MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 95d05b28faf6e06c64aa285895e2a1110fbda019b06e190b60dcd14d60221a8f. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


SnakeKeylogger


Vendor detections: 8


Intelligence 8 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 95d05b28faf6e06c64aa285895e2a1110fbda019b06e190b60dcd14d60221a8f
SHA3-384 hash: 8351f4bb4ef5523dc1c3a4a6e1904a23f44563b481daec40975df5e002abd8d7dd8098327b25f1c40ebddf1b1d270300
SHA1 hash: af056016fdab7a3c0b34b30dc9ef9702910a95e6
MD5 hash: 53c98bd8c3c41bf4b6ef4f43dcf24895
humanhash: queen-lima-sink-winter
File name:CV LOPEZ.exe
Download: download sample
Signature SnakeKeylogger
Create hunting rule
File size:654'336 bytes
First seen:2021-08-03 13:25:54 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'666 x AgentTesla, 19'479 x Formbook, 12'209 x SnakeKeylogger)
ssdeep 12288:L/QgN4ubEGLBBBBBBBBBBBXBBBBBBBBBBBs61p+wMicgTOSsS9gF1KhtG4L+Bkzf:bBNS61p+wMgZsS9LK4Lm00LQdAlc
Threatray 16 similar samples on MalwareBazaar
TLSH T1D0D49D123AFB554DF3B79FF60FC8B4AE4AEAE5B3A609F0B53952070143619818C52736
Reporter GovCERT_CH
Tags:exe SnakeKeylogger

Intelligence

File Origin
# of uploads :
1
# of downloads :
135
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
CV LOPEZ.exe
Verdict:
Malicious activity
Analysis date:
2021-08-03 13:26:25 UTC
Tags:
evasion trojan
Link:
https://app.any.run/tasks/9015e523-a77a-4385-a575-730485b8694d

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Snake
Create hunting rule
Link:
https://www.capesandbox.com/analysis/176062/
Detection(s):
SecuriteInfo.com.Trojan.PackedNET.977.30634.31197.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a UDP request
Creating a file in the %AppData% directory
Enabling the 'hidden' option for recently created files
Adding an access-denied ACE
Creating a file in the %temp% directory
Launching a process
Creating a process with a hidden window
Deleting a recently created file
Unauthorized injection to a recently created process
Creating a file
Enabling autorun by creating a file
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/58ab22ae-fdae-4579-9a5b-9ee5dd1c0b57
Result
Threat name:
Snake Keylogger
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/826215
Signature
Found malware configuration
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected AntiVM3
Yara detected Snake Keylogger
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 458633 Sample: CV LOPEZ.exe Startdate: 03/08/2021 Architecture: WINDOWS Score: 100 28 Found malware configuration 2->28 30 Malicious sample detected (through community Yara rule) 2->30 32 Multi AV Scanner detection for dropped file 2->32 34 7 other signatures 2->34 7 CV LOPEZ.exe 7 2->7         started        process3 file4 20 C:\Users\user\AppData\...\TjZfgkHfUd.exe, PE32 7->20 dropped 22 C:\Users\...\TjZfgkHfUd.exe:Zone.Identifier, ASCII 7->22 dropped 24 C:\Users\user\AppData\Local\...\tmpCE7F.tmp, XML 7->24 dropped 26 C:\Users\user\AppData\...\CV LOPEZ.exe.log, ASCII 7->26 dropped 10 schtasks.exe 1 7->10         started        12 CV LOPEZ.exe 7->12         started        14 CV LOPEZ.exe 7->14         started        16 3 other processes 7->16 process5 process6 18 conhost.exe 10->18         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/95d05b28faf6e06c64aa285895e2a1110fbda019b06e190b60dcd14d60221a8f/
Threat name:
ByteCode-MSIL.Trojan.Sabsik
Create hunting rule
Status:
Malicious
First seen:
2021-08-03 04:26:59 UTC
AV detection:
17 of 28 (60.71%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=sxifwkh263qgyzfkfbmjlyvbceh33iazwbxbsc3a3tiu2ybcdkhq._file
Verdict:
unknown
Similar samples:
338aa2c1775d9e5d546abd328fdf31f20638905e85e684c7470ed5de507775ab
SnakeKeylogger
441cfed8f57c89ce355e5ba64417bf5b6dc409ac122936da28be46227cea0b8e
SnakeKeylogger
56e9e3ac63d727a6ba0d0ff82236083ac8aa806bd70373fb9c5e8ddaa87b8ee3
SnakeKeylogger
7ad6ca0be762e10394e0854478b16e2488117b63b772d69ad6cd699f9e2a092e
SnakeKeylogger
94dc3ceb75323f7b1bff7355da2d28804d4df36fa98a1335211101ef94bb2dda
SnakeKeylogger
988ec5d9bc02691882a3180947ee76fabc3629413f79a2e4768b9adb58ba432c
SnakeKeylogger
b01e5b6141f0e4c548007910ef1a52d01aa5402e8cc8751b8ad7571a9ee76d00
SnakeKeylogger
e1cfd08ac642d3a0ea5b37efee371f39889edf4a147ef0b63d643d6f25767c9e
SnakeKeylogger
e3c270600328928f0c6576743fd759ca88b86abb024ae180549c3a5be0e7e41e
SnakeKeylogger
ec020ddc20a07b93afa94a9a3b95b8244bd9a8c8527742cd35957e4c91ca4604
SnakeKeylogger
+ 6 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  3/10
Tags:
n/a
Link:
https://tria.ge/reports/210803-5p3c5y9gta/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Unpacked files
SH256 hash:
c30c6599b72d6c0d4bdbd79b1f117c6ad2f010224dd830fefc736b5f1e0472c0
MD5 hash:
71d0425402331beecfa28c6f63213178
SHA1 hash:
ebcac0f3ec8b646526fb660715ce3ee4381d8299
Link:
https://www.unpac.me/results/fc8a5ed8-042c-4124-85c8-20a674c41f9d/
SH256 hash:
111549fba23f6124b48a1cefe288eac3f35d2ef71cdef03e806283dfcc66b6a8
MD5 hash:
e9054f4014dfecd8d77edd15779b91ed
SHA1 hash:
cc964b02c712a3164a03c11a4713bb3f0d302fdf
Link:
https://www.unpac.me/results/fc8a5ed8-042c-4124-85c8-20a674c41f9d/
SH256 hash:
cfef97ff706312dff4edd998aeee22f1283221631ebb0cc954bebbb701c1465c
MD5 hash:
a0f625a3d3348903f3c902f588c0e4f5
SHA1 hash:
20d1f0b74abe6f500e8c21119f55281926210ac0
Link:
https://www.unpac.me/results/fc8a5ed8-042c-4124-85c8-20a674c41f9d/
SH256 hash:
95d05b28faf6e06c64aa285895e2a1110fbda019b06e190b60dcd14d60221a8f
MD5 hash:
53c98bd8c3c41bf4b6ef4f43dcf24895
SHA1 hash:
af056016fdab7a3c0b34b30dc9ef9702910a95e6
Link:
https://www.unpac.me/results/fc8a5ed8-042c-4124-85c8-20a674c41f9d/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.35
Link:
https://yomi.yoroi.company/submissions/95d05b28faf6e06c64aa285895e2a1110fbda019b06e190b60dcd14d60221a8f

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

SnakeKeylogger

Executable exe 95d05b28faf6e06c64aa285895e2a1110fbda019b06e190b60dcd14d60221a8f

(this sample)

  
Dropped by
null
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/176062/

Comments