MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 763d2ce91937159318d0b38f99ac1e32312648e1ea552a91ec153002f5930a24. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


SnakeKeylogger


Vendor detections: 12


Intelligence 12 IOCs YARA 10 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 763d2ce91937159318d0b38f99ac1e32312648e1ea552a91ec153002f5930a24
SHA3-384 hash: 781ee2f74f25429d0f62e3cdc6c8f317048bc36b5731daff12492be0b6e9621e103c085ab78226eeb1c6d52f94210720
SHA1 hash: d6c9aa18eab751ee940c19420b4f585fa3eac515
MD5 hash: c7e5f76f0dcef4ba013f603f684611a0
humanhash: chicken-victor-robert-march
File name:SecuriteInfo.com.Scr.Malcodegdn30.16766.6628
Download: download sample
Signature SnakeKeylogger
Create hunting rule
File size:792'064 bytes
First seen:2022-04-14 09:35:01 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'666 x AgentTesla, 19'479 x Formbook, 12'209 x SnakeKeylogger)
ssdeep 12288:PLzfNGNUVko9xHWzDOVQlWg1OhTxcOMFQ6CREMOYGTIJiWyBKvki3mEKV3xNXgzg:XFT95WXZSxcOM64FlCixivmJ3Pso
Threatray 3'081 similar samples on MalwareBazaar
TLSH T1CFF4F000F1D86EE1D03983F55838E40053BA775B196DCA4A7DFAB4CB4A717C2662AF4B
TrID 64.2% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
11.5% (.SCR) Windows screen saver (13101/52/3)
9.2% (.EXE) Win64 Executable (generic) (10523/12/4)
5.7% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
3.9% (.EXE) Win32 Executable (generic) (4505/5/1)
Reporter SecuriteInfoCom
Tags:exe SnakeKeylogger

Intelligence

File Origin
# of uploads :
1
# of downloads :
314
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
SecuriteInfo.com.Scr.Malcodegdn30.16766.6628
Verdict:
Malicious activity
Analysis date:
2022-04-14 09:36:01 UTC
Tags:
evasion trojan snake
Link:
https://app.any.run/tasks/430e4c7c-8cea-4597-b643-41369cd3e54e

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Snake
Create hunting rule
Link:
https://www.capesandbox.com/analysis/263634/
Detection(s):
SecuriteInfo.com.Scr.Malcodegdn30.16766.6628.UNOFFICIAL
Create hunting rule

Result
Verdict:
Clean
Maliciousness:

Behaviour
Creating a window
Sending a custom TCP request
Launching a process
Creating a process with a hidden window
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
obfuscated packed replace.exe update.exe
Link:
https://www.filescan.io/uploads/6257eacb482f2f41caad19cc/reports/fb074afe-58ce-4306-b00c-a83a08f83b06/overview
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/b5533795-9bc9-4f9b-8782-31933a6b6f10
Result
Threat name:
Snake Keylogger
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/976702
Signature
.NET source code contains potential unpacker
.NET source code references suspicious native API functions
Adds a directory exclusion to Windows Defender
Found malware configuration
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
May check the online IP address of the machine
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Suspicious Add Scheduled Task From User AppData Temp
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Mail credentials (via file / registry access)
Uses schtasks.exe or at.exe to add and modify task schedules
Uses the Telegram API (likely for C&C communication)
Yara detected AntiVM3
Yara detected Snake Keylogger
Yara detected Telegram RAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 609189 Sample: SecuriteInfo.com.Scr.Malcod... Startdate: 14/04/2022 Architecture: WINDOWS Score: 100 37 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->37 39 Found malware configuration 2->39 41 Malicious sample detected (through community Yara rule) 2->41 43 12 other signatures 2->43 7 SecuriteInfo.com.Scr.Malcodegdn30.16766.exe 7 2->7         started        process3 file4 23 C:\Users\user\AppData\Roaming\AeZJpZGZ.exe, PE32 7->23 dropped 25 C:\Users\...\AeZJpZGZ.exe:Zone.Identifier, ASCII 7->25 dropped 27 C:\Users\user\AppData\Local\...\tmpE0E4.tmp, XML 7->27 dropped 29 SecuriteInfo.com.S...gdn30.16766.exe.log, ASCII 7->29 dropped 45 May check the online IP address of the machine 7->45 47 Uses schtasks.exe or at.exe to add and modify task schedules 7->47 49 Adds a directory exclusion to Windows Defender 7->49 51 Injects a PE file into a foreign processes 7->51 11 SecuriteInfo.com.Scr.Malcodegdn30.16766.exe 15 2 7->11         started        15 powershell.exe 25 7->15         started        17 schtasks.exe 1 7->17         started        signatures5 process6 dnsIp7 31 checkip.dyndns.com 132.226.247.73, 49785, 80 UTMEMUS United States 11->31 33 checkip.dyndns.org 11->33 35 2 other IPs or domains 11->35 53 Tries to steal Mail credentials (via file / registry access) 11->53 55 Tries to harvest and steal ftp login credentials 11->55 57 Tries to harvest and steal browser information (history, passwords, etc) 11->57 19 conhost.exe 15->19         started        21 conhost.exe 17->21         started        signatures8 process9
Detection:
snakekeylogger
Create hunting rule
Link:
https://mwdb.cert.pl/sample/763d2ce91937159318d0b38f99ac1e32312648e1ea552a91ec153002f5930a24/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2022-04-14 07:42:16 UTC
File Type:
PE (.Net Exe)
Extracted files:
13
AV detection:
16 of 26 (61.54%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=oy6sz2izg4kzgggqwohztla6giysmshb5jksvepmcuyaf5mtbisa._file
Verdict:
malicious
Similar samples:
09e10d6e7d4745804ef69895329fe82ce878d7d5faca934e8e8caf45d0bb54ab
SnakeKeylogger
3142524efdca29ed19bfb8261b38bad549c427aaee7cb6aa0ac035845b880d0c
SnakeKeylogger
3a2776b0688e824317664a1b3d1f7f441b0a97f03300fc73cf317b8ec81bc6c5
SnakeKeylogger
4faf777c10dd803bf568dae9a4d27f4db2fcfeb54df64fa37b0c883fb0f029ca
SnakeKeylogger
7fb2552e90c099f748e7c3a2ba045570ddc81d921b4df26bd47cb956baadd22a
SnakeKeylogger
e020049e283e4e07cbd95282a737359f5ea5a496237ddfa729b74ebfeb52ef1c
SnakeKeylogger
e7dfeb8a4bd102659d50b7ea9c25b821d2a8b6cd2ee4d302e4b888748888530e
SnakeKeylogger
ef0e235d8f6267b667679f5f610e45b1baf341225237830c06646c6d6198386f
SnakeKeylogger
f7353cdc68a1352a965b80f93498cf274c730dd8968483e215f38e19acac5041
SnakeKeylogger
+ 3'071 additional samples on MalwareBazaar
Result
Malware family:
snakekeylogger
Create hunting rule
Score:
  10/10
Tags:
family:snakekeylogger keylogger stealer
Link:
https://tria.ge/reports/220414-lkb3eaahfm/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Suspicious use of SetThreadContext
Looks up external IP address via web service
Checks computer location settings
Snake Keylogger
Snake Keylogger Payload
Malware Config
C2 Extraction:
https://api.telegram.org/bot5273661172:AAGhrHqROij-z7aU4uqWZI9J7kUGBthLGqE/sendMessage?chat_id=1856108848
Unpacked files
SH256 hash:
4749083c8ec1f42475896f2d292bacf019626895f15a23a51bff50a42c3b1ea0
MD5 hash:
24eacd69785653dedab89f403bf28ae0
SHA1 hash:
fbfc2312ba6b63176bcd3a3c26c54c8399bc9de2
Link:
https://www.unpac.me/results/65c52505-e4bf-433c-a82b-ad75196165b8/
SH256 hash:
a91ab6e9de362f35e49ee9d39f020929e8143dc3ee39a518aa8850e262cb04eb
MD5 hash:
6160ad13f4bc6b596d39b1473ba4b0b8
SHA1 hash:
955fde5b08928bd5496282a52fa879ab19de68e4
Link:
https://www.unpac.me/results/65c52505-e4bf-433c-a82b-ad75196165b8/
SH256 hash:
120af468c979fa03eadf644a76d75efb51ee5d995d5db58b93e691cea1f25b94
MD5 hash:
b34febcac0a523961fc6994fe6d2ffd1
SHA1 hash:
76e6e6cd4fff83c6a252699d432d567da2c57355
Link:
https://www.unpac.me/results/65c52505-e4bf-433c-a82b-ad75196165b8/
SH256 hash:
c14ea4bdd27d729f044bf4e83e0bdb1e1cfcc92c987036fdbc439283c1022211
MD5 hash:
0587f7540c5eefae2bb042a11ff155d5
SHA1 hash:
24ca734b95fe93790c053f748791de56e66ebc1e
Link:
https://www.unpac.me/results/65c52505-e4bf-433c-a82b-ad75196165b8/
SH256 hash:
763d2ce91937159318d0b38f99ac1e32312648e1ea552a91ec153002f5930a24
MD5 hash:
c7e5f76f0dcef4ba013f603f684611a0
SHA1 hash:
d6c9aa18eab751ee940c19420b4f585fa3eac515
Link:
https://www.unpac.me/results/65c52505-e4bf-433c-a82b-ad75196165b8/
Malware family:
SnakeKeylogger
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/763d2ce91937/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/763d2ce91937159318d0b38f99ac1e32312648e1ea552a91ec153002f5930a24

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_SUSPICIOUS_Binary_References_Browsers
Create hunting rule
Author:ditekSHen
Description:Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers.
Rule name:INDICATOR_SUSPICIOUS_EXE_DotNetProcHook
Create hunting rule
Author:ditekSHen
Description:Detects executables with potential process hoocking
Rule name:INDICATOR_SUSPICIOUS_EXE_References_Messaging_Clients
Create hunting rule
Author:ditekSHen
Description:Detects executables referencing many email and collaboration clients. Observed in information stealers
Rule name:INDICATOR_SUSPICIOUS_EXE_TelegramChatBot
Create hunting rule
Author:ditekSHen
Description:Detects executables using Telegram Chat Bot
Rule name:MALWARE_Win_SnakeKeylogger
Create hunting rule
Author:ditekSHen
Description:Detects Snake Keylogger
Rule name:MAL_Envrial_Jan18_1
Create hunting rule
Author:Florian Roth
Description:Detects Encrial credential stealer malware
Reference:https://twitter.com/malwrhunterteam/status/953313514629853184
Rule name:MAL_Envrial_Jan18_1_RID2D8C
Create hunting rule
Author:Florian Roth
Description:Detects Encrial credential stealer malware
Reference:https://twitter.com/malwrhunterteam/status/953313514629853184
Rule name:MAL_Lokibot_Stealer
Create hunting rule
Description:Detects Lokibot Stealer Variants
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/263634/

Comments