MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 88c532264a75ba3c9c5205753eb35b9f331ab42100fd61ba05516ea03f3afc70. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


SnakeKeylogger


Vendor detections: 7


Intelligence 7 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 88c532264a75ba3c9c5205753eb35b9f331ab42100fd61ba05516ea03f3afc70
SHA3-384 hash: daaa743d34c28b4ed2e4a29e174e7b54b0c4cc357103dfbe74f184c882e81ecdf477631f38c3b5dcae1920632631f04c
SHA1 hash: 32b0d02bdd30c8649d4f8676aeef23cbe4f19019
MD5 hash: 427e21ef958ea63e6a12ce4d8d5a3e55
humanhash: timing-winter-nevada-beer
File name:IMG_5023075401.exe
Download: download sample
Signature SnakeKeylogger
Create hunting rule
File size:359'736 bytes
First seen:2021-04-26 05:50:30 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'663 x AgentTesla, 19'478 x Formbook, 12'208 x SnakeKeylogger)
ssdeep 3072:srQpD+pMEja8V6Tb/uV9q8Nrw6WCSYuXiTqfLG8k8L67T5egZoKpxaWoiF7O86Rx:x8ETb/cjMiTqjVkV9oIjom7OvRRG
Threatray 13 similar samples on MalwareBazaar
TLSH B6748138BDFF6A85C610CE3A26AD715A56E19C58CE8B437BE0D472A47F30CC81A4651F
Reporter abuse_ch
Tags:exe SnakeKeylogger

Intelligence

File Origin
# of uploads :
1
# of downloads :
136
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
IMG_Order List 5023075401.doc
Verdict:
Malicious activity
Analysis date:
2021-04-26 05:22:38 UTC
Tags:
ole-embedded generated-doc exploit CVE-2017-11882
Link:
https://app.any.run/tasks/18c7eed5-7a85-48d2-8c9b-5d8f97185fc9

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/144184/
Detection(s):
SecuriteInfo.com.Artemis427E21EF958E.4320.4964.UNOFFICIAL
Create hunting rule

Result
Verdict:
Clean
Maliciousness:

Behaviour
Sending a UDP request
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
Snake Keylogger
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/697493
Signature
Creates an undocumented autostart registry key
Found malware configuration
Initial sample is a PE file and has a suspicious name
May check the online IP address of the machine
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Mail credentials (via file access)
Yara detected Beds Obfuscator
Yara detected Costura Assembly Loader
Yara detected Snake Keylogger
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/88c532264a75ba3c9c5205753eb35b9f331ab42100fd61ba05516ea03f3afc70/
Threat name:
ByteCode-MSIL.Infostealer.Stelega
Create hunting rule
Status:
Malicious
First seen:
2021-04-26 04:54:49 UTC
AV detection:
5 of 47 (10.64%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=rdctejskow5dzhcsav2t5m23t4zrvnbbad6wdoqfkfxkapz27rya._file
Verdict:
unknown
Similar samples:
21b77d4e21e77ad60d74b7782506a1e793749e2ca1aaad4ce72105e410eb815c
SnakeKeylogger
2e10edfbe7c4a7c9220db55d3c6f921262366908277a5483ff0faf5579e194f4
SnakeKeylogger
3b019e395d076e03b3b4a2d9468d3acb36df69115e059119194fbd8dd6d1dd6b
SnakeKeylogger
804d01bb3f46132f943b3d3434299e5fa3e3dc8cb4c9072444c4b700bb3b3a8c
SnakeKeylogger
aa16652092b758c610542231b70a45feb163bdc9d49dba95889cc565da7eb8cb
SnakeKeylogger
b33514e7b334b8aee694323114c7d2694f3cdb49c7614291ca8f064c23ff8542
SnakeKeylogger
bbd4dd21dde67a96ac02aa9795ce662fa36d4edb90d13f2ffbdeee0d4aea5050
SnakeKeylogger
cdc4491bd85d6a8ad99aa707be5cb333b1a4409b179521718a8da9040984ecad
SnakeKeylogger
d855e36c9867a82537b931f11bf4ed02d05eb2194471e953546cf4fc1cd3a999
SnakeKeylogger
f3ef20b4447a5e1cde6ec9f62b17181027cca796d781b120aa49f2e1aeddd2e5
SnakeKeylogger
+ 3 additional samples on MalwareBazaar
Result
Malware family:
snakekeylogger
Create hunting rule
Score:
  10/10
Tags:
family:snakekeylogger keylogger spyware stealer
Link:
https://tria.ge/reports/210426-hdvaenhmwj/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Looks up external IP address via web service
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Snake Keylogger
Snake Keylogger Payload
Unpacked files
SH256 hash:
ebb4c7a8527658d4f02f6242d0a4a518e5881ac4b89ee7036cc8464214a66811
MD5 hash:
9766c14be8e0d0a3e027c63fa097b55b
SHA1 hash:
c96561c8f8aa14db919676b8e84bccb581436db7
Link:
https://www.unpac.me/results/f0a5fb06-1bfd-4f4a-8385-a6017b51f5a9/
SH256 hash:
0a304c1e5ac6a624ac5aa1a96833142a6fdef79b8ce3750e9932f72b92523f1e
MD5 hash:
64ae637b2ece80d24d3847b82d3d2128
SHA1 hash:
ad45b567ef5ea59e192333998c05098e901b31fc
Link:
https://www.unpac.me/results/f0a5fb06-1bfd-4f4a-8385-a6017b51f5a9/
SH256 hash:
27dee579436cc1acc08182b3af20d2d118dd192abc6b1b822cc642680667e96d
MD5 hash:
068e7bdf93213382dda48cd15a15879b
SHA1 hash:
7d7a831bbbed15d573202801d1178316c85d3def
Link:
https://www.unpac.me/results/f0a5fb06-1bfd-4f4a-8385-a6017b51f5a9/
SH256 hash:
88c532264a75ba3c9c5205753eb35b9f331ab42100fd61ba05516ea03f3afc70
MD5 hash:
427e21ef958ea63e6a12ce4d8d5a3e55
SHA1 hash:
32b0d02bdd30c8649d4f8676aeef23cbe4f19019
Link:
https://www.unpac.me/results/f0a5fb06-1bfd-4f4a-8385-a6017b51f5a9/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/88c532264a75ba3c9c5205753eb35b9f331ab42100fd61ba05516ea03f3afc70

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:dsc
Create hunting rule
Author:Aaron DeVera
Description:Discord domains
Rule name:INDICATOR_KB_CERT_04f131322cc31d92c849fca351d2f141
Create hunting rule
Author:ditekSHen
Description:Detects executables signed with stolen, revoked or invalid certificates
Rule name:INDICATOR_SUSPICIOUS_Stomped_PECompilation_Timestamp_InTheFu
Create hunting rule
Author:ditekSHen
Description:Detect executables with stomped PE compilation timestamp that is greater than local current time

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

SnakeKeylogger

Executable exe 88c532264a75ba3c9c5205753eb35b9f331ab42100fd61ba05516ea03f3afc70

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/1169742/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/144184/

Comments