MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 8cafbdf8e6cad776ad993ca3bdd470f5fc7d7fa1e2853df483f951204022943e. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


SnakeKeylogger


Vendor detections: 10


Intelligence 10 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 8cafbdf8e6cad776ad993ca3bdd470f5fc7d7fa1e2853df483f951204022943e
SHA3-384 hash: d4e6e5e2720db7e24a1e682ffc204d6b1b555d9c330915f0176632c8f84bb10bb3a095ebfb181117a024df88f8feed0a
SHA1 hash: dbb04915d6304a1177c5dbf788394906efdc0382
MD5 hash: 390e1fc36ec17c75eb891d3b27034db9
humanhash: venus-five-washington-seventeen
File name:IFWtqNos9JR5osy.exe
Download: download sample
Signature SnakeKeylogger
Create hunting rule
File size:957'952 bytes
First seen:2021-07-12 10:59:32 UTC
Last seen:2021-07-12 11:55:01 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'657 x AgentTesla, 19'468 x Formbook, 12'207 x SnakeKeylogger)
ssdeep 24576:J1hHR98O/XyuuDXeokRWi0XIDOTzxY+mz6t3K:btRW8iuuDXeo8k4izxY+Dt
Threatray 212 similar samples on MalwareBazaar
TLSH T17B154B1823BCD205F53AFBB4DF24A6A48FD67D66D635D14F2DC03A4A3432E80A972536
Reporter cocaman
Tags:exe SnakeKeylogger SWIFT

Intelligence

File Origin
# of uploads :
2
# of downloads :
120
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
IFWtqNos9JR5osy.exe
Verdict:
Malicious activity
Analysis date:
2021-07-12 11:01:47 UTC
Tags:
evasion trojan snakekeylogger keylogger
Link:
https://app.any.run/tasks/a73708b5-de38-4212-b3da-d4ba3934c246

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Snake
Create hunting rule
Link:
https://www.capesandbox.com/analysis/171044/
Detection(s):
SecuriteInfo.com.Trojan.Win32.Save.a.6895.21874.UNOFFICIAL
Create hunting rule

Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Snake Keylogger
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/c7ec9fcc-30eb-4955-8db6-781c92d7a9ba
Result
Threat name:
Snake Keylogger
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/814759
Signature
.NET source code references suspicious native API functions
Found evasive API chain (trying to detect sleep duration tampering with parallel thread)
Found malware configuration
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
May check the online IP address of the machine
Multi AV Scanner detection for submitted file
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Mail credentials (via file access)
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected Snake Keylogger
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 447170 Sample: IFWtqNos9JR5osy.exe Startdate: 12/07/2021 Architecture: WINDOWS Score: 100 35 Found malware configuration 2->35 37 Multi AV Scanner detection for submitted file 2->37 39 Yara detected Snake Keylogger 2->39 41 3 other signatures 2->41 7 IFWtqNos9JR5osy.exe 7 2->7         started        process3 file4 21 C:\Users\user\AppData\...\gUuNSPHAQVg.exe, PE32 7->21 dropped 23 C:\Users\...\gUuNSPHAQVg.exe:Zone.Identifier, ASCII 7->23 dropped 25 C:\Users\user\AppData\Local\...\tmpD122.tmp, XML 7->25 dropped 27 C:\Users\user\...\IFWtqNos9JR5osy.exe.log, ASCII 7->27 dropped 43 May check the online IP address of the machine 7->43 45 Uses schtasks.exe or at.exe to add and modify task schedules 7->45 47 Injects a PE file into a foreign processes 7->47 49 Found evasive API chain (trying to detect sleep duration tampering with parallel thread) 7->49 11 IFWtqNos9JR5osy.exe 15 6 7->11         started        15 schtasks.exe 1 7->15         started        17 IFWtqNos9JR5osy.exe 7->17         started        signatures5 process6 dnsIp7 29 mail.greentrading.com.pk 192.185.164.148, 26, 49745, 49746 UNIFIEDLAYER-AS-1US United States 11->29 31 checkip.dyndns.org 11->31 33 2 other IPs or domains 11->33 51 Tries to steal Mail credentials (via file access) 11->51 53 Tries to harvest and steal ftp login credentials 11->53 55 Tries to harvest and steal browser information (history, passwords, etc) 11->55 19 conhost.exe 15->19         started        signatures8 process9
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/8cafbdf8e6cad776ad993ca3bdd470f5fc7d7fa1e2853df483f951204022943e/
Threat name:
Win32.Trojan.Wacatac
Create hunting rule
Status:
Malicious
First seen:
2021-07-12 10:32:34 UTC
File Type:
PE (.Net Exe)
Extracted files:
19
AV detection:
14 of 46 (30.43%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=rsx336hgzllxnlmzhsr33vdq6x6h275b4kct35ed7fisaqbcsq7a._file
Verdict:
malicious
Similar samples:
2ee555b4d69513eed39976e0fb0e6a6165d20c30e8a4dcc1e55ea7e001dc1127
SnakeKeylogger
7115e54104d01f83c9561389268c68082f3b20d93bfe1469a5e8de614f3dd74e
SnakeKeylogger
83fef9d67405ca7975e04fc8c66e7d298809f90260d1b287f709a3bae49f502e
SnakeKeylogger
bdbba0c991f70ccddad27da903e5e689a6e762ac23ab78ffea10f389f55045c3
SnakeKeylogger
d09500f30f90dcdf6caac545bff9663876dc3a7de445d618e947ba64a5f4966b
SnakeKeylogger
e0da065f5de30c5ba0f494a5e042fadef310039fef35896a61756d49c6e21611
SnakeKeylogger
e8bc94b0faea9886f1fa39e0e9f609f2f266b3d7d812faad4b2ae9904b170b00
SnakeKeylogger
f33029e24b91f8df78503087ef57d1bedc4609c665119139de5fa908286fd74c
SnakeKeylogger
f65f899fc6cc494d6c59311f4a0519fa6ba0c9859c8ce13a5adc30aa9fd1817b
SnakeKeylogger
+ 202 additional samples on MalwareBazaar
Result
Malware family:
snakekeylogger
Create hunting rule
Score:
  10/10
Tags:
family:snakekeylogger keylogger spyware stealer
Link:
https://tria.ge/reports/210712-w7tek7v726/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Looks up external IP address via web service
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Snake Keylogger
Unpacked files
SH256 hash:
5f5257e30cfc2caab058013ffc60f90fb8a5d780a14834e1371054290b7658e4
MD5 hash:
b0e14c3526d6623ae9b7b5f5e0efde76
SHA1 hash:
f7d127bff2dfb1100ebd55fdd12dfb7a2b382fdc
Link:
https://www.unpac.me/results/24883e25-6d5f-4d7f-a5a7-3ff971c90182/
SH256 hash:
51f2685ef6f0b1bbf6df7a9a3c48030f2d9556330fae8015a907024a54ea2356
MD5 hash:
fcfd5c99b2784052442827b4a5d5ee88
SHA1 hash:
e90153130369d6d41c1ccfa787d059fa384e9276
Link:
https://www.unpac.me/results/24883e25-6d5f-4d7f-a5a7-3ff971c90182/
SH256 hash:
c8fed40e3b9d8503d5cb3b19ec8aa034c70fdb3892f00a4d8d13ed2ad2a019bc
MD5 hash:
27699f71d7eb08a73480cc004fe4c565
SHA1 hash:
b0877f32082280acfe3c5cce0ddd2bb5bcda36d6
Link:
https://www.unpac.me/results/24883e25-6d5f-4d7f-a5a7-3ff971c90182/
SH256 hash:
85b3727f9285694f3c16660e1bc7dec7de8f6ac18aff1a09b695e4ba2a488eb0
MD5 hash:
afb03ea060bed94ddcf3b325dfc51de0
SHA1 hash:
2483a1c31ab3183387c3c4ef763d98d6320649f4
Link:
https://www.unpac.me/results/24883e25-6d5f-4d7f-a5a7-3ff971c90182/
SH256 hash:
8cafbdf8e6cad776ad993ca3bdd470f5fc7d7fa1e2853df483f951204022943e
MD5 hash:
390e1fc36ec17c75eb891d3b27034db9
SHA1 hash:
dbb04915d6304a1177c5dbf788394906efdc0382
Link:
https://www.unpac.me/results/24883e25-6d5f-4d7f-a5a7-3ff971c90182/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/8cafbdf8e6cad776ad993ca3bdd470f5fc7d7fa1e2853df483f951204022943e

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

SnakeKeylogger

rar 55d5d477ff66a54025b8d2eb23b75d8574ad9915a219fbaffd6679945a620148

SnakeKeylogger

Executable exe 8cafbdf8e6cad776ad993ca3bdd470f5fc7d7fa1e2853df483f951204022943e

(this sample)

  
Delivery method
Other
  
Dropped by
SHA256 55d5d477ff66a54025b8d2eb23b75d8574ad9915a219fbaffd6679945a620148
Cape
Cape
https://www.capesandbox.com/analysis/171044/

Comments