MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 767ff6709f5ea14af565b50baca9c574d1ec22eb0ddfd8468b64adf7a4ea6ca4. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

SnakeKeylogger

Vendor detections: 6

Intelligence 6 IOCs YARA 5 File information Comments

SHA256 hash:	767ff6709f5ea14af565b50baca9c574d1ec22eb0ddfd8468b64adf7a4ea6ca4
SHA3-384 hash:	7e1d0ad853005d112bd52db920ff485e75ec3d5e906246e0cadaebd83ec6d33351f6ec3b84504e448d53362eeff7722e
SHA1 hash:	9623da573c768ee895aef71572f19cc2c8ded61a
MD5 hash:	0a518c0c5bca90ed3a980a53543304ba
humanhash:	orange-nevada-red-diet
File name:	IMG_6037_020120.exe
Download:	download sample
Signature	SnakeKeylogger Create hunting rule
File size:	366'904 bytes
First seen:	2021-04-26 10:56:31 UTC
Last seen:	2021-04-26 11:42:06 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'742 x AgentTesla, 19'606 x Formbook, 12'242 x SnakeKeylogger)
ssdeep	6144:p4qbWN98/JUrIhVLX5JVK/lSKLojX8rrE2G:Pc9kUrYTJVK/spXe4N
Threatray	2 similar samples on MalwareBazaar
TLSH	B5749178FDFF6A85C251DE3A666C705A56E19C08CE8B837BE0D472A47E30CC81A4651F
Reporter	abuse_ch
Tags:	exe SnakeKeylogger

Intelligence

File Origin

# of uploads :

# of downloads :

128

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

IMG_6037_020120.exe

Verdict:

No threats detected

Analysis date:

2021-04-26 10:59:48 UTC

Tags:

n/a

Link:

https://app.any.run/tasks/808e484c-ddb3-4dca-b515-37359995081a

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/144308/

Detection(s):

SecuriteInfo.com.Variant.Bulz.449427.14897.27934.UNOFFICIAL

Result

Verdict:

Clean

Maliciousness:

Behaviour

Sending a UDP request

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Result

Threat name:

Snake Keylogger

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/697789

Signature

.NET source code contains potential unpacker

Creates an undocumented autostart registry key

Found malware configuration

Initial sample is a PE file and has a suspicious name

May check the online IP address of the machine

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to steal Mail credentials (via file access)

Yara detected Beds Obfuscator

Yara detected Costura Assembly Loader

Yara detected Snake Keylogger

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/767ff6709f5ea14af565b50baca9c574d1ec22eb0ddfd8468b64adf7a4ea6ca4/

Threat name:

ByteCode-MSIL.Infostealer.Stelega

Status:

Malicious

First seen:

2021-04-26 10:57:09 UTC

AV detection:

12 of 47 (25.53%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=oz77m4e7l2quv5lfwuf2zkofoti6yixlbxp5qrulmsw7pjhknssa._file

Verdict:

unknown

SnakeKeylogger

8ad095b5f3cbe5651719b70347c94f489a4a14d72a4535c68f9829fe8d0ec738

SnakeKeylogger

Result

Malware family:

snakekeylogger

Score:

10/10

Tags:

family:snakekeylogger keylogger spyware stealer

Link:

https://tria.ge/reports/210426-d99gxtlda6/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Suspicious use of SetThreadContext

Looks up external IP address via web service

Reads data files stored by FTP clients

Reads user/profile data of local email clients

Reads user/profile data of web browsers

Snake Keylogger

Snake Keylogger Payload

Unpacked files

SH256 hash:

ebb4c7a8527658d4f02f6242d0a4a518e5881ac4b89ee7036cc8464214a66811

MD5 hash:

9766c14be8e0d0a3e027c63fa097b55b

SHA1 hash:

c96561c8f8aa14db919676b8e84bccb581436db7

Link:

https://www.unpac.me/results/e913b901-b3f6-4bdd-a169-3a3e04548f15/

SH256 hash:

4402267764e4d9d7dea43be918c382815bd4cf19195c9b011aaae11ba4938bd1

MD5 hash:

b34980695ce6d311c7aa7f54a6c610e0

SHA1 hash:

a9f2508c700954fe9dc541e95762110737f6299a

Link:

https://www.unpac.me/results/e913b901-b3f6-4bdd-a169-3a3e04548f15/

SH256 hash:

e927adb10ab5016fcd9bf875dacc21533045901228571847db0d0f32c2c87a40

MD5 hash:

092df548573e2b28b98c447b55eed033

SHA1 hash:

50e91e874765ff191addbe0cd1b552f423e7ddcb

Link:

https://www.unpac.me/results/e913b901-b3f6-4bdd-a169-3a3e04548f15/

SH256 hash:

767ff6709f5ea14af565b50baca9c574d1ec22eb0ddfd8468b64adf7a4ea6ca4

MD5 hash:

0a518c0c5bca90ed3a980a53543304ba

SHA1 hash:

9623da573c768ee895aef71572f19cc2c8ded61a

Link:

https://www.unpac.me/results/e913b901-b3f6-4bdd-a169-3a3e04548f15/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Legit

Score:

0.28

Link:

https://yomi.yoroi.company/submissions/767ff6709f5ea14af565b50baca9c574d1ec22eb0ddfd8468b64adf7a4ea6ca4

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	dsc Create hunting rule
Author:	Aaron DeVera
Description:	Discord domains

Rule name:	INDICATOR_EXE_Packed_ConfuserExMod_BedsProtector Create hunting rule
Author:	ditekSHen
Description:	Detects executables packed with ConfuserEx Mod Beds Protector

Rule name:	INDICATOR_KB_CERT_04f131322cc31d92c849fca351d2f141 Create hunting rule
Author:	ditekSHen
Description:	Detects executables signed with stolen, revoked or invalid certificates

Rule name:	Keylog_bin_mem Create hunting rule
Author:	James_inthe_box
Description:	Contains Keylog

Rule name:	MALWARE_Win_SnakeKeylogger Create hunting rule
Author:	ditekSHen
Description:	Detects Snake Keylogger

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/144308/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample