MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 7702ef79070ed9e1da8bdc52c5b5928b0bcada2eaa515488bd8e1a9967cb4a64. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


SnakeKeylogger


Vendor detections: 9


Intelligence 9 IOCs YARA 6 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 7702ef79070ed9e1da8bdc52c5b5928b0bcada2eaa515488bd8e1a9967cb4a64
SHA3-384 hash: 257c486d9531c048b54cd1755088c0fc1d5bef354ddd7832ef9ee51747ddeaf00e34f7b5d8c8e19bc1e2f4ebd3b6b279
SHA1 hash: af11a000ae8aef076a9b21dd05e3d3bef4c42387
MD5 hash: 885401de3dec428de16607d4413f808a
humanhash: spring-queen-batman-delta
File name:SPEC_T56738.pif
Download: download sample
Signature SnakeKeylogger
Create hunting rule
File size:16'384 bytes
First seen:2022-06-15 18:12:50 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'661 x AgentTesla, 19'474 x Formbook, 12'208 x SnakeKeylogger)
ssdeep 384:v5MLLvbJVCSM1QWkpipTNCXpIQXa9ZUBWiS:v6b58Q9OcK9eM
Threatray 1'504 similar samples on MalwareBazaar
TLSH T179723BA6EBDC5533CAA40F7658631341437EEF01CA01EE1F68C9B52B2D537115AB37A2
TrID 72.5% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.4% (.EXE) Win64 Executable (generic) (10523/12/4)
6.5% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.4% (.EXE) Win32 Executable (generic) (4505/5/1)
2.0% (.EXE) OS/2 Executable (generic) (2029/13)
File icon (PE):PE icon
dhash icon f0cce4e4b2f27898 (1 x CobianRAT, 1 x SnakeKeylogger)
Reporter abuse_ch
Tags:exe pif SnakeKeylogger

Intelligence

File Origin
# of uploads :
1
# of downloads :
229
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/280261/
Detection(s):
SecuriteInfo.com.Trojan.Downloader.10124.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Launching a process
Сreating synchronization primitives
DNS request
Sending a custom TCP request
Running batch commands
Creating a process with a hidden window
Launching the process to change network settings
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
packed
Link:
https://www.filescan.io/uploads/62aa216fc07f2e38a14a0c2f/reports/829f7e39-4225-4486-8ad4-20a27c287e19/overview
Result
Verdict:
SUSPICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/d626d400-0f80-429e-8abd-63e5d71f3067
Result
Threat name:
Snake Keylogger
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1013908
Signature
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains potential unpacker
.NET source code references suspicious native API functions
Creates an undocumented autostart registry key
Malicious sample detected (through community Yara rule)
May check the online IP address of the machine
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Capture Wi-Fi password
Snort IDS alert for network traffic
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal WLAN passwords
Tries to steal Mail credentials (via file / registry access)
Uses netsh to modify the Windows network and firewall settings
Uses the Telegram API (likely for C&C communication)
Yara detected Costura Assembly Loader
Yara detected Generic Downloader
Yara detected MSILDownloaderGeneric
Yara detected Snake Keylogger
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 646411 Sample: SPEC_T56738.pif Startdate: 15/06/2022 Architecture: WINDOWS Score: 100 43 Snort IDS alert for network traffic 2->43 45 Malicious sample detected (through community Yara rule) 2->45 47 Sigma detected: Capture Wi-Fi password 2->47 49 10 other signatures 2->49 8 SPEC_T56738.exe 15 7 2->8         started        process3 dnsIp4 35 cdn.discordapp.com 162.159.134.233, 443, 49769 CLOUDFLARENETUS United States 8->35 31 C:\Users\user\AppData\Roaming\...\Cgsec.exe, PE32 8->31 dropped 33 C:\Users\user\AppData\...\SPEC_T56738.exe.log, ASCII 8->33 dropped 51 Creates an undocumented autostart registry key 8->51 13 MSBuild.exe 14 5 8->13         started        17 cmd.exe 1 8->17         started        19 powershell.exe 15 8->19         started        file5 signatures6 process7 dnsIp8 37 checkip.dyndns.com 158.101.44.242, 49780, 80 ORACLE-BMC-31898US United States 13->37 39 checkip.dyndns.org 13->39 41 api.telegram.org 149.154.167.220, 443, 49782, 49786 TELEGRAMRU United Kingdom 13->41 53 May check the online IP address of the machine 13->53 55 Tries to steal Mail credentials (via file / registry access) 13->55 57 Uses netsh to modify the Windows network and firewall settings 13->57 59 3 other signatures 13->59 21 netsh.exe 3 13->21         started        23 conhost.exe 17->23         started        25 timeout.exe 1 17->25         started        27 conhost.exe 19->27         started        signatures9 process10 process11 29 conhost.exe 21->29         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/7702ef79070ed9e1da8bdc52c5b5928b0bcada2eaa515488bd8e1a9967cb4a64/
Threat name:
ByteCode-MSIL.Trojan.Woreflint
Create hunting rule
Status:
Malicious
First seen:
2022-06-15 12:58:17 UTC
File Type:
PE (.Net Exe)
Extracted files:
8
AV detection:
21 of 26 (80.77%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=o4bo66ihb3m6dwul3rjmlnmsrmf4vwrovjivjcf5rynjsz6ljjsa._file
Verdict:
malicious
Similar samples:
089d64094a0cbe3fc87733eaf8f49bb1d818948429fa80de8953b8ff2c667a6a
SnakeKeylogger
1c57865eee1285666f6fbc185980bbdcab91e96b7f906f7d51c7c95827e6d241
SnakeKeylogger
45b9f90bee542ccb1e839ba824246f94363e35610981b9620429beecfcedc66b
SnakeKeylogger
4f5c717b397608e6c58b8133b041e258b9d4446f4f8c286ae4b5f5c13bf2a404
SnakeKeylogger
8efe63d65c4c6ad604639045990b133113224de00e18fa330acb11980ddb6655
SnakeKeylogger
8f66ff28a6f980ec9211dec93dc22411b479a257238f8405c7e9e038c9b53223
SnakeKeylogger
900eb9594b34519d8935f2c4a627a365a4eb8f68fa5ec14b9eed9544c2e9551e
SnakeKeylogger
b43776e06bb69bbd5171248b0fc82bf9a6cf2641b94717d4ebd77b38333726dc
SnakeKeylogger
d20fa082b9fb505b6f694b65d21580dfcb62493cd84fdb2e080d42efa0df1c70
SnakeKeylogger
e4af6a6b4243bb6971be7edc28f16198ff88734d6a764dcddc6f5c6424309bd6
SnakeKeylogger
+ 1'494 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  7/10
Tags:
collection
Link:
https://tria.ge/reports/220615-wtql9sddb3/
Behaviour
Delays execution with timeout.exe
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Enumerates physical storage devices
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Looks up external IP address via web service
Checks computer location settings
Unpacked files
SH256 hash:
7702ef79070ed9e1da8bdc52c5b5928b0bcada2eaa515488bd8e1a9967cb4a64
MD5 hash:
885401de3dec428de16607d4413f808a
SHA1 hash:
af11a000ae8aef076a9b21dd05e3d3bef4c42387
Link:
https://www.unpac.me/results/9a3b8421-b664-4d81-bc3c-793bf87699e4/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/7702ef79070e/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/7702ef79070ed9e1da8bdc52c5b5928b0bcada2eaa515488bd8e1a9967cb4a64

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_SUSPICIOUS_EXE_DiscordURL
Create hunting rule
Author:ditekSHen
Description:Detects executables Discord URL observed in first stage droppers
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash
Rule name:SUSP_Discord_Attachments_URL
Create hunting rule
Author:SECUINFRA Falcon Team
Description:Detects a PE file that contains an Discord Attachments URL. This is often used by Malware to download further payloads
Rule name:SUSP_PE_Discord_Attachment_Oct21_1
Create hunting rule
Author:Florian Roth
Description:Detects suspicious executable with reference to a Discord attachment (often used for malware hosting on a legitimate FQDN)
Reference:Internal Research
Rule name:WhisperGateStage2
Create hunting rule
Author:Harish Kumar
Description:Yara Rule to Detect WhisperGateStage2

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/280261/

Comments