MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 7c4e62b2ffd08f20ae8ecd5b5b72bf2cb84d8b02c73132f1c2bfb190b244bea9. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


SnakeKeylogger


Vendor detections: 15


Intelligence 15 IOCs YARA 2 File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 7c4e62b2ffd08f20ae8ecd5b5b72bf2cb84d8b02c73132f1c2bfb190b244bea9
SHA3-384 hash: c34297f905c6e5b2da360659266e27590965721b152ede813ae4e43aafe915632746eef90caa154505ea3ec55003b1d7
SHA1 hash: e149ee87ecffbebcc0752440276df0e9772f1524
MD5 hash: 24c3182fe7d5927f44671b2b5e04253a
humanhash: illinois-aspen-floor-rugby
File name:24c3182fe7d5927f44671b2b5e04253a
Download: download sample
Signature SnakeKeylogger
Create hunting rule
File size:797'184 bytes
First seen:2022-09-19 10:17:44 UTC
Last seen:2022-10-07 12:29:16 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'650 x AgentTesla, 19'462 x Formbook, 12'203 x SnakeKeylogger)
ssdeep 12288:XdjcbLrnYTj82uiBrEtEeS2x1SI9Uxc5ntzX0iWdOa+m9+h3GU:yUP8LilQEIASGc5nNX0iWdOa+m0lGU
Threatray 4'202 similar samples on MalwareBazaar
TLSH T10105D028127AC907C869A535C9C2F2715EF85EC1C36FC64B48D83D67F23B3D869923A5
TrID 72.5% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.4% (.EXE) Win64 Executable (generic) (10523/12/4)
6.5% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.4% (.EXE) Win32 Executable (generic) (4505/5/1)
2.0% (.EXE) OS/2 Executable (generic) (2029/13)
File icon (PE):PE icon
dhash icon 8a1332e8aacc4db2 (8 x Formbook, 7 x AgentTesla, 6 x SnakeKeylogger)
Reporter zbetcheckin
Tags:32 exe SnakeKeylogger

Intelligence

File Origin
# of uploads :
4
# of downloads :
272
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
24c3182fe7d5927f44671b2b5e04253a
Verdict:
Malicious activity
Analysis date:
2022-09-19 10:18:54 UTC
Tags:
trojan evasion snake
Link:
https://app.any.run/tasks/6088a43a-9bec-47db-97ed-203f47057cdb

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/311287/
Detection(s):
SecuriteInfo.com.Trojan.MSIL.Basic.5.Gen.19745.21903.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Unauthorized injection to a recently created process
Creating a file
Сreating synchronization primitives
DNS request
Sending an HTTP GET request
Launching the default Windows debugger (dwwin.exe)
Creating a process with a hidden window
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
packed
Link:
https://www.filescan.io/uploads/632842260c8f1d28a174adca/reports/130a37b8-b659-4c23-a55b-9ac188c3a553/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Snake Keylogger
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/1a288eef-2004-49c0-937e-0bd823a04988
Result
Threat name:
Snake Keylogger
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1072881
Signature
.NET source code contains potential unpacker
.NET source code references suspicious native API functions
Injects a PE file into a foreign processes
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
May check the online IP address of the machine
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Mail credentials (via file / registry access)
Yara detected AntiVM3
Yara detected Generic Downloader
Yara detected Snake Keylogger
Yara detected Telegram RAT
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/7c4e62b2ffd08f20ae8ecd5b5b72bf2cb84d8b02c73132f1c2bfb190b244bea9/
Threat name:
ByteCode-MSIL.Trojan.Woreflint
Create hunting rule
Status:
Malicious
First seen:
2022-09-19 10:18:09 UTC
File Type:
PE (.Net Exe)
Extracted files:
21
AV detection:
18 of 25 (72.00%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=prhgfmx72chsbluozvnvw4v7fs4e3cycy4ytf4ocx6yzbmsex2uq._file
Verdict:
malicious
Similar samples:
09aabf6102314020a70d0f9dcc600122ef1eb809c1c3ec9fd37e10380cc3e048
SnakeKeylogger
1f09f9e9d4ea093344c49438bdb3dc3f65f0183f3743c7994353a90e7969605d
SnakeKeylogger
1f5f9b2d9867afa54498f1b84493d49d0ee68f42ef0aa55e9f4ca21aabf898c3
SnakeKeylogger
2201eda7898979f08187156740f0e2b9012da6d51f0905c3122b95c39bade49f
SnakeKeylogger
5e5878e7c89a666a6f6c0f3ad414a7c3d47c85d8bab613343b531ef552127ee8
SnakeKeylogger
b87b92dec8cd199febbd1f3c70605cbd0af9acc260c054fbe0b7c807f8f130d7
SnakeKeylogger
c61fef7fcacfba05be6a0c2527cdde790b4a57dde45b53168fb6c415fcf2b174
SnakeKeylogger
f21713f098ba22b69b0303da4fe32dda9e1290f2d5986b9ff18cdd7de6f5d0ca
SnakeKeylogger
+ 4'192 additional samples on MalwareBazaar
Result
Malware family:
snakekeylogger
Create hunting rule
Score:
  10/10
Tags:
family:snakekeylogger collection keylogger spyware stealer
Link:
https://tria.ge/reports/220919-mbyeqagccr/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Program crash
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Looks up external IP address via web service
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Snake Keylogger
Snake Keylogger payload
Verdict:
Suspicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/0808e085-b407-435f-a29e-94a0485ddb38
Unpacked files
SH256 hash:
c1f59c85a4b459d7ebd32cd5771315150b0249c43e799472246f1129085493d4
MD5 hash:
c9cd48fc84f29dfe8f7b256565b6ff19
SHA1 hash:
ac90f789b0894b5afe43d154e0b5744a1cbe0d59
Link:
https://www.unpac.me/results/267eb983-0115-4d68-9c55-a622986579a7/
SH256 hash:
f8ce416f4d4211f9352c9865cbd7ec7db34af73c493e7056d942d1500337dee7
MD5 hash:
64fec4ef6880f77e7c84413533f08fa6
SHA1 hash:
59aa4daf100829fef494e247a4224fa512a703df
Link:
https://www.unpac.me/results/267eb983-0115-4d68-9c55-a622986579a7/
SH256 hash:
8d1ce88458ef8180fe448d9920f918a03d185fb9aa89f26533935f355dc2543e
MD5 hash:
9f7f62e66529af1f1d764f5b2b697e06
SHA1 hash:
5076b986ca5ca2616736150be392263fd1e4d5ba
Link:
https://www.unpac.me/results/267eb983-0115-4d68-9c55-a622986579a7/
SH256 hash:
44c50087cbd9a86677ff5b898c1ad52abf5f25297179a174edcc8b81dec967fc
MD5 hash:
d012ba9057bf67c7f29871326f2af919
SHA1 hash:
1d5b8b512b37f0e1900496b578117082929654c7
Link:
https://www.unpac.me/results/267eb983-0115-4d68-9c55-a622986579a7/
SH256 hash:
098e485ccaf6a546cfc4ee09b5a0c71dc519f0856a7fa7c10aa63fdf5caa0573
MD5 hash:
f5cbe4dd04a9dca084f77991bae046a1
SHA1 hash:
030d6a59e2039a4734ad7539f4a27fea2b87d311
Detections:
snake_keylogger
Create hunting rule
Link:
https://www.unpac.me/results/267eb983-0115-4d68-9c55-a622986579a7/
Parent samples :
722a3599f70c013fe933904f6b7e64e5a4c4db633dc1940fd1f58961de4c9e07
997dfa9474f19f973c4161f7cfa03d778f4f8c0875c6834c1b2dd8e42c289bc3
7c4e62b2ffd08f20ae8ecd5b5b72bf2cb84d8b02c73132f1c2bfb190b244bea9
ae9ff33302c6861dbbdde05eb447b31fd3bcf4623bf2ee483f89b262f025204f
3d3d04e0b7d813c8a0a409488de8719baead684b8933341c5ae11665430c5536
fce934785376740013926628485b6419b7d4121f352141b64ca0086697d85e30
39abea1ed0ef8a5ec1da5e7f40879078658f66bf0a5ee1eb9e8669ce3e4b2e12
28aa1235f6c39d3a215b012550aba8702b6f1aac0b3e523882a73babe7b6f91e
SH256 hash:
7c4e62b2ffd08f20ae8ecd5b5b72bf2cb84d8b02c73132f1c2bfb190b244bea9
MD5 hash:
24c3182fe7d5927f44671b2b5e04253a
SHA1 hash:
e149ee87ecffbebcc0752440276df0e9772f1524
Link:
https://www.unpac.me/results/267eb983-0115-4d68-9c55-a622986579a7/
Malware family:
SnakeKeylogger
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/7c4e62b2ffd0/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.65
Link:
https://yomi.yoroi.company/submissions/7c4e62b2ffd08f20ae8ecd5b5b72bf2cb84d8b02c73132f1c2bfb190b244bea9

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

SnakeKeylogger

Executable exe 7c4e62b2ffd08f20ae8ecd5b5b72bf2cb84d8b02c73132f1c2bfb190b244bea9

(this sample)

  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/2307369/
Cape
Cape
https://www.capesandbox.com/analysis/311287/

Comments


Avatar
zbet commented on 2022-09-19 10:17:49 UTC

url : hxxp://192.3.141.148/dad/dad.exe