MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 7842e95d206e9be0b749d35de0e076b95fd59abbca814a3f0c60bbfdf104779c. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


SnakeKeylogger


Vendor detections: 9


Intelligence 9 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 7842e95d206e9be0b749d35de0e076b95fd59abbca814a3f0c60bbfdf104779c
SHA3-384 hash: 40e1c1a925ad33f74b1f630328da6aa8049a01cdef0558f37f1bccc2b157b0b492f420fe36a40c734f4f95c4facc61d9
SHA1 hash: 0b76fc2cf3cb369ebeccfeaeb1d74eaa5f6ed8f7
MD5 hash: ca419ceaab602ba376605c6d46df1e76
humanhash: robin-salami-muppet-don
File name:ca419ceaab602ba376605c6d46df1e76.exe
Download: download sample
Signature SnakeKeylogger
Create hunting rule
File size:3'030'096 bytes
First seen:2021-02-15 20:10:59 UTC
Last seen:2021-02-15 21:49:47 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 768:183ak6t03OUm04Nmcyud+XPEJTMihgdHj2XacIaUSq6EVDM4r0KaSGVxPItsa3jd:BO
Threatray 49 similar samples on MalwareBazaar
TLSH E2E5FD1E6DBF0BE42222D31EA6E3007A566EAD9CC75BD3B266A1D6CC1F039D0401BD75
Reporter abuse_ch
Tags:exe SnakeKeylogger

Intelligence

File Origin
# of uploads :
2
# of downloads :
128
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
scan-021521DHL delivery.doc
Verdict:
Malicious activity
Analysis date:
2021-02-15 19:37:05 UTC
Tags:
opendir trojan exploit CVE-2017-11882 evasion loader
Link:
https://app.any.run/tasks/c34439ff-2c90-42ce-bfbc-2945dd4bad3e

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Snake
Create hunting rule
Link:
https://www.capesandbox.com/analysis/117237/
Detection(s):
SecuriteInfo.com.Gen.NN.ZemsilCO.34804.4kX@aigWuDm.28031.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Unauthorized injection to a recently created process
Creating a file
Sending a UDP request
DNS request
Sending an HTTP GET request
Sending a custom TCP request
Reading critical registry keys
Creating a window
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
Snake Keylogger
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/608417
Signature
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains potential unpacker
.NET source code contains very large strings
Found malware configuration
Injects a PE file into a foreign processes
Machine Learning detection for sample
May check the online IP address of the machine
Multi AV Scanner detection for submitted file
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file access)
Yara detected Beds Obfuscator
Yara detected Snake Keylogger
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/7842e95d206e9be0b749d35de0e076b95fd59abbca814a3f0c60bbfdf104779c/
Threat name:
ByteCode-MSIL.Backdoor.NanoBot
Create hunting rule
Status:
Malicious
First seen:
2021-02-15 18:13:59 UTC
AV detection:
13 of 29 (44.83%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=pbbosxjan2n6bn2j2no6bydwxfp5lgv3zkauupymmc5734ieo6oa._file
Verdict:
unknown
Similar samples:
39f32ed0f76d63794bcaa528441a491c132a7c110deace155bd314566a09c90c
SnakeKeylogger
420b0a14b0d994f9c1e2ee75a3bba5063f558a4bfbf22f8967c57de61912eff5
SnakeKeylogger
597ee35e9d572906a3b65d2eac0eea6c90741754e580fd98744a50c55c605e3e
SnakeKeylogger
8095f23a25042bf761d123fc385093ff150114b0e3bad6a8bd9244791e0aa00f
SnakeKeylogger
ae13c592c46eae874e953b34fb75421c515de16d29430d9decb986ea954c36aa
SnakeKeylogger
b045b7b993b005e1930ca50a9eb65df8b62ca29d1dfdbbb28ca6621384172908
SnakeKeylogger
b4a054c8b3781f276e07502c5cfd4064e2c0713f028ea5d94e0e4ed810036f01
SnakeKeylogger
d71df02bd84ee3f257322538a5bd3f664326f95af49322dca72bd1d0c3a59df6
SnakeKeylogger
d9f9b4cbf097f8f9e145b547f0725217016f5cdacbdf61e108f9e84981ce76f8
SnakeKeylogger
e2efc9d3d3132046d0567a2198ed10a65fb764b1091d399323f7029e0f22b73f
SnakeKeylogger
+ 39 additional samples on MalwareBazaar
Result
Malware family:
snakekeylogger
Create hunting rule
Score:
  10/10
Tags:
family:snakekeylogger keylogger spyware stealer
Link:
https://tria.ge/reports/210215-fvf1sasekx/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Looks up external IP address via web service
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Snake Keylogger
Snake Keylogger Payload
Unpacked files
SH256 hash:
36de6029ff8c3957846c04cd5f8cfdf3f6484c09fdb9e4f5ef043391cc0916db
MD5 hash:
5c52b5a25dc4e9ab48e32d7704f267f7
SHA1 hash:
80a8e0f60b884a4e2af286c971ad38a71096dad3
Link:
https://www.unpac.me/results/8335356a-dba8-47b4-89d3-9a98fd5898f2/
SH256 hash:
375d373db84abc1f0cb7d6248260d5cf205d24a23d742fc5d5884dd12513776f
MD5 hash:
57b1ae323bfbc2e8cf0a89d9953785fd
SHA1 hash:
dae5ef9ec3ae55e282618449f336911c3f58747c
Link:
https://www.unpac.me/results/8335356a-dba8-47b4-89d3-9a98fd5898f2/
SH256 hash:
7842e95d206e9be0b749d35de0e076b95fd59abbca814a3f0c60bbfdf104779c
MD5 hash:
ca419ceaab602ba376605c6d46df1e76
SHA1 hash:
0b76fc2cf3cb369ebeccfeaeb1d74eaa5f6ed8f7
Link:
https://www.unpac.me/results/8335356a-dba8-47b4-89d3-9a98fd5898f2/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Trojan
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/7842e95d206e9be0b749d35de0e076b95fd59abbca814a3f0c60bbfdf104779c

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_EXE_Packed_ConfuserExMod_BedsProtector
Create hunting rule
Author:ditekSHen
Description:Detects executables packed with ConfuserEx Mod Beds Protector
Rule name:Keylog_bin_mem
Create hunting rule
Author:James_inthe_box
Description:Contains Keylog
Rule name:MALWARE_Win_SnakeKeylogger
Create hunting rule
Author:ditekSHen
Description:Detects Snake Keylogger

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

SnakeKeylogger

Executable exe 7842e95d206e9be0b749d35de0e076b95fd59abbca814a3f0c60bbfdf104779c

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/1011559/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/117237/

Comments