MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 75bcb01c0ff496a6db0b158ae97e03840b29161d5c8f396c19ff92e46859810a. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

SnakeKeylogger

Vendor detections: 13

Intelligence 13 IOCs YARA 3 File information Comments

SHA256 hash:	75bcb01c0ff496a6db0b158ae97e03840b29161d5c8f396c19ff92e46859810a
SHA3-384 hash:	5b4adf658a7bfee4e84c30e98bce430d411326087dc0e3df6a0e0e0aeb9a1e161b7a8e2b55f48c92cd60bd82f0d646d9
SHA1 hash:	c7d83f276fbcb0dc9c8a92baa940ac391439d2b9
MD5 hash:	624528955b48acdf320239f06b1312d2
humanhash:	pennsylvania-hotel-pip-colorado
File name:	Payment swift.pdf.exe
Download:	download sample
Signature	SnakeKeylogger Create hunting rule
File size:	688'128 bytes
First seen:	2022-09-30 13:12:26 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'666 x AgentTesla, 19'479 x Formbook, 12'209 x SnakeKeylogger)
ssdeep	12288:EySiW0Yr50SAgFeZHjNl5+hbpadtZoKXTJ9AY22Eu8U+F:xWH0SFEl5+eeKXXXP8
Threatray	5'223 similar samples on MalwareBazaar
TLSH	T1E0E4DF361BEA8A0BD155B6B8D1D0D3F6A799CC11E567C2976BCA6C2FF08B079C760310
TrID	72.5% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13) 10.4% (.EXE) Win64 Executable (generic) (10523/12/4) 6.5% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 4.4% (.EXE) Win32 Executable (generic) (4505/5/1) 2.0% (.EXE) OS/2 Executable (generic) (2029/13)
Reporter	abuse_ch
Tags:	exe SnakeKeylogger

Intelligence

File Origin

# of uploads :

# of downloads :

245

Origin country :

n/a

Vendor Threat Intelligence

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/315181/

Detection(s):

SecuriteInfo.com.Trojan.PackedNET.389.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Searching for the window

Creating a window

Sending a custom TCP request

Verdict:

Suspicious

Threat level:

5/10

Confidence:

100%

Tags:

packed

Link:

https://www.filescan.io/uploads/6336eb64c9e2f343543148ff/reports/0827241a-d483-4448-adca-a594ca8e8980/overview

Result

Verdict:

UNKNOWN

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Snake Keylogger

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/b9f9884a-1d65-4a76-a4f7-e6aabaa7ebb5

Result

Threat name:

Snake Keylogger

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1080894

Signature

.NET source code contains potential unpacker

.NET source code references suspicious native API functions

Initial sample is a PE file and has a suspicious name

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

May check the online IP address of the machine

Multi AV Scanner detection for submitted file

Snort IDS alert for network traffic

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to steal Mail credentials (via file / registry access)

Uses an obfuscated file name to hide its real file extension (double extension)

Yara detected AntiVM3

Yara detected Generic Downloader

Yara detected Snake Keylogger

Yara detected Telegram RAT

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/75bcb01c0ff496a6db0b158ae97e03840b29161d5c8f396c19ff92e46859810a/

Threat name:

ByteCode-MSIL.Trojan.FormBook

Status:

Malicious

First seen:

2022-09-30 13:13:12 UTC

File Type:

PE (.Net Exe)

Extracted files:

AV detection:

18 of 26 (69.23%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=ow6lahap6slknwylcwfos7qdqqfssfq5lshts3az76joi2czqefa._file

Verdict:

malicious

SnakeKeylogger

50da774fda04ec1034035862f80ea8933397e34b66ac58c239c369836e341be0

SnakeKeylogger

6069a9d373b71c1217c3415634dfadeed9cfa0baa4949d640fe515d92b5a8a27

SnakeKeylogger

658cb26b4f26e4ecf21c85c6138ceb52c614ca4092a69c365d324ff0b4b0d7c0

SnakeKeylogger

7319a8d431cd1a967b517cd21b9aa7c0f86b1716e7e2492dd2e831a65406c460

SnakeKeylogger

7c0ccddd1e886d81fbcd8e4c62e6d61ce7e78258825a1f2ef1bc7edca4179cd5

SnakeKeylogger

a7f4f456189098240111b09c4a1564fa8d253bcbdec92f8696826717a88c9b56

SnakeKeylogger

f293c00ae925b1e3160d4104f35de999a31728aa5b636dd945d2ceb1d5045c01

SnakeKeylogger

f5b5997f3b718acf9ad712558e910e0d0c4777d8882207c05510f6c42cb3013d

SnakeKeylogger

+ 5'213 additional samples on MalwareBazaar

Result

Malware family:

snakekeylogger

Score:

10/10

Tags:

family:snakekeylogger collection keylogger spyware stealer

Link:

https://tria.ge/reports/220930-qf3f1sdfb6/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

outlook_office_path

outlook_win_path

Suspicious use of SetThreadContext

Accesses Microsoft Outlook profiles

Looks up external IP address via web service

Reads data files stored by FTP clients

Reads user/profile data of local email clients

Reads user/profile data of web browsers

Snake Keylogger

Snake Keylogger payload

Verdict:

Suspicious

Tags:

n/a

YARA:

n/a

Link:

https://app.threat.zone/submission/f3284f85-c89a-4d82-82c6-232fd015b8a0

Unpacked files

SH256 hash:

92b19371213c00a3555a2de8fac4e35a1ae59b9542f4d898e6fb6a542d72b70a

MD5 hash:

44462bbb72ac38395f4a8cc3b0ebe37c

SHA1 hash:

f07ee51d3ae3ddc891feabb0d9430be5a1c7407e

Detections:

snake_keylogger

Link:

https://www.unpac.me/results/ce0383da-959f-4a17-a7f0-38f716a47c4f/

Parent samples :

d814971a8063856b595d17139a71755f921c2f40cb047022184c244d2b0fa52f
f7fb64d9d71310484da1ccd57c9b48551961d36091033496aa21e185111e5a73
274033ca1c52818cea2b3d08f1af035fe7b9205acea7d360f6f2955f511760e6
bc54750c4093359b19b8c4a698448757d2cd5b7b057d67304c676e3f6c58a9be
75bcb01c0ff496a6db0b158ae97e03840b29161d5c8f396c19ff92e46859810a
9559b033b86a453e358c4d4aa01dc753e302832d0f42e86ddf6a9f39ef3b92c9
4efde8646629538aa3d423e120a7b69dccec759f6d1761ad5b6ddae09b0fe04c

SH256 hash:

acc882f5a24cc926294fcffa91e9385458467dc919e952ed782f588beae58421

MD5 hash:

ea92b0d7e20ed755f22cb62218b6b765

SHA1 hash:

dc44327d3bf1600d6bf5d20e038e7a0505418955

Link:

https://www.unpac.me/results/ce0383da-959f-4a17-a7f0-38f716a47c4f/

SH256 hash:

2470b39032f6182252039c88199016566b0de30c6aa02163a143427afedd12af

MD5 hash:

c3a1924684ca30ed22234ce1d9111dfc

SHA1 hash:

7347706241422758c06440fd6044ae4e042b456b

Link:

https://www.unpac.me/results/ce0383da-959f-4a17-a7f0-38f716a47c4f/

SH256 hash:

88496abc2310238d672a3a1e663a9f9fe4f65425cb5c1025ab3641e21c573764

MD5 hash:

d1ba348b2ba9c996a20bc53149fef027

SHA1 hash:

56a6f7e10c71096c47c38033ac69b13ed3b59311

Link:

https://www.unpac.me/results/ce0383da-959f-4a17-a7f0-38f716a47c4f/

SH256 hash:

e20ec8f3c957bcb6a194ef688bae8af2015cfffb20e7baf8b2114d7b70ade4ee

MD5 hash:

35cb29046968faca7f3f3b4463449b6c

SHA1 hash:

088c8c30ec1bece0a4b5bbfe3982b073f8b95598

Link:

https://www.unpac.me/results/ce0383da-959f-4a17-a7f0-38f716a47c4f/

SH256 hash:

75bcb01c0ff496a6db0b158ae97e03840b29161d5c8f396c19ff92e46859810a

MD5 hash:

624528955b48acdf320239f06b1312d2

SHA1 hash:

c7d83f276fbcb0dc9c8a92baa940ac391439d2b9

Link:

https://www.unpac.me/results/ce0383da-959f-4a17-a7f0-38f716a47c4f/

Malware family:

SnakeKeylogger

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/75bcb01c0ff4/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Suspicious File

Score:

0.65

Link:

https://yomi.yoroi.company/submissions/75bcb01c0ff496a6db0b158ae97e03840b29161d5c8f396c19ff92e46859810a

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	pdb_YARAify Create hunting rule
Author:	@wowabiy314
Description:	PDB

Rule name:	pe_imphash Create hunting rule

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/315181/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample