MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 77fc980c2c8f9412e843d83cb4b808e7dfc9b459aaa7f1936b7d93bc7357bfbb. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


SnakeKeylogger


Vendor detections: 16


Intelligence 16 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 77fc980c2c8f9412e843d83cb4b808e7dfc9b459aaa7f1936b7d93bc7357bfbb
SHA3-384 hash: 6afd51ac19c95e57b43816d02eb252464d65f7439f5ab35b9a43395370059c71c908849a1c771268c02b24c42544ee8e
SHA1 hash: 066a458315c10ba6aa827958ec79627007daccf6
MD5 hash: 4eac3586289f9081f51432e739f3b240
humanhash: edward-paris-mountain-bluebird
File name:docyo20230925.exe
Download: download sample
Signature SnakeKeylogger
Create hunting rule
File size:841'216 bytes
First seen:2023-09-26 13:51:20 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 24576:1X5KAkazacwCw8RdFK0W3fDkqgy9nEsY:1X5KEacxdRLI3rkqpNQ
Threatray 179 similar samples on MalwareBazaar
TLSH T19605AE61942864B9C3BB023B5613D64069B45F4EB51FAF2E6017BFE23BFE7C22405D62
TrID 67.7% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
9.7% (.EXE) Win64 Executable (generic) (10523/12/4)
6.0% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
4.1% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):PE icon
dhash icon f0f4e0696de0f4f0 (3 x SnakeKeylogger, 3 x AgentTesla, 1 x Loki)
Reporter JAMESWT_WT
Tags:exe payorderreceipt-info SnakeKeylogger

Intelligence

File Origin
# of uploads :
1
# of downloads :
291
Origin country :
IT IT
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
docyo20230925.exe
Verdict:
Malicious activity
Analysis date:
2023-09-26 13:59:48 UTC
Tags:
evasion snake keylogger
Link:
https://app.any.run/tasks/52c98bfb-9e4d-4a3d-affe-0bc7f8105e3e

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Snake
Create hunting rule
Link:
https://www.capesandbox.com/analysis/451281/
Detection(s):
SecuriteInfo.com.Win32.RATX-gen.20409.3043.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Sending a custom TCP request
Restart of the analyzed sample
Creating a file in the %temp% directory
Сreating synchronization primitives
DNS request
Sending an HTTP GET request
Creating a process from a recently created file
Running batch commands
Creating a file
Launching a process
Creating a file in the %AppData% subdirectories
Reading critical registry keys
Creating a window
Unauthorized injection to a recently created process
Setting a global event handler for the keyboard
Forced shutdown of a browser
Enabling autorun by creating a file
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
obfuscated packed packed smartassembly smart_assembly
Link:
https://www.filescan.io/uploads/6512e203ac6222a2be1569d0/reports/395108d9-d9f1-47f1-b2b3-8e0cb2cd8d49/overview
Verdict:
Malicious
Labled as:
Ser.Lazy.Generic
Link:
https://www.hybrid-analysis.com/sample/77fc980c2c8f9412e843d83cb4b808e7dfc9b459aaa7f1936b7d93bc7357bfbb
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Snake Keylogger
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/fabeaa99-9140-4377-b87c-49c961f0ce40
Result
Threat name:
Redline Clipper, Snake Keylogger
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1314563
Signature
.NET source code contains potential unpacker
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Connects to many ports of the same IP (likely port scanning)
Drops PE files with benign system names
Found malware configuration
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
May check the online IP address of the machine
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Schedule system process
System process connects to network (likely due to code injection or exploit)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected Generic Downloader
Yara detected Redline Clipper
Yara detected Snake Keylogger
Yara detected Telegram RAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1314563 Sample: docyo20230925.exe Startdate: 26/09/2023 Architecture: WINDOWS Score: 100 73 product-secured.com 2->73 75 ftp.product-secured.com 2->75 77 2 other IPs or domains 2->77 83 Found malware configuration 2->83 85 Malicious sample detected (through community Yara rule) 2->85 87 Antivirus / Scanner detection for submitted sample 2->87 89 10 other signatures 2->89 9 docyo20230925.exe 4 2->9         started        13 svchost.exe 2->13         started        15 avast.exe 2->15         started        17 2 other processes 2->17 signatures3 process4 file5 69 C:\Users\user\AppData\Local\...\svchost.exe, PE32 9->69 dropped 105 Drops PE files with benign system names 9->105 19 svchost.exe 2 9->19         started        22 cmd.exe 2 9->22         started        24 docyo20230925.exe 15 4 9->24         started        31 3 other processes 9->31 107 Antivirus detection for dropped file 13->107 109 Multi AV Scanner detection for dropped file 13->109 111 Machine Learning detection for dropped file 13->111 27 svchost.exe 13->27         started        29 cmd.exe 13->29         started        34 2 other processes 13->34 36 4 other processes 15->36 113 Injects a PE file into a foreign processes 17->113 38 4 other processes 17->38 signatures6 process7 dnsIp8 91 Multi AV Scanner detection for dropped file 19->91 93 Machine Learning detection for dropped file 19->93 40 cmd.exe 2 19->40         started        43 cmd.exe 1 19->43         started        47 2 other processes 19->47 95 Uses schtasks.exe or at.exe to add and modify task schedules 22->95 97 Drops PE files with benign system names 22->97 45 conhost.exe 22->45         started        79 product-secured.com 179.43.183.46, 21, 49417, 49703 PLI-ASCH Panama 24->79 81 checkip.dyndns.com 158.101.44.242, 49701, 49702, 80 ORACLE-BMC-31898US United States 24->81 99 System process connects to network (likely due to code injection or exploit) 27->99 101 Tries to steal Mail credentials (via file / registry access) 27->101 103 Tries to harvest and steal browser information (history, passwords, etc) 27->103 49 2 other processes 29->49 71 C:\Users\user\AppData\Roaming\...\svchost.exe, PE32 31->71 dropped 51 3 other processes 31->51 53 2 other processes 34->53 55 4 other processes 36->55 57 4 other processes 38->57 file9 signatures10 process11 file12 67 C:\Users\user\AppData\Roaming\...\avast.exe, PE32 40->67 dropped 59 conhost.exe 40->59         started        61 conhost.exe 43->61         started        63 schtasks.exe 43->63         started        65 conhost.exe 47->65         started        process13
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/77fc980c2c8f9412e843d83cb4b808e7dfc9b459aaa7f1936b7d93bc7357bfbb/
Threat name:
Win32.Trojan.Generic
Create hunting rule
Status:
Malicious
First seen:
2023-09-26 13:50:45 UTC
File Type:
PE (.Net Exe)
Extracted files:
18
AV detection:
17 of 23 (73.91%)
Threat level:
  2/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=o76jqdbmr6kbf2cd3a6ljoai47p4tnczvkt7de3lpwj3y42xx65q._file
Verdict:
malicious
Similar samples:
26e4c2040af6ee16a1794c86220f5249743ec9c9ceee933645331c1e54ebcca6
SnakeKeylogger
3f8a355ce6dd6d2703dcb44bad8134df383496f1f5db5c7c5b4c613cdb32aa0b
SnakeKeylogger
4f09e1857f411cee21a8f8b56535dcf67937ec013873c180215c6420856b4e17
SnakeKeylogger
7d31211e88bbc31cd128c1b5a3ae9e1dbbb823b449f807e3d3a6669047810dc1
SnakeKeylogger
8d9a8f9de34a75aeba8164f658881f4c142690b58c8cf30486f18574a8e14185
SnakeKeylogger
a5511e15b015d02f9475da2875c37dcdacdda81793f2324fe5d61d487187aa8c
SnakeKeylogger
b07ba32d65a7a6c5998e443c6fa47a7ee00e4c97be7c318bd583351c73777876
SnakeKeylogger
b68d46be4a85016270a6cb5d11295225ae4fab655eada32344422edad43c155b
SnakeKeylogger
be0189e9af3e8929a3f23d2077ed2a5162e4e7801386cf637d1e449a35eb0671
SnakeKeylogger
dfe21dcd3c319fbb88566950ad3cd104f0e76c50200687b8906975c9cdd5aee6
SnakeKeylogger
+ 169 additional samples on MalwareBazaar
Result
Malware family:
snakekeylogger
Create hunting rule
Score:
  10/10
Tags:
family:snakekeylogger collection keylogger spyware stealer
Link:
https://tria.ge/reports/230926-q6dkkshg2y/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Enumerates physical storage devices
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Looks up external IP address via web service
Checks computer location settings
Executes dropped EXE
Loads dropped DLL
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Snake Keylogger
Snake Keylogger payload
Unpacked files
SH256 hash:
8c21274f725299022fbf415925210da65702198913c4713dfe5dda09ceb2d38a
MD5 hash:
6741d00c206f685140fd9cd0957aaaa8
SHA1 hash:
8e2da1453a6001aef807661db6940b1703846890
Link:
https://www.unpac.me/results/8d0232b8-9236-48d4-9c6f-a7b1b620a0de/
SH256 hash:
169b55a90537d6120bfb08a1ea69bbbf633ac44ac9e01a0e4f05076e1078c5da
MD5 hash:
5eae9e50b8291459a38dceb9540cf79a
SHA1 hash:
459c2a147b3e82ddae352252a461c331057d68be
Link:
https://www.unpac.me/results/8d0232b8-9236-48d4-9c6f-a7b1b620a0de/
SH256 hash:
dbbdb38daabcc69c6749ae839970d238744552ffff32fb717765ede78991241f
MD5 hash:
dec4ea90d4ce99f23c7589b1484313e2
SHA1 hash:
2e754372a372c19a45b829c9d5f9641bfcff9472
Detections:
snake_keylogger
Create hunting rule
Link:
https://www.unpac.me/results/8d0232b8-9236-48d4-9c6f-a7b1b620a0de/
Parent samples :
65a1ad88ce43b266d8efac2fd115bacc6dc29c312c4e49ea1076e8dcb8ecc50f
77fc980c2c8f9412e843d83cb4b808e7dfc9b459aaa7f1936b7d93bc7357bfbb
SH256 hash:
77fc980c2c8f9412e843d83cb4b808e7dfc9b459aaa7f1936b7d93bc7357bfbb
MD5 hash:
4eac3586289f9081f51432e739f3b240
SHA1 hash:
066a458315c10ba6aa827958ec79627007daccf6
Link:
https://www.unpac.me/results/8d0232b8-9236-48d4-9c6f-a7b1b620a0de/
Malware family:
SnakeKeylogger
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/77fc980c2c8f/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/77fc980c2c8f9412e843d83cb4b808e7dfc9b459aaa7f1936b7d93bc7357bfbb

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_EXE_Packed_SmartAssembly
Create hunting rule
Author:ditekSHen
Description:Detects executables packed with SmartAssembly
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

SnakeKeylogger

Executable exe 77fc980c2c8f9412e843d83cb4b808e7dfc9b459aaa7f1936b7d93bc7357bfbb

(this sample)

Cape
Cape
https://www.capesandbox.com/analysis/451281/
  
URLhaus
https://urlhaus.abuse.ch/url/2714262/
  
Delivery method
Distributed via web download

Comments