MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 8c366ee263db756db2648d00eb615b16fc8b92262f8bdf7d3269267eb1382cb0. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


SnakeKeylogger


Vendor detections: 7


Intelligence 7 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 8c366ee263db756db2648d00eb615b16fc8b92262f8bdf7d3269267eb1382cb0
SHA3-384 hash: 0d9a996998d04ec8990f3118bc4b37315b98095300ae47d3a90d5f6ca015a14a460efe26451f3ce0a33ad437fa7547a6
SHA1 hash: 4bf9d3822fa16a2d0236148579ca731691b6a04a
MD5 hash: 996f359f5dd7179ac1c3a50d6337935d
humanhash: music-nineteen-sierra-black
File name:996f359f5dd7179ac1c3a50d6337935d.exe
Download: download sample
Signature SnakeKeylogger
Create hunting rule
File size:870'912 bytes
First seen:2021-07-12 08:40:41 UTC
Last seen:2021-07-12 09:58:55 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'740 x AgentTesla, 19'600 x Formbook, 12'241 x SnakeKeylogger)
ssdeep 12288:ORnV8bzQqmNsBODXyqU/7sDXmqPcUVtyP1PaYgEuzvrRPObRNzHfX4nr+ccB:IqbgNsBcyqbrUUy9Pa0g+
Threatray 201 similar samples on MalwareBazaar
TLSH T128055A9836302D9EC912C9759DA49C30F721EC63078796A370873DBBB9FD6968E043B5
Reporter abuse_ch
Tags:exe SnakeKeylogger

Intelligence

File Origin
# of uploads :
2
# of downloads :
125
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
RFQ 110739914MCH.doc
Verdict:
Malicious activity
Analysis date:
2021-07-12 06:22:55 UTC
Tags:
ole-embedded loader evasion trojan
Link:
https://app.any.run/tasks/bf42793f-9e15-4262-9847-8887f883d823

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/170984/
Detection(s):
SecuriteInfo.com.Trojan.DownLoader40.36446.2108.8313.UNOFFICIAL
Create hunting rule

Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/4a87384f-9161-465a-afc7-48a0057d76ef
Result
Threat name:
Snake Keylogger
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/814640
Signature
.NET source code references suspicious native API functions
Found malware configuration
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
May check the online IP address of the machine
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Mail credentials (via file access)
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected AntiVM3
Yara detected Snake Keylogger
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/8c366ee263db756db2648d00eb615b16fc8b92262f8bdf7d3269267eb1382cb0/
Threat name:
ByteCode-MSIL.Packed.Generic
Create hunting rule
Status:
Suspicious
First seen:
2021-07-12 02:03:27 UTC
AV detection:
7 of 46 (15.22%)
Threat level:
  1/5
Verdict:
malicious
Similar samples:
18143a1b4315ecaad0f887b3ae467aaffcb85e5eafa8502a8c179151746af7cc
SnakeKeylogger
333b05f9732e8516f6c557115b9f88b53b13f9b0d473d58ad33f0bdf4b937fe9
SnakeKeylogger
456a207ab8eb1c3504c9e187d3a9bfab0509212acb329f1c820c1aa4b977e584
SnakeKeylogger
71d43dd5594e4d74bc9c4e79f13089f1f8938831f8155c49025d634cb9ab2423
SnakeKeylogger
af9106047d3438d552b682513293bba89c20d49ecce9d535b9e136b91f640a7b
SnakeKeylogger
d935261d62e1721db7f65671dc26c56c532b98d8b3335fce23455b2404a39ed2
SnakeKeylogger
f99002091475b0c5f423e2d9efe182de66019616c5fda6205efc3d9bd2f5ff45
SnakeKeylogger
+ 191 additional samples on MalwareBazaar
Result
Malware family:
snakekeylogger
Create hunting rule
Score:
  10/10
Tags:
family:snakekeylogger keylogger spyware stealer
Link:
https://tria.ge/reports/210712-da46kvbj1a/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Looks up external IP address via web service
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Snake Keylogger
Malware Config
C2 Extraction:
https://api.telegram.org/bot1703140104:AAE3Szc_iHGBeJ3wEbwNfKbwlIo-yu5Meus/sendMessage?chat_id=1755939698
Unpacked files
SH256 hash:
9b85c6bb673aae94163dbe7edf017f12953f0a325e71de72b38b666ecd902213
MD5 hash:
714958633b93631f22032aa9164b74cd
SHA1 hash:
77bc8569dca48043b32b2029bc30ac31c45c110b
Link:
https://www.unpac.me/results/6e166806-d8b3-434b-8c53-cc064b216908/
SH256 hash:
0bd1b299e3409cd1981db9e55031058a7290162e446df066598ea2839e53e942
MD5 hash:
66213d302a8052fc3e3e98d1f606efa2
SHA1 hash:
3e26a52fdc324722928f04563a0ab9640e4310b1
Link:
https://www.unpac.me/results/6e166806-d8b3-434b-8c53-cc064b216908/
SH256 hash:
607a02a79ca239e57bbbc95bdbb1193c53edd521582775269eaa35dd9a7565c1
MD5 hash:
d38a076e64d5c1ba2969228235c79426
SHA1 hash:
363deac250f0270ffdf74e75567b3a545b67b2ff
Link:
https://www.unpac.me/results/6e166806-d8b3-434b-8c53-cc064b216908/
SH256 hash:
8c366ee263db756db2648d00eb615b16fc8b92262f8bdf7d3269267eb1382cb0
MD5 hash:
996f359f5dd7179ac1c3a50d6337935d
SHA1 hash:
4bf9d3822fa16a2d0236148579ca731691b6a04a
Link:
https://www.unpac.me/results/6e166806-d8b3-434b-8c53-cc064b216908/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/8c366ee263db756db2648d00eb615b16fc8b92262f8bdf7d3269267eb1382cb0

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_SUSPICIOUS_Stomped_PECompilation_Timestamp_InTheFuture
Create hunting rule
Author:ditekSHen
Description:Detect executables with stomped PE compilation timestamp that is greater than local current time
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

SnakeKeylogger

Executable exe 8c366ee263db756db2648d00eb615b16fc8b92262f8bdf7d3269267eb1382cb0

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/1431625/
  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/1435773/
Cape
Cape
https://www.capesandbox.com/analysis/170984/

Comments