MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 8247b8fabf058c2b719647eb01a5dc0f72da5df5730f6152909f12d9cd1aaf50. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

SnakeKeylogger

Vendor detections: 13

Intelligence 13 IOCs YARA 3 File information Comments

SHA256 hash:	8247b8fabf058c2b719647eb01a5dc0f72da5df5730f6152909f12d9cd1aaf50
SHA3-384 hash:	01d219bac8236bc873c5a068e6f2e6284bdadbf53d23cf0fac143ebaff2251ee21d170fe262ae98f78113762dcb13989
SHA1 hash:	fd66a99d3ec26102417782c77972e56d41b588ac
MD5 hash:	e7720ec3068799c88b1457db3c346f80
humanhash:	nevada-eighteen-freddie-vermont
File name:	Swift Copy.exe
Download:	download sample
Signature	SnakeKeylogger Create hunting rule
File size:	446'464 bytes
First seen:	2021-11-24 17:20:51 UTC
Last seen:	2021-11-26 14:14:09 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'663 x AgentTesla, 19'478 x Formbook, 12'208 x SnakeKeylogger)
ssdeep	6144:Ku2/T/Z90Ma/JoRPar67Fy1Sn3FzAZynZtOncIjKXdRNVRoQWQmXTFJC9W4TuJf:KuCMAyr6hOSn3Kw6GRDmXfST
Threatray	3'490 similar samples on MalwareBazaar
TLSH	T13C94022035B1E626C5B65FB6091020C02272F3563A21EB5F7CC9274EAD97F9B4712BB7
Reporter	abuse_ch
Tags:	exe SnakeKeylogger

Intelligence

File Origin

# of uploads :

# of downloads :

119

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

Swift Copy.exe

Verdict:

Malicious activity

Analysis date:

2021-11-24 21:26:50 UTC

Tags:

evasion trojan snakekeylogger keylogger

Link:

https://app.any.run/tasks/952c697c-d0ee-43e0-bda8-f0d9919816ff

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Gathering data

Detection(s):

SecuriteInfo.com.Trojan.DownLoader44.5140.6076.22534.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

DNS request

Sending a custom TCP request

Unauthorized injection to a recently created process

Creating a file

Сreating synchronization primitives

Sending an HTTP GET request

Searching for synchronization primitives

Launching the default Windows debugger (dwwin.exe)

Verdict:

Suspicious

Threat level:

5/10

Confidence:

100%

Tags:

obfuscated packed

Link:

https://www.filescan.io/uploads/619e748502c80febc2a8500f/reports/5a1507c9-c978-4287-8df2-469d4ff6bfc3/overview

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/a6a46250-7890-4d07-a170-e80f5305094e

Result

Threat name:

Snake Keylogger

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/895702

Signature

.NET source code contains potential unpacker

.NET source code references suspicious native API functions

Found malware configuration

Malicious sample detected (through community Yara rule)

May check the online IP address of the machine

Multi AV Scanner detection for submitted file

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to steal Mail credentials (via file / registry access)

Yara detected AntiVM3

Yara detected Snake Keylogger

Yara detected Telegram RAT

Behaviour

Behavior Graph:

Download SVG

Detection:

snakekeylogger

Link:

https://mwdb.cert.pl/sample/8247b8fabf058c2b719647eb01a5dc0f72da5df5730f6152909f12d9cd1aaf50/

Threat name:

ByteCode-MSIL.Trojan.AgentTesla

Status:

Malicious

First seen:

2021-11-24 17:21:13 UTC

File Type:

PE (.Net Exe)

Extracted files:

AV detection:

28 of 45 (62.22%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=qjd3r6v7awgcw4mwi7vqdjo4b5znuxpvomhwcuuqt4jntti2v5ia._file

Verdict:

malicious

SnakeKeylogger

332eb007a5e9b3e603bcd8546505d6df1b480ab032f772f5a24730c4cc6edfc5

SnakeKeylogger

5ac0a81948f9bf3845025aefd2feef8718dc5449d514d14504fca5506afec718

SnakeKeylogger

609924bb2e3350f494553b8a7e91916766dae319d2b17550c8d97b403fc00794

SnakeKeylogger

76027f253ef7f7754a5813d939e23abaf53fe4bc4478d3f80bd09eada7419a49

SnakeKeylogger

7e64709cb86a58132d712f270d5672cd189bac61209b5ea91bda06ef57b27f38

SnakeKeylogger

c548dad95ac675b91f85bd61a65f9cb7c8b7c2eae15144fba8a3cb76a79d0a9f

SnakeKeylogger

c73a8629499a2e95adf6ec545b360f49d607fb8b737ab5a26020d54b37df8b8d

SnakeKeylogger

df623c9ac537de8028b61717582bf71ee72949fc825da23c1167889454980f4b

SnakeKeylogger

eb32a115d874dab8256fa421689972b524c7128e191990866455cf39c107bc9f

SnakeKeylogger

+ 3'480 additional samples on MalwareBazaar

Result

Malware family:

snakekeylogger

Score:

10/10

Tags:

family:snakekeylogger collection keylogger spyware stealer

Link:

https://tria.ge/reports/211124-vwz32sgeb2/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

outlook_office_path

outlook_win_path

Suspicious use of SetThreadContext

Accesses Microsoft Outlook profiles

Looks up external IP address via web service

Reads data files stored by FTP clients

Reads user/profile data of local email clients

Reads user/profile data of web browsers

Snake Keylogger

Unpacked files

SH256 hash:

3cc9f3198ff0187592d192bd126c7f7eceec73b9ed297364b953dfae4a48d0c2

MD5 hash:

a998cad722f6a44579297774eaf04be5

SHA1 hash:

f107af564724c7227135d34c1b92f04001878a3a

Link:

https://www.unpac.me/results/9a40f2c1-90e1-43ac-947f-717879642ab8/

SH256 hash:

32666df6e6991ec001f918c6d3482e9ae55b22ddb9a09ddead4d129426ccaa3f

MD5 hash:

2ec7361ac794041d9ba0110d2656df8a

SHA1 hash:

b78229ed55843e88282bd01c0de4ca86794cf8d9

Link:

https://www.unpac.me/results/9a40f2c1-90e1-43ac-947f-717879642ab8/

SH256 hash:

302ac54c94e8bdb12b7fdaeef76e2b936e0294ea5b1ced38c6da51ef50c3067e

MD5 hash:

d1a58ca8f82c480763bfa3205e80b770

SHA1 hash:

7b23287d165b2dae07ead2625bd4e1e525d27a1b

Link:

https://www.unpac.me/results/9a40f2c1-90e1-43ac-947f-717879642ab8/

SH256 hash:

8247b8fabf058c2b719647eb01a5dc0f72da5df5730f6152909f12d9cd1aaf50

MD5 hash:

e7720ec3068799c88b1457db3c346f80

SHA1 hash:

fd66a99d3ec26102417782c77972e56d41b588ac

Link:

https://www.unpac.me/results/9a40f2c1-90e1-43ac-947f-717879642ab8/

Malware family:

Phoenix

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/8247b8fabf05/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Suspicious File

Score:

0.65

Link:

https://yomi.yoroi.company/submissions/8247b8fabf058c2b719647eb01a5dc0f72da5df5730f6152909f12d9cd1aaf50

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	pe_imphash Create hunting rule

Rule name:	pe_imphash Create hunting rule

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/209079/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample