MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 75bec6ea2a9492e026b800661496ce7c3342f3d61ed0cb0e66689cbac574f4aa. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

SnakeKeylogger

Vendor detections: 14

Intelligence 14 IOCs YARA 2 File information Comments

SHA256 hash:	75bec6ea2a9492e026b800661496ce7c3342f3d61ed0cb0e66689cbac574f4aa
SHA3-384 hash:	bd4a7a36ce5467dbd567f52e95cbc6d3f7a806db2618eb779f20f801c366fec6e7b7bb056c04830ae6e7fb65dab17bb4
SHA1 hash:	78389cb09a80b125a67e21a6395a19679fffb809
MD5 hash:	fa7a9e1778cf4bd99b7f57b2de1f9e09
humanhash:	comet-six-hotel-sink
File name:	SecuriteInfo.com.Trojan.PackedNET.738.26226.15024
Download:	download sample
Signature	SnakeKeylogger Create hunting rule
File size:	739'328 bytes
First seen:	2022-09-19 08:58:35 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'740 x AgentTesla, 19'600 x Formbook, 12'241 x SnakeKeylogger)
ssdeep	12288:0wPSHGVI/ULARMut6YIjYfe6QSzB4aFnekGvkndS2u:2m3Azt6cfefta45vadu
Threatray	421 similar samples on MalwareBazaar
TLSH	T1F7F4BF141779CA0BC86DA538D8D2E3711EAC5DD5936FC24B48DC3CA7F63A39868913E2
TrID	72.5% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13) 10.4% (.EXE) Win64 Executable (generic) (10523/12/4) 6.5% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 4.4% (.EXE) Win32 Executable (generic) (4505/5/1) 2.0% (.EXE) OS/2 Executable (generic) (2029/13)
Reporter	SecuriteInfoCom
Tags:	exe SnakeKeylogger

Intelligence

File Origin

# of uploads :

# of downloads :

258

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

SecuriteInfo.com.Trojan.PackedNET.738.26226.15024

Verdict:

Malicious activity

Analysis date:

2022-09-19 08:59:24 UTC

Tags:

evasion trojan snake

Link:

https://app.any.run/tasks/f5d41387-3bc4-4390-9c75-dffc2861f52b

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/311265/

Detection(s):

SecuriteInfo.com.Trojan.PackedNET.738.26226.15024.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

Sending a custom TCP request

Launching a process

Creating a process with a hidden window

Verdict:

Suspicious

Threat level:

5/10

Confidence:

100%

Tags:

packed

Link:

https://www.filescan.io/uploads/63282fef0dc9845be85ca7fe/reports/02e29098-1591-4851-9f49-47c0fd4906ab/overview

Result

Verdict:

UNKNOWN

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Snake Keylogger

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/93be6dde-afa4-479a-b88b-e9bedce1089a

Result

Threat name:

Snake Keylogger

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1072838

Signature

.NET source code contains potential unpacker

.NET source code references suspicious native API functions

Adds a directory exclusion to Windows Defender

Injects a PE file into a foreign processes

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

May check the online IP address of the machine

Snort IDS alert for network traffic

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to steal Mail credentials (via file / registry access)

Yara detected AntiVM3

Yara detected Generic Downloader

Yara detected Snake Keylogger

Yara detected Telegram RAT

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/75bec6ea2a9492e026b800661496ce7c3342f3d61ed0cb0e66689cbac574f4aa/

Threat name:

ByteCode-MSIL.Trojan.SnakeKeylogger

Status:

Malicious

First seen:

2022-09-19 08:59:10 UTC

File Type:

PE (.Net Exe)

Extracted files:

AV detection:

20 of 26 (76.92%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=ow7mn2rkssjoajvyabtbjfwopqzuf46wd3imwdtgncolvrlu6sva._file

Verdict:

malicious

SnakeKeylogger

62ae48d339e52a1b5be82e703025f2be10d6025f97fd784d40f2781d6ee886ec

SnakeKeylogger

a2bb808321745ce0239b5a84c78a801644d903ce8a6ab87193337aaf2d01fc31

SnakeKeylogger

bed584b2fd812270f30bffea36dec6db7a464f353f06bbf06252300e51ac4f76

SnakeKeylogger

f6f9f7b0dda34e762db1c1d5362ad44638246bc1ff5832789177869d0e393203

SnakeKeylogger

fec53b388671f2f82fd8c743a3695f432037caffe5f2e04ea77c206809efd048

SnakeKeylogger

+ 411 additional samples on MalwareBazaar

Result

Malware family:

snakekeylogger

Score:

10/10

Tags:

family:snakekeylogger keylogger stealer

Link:

https://tria.ge/reports/220919-kxqkwsdedk/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Enumerates physical storage devices

Suspicious use of SetThreadContext

Looks up external IP address via web service

Checks computer location settings

Snake Keylogger

Snake Keylogger payload

Malware Config

C2 Extraction:

https://api.telegram.org/bot5668568295:AAH9FBPsUuJJmN0iOv2LEcbUxztf6vGGSZY/sendMessage?chat_id=5602554873

Verdict:

Suspicious

Tags:

n/a

YARA:

n/a

Link:

https://app.threat.zone/submission/ab384853-80e8-44ec-af8d-5da7e6b08acc

Unpacked files

SH256 hash:

02ac80dc7a48cb43934e5b32f19d84e25e29f368a745a351bc5fadc7182f7dd7

MD5 hash:

2a3a9885d8671723a27089bbdbeea5c7

SHA1 hash:

6a6e5285021fd205beaf7adc123ec7ef295042ad

Link:

https://www.unpac.me/results/f62de6b2-c20f-4033-92ae-cf1c7b91d148/

SH256 hash:

1920d9c0d49be8e7cd65c777239274a68b0a17400e3021f3ceabb2bbb71d04d2

MD5 hash:

9efefc49ad5612451d5b63f3c82c38fe

SHA1 hash:

4978ffbad6d8ec970d974cb9a6373ed1b35bc13e

Link:

https://www.unpac.me/results/f62de6b2-c20f-4033-92ae-cf1c7b91d148/

SH256 hash:

44c50087cbd9a86677ff5b898c1ad52abf5f25297179a174edcc8b81dec967fc

MD5 hash:

d012ba9057bf67c7f29871326f2af919

SHA1 hash:

1d5b8b512b37f0e1900496b578117082929654c7

Link:

https://www.unpac.me/results/f62de6b2-c20f-4033-92ae-cf1c7b91d148/

SH256 hash:

46ebb875e491a781781953c5aa11f17676711c768677b7319920b2dd34e23fdd

MD5 hash:

22612cb0dd07d10d1decb33c17f36bfd

SHA1 hash:

1118fa20a6a92727b7ba2914acfcd378ec5c9380

Detections:

snake_keylogger

Link:

https://www.unpac.me/results/f62de6b2-c20f-4033-92ae-cf1c7b91d148/

Parent samples :

75bec6ea2a9492e026b800661496ce7c3342f3d61ed0cb0e66689cbac574f4aa
0e2b262e58157798302c717a398a69a308895c6edc7afa3de8191683bfcc456a

SH256 hash:

e20ec8f3c957bcb6a194ef688bae8af2015cfffb20e7baf8b2114d7b70ade4ee

MD5 hash:

35cb29046968faca7f3f3b4463449b6c

SHA1 hash:

088c8c30ec1bece0a4b5bbfe3982b073f8b95598

Link:

https://www.unpac.me/results/f62de6b2-c20f-4033-92ae-cf1c7b91d148/

SH256 hash:

75bec6ea2a9492e026b800661496ce7c3342f3d61ed0cb0e66689cbac574f4aa

MD5 hash:

fa7a9e1778cf4bd99b7f57b2de1f9e09

SHA1 hash:

78389cb09a80b125a67e21a6395a19679fffb809

Link:

https://www.unpac.me/results/f62de6b2-c20f-4033-92ae-cf1c7b91d148/

Malware family:

SnakeKeylogger

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/75bec6ea2a94/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/75bec6ea2a9492e026b800661496ce7c3342f3d61ed0cb0e66689cbac574f4aa

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	pe_imphash Create hunting rule

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/311265/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample