MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 8c4cee768cd1192f59d56900a165ad1541cd7c567c39ad8a4cd8bee889571b5f. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

SnakeKeylogger

Vendor detections: 13

Intelligence 13 IOCs YARA 1 File information Comments

SHA256 hash:	8c4cee768cd1192f59d56900a165ad1541cd7c567c39ad8a4cd8bee889571b5f
SHA3-384 hash:	96ed1e8b292ebebba3e9d3dd376dd493352c69b4d04d1d28faf274ba65660660aefc518b9e0352aef1e7a62abd4e1585
SHA1 hash:	5ca6e377a60b4d9a4dca1567eda2cb27563625ce
MD5 hash:	ad1ed82db0339586fb7d08b62b2ce4a1
humanhash:	diet-network-shade-hamper
File name:	SFGH09876433456789876-0098.exe
Download:	download sample
Signature	SnakeKeylogger Create hunting rule
File size:	539'795 bytes
First seen:	2023-02-01 08:26:29 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	61259b55b8912888e90f516ca08dc514 (1'059 x Formbook, 741 x AgentTesla, 427 x GuLoader)
ssdeep	6144:/Ya6aIFqHlxukeDB/X/VAqcaO93FlosKzfWfamGnRILKQ997sXHbZ12klBQ/36+p:/YsQqqket//aq25KzfWymGCg6mBQAZkv
TLSH	T155B423607B95C027ECEA45B54E77D9EAF6EBB40305E4694A07600B88BDBF2006D5FB43
TrID	47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13) 15.9% (.EXE) Win64 Executable (generic) (10523/12/4) 9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 7.6% (.EXE) Win16 NE executable (generic) (5038/12/1) 6.8% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):
dhash icon	b2a89c96a2cada72 (2'283 x Formbook, 981 x Loki, 803 x AgentTesla)
Reporter	0xToxin
Tags:	exe SnakeKeylogger

Intelligence

File Origin

# of uploads :

# of downloads :

201

Origin country :

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

SFGH09876433456789876-0098.exe

Verdict:

Malicious activity

Analysis date:

2023-02-01 08:29:37 UTC

Tags:

autoit

Link:

https://app.any.run/tasks/c271b101-5678-4f19-8bcd-f254ed5e5ba1

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/358909/

Result

Verdict:

Malware

Maliciousness:

Behaviour

Searching for the window

Creating a file in the %temp% directory

Creating a window

Creating a process from a recently created file

Сreating synchronization primitives

DNS request

Sending an HTTP GET request

Reading critical registry keys

Unauthorized injection to a recently created process by context flags manipulation

Result

Malware family:

n/a

Score:

5/10

Tags:

n/a

Link:

https://dragonfly.certego.net/analysis/64428/overview

Behaviour

MalwareBazaar

Verdict:

No Threat

Threat level:

2/10

Confidence:

83%

Tags:

overlay packed shell32.dll

Link:

https://www.filescan.io/uploads/63da225b1c9cbf7d62551166/reports/719aa397-b92a-4541-83e6-0a206059b85d/overview

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Formbook

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/c8b80a11-070c-4287-9c94-8d3516657608

Result

Threat name:

Snake Keylogger

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1162999

Signature

.NET source code references suspicious native API functions

Detected unpacking (creates a PE file in dynamic memory)

Machine Learning detection for dropped file

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Maps a DLL or memory area into another process

May check the online IP address of the machine

Multi AV Scanner detection for submitted file

Snort IDS alert for network traffic

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to steal Mail credentials (via file / registry access)

Yara detected Generic Downloader

Yara detected Snake Keylogger

Yara detected Telegram RAT

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/8c4cee768cd1192f59d56900a165ad1541cd7c567c39ad8a4cd8bee889571b5f/

Threat name:

Win32.Packed.Nemesis

Status:

Malicious

First seen:

2023-02-01 08:27:10 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

13 of 26 (50.00%)

Threat level:

1/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=rrgo45um2ems6wovneakcznncva427cwpq423csm3c7orckxdnpq._file

Result

Malware family:

snakekeylogger

Score:

10/10

Tags:

family:snakekeylogger collection keylogger spyware stealer upx

Link:

https://tria.ge/reports/230201-kcfvysce87/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: MapViewOfSection

Suspicious use of AdjustPrivilegeToken

Suspicious use of FindShellTrayWindow

Suspicious use of SendNotifyMessage

Suspicious use of WriteProcessMemory

outlook_office_path

outlook_win_path

Enumerates physical storage devices

Suspicious use of SetThreadContext

Accesses Microsoft Outlook profiles

Looks up external IP address via web service

Loads dropped DLL

Reads data files stored by FTP clients

Reads user/profile data of local email clients

Reads user/profile data of web browsers

Executes dropped EXE

UPX packed file

Snake Keylogger

Snake Keylogger payload

Unpacked files

SH256 hash:

43c5b7fd6c525fc5240de6c1b81d83fa0f06ce28360cbaf808ca850aba486a0a

MD5 hash:

ed0e25afe683d6cd46844298e7c1ebb3

SHA1 hash:

0320580f8586bdca67cb1de49ba708e920871da6

Detections:

snake_keylogger

Link:

https://www.unpac.me/results/1694367c-f7c8-4b1a-bf47-c2fa6a21cb0e/

SH256 hash:

326421d2307ec438181f32c586a648a1a36aaf9a2c7cc2407697535c5154f847

MD5 hash:

a9c770618a3d11583811d2f78505333f

SHA1 hash:

b3be70f2af3b3de5936acb2ead0f95cdeba71150

Detections:

snake_keylogger

Link:

https://www.unpac.me/results/1694367c-f7c8-4b1a-bf47-c2fa6a21cb0e/

Parent samples :

46bfebe7ffd387d099666f45f5929e5db96cb5543b1991a29aa4c541c32f8542
8c4cee768cd1192f59d56900a165ad1541cd7c567c39ad8a4cd8bee889571b5f
f3b007849f67bec665e7d2055762802fd0d87fb1020fb7a2459306109c6ccf4f
5f16e8c1fef7f5f311b814b10f7b9e9b1ec3c204075fb8bb48ac207e256ea208
326421d2307ec438181f32c586a648a1a36aaf9a2c7cc2407697535c5154f847
4c922d132ec224cbbb1e367ed7fd10c7eb04f0d50007eae3ebe1b77866084c7b
480fb8507176e7ab166f14cdc41e7d2d887555a8327800e989a5b07ec4ac7a2b
34b9ab12c430ce458e3b1236115b18ca267b7876f853aa3e353c2e4d63300b47
0cba5aa5d28e18f2fbdbe749950d645bac7037fdc138c3b75ee06120ced809ab
8050e8b876abe28d529d09660615dbef045d25037307db84c645c7ed515df089
c591ec47c2b8daa5036cb079a83f61d1e02bb9bb340723d3e6b9290f80e5f64f
e4725b74ef0918aa1d0a812227ae9bc593528841c61bfa4db312c35158d77592
15fdf335aa7b720d7ae187afe07af4de7ff71092dd06934e0f3f61b0b642bc39
bedbc46bb0550879158a1ed1a754614695bfe4bb8a86518fe75a4a087b1f329e
3cc1eefece073953c78de9ca7c56bd3bce3ebc5268cb708ed3531c00f3154c18
98536221ae4e88e5e4348cffe9d94364f4e985632eb18f59d7ff0d685ac3395a
fac3d893e2a1e4bb7bca111e12f5bc52f8fbde33d8dc16163ebc79253b19829a
0153ff636ce46ec97121df71b82e33f41f376af7417070c75d5a0b41cbba18b2
dc1fac12b351fb002bdb989e60717c36e2bd50c6c96b449fbffeb347c47622a5
9489bbf4b51b344c381683f04c60d7f6d73580af9b9e9b2b6dc395a0138f89f9
1e9975aa70df2b52041c743f18403e227dc5bef87084950bce1f101cdbdefdd0
4208a88c74cfe1d05b7d8ca52eb0de4188adfbe33eaba4c2813ead8d0e623019
5aea8925bd335299eb81aaa178cf00327ca0fc1e7ca4ffe2826a029e18b6f801
d06f8c0ba7041cb8739cbf7458c60c6c637f3159189ea668fa3df7200a4a82a6
8b05ac7b62b49b7336f6c71833e0e5b9589df9996244789ed0bb74fe2b2d4f16
e9ca300e5f48557e95213ca62c5db6b3484644a1c32f10eb5ff2c49be53c5919
005eb1d8df310f308e9ac99c488ea415174fd9aff3fc875117b056e535d08271
54492f6c2f298dd366978c41c40e603dc981e871d8fbbef854077652f787dde5
2cc05a83d9bae4890c799ba335dc05f97cae4eae5e4ca3a544db39bf12c66b04
b4b38d7d62a408e89a3c7c0157405cf65862ddb6a1fb23a931311a468d051890
e45030071efb40774095252901b94b14010a11daad0c3009e3bfe5a01c2fb869
946dd49393625df5156b51438635cb31a56ed40b440a8ccccce7b2c3cfb26a0e
8908ae87539b2b7e91a28201d9e760a9c646b89db43873ee9e0807e55c9e082b
cf236299167c0c88614c131ecdad1215151c1785aa07baa6426e6459bb3236e5

SH256 hash:

e439f02b72a882498d512689f380e1323c4d8342578fe8608e81061cf4a8aee1

MD5 hash:

3d90ab79b9719aded136b7cd437ebb21

SHA1 hash:

dbec6e868a293cb0bd58d35191b1423ab8942384

Link:

https://www.unpac.me/results/1694367c-f7c8-4b1a-bf47-c2fa6a21cb0e/

Parent samples :

90e38d684c63fee4e5d7bdd16c4409022bf9edfc7cf266b9e49936962ce37b03
24fca3cd8aad055b2284fdf5c0cd73642b88bb19de7c3137361e46529da5b67f
8a2edeef9978d454882bfb233d9cd77505618b854f7899b27aeb095ff8ebb3f4
cc7cb2ebb12103aea621ec7962819aced4680b4322bc213a9257b36c8f2dab3e
cfa0a176bad0046bd498a5a7f5140ca92734b096c541a54acd1b002f228ec47c
22f34cc0b56ea1709b3af15b41b43fc40fca2b77debb8400108d3f517ee2ed4a
607e8a91c76f444784c2cbc1090cf8724d882d9861641a1f6e0de6b2b9401859
2de4a8c16d3643a3c58c63f4e7df2836919316635c05718dac1e474b6eb7fe29
ec61895ef8af01ff00970e46f7ba98c24bf9079d71e09d3c18576f1a9efc93c2
c1955052a26634f3571423dc64d3fd10c55fdb27f29eb3afd292787693ffcf91
4d4f7a1cb34d5309e1c82e7110209c974a08b3e82eaaf7799d7d9a3a176132ca
48860a4eb801109046a591d18809b1ff3e2b658f2a09c6fb36c4948cb88eb939
08ec22dd1d931a9d4194d5e46bc42914e62227c11e9fedce2175fe6a53eb4f92
6bef7c9809b35c7a2111872544e68aa29b8323f5936b6b1122c5f4138cf6e1e8
7e18e5fe9e980c48ad67cc2ce7423e818e15c1256e2ffe4ce85c5cfbd5b30877
5dbc3e721cd340dd80bfa7d0127d920f5f2630aa4b3b3ecfb8d2af9f28f0e208
4fe8bbc88d7a8cc0eec24bd74951f1f00b5127e3899ae53de8dabd6ff417e6db
6b6676267c70fbeb3257f0bb9bce1587f0bdec621238eb32dd9f84b2bcd7e3ea
1ffa8b06cb779360f8c42ccd4527ae3076d25d11b3a90976f04ea430173e9b85
e92f111b8aa01289f72c66585219861e0117c9939de56741cbb234fee55536fe
b69687c4b9aa0c1599840ea90562d3833367e8095addfc725fc2b52fad6ee565

SH256 hash:

8c4cee768cd1192f59d56900a165ad1541cd7c567c39ad8a4cd8bee889571b5f

MD5 hash:

ad1ed82db0339586fb7d08b62b2ce4a1

SHA1 hash:

5ca6e377a60b4d9a4dca1567eda2cb27563625ce

Link:

https://www.unpac.me/results/1694367c-f7c8-4b1a-bf47-c2fa6a21cb0e/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/8c4cee768cd1192f59d56900a165ad1541cd7c567c39ad8a4cd8bee889571b5f

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	shellcode Create hunting rule
Author:	nex
Description:	Matched shellcode byte patterns

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/358909/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample