MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 73875929249b6d42c502bd5117b0ac0934bf8936922042843f87d6cc02bd6b90. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



SnakeKeylogger


Vendor detections: 8



SHA256 hash: 73875929249b6d42c502bd5117b0ac0934bf8936922042843f87d6cc02bd6b90
SHA3-384 hash: 4f323f5ca93453f53fe5f88a96e2b99aa5d00cc6a416518cf097caf6437461fb6620b25932585af697c86c4235847693
SHA1 hash: e0fc13a4fa9fc53acb8470f60134bae96eb48c05
MD5 hash: becc9c4709bbee070275cd42acfc02c9
humanhash: berlin-cold-equal-undress
File name: becc9c4709bbee070275cd42acfc02c9.exe
Signature: SnakeKeylogger
File size: 298'496 bytes
First seen: 2021-06-07 15:13:50 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'657 x AgentTesla, 19'468 x Formbook, 12'206 x SnakeKeylogger)
ssdeep 3072:TKskEXLXnSeEmhCLNdcXQsaYZMXFukHkKPbeUgmeVbazCj8KxqI8QetSB4jDy2Y5:eHpmkYXQsa1EfNNtV8FSdTe2
Threatray 232 similar samples on MalwareBazaar
TLSH 1C54BEA2030DCDDCF29A4778442C9B6209563F660DC64DCD9A9DBEF02CB26DE519E07E
Reporter abuse_ch
Tags:exe SnakeKeylogger
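The record above carries four digests and an imphash that is shared with tens of thousands of AgentTesla and Formbook samples. As an added example (not MalwareBazaar's own code), the Python below checks a downloaded file against every field in this record, reports partial matches separately, and parses the imphash family counts to show how weak that hash is as a SnakeKeylogger-specific pivot. The record values are copied from this page; the function names, the family-share calculation and the constructed bytes in demo() are this example's own.

```python
"""Check a downloaded sample against this MalwareBazaar record and weigh the imphash pivot.

Added example for this page, not MalwareBazaar's own code.  RECORD and IMPHASH_LINE are
copied from the entry above; everything else (function names, the bytes in demo()) is
this example's own construction.
"""
import hashlib
import re

# Values copied from the MalwareBazaar entry above.
RECORD = {
    "sha256": "73875929249b6d42c502bd5117b0ac0934bf8936922042843f87d6cc02bd6b90",
    "sha1": "e0fc13a4fa9fc53acb8470f60134bae96eb48c05",
    "md5": "becc9c4709bbee070275cd42acfc02c9",
    "sha3_384": "4f323f5ca93453f53fe5f88a96e2b99aa5d00cc6a416518cf097caf6437461fb6620b25932585af697c86c4235847693",
    "size": 298496,
}
IMPHASH_LINE = ("f34d5f2d4577ed6d9ceec516c1f5a744 "
                "(48'657 x AgentTesla, 19'468 x Formbook, 12'206 x SnakeKeylogger)")


def hash_report(data):
    """Digests in the same algorithms MalwareBazaar lists, plus the byte length."""
    report = {name: hashlib.new(name, data).hexdigest()
              for name in ("md5", "sha1", "sha256", "sha3_384")}
    report["size"] = len(data)
    return report


def verify(data, record):
    """Compare every field the record carries.  A partial match (MD5 agrees but SHA256
    does not, say) is worth flagging on its own: it points at a tampered download or a
    collision rather than at a plain wrong file."""
    report = hash_report(data)
    mismatch = sorted(k for k, v in record.items() if k in report and report[k] != v)
    matched = sorted(k for k in record if k in report and k not in mismatch)
    return {"ok": not mismatch, "mismatch": mismatch, "matched": matched, "report": report}


def parse_imphash_line(line):
    """Parse 'imphash (N x Family, ...)' as printed on the page into (imphash, {family: N})."""
    m = re.fullmatch(r"([0-9a-f]{32})\s*\((.*)\)", line.strip())
    if not m:
        raise ValueError("unexpected imphash line: %r" % line)
    imphash, body = m.groups()
    counts = {}
    for item in body.split(","):
        cm = re.fullmatch(r"\s*([\d']+)\s*x\s*(\S+)\s*", item)
        if not cm:
            raise ValueError("unexpected family count: %r" % item)
        counts[cm.group(2)] = int(cm.group(1).replace("'", ""))
    return imphash, counts


def pivot_share(counts, family):
    """Fraction of samples carrying this imphash that belong to `family`.  A low share
    means the imphash identifies a packer or build template shared across families,
    not SnakeKeylogger itself, so it should pivot to candidates, not to verdicts."""
    total = sum(counts.values())
    return counts.get(family, 0) / total if total else 0.0


def demo():
    # Constructed bytes standing in for a download; they will not match the record.
    fake_download = b"MZ" + b"\x00" * 62
    result = verify(fake_download, RECORD)
    imphash, counts = parse_imphash_line(IMPHASH_LINE)
    return result["ok"], imphash, round(pivot_share(counts, "SnakeKeylogger"), 3)


if __name__ == "__main__":
    print(demo())
```

Run stand-alone it prints (False, 'f34d5f2d4577ed6d9ceec516c1f5a744', 0.152): only about 15% of the samples sharing this imphash are SnakeKeylogger, so a match on it alone says "look at this" rather than "this is SnakeKeylogger". Compare on the SHA256 before trusting any other field.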

Intelligence


File Origin
# of uploads: 1
# of downloads: 289
Origin country: n/a
Vendor Threat Intelligence
Malware family: n/a
ID: 1
File name: becc9c4709bbee070275cd42acfc02c9.exe
Verdict: Malicious activity
Analysis date: 2021-06-07 15:34:11 UTC
Tags: evasion trojan

Note:
ANY.RUN is an interactive sandbox, so its verdict reflects all user actions in the session, not only the uploaded sample.
Result
Verdict: Malware
Maliciousness:

Behaviour
Sending a UDP request
Launching the default Windows debugger (dwwin.exe)
Result
Verdict: UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of such a binary can be suspicious or malicious.
Result
Threat name: Snake Keylogger
Detection: malicious
Classification: troj.spyw.evad
Score: 100 / 100
Signature
.NET source code contains potential unpacker
Allocates memory in foreign processes
Creates an undocumented autostart registry key
Found malware configuration
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
May check the online IP address of the machine
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Mail credentials (via file access)
Writes to foreign memory regions
Yara detected Beds Obfuscator
Yara detected Snake Keylogger
Behaviour
Behavior Graph ID: 430635
Sample: l8t6t9C5Mi.exe
Startdate: 07/06/2021
Architecture: WINDOWS
Score: 100
Top-level signatures: Found malware configuration; Multi AV Scanner detection for dropped file; Multi AV Scanner detection for submitted file; 5 other signatures
Process tree (graph node ids in brackets):
[6] l8t6t9C5Mi.exe started
    Dropped files: C:\Users\user\AppData\Roaming\...\firef0x.exe (PE32); C:\Users\user\AppData\...\l8t6t9C5Mi.exe (PE32); C:\Users\user\...\firef0x.exe:Zone.Identifier (ASCII); 2 other malicious files
    Signatures: Creates an undocumented autostart registry key; Writes to foreign memory regions; Allocates memory in foreign processes; Injects a PE file into a foreign processes
    [10] l8t6t9C5Mi.exe started (child of [6])
        DNS / IP: checkip.dyndns.org; checkip.dyndns.com 162.88.193.70 (ports 49717, 49718, 49720; DYNDNSUS, United States); 2 other IPs or domains
        Signatures: Tries to steal Mail credentials (via file access); Tries to harvest and steal ftp login credentials; Tries to harvest and steal browser information (history, passwords, etc)
    [14] l8t6t9C5Mi.exe started (child of [6])
        Signatures: Multi AV Scanner detection for dropped file; May check the online IP address of the machine; Machine Learning detection for dropped file
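The behaviour graph above gives a hunting chain: a DNS lookup of checkip.dyndns.org / checkip.dyndns.com, a connection to 162.88.193.70, firef0x.exe dropped under AppData\Roaming with a Zone.Identifier stream, and an autostart registry key. The following is an added example, not MalwareBazaar's or the sandbox vendor's code, that turns those indicators into a scoring rule set over Sysmon-style events. The Sysmon event IDs and field names are standard; the Run-key pattern (the report does not name the autostart key), the rule weights, the threshold and the events in SAMPLE_EVENTS are this example's own assumptions and constructions. One caveat the weights encode: 162.88.193.70 is the DynDNS check-ip service, also used by legitimate software, so it is a weak pivot and not a sensible block-list entry.

```python
"""Hunt for the behaviour in the sandbox report above in Sysmon-style telemetry.

Added example for this page, not MalwareBazaar's or any sandbox vendor's code.  The
indicators come from the report (checkip.dyndns.org/.com, 162.88.193.70, firef0x.exe under
AppData\\Roaming with a Zone.Identifier stream, an autostart registry key).  Sysmon event
IDs and field names are standard Sysmon; the Run-key pattern, rule weights, threshold and
SAMPLE_EVENTS are this example's own assumptions and constructions.
"""
import re
from collections import defaultdict

EID_NETWORK_CONNECT = 3
EID_FILE_CREATE = 11
EID_REGISTRY_SET = 13
EID_FILE_STREAM_CREATE = 15   # alternate data streams such as Zone.Identifier
EID_DNS_QUERY = 22

CHECKIP_DOMAIN = re.compile(r"checkip\.dyndns\.(org|com)", re.I)
# 162.88.193.70 is the DynDNS check-ip service, not attacker infrastructure: a weak
# indicator for hunting and not a block-list entry.
CHECKIP_IP = "162.88.193.70"
# The report shows the drop as C:\Users\user\AppData\Roaming\...\firef0x.exe; the
# elided subfolder is allowed to be anything here (assumption).
DROPPED_FILE = re.compile(
    r"\\AppData\\Roaming\\(?:.*\\)?firef0x\.exe(?::Zone\.Identifier)?$", re.I)
# Assumption: the "undocumented autostart registry key" is one of the usual Run keys.
RUN_KEY = re.compile(r"\\CurrentVersion\\Run(?:Once)?\\", re.I)

# Weights are this example's own; the external-IP lookup alone must not reach the threshold.
WEIGHTS = {"external_ip_lookup": 1, "dropped_firef0x": 3, "autostart_firef0x": 3}
THRESHOLD = 4


def classify(ev):
    """Return the rule name an event satisfies, or None."""
    eid = ev.get("EventID")
    if eid == EID_DNS_QUERY and CHECKIP_DOMAIN.fullmatch(ev.get("QueryName", "")):
        return "external_ip_lookup"
    if eid == EID_NETWORK_CONNECT and ev.get("DestinationIp") == CHECKIP_IP:
        return "external_ip_lookup"
    if eid in (EID_FILE_CREATE, EID_FILE_STREAM_CREATE) and \
            DROPPED_FILE.search(ev.get("TargetFilename", "")):
        return "dropped_firef0x"
    if (eid == EID_REGISTRY_SET and RUN_KEY.search(ev.get("TargetObject", ""))
            and ev.get("Details", "").lower().endswith("firef0x.exe")):
        return "autostart_firef0x"
    return None


def hunt(events):
    """Score each host once per rule (repeated DNS lookups do not inflate the score) and
    return {host: (score, sorted rule hits, flagged)}."""
    hosts = defaultdict(set)
    for ev in events:
        rule = classify(ev)
        if rule:
            hosts[ev.get("Computer", "?")].add(rule)
    out = {}
    for host, hits in hosts.items():
        score = sum(WEIGHTS[r] for r in hits)
        out[host] = (score, sorted(hits), score >= THRESHOLD)
    return out


# Constructed events in Sysmon field naming; not real telemetry.
SAMPLE_EVENTS = [
    # WS-01: only an external IP lookup, as plenty of legitimate tools do.
    {"Computer": "WS-01", "EventID": 22, "Image": r"C:\Program Files\Tool\tool.exe",
     "QueryName": "checkip.dyndns.org"},
    # WS-02: the chain from the report: drop, ADS tag, autostart, IP lookup.
    {"Computer": "WS-02", "EventID": 11, "Image": r"C:\Users\alice\Downloads\invoice.exe",
     "TargetFilename": r"C:\Users\alice\AppData\Roaming\Updater\firef0x.exe"},
    {"Computer": "WS-02", "EventID": 15, "Image": r"C:\Users\alice\Downloads\invoice.exe",
     "TargetFilename": r"C:\Users\alice\AppData\Roaming\Updater\firef0x.exe:Zone.Identifier"},
    {"Computer": "WS-02", "EventID": 13, "Image": r"C:\Users\alice\Downloads\invoice.exe",
     "TargetObject": r"HKU\S-1-5-21-1\Software\Microsoft\Windows\CurrentVersion\Run\firef0x",
     "Details": r"C:\Users\alice\AppData\Roaming\Updater\firef0x.exe"},
    {"Computer": "WS-02", "EventID": 22, "Image": r"C:\Users\alice\Downloads\invoice.exe",
     "QueryName": "checkip.dyndns.org"},
    {"Computer": "WS-02", "EventID": 3, "Image": r"C:\Users\alice\Downloads\invoice.exe",
     "DestinationIp": "162.88.193.70", "DestinationPort": 80},
]


if __name__ == "__main__":
    for host, (score, hits, flagged) in sorted(hunt(SAMPLE_EVENTS).items()):
        print(host, score, hits, "FLAG" if flagged else "ok")
```

WS-01 scores 1 and stays below the threshold; WS-02 collects all three rules for a score of 7 and is flagged. Scoring per rule rather than per event keeps a chatty IP-lookup loop from turning a weak indicator into an alert on its own.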
Threat name: ByteCode-MSIL.Downloader.Seraph
Status: Malicious
First seen: 2021-06-07 09:04:40 UTC
File Type: PE (.Net Exe)
Extracted files: 12
AV detection: 20 of 29 (68.97%)
Threat level: 3/5
Result
Malware family: snakekeylogger
Score: 10/10
Tags: family:snakekeylogger keylogger spyware stealer
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Looks up external IP address via web service
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Snake Keylogger
Snake Keylogger Payload
Unpacked files
SHA256 hash: 8d48c2f19f530a27a909343145dc4905378165da67d3e8878b8a99aa39cb5c34
MD5 hash: d1fa583b1ee482374b5987410928f9a6
SHA1 hash: 30fce635f1c91cd5ef241621a613f54992c44324

SHA256 hash: f056e36b1528493a6a251a3674991682bc2b9a1ffd2d0a6c82750653d0d8b9bd
MD5 hash: 9d64b1fc4bef50473b8ae5933b297f34
SHA1 hash: 5719b2f715834980d86243f075847afe17a7b306

SHA256 hash: 2159ff1126e478d3d6f54107571c729e299001cd678ece1d01671ab2b612b1d4
MD5 hash: 61330001e65d1aa497bf575d4fa3c001
SHA1 hash: a293cdd9e458baa26c7c9030a3099546e5ee3244

SHA256 hash: 73875929249b6d42c502bd5117b0ac0934bf8936922042843f87d6cc02bd6b90 (the submitted sample)
MD5 hash: becc9c4709bbee070275cd42acfc02c9
SHA1 hash: e0fc13a4fa9fc53acb8470f60134bae96eb48c05

Please note that we are no longer able to provide a coverage score for VirusTotal.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: INDICATOR_EXE_Packed_ConfuserExMod_BedsProtector
Author: ditekSHen
Description: Detects executables packed with ConfuserEx Mod Beds Protector
Rule name: INDICATOR_SUSPICIOUS_Stomped_PECompilation_Timestamp_InTheFu
Author: ditekSHen
Description: Detects executables with a stomped PE compilation timestamp that is later than the local current time
Rule name: Keylog_bin_mem
Author: James_inthe_box
Description: Contains Keylog
Rule name: MALWARE_Win_SnakeKeylogger
Author: ditekSHen
Description: Detects Snake Keylogger
Rule name: pe_imphash
Rule name: Skystars_Malware_Imphash
Author: Skystars LightDefender
Description: imphash

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method: Web download (Distributed via web download)
Signature: SnakeKeylogger
File: Executable exe 73875929249b6d42c502bd5117b0ac0934bf8936922042843f87d6cc02bd6b90 (this sample)

Comments