, 443, 49732 CLOUDFLARENETUS United States 7->36 48 3 other IPs or domains 7->48 24 C:\Users\user\AppData\...\cryyyyyy.exe.log, ASCII 7->24 dropped 66 Writes to foreign memory regions 7->66 68 Allocates memory in foreign processes 7->68 70 Injects a PE file into a foreign processes 7->70 16 RegAsm.exe 15 2 7->16         started        38 162.159.134.233, 443, 49741, 49744 CLOUDFLARENETUS United States 12->38 40 145.14.144.31, 443, 49739 AWEXUS Netherlands 12->40 42 hwidlocksystem.000webhostapp.com 12->42 20 RegAsm.exe 12->20         started        44 145.14.144.124, 443, 49743 AWEXUS Netherlands 14->44 46 hwidlocksystem.000webhostapp.com 14->46 22 RegAsm.exe 14->22         started        file6 signatures7 process8 dnsIp9 26 okurmakina.com.tr 80.253.246.41, 49740, 49745, 49746 ONLINENETTR Turkey 16->26 28 mail.okurmakina.com.tr 16->28 30 3 other IPs or domains 16->30 50 May check the online IP address of the machine 16->50 52 Tries to steal Mail credentials (via file access) 16->52 54 Tries to harvest and steal ftp login credentials 16->54 56 Tries to harvest and steal browser information (history, passwords, etc) 16->56 signatures10
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/71502ec97fe97e6d1699f4ceed785c3b1dc7ccfefea401a55409154a4428b649/
Threat name:
ByteCode-MSIL.Trojan.Pwsx
Create hunting rule
Status:
Malicious
First seen:
2021-09-28 09:22:12 UTC
AV detection:
11 of 45 (24.44%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=ofic5sl75f7g2fuz6tho26c4hmo4pth672sadjkubekuurbiwzeq._file
Verdict:
malicious
Similar samples:
185b0943e47ff2499a805f751a20dfd58ef018e9e20f170a51cfd9d009992803
SnakeKeylogger
62488642461ae96d137e5f3a8cadecc900975889cc9f2c8b94894ba0cf1204c6
SnakeKeylogger
69419ba7304d09433d838fb5676eb82348f1e9cf44e4c52680eeec31c28931fd
SnakeKeylogger
91e8763b50b0155b4984134d95d36fb9d92bca3a5db8d37bb75ff8faf88dbc63
SnakeKeylogger
a015aa57b2e361f3b8e160f62783aa8dcc602a6798031bcb5112d77890d0b4fa
SnakeKeylogger
d3ac98cf64ca2fca455b2e4f002c3381bcee699cf64bbfaa076222209f834b1a
SnakeKeylogger
dc157362e9c0469b3d8909770c5879a1e5cbaa6ae5e0d8203c536cbce6131901
SnakeKeylogger
e419efc94e3209360dcacc40d27f3b45983940b490e89b5085226c172016eb2b
SnakeKeylogger
f77b168fb3327ee43fbe2c0e8d0f2d3ae51ef165571576989186f6ed93177559
SnakeKeylogger
f8ade39a8a4d146876556bcd93a09dc4b2f1ffe5adb33cf25f633171ba1f66f4
SnakeKeylogger
+ 1'123 additional samples on MalwareBazaar
Result
Malware family:
snakekeylogger
Create hunting rule
Score:
  10/10
Tags:
family:snakekeylogger keylogger persistence spyware stealer
Link:
https://tria.ge/reports/210928-lbdjwabch2/
Behaviour
Modifies system certificate store
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Adds Run key to start application
Looks up external IP address via web service
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Downloads MZ/PE file
Snake Keylogger
Unpacked files
SH256 hash:
71502ec97fe97e6d1699f4ceed785c3b1dc7ccfefea401a55409154a4428b649
MD5 hash:
1a567a3403ef8f73a27c36a55d57f147
SHA1 hash:
c62566fff9a9fd74c09c74955897263a24d7172e
Link:
https://www.unpac.me/results/cef63c40-8e18-4864-b684-31901057fa8d/
Malware family:
Phoenix
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/71502ec97fe9/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/71502ec97fe97e6d1699f4ceed785c3b1dc7ccfefea401a55409154a4428b649

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_SUSPICIOUS_EXE_DiscordURL
Create hunting rule
Author:ditekSHen
Description:Detects executables Discord URL observed in first stage droppers
Rule name:INDICATOR_SUSPICIOUS_Stomped_PECompilation_Timestamp_InTheFuture
Create hunting rule
Author:ditekSHen
Description:Detect executables with stomped PE compilation timestamp that is greater than local current time
Rule name:pe_imphash
Create hunting rule
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

SnakeKeylogger

Executable exe 71502ec97fe97e6d1699f4ceed785c3b1dc7ccfefea401a55409154a4428b649

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/192581/

Comments