MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 7f83cd291ccbaf7e86cd96fffc54ecdadb4dff972f4ddcb11ca0cdadf9788899. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

SnakeKeylogger

Vendor detections: 15

Intelligence 15 IOCs YARA 3 File information Comments

SHA256 hash:	7f83cd291ccbaf7e86cd96fffc54ecdadb4dff972f4ddcb11ca0cdadf9788899
SHA3-384 hash:	8d28e91e3983fdd9eff9bf080b8d04c6894bbedd78389428d61950e9cfb0b6a8051c6ffffd524b542326f279bb215575
SHA1 hash:	1ae825530cde200bf7613bb777a88403bb3ed32a
MD5 hash:	823dfca231f25263c8f4cad8ac81bbbd
humanhash:	california-romeo-washington-four
File name:	comprovativo.exe
Download:	download sample
Signature	SnakeKeylogger Create hunting rule
File size:	799'232 bytes
First seen:	2023-03-25 13:51:04 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'649 x AgentTesla, 19'452 x Formbook, 12'201 x SnakeKeylogger)
ssdeep	12288:INcsqYIW/XiHuFBZoTXIfRu5DWBrPpZxfZQ3VbZtOK/cwc:g5/rFsck0pRZxYbPOeJ
Threatray	4'805 similar samples on MalwareBazaar
TLSH	T12205230B33978643DA3E4FB54423228003B5B7629C1BEBFD1EA251DD5DD2BB65102BA7
TrID	71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13) 10.2% (.EXE) Win64 Executable (generic) (10523/12/4) 6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 4.3% (.EXE) Win32 Executable (generic) (4505/5/1) 2.0% (.ICL) Windows Icons Library (generic) (2059/9)
File icon (PE):
dhash icon	cec6f4d8f8fce4dc (6 x AgentTesla, 2 x SnakeKeylogger, 1 x Formbook)
Reporter	abuse_ch
Tags:	exe SnakeKeylogger

Intelligence

File Origin

# of uploads :

# of downloads :

219

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

comprovativo.exe

Verdict:

Malicious activity

Analysis date:

2023-03-25 13:53:22 UTC

Tags:

snake keylogger trojan evasion

Link:

https://app.any.run/tasks/553ef6c2-94da-4c43-ba2e-7568fc9a2dd9

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

Snake

Link:

https://www.capesandbox.com/analysis/377388/

Result

Verdict:

Malware

Maliciousness:

Behaviour

Searching for the window

Creating a window

Unauthorized injection to a recently created process

Creating a file

Сreating synchronization primitives

Enabling the 'hidden' option for analyzed file

Moving of the original file

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

comodo jigsaw packed snakekeylogger

Link:

https://www.filescan.io/uploads/641efc82a6b4db3649e8cce6/reports/a879568c-de19-479b-8139-4f9729ba8b7e/overview

Verdict:

Malicious

Labled as:

Win/malicious_confidence_100%

Link:

https://www.hybrid-analysis.com/sample/7f83cd291ccbaf7e86cd96fffc54ecdadb4dff972f4ddcb11ca0cdadf9788899

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Snake Keylogger

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/b662498b-783c-43cf-9510-48e28443bf1e

Result

Threat name:

Snake Keylogger

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1201842

Signature

.NET source code contains potential unpacker

Injects a PE file into a foreign processes

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

May check the online IP address of the machine

Moves itself to temp directory

Multi AV Scanner detection for submitted file

Snort IDS alert for network traffic

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to steal Mail credentials (via file / registry access)

Yara detected Generic Downloader

Yara detected Snake Keylogger

Yara detected Telegram RAT

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/7f83cd291ccbaf7e86cd96fffc54ecdadb4dff972f4ddcb11ca0cdadf9788899/

Threat name:

ByteCode-MSIL.Trojan.SnakeKeylogger

Status:

Malicious

First seen:

2023-03-22 08:23:04 UTC

File Type:

PE (.Net Exe)

Extracted files:

AV detection:

20 of 24 (83.33%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=p6b42ki4zoxx5bwns377yvhm3lnu374xf5g5zmi4udg236lyrcmq._file

Verdict:

malicious

SnakeKeylogger

48c443ac6d5ba187712c1d8d5ac27d5d23bd4dd718a714c51f3811a751c4346b

SnakeKeylogger

915c681cf24ce5aa5ac24cbe3d9fe1106966ff7467c16a3e7b002e80034da8c9

SnakeKeylogger

95f9e95d6c2b6dfe231ea90328fe3cf312e8026e32e4516bfa75b1e0475f8be7

SnakeKeylogger

b495e348fb0e0544e57737f46f9333a711eaca2cd531a5e8065e96bf274d8690

SnakeKeylogger

be97a51ffa2d24ac0f2eba8eb2bc3ed49057c873d16d8c6b893c84b8670c9a1f

SnakeKeylogger

c02af082fec5a80ac247da9294400c04f338c6b45c75b8d70d9c7e07c35e30b2

SnakeKeylogger

eebe1c81da57309a99fa8cf1a8ef2ef90af6072182ad6b8dd3ceb8a31500bd0c

SnakeKeylogger

f40e6cacd4f125dbe0abe0cf82329cbac03c86cd848e0a8747b8f79381f2569a

SnakeKeylogger

+ 4'795 additional samples on MalwareBazaar

Result

Malware family:

snakekeylogger

Score:

10/10

Tags:

family:snakekeylogger collection keylogger spyware stealer

Link:

https://tria.ge/reports/230325-q6dkksch78/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: RenamesItself

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

outlook_office_path

outlook_win_path

Suspicious use of SetThreadContext

Accesses Microsoft Outlook profiles

Looks up external IP address via web service

Reads data files stored by FTP clients

Reads user/profile data of local email clients

Reads user/profile data of web browsers

Snake Keylogger

Snake Keylogger payload

Unpacked files

SH256 hash:

f63b21d355c8882bedcb7f7e5bc75f85f199593384667d1833e0327d64426d89

MD5 hash:

2408f312cc1bcac48624505fce69772e

SHA1 hash:

997209ceb0866a9f38ca88274063a4b363c4b749

Detections:

snake_keylogger

Link:

https://www.unpac.me/results/dff572fb-51af-4b7c-b822-5de92a05bc39/

Parent samples :

48c443ac6d5ba187712c1d8d5ac27d5d23bd4dd718a714c51f3811a751c4346b
f40e6cacd4f125dbe0abe0cf82329cbac03c86cd848e0a8747b8f79381f2569a
7f83cd291ccbaf7e86cd96fffc54ecdadb4dff972f4ddcb11ca0cdadf9788899
eebe1c81da57309a99fa8cf1a8ef2ef90af6072182ad6b8dd3ceb8a31500bd0c
bc3244dd4f70ddd98c1a2ef63a56fd9dbea3efd25ad7510eb5ff24f178d6f2e7

SH256 hash:

d06df7395d561e198f9b7c5481567116ff2e4c2e84437c018d2a2c8ea6c4ca37

MD5 hash:

0fb6061f7d37424fb9e6d0e76b019c19

SHA1 hash:

98a64bf7b459f032d6ec5793003bf61b5ae1dd74

Link:

https://www.unpac.me/results/dff572fb-51af-4b7c-b822-5de92a05bc39/

Parent samples :

495607b1aef01bf7dfb64b5cb16a8fc0f161c2923627d71c69de97328f8eca3f
2434aa78b46a3afc98fa6e888c3eb56278ba52b0ff800e7e875af9c2e7f9011a

SH256 hash:

67edd4325acc71120abc269e95beaa01d6df7b8d5333597d927085bd9a2170df

MD5 hash:

637e2681d92caa0d793982d80be35500

SHA1 hash:

65de9933869c0098a8c3f541d9eea0d69e429553

Link:

https://www.unpac.me/results/dff572fb-51af-4b7c-b822-5de92a05bc39/

SH256 hash:

74ad8f063d525c163cac54897b7bc16f6d55efe290c56b4fbe5cbda8a9d5a624

MD5 hash:

2c6d8075021fc7a028ea109ba99db453

SHA1 hash:

2230a29f072a7b7fb7661774fbb577d035811fa6

Link:

https://www.unpac.me/results/dff572fb-51af-4b7c-b822-5de92a05bc39/

SH256 hash:

e1feb16a5ef439b478f2915ad878921cdaadbb87d9992dc59f3c4fc5f2a4a74e

MD5 hash:

8bcc89128791f87bf51dee24c444b7f1

SHA1 hash:

1b0c7eaa9a7ab41c4b7adc69b59dbf915e950612

Link:

https://www.unpac.me/results/dff572fb-51af-4b7c-b822-5de92a05bc39/

SH256 hash:

7f83cd291ccbaf7e86cd96fffc54ecdadb4dff972f4ddcb11ca0cdadf9788899

MD5 hash:

823dfca231f25263c8f4cad8ac81bbbd

SHA1 hash:

1ae825530cde200bf7613bb777a88403bb3ed32a

Link:

https://www.unpac.me/results/dff572fb-51af-4b7c-b822-5de92a05bc39/

Malware family:

SnakeKeylogger

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/7f83cd291ccb/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Suspicious File

Score:

0.45

Link:

https://yomi.yoroi.company/submissions/7f83cd291ccbaf7e86cd96fffc54ecdadb4dff972f4ddcb11ca0cdadf9788899

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	INDICATOR_EXE_Packed_SmartAssembly Create hunting rule
Author:	ditekSHen
Description:	Detects executables packed with SmartAssembly

Rule name:	pe_imphash Create hunting rule

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

SnakeKeylogger

exe 7f83cd291ccbaf7e86cd96fffc54ecdadb4dff972f4ddcb11ca0cdadf9788899

(this sample)

Delivery method

Distributed via e-mail attachment

Cape

https://www.capesandbox.com/analysis/377388/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample