MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 8c4c8b12dbf0db3ab592dec00177954ae0c044852ee56037d238b490ef2eae1f. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


SnakeKeylogger


Vendor detections: 7


Intelligence 7 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 8c4c8b12dbf0db3ab592dec00177954ae0c044852ee56037d238b490ef2eae1f
SHA3-384 hash: 4c60395eeae4abff94b70c81c921c46e5e955cdf413eff127aeb16bfa63e29424d7f90eafffb87fd6af83bd490e00276
SHA1 hash: aa5072f6aebfe53d8f5eea79ad8afb368f199742
MD5 hash: 75f116e60057739a7640df718171801a
humanhash: moon-mockingbird-louisiana-sad
File name:RFQ file_pdf.exe
Download: download sample
Signature SnakeKeylogger
Create hunting rule
File size:1'031'168 bytes
First seen:2021-02-22 06:37:06 UTC
Last seen:2021-02-22 15:08:52 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'657 x AgentTesla, 19'469 x Formbook, 12'208 x SnakeKeylogger)
ssdeep 24576:SfJ9+kF3PmTq1FjkRW46fKSDZ1MAg0fb:gzY0lkeisZC0
Threatray 24 similar samples on MalwareBazaar
TLSH 7225AE026B88EFACE07EA7355024964E9BF5B512E325ED0F7DD621EF0D61F808751A23
Reporter abuse_ch
Tags:exe SnakeKeylogger


Avatar
abuse_ch
Malspam distributing SnakeKeylogger:

HELO: mail.leisurepr.co.uk
Sending IP: 78.137.122.87
From: Madiha Rasheed <madha@technogroupllc.com>
Subject: REQUEST FOR QUOTATION!!
Attachment: RFQ file_pdf.gz (contains "RFQ file_pdf.exe")

Intelligence

File Origin
# of uploads :
3
# of downloads :
93
Origin country :
n/a
Vendor Threat Intelligence
Detection:
Snake
Create hunting rule
Link:
https://www.capesandbox.com/analysis/118182/
Detection(s):
SecuriteInfo.com.Win32.17064.15809.UNOFFICIAL
Create hunting rule

Result
Verdict:
Clean
Maliciousness:

Behaviour
Creating a window
Sending a UDP request
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
Snake Keylogger
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/613648
Signature
.NET source code contains potential unpacker
.NET source code contains very large strings
Found malware configuration
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
May check the online IP address of the machine
Multi AV Scanner detection for submitted file
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file access)
Yara detected AntiVM_3
Yara detected Beds Obfuscator
Yara detected Snake Keylogger
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/8c4c8b12dbf0db3ab592dec00177954ae0c044852ee56037d238b490ef2eae1f/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2021-02-22 06:08:17 UTC
AV detection:
7 of 46 (15.22%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=rrgiwew36dntvnms33aac54vjlqmareff3swan6shc2jb3zovypq._file
Verdict:
malicious
Similar samples:
4fc219b61d4c1ec456ac76af0a82dcfde187dcab2b015a277c6ee96b04930091
SnakeKeylogger
5a0aa498e1f4e70b6447e6183926f91e39f162cb15f8bc97232ca5cd0ce5a625
SnakeKeylogger
8e4431d4a51d7fe22c1fba157abfbd47249cc0ef0abe980e099ff3002839c777
SnakeKeylogger
9f381cb9a41c723dddeca49ce454e720d3d211968eeef082073cfc531ae361f4
SnakeKeylogger
c2ccef24c19ee0890b6125f7de60b1e048dfa7da47766d1767e698e63ac08d83
SnakeKeylogger
cc84debcfc3e30a4b682bb53e028acb0a75d56607ab25b2418797f65a7e6efb7
SnakeKeylogger
e1103e6f026f85275a21a6263a141142a733a222c923fa7232c4c9935681e91d
SnakeKeylogger
e3f68e3679fc2ab587e712ce137e107318ebaa6bd5e724a76200bb10c945312b
SnakeKeylogger
e5ff1fccc213b922956415d980bbbf9318b17834761d629b23448ab14868812e
SnakeKeylogger
fc95c84eb428f263fef3220d512a2f602570f2acb41a46114244c30af48fd51b
SnakeKeylogger
+ 14 additional samples on MalwareBazaar
Result
Malware family:
snakekeylogger
Create hunting rule
Score:
  10/10
Tags:
family:snakekeylogger evasion keylogger spyware stealer
Link:
https://tria.ge/reports/210222-99la71ctp2/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Looks up external IP address via web service
Maps connected drives based on registry
Checks BIOS information in registry
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Looks for VMWare Tools registry key
Looks for VirtualBox Guest Additions in registry
Snake Keylogger
Snake Keylogger Payload
Unpacked files
SH256 hash:
e624003658c4f8b349f567c82229fd15d1e63d3d20fe6f7b4388403038cd2a44
MD5 hash:
b6ce7c1d81b9271eab825ea63de154c3
SHA1 hash:
0e7b89555314f8908c1098b652c9bf50e5ecc27b
Link:
https://www.unpac.me/results/1a325924-0773-4f1a-a140-d97f28a26d5a/
SH256 hash:
8c4c8b12dbf0db3ab592dec00177954ae0c044852ee56037d238b490ef2eae1f
MD5 hash:
75f116e60057739a7640df718171801a
SHA1 hash:
aa5072f6aebfe53d8f5eea79ad8afb368f199742
Link:
https://www.unpac.me/results/1a325924-0773-4f1a-a140-d97f28a26d5a/
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_EXE_Packed_ConfuserExMod_BedsProtector
Create hunting rule
Author:ditekSHen
Description:Detects executables packed with ConfuserEx Mod Beds Protector
Rule name:Keylog_bin_mem
Create hunting rule
Author:James_inthe_box
Description:Contains Keylog
Rule name:MALWARE_Win_SnakeKeylogger
Create hunting rule
Author:ditekSHen
Description:Detects Snake Keylogger

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

SnakeKeylogger

gz d13d32cd3382a8b141ef98577a7bb13faa1de094826055fe218e3de62599edb4

SnakeKeylogger

Executable exe 8c4c8b12dbf0db3ab592dec00177954ae0c044852ee56037d238b490ef2eae1f

(this sample)

  
Dropped by
MD5 8e2ccb6a06cc9d8d276dc41acbe08770
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/118182/
  
Dropped by
SHA256 d13d32cd3382a8b141ef98577a7bb13faa1de094826055fe218e3de62599edb4

Comments