MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 9c14d6ca77383fa5a3724feab17b217b900295abf77311a8c88f39ff7bb02f01. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

SnakeKeylogger

Vendor detections: 11

Intelligence 11 IOCs YARA 6 File information Comments

SHA256 hash:	9c14d6ca77383fa5a3724feab17b217b900295abf77311a8c88f39ff7bb02f01
SHA3-384 hash:	0b7f29cc230f62e54c095777a6ed67f5b6fcb5d549fa8ae3cb6217f0ef5984ffbf109acdd37101c1508e030250237a06
SHA1 hash:	f36beee2e825c9992e067b240624a2d70032e4b7
MD5 hash:	9dbc63b24668b897334c66f4badcfcf5
humanhash:	failed-two-monkey-indigo
File name:	swift transfer_20-04-22.xlsx.exe
Download:	download sample
Signature	SnakeKeylogger Create hunting rule
File size:	97'792 bytes
First seen:	2022-05-04 11:18:44 UTC
Last seen:	2022-05-07 06:56:58 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep	384:S8U4gh1S5J5vhvZkx9QjWYHZ0q6YgyH/JF9Ev4tWd9iVW:S8U4gccx6B1tH/JF9EvF
Threatray	3'741 similar samples on MalwareBazaar
TLSH	T1D5A33AA7DAC751BBD465063F692252B35E60C36D819E091A35B13F03F8335CE71A1F8A
TrID	72.5% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13) 10.4% (.EXE) Win64 Executable (generic) (10523/12/4) 6.5% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 4.4% (.EXE) Win32 Executable (generic) (4505/5/1) 2.0% (.EXE) OS/2 Executable (generic) (2029/13)
File icon (PE):
dhash icon	2325492533333432 (3 x SnakeKeylogger)
Reporter	GovCERT_CH
Tags:	exe SnakeKeylogger

Intelligence

File Origin

# of uploads :

# of downloads :

257

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

swift transfer_20-04-22.xlsx.exe

Verdict:

Malicious activity

Analysis date:

2022-05-04 11:20:26 UTC

Tags:

evasion trojan snake keylogger

Link:

https://app.any.run/tasks/9deb9411-4715-4ba0-88b1-635b3c1e95f8

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/268607/

Detection(s):

SecuriteInfo.com.Trojan.Downloader.10124.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Searching for the window

Creating a window

Сreating synchronization primitives

DNS request

Sending a custom TCP request

Running batch commands

Creating a process with a hidden window

Launching a process

Creating a file in the %AppData% subdirectories

Creating a file

Sending an HTTP GET request

Reading critical registry keys

Enabling autorun by creating a file

Unauthorized injection to a system process

Forced shutdown of a browser

Verdict:

Suspicious

Threat level:

5/10

Confidence:

100%

Tags:

obfuscated

Link:

https://www.filescan.io/uploads/627261272b32b1c37c922255/reports/33e9abde-0930-461b-9de2-9dfb37a7bc82/overview

Result

Verdict:

SUSPICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/258207db-8a56-4d9f-9e3f-0f1e8d7aa83f

Result

Threat name:

Snake Keylogger

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/987682

Signature

.NET source code contains potential unpacker

.NET source code references suspicious native API functions

Creates an undocumented autostart registry key

Drops executable to a common third party application directory

Found malware configuration

Injects a PE file into a foreign processes

Machine Learning detection for dropped file

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

May check the online IP address of the machine

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Snort IDS alert for network traffic

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to steal Mail credentials (via file / registry access)

Uses an obfuscated file name to hide its real file extension (double extension)

Writes to foreign memory regions

Yara detected Generic Downloader

Yara detected Snake Keylogger

Yara detected Telegram RAT

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/9c14d6ca77383fa5a3724feab17b217b900295abf77311a8c88f39ff7bb02f01/

Threat name:

ByteCode-MSIL.Trojan.SnakeKeylogger

Status:

Malicious

First seen:

2022-05-04 10:15:54 UTC

File Type:

PE (.Net Exe)

Extracted files:

AV detection:

21 of 25 (84.00%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=tqknnstxha72li3sj7vlc6zbpoiaffnl65zrdkgir447665qf4aq._file

Verdict:

malicious

SnakeKeylogger

2e0bcd0644f82dbd6f7bc920b54bf6b4a621ac938a18d35695776f44ae6bccd0

SnakeKeylogger

347fa0ad9e11712fe0628c2454141d6fec8e995acbe7fe7461e6dbf94f2838ce

SnakeKeylogger

4cd4c4540af16c17295a26f0e5395bcbf7066adc6b820e67af9405fa155e6579

SnakeKeylogger

4f7d1f1df60c29fe9eff2e75f317a316c9ddc9afe569624a466670cf396b8d61

SnakeKeylogger

8d210f06f267f917e5d73113eaa2bb0fe911562241170d00a2d3ab5d97408ce5

SnakeKeylogger

af6761761d63b5fa1ba73fdee96ca1b5f3d56c8a82fec3221a6ffe247699433d

SnakeKeylogger

bb6040957b0f9134f1fe01c6cc7183cd57614da5da0ae9efd225317d26e902d5

SnakeKeylogger

+ 3'731 additional samples on MalwareBazaar

Result

Malware family:

snakekeylogger

Score:

10/10

Tags:

family:snakekeylogger collection keylogger stealer

Link:

https://tria.ge/reports/220504-netrdadfe6/

Behaviour

Delays execution with timeout.exe

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

outlook_office_path

outlook_win_path

Enumerates physical storage devices

Suspicious use of SetThreadContext

Accesses Microsoft Outlook profiles

Looks up external IP address via web service

Checks computer location settings

Snake Keylogger

Snake Keylogger Payload

Unpacked files

SH256 hash:

9c14d6ca77383fa5a3724feab17b217b900295abf77311a8c88f39ff7bb02f01

MD5 hash:

9dbc63b24668b897334c66f4badcfcf5

SHA1 hash:

f36beee2e825c9992e067b240624a2d70032e4b7

Link:

https://www.unpac.me/results/882dcc99-a8b8-42e0-a5d1-784416ce0093/

Malware family:

SnakeKeylogger

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/9c14d6ca7738/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Suspicious File

Score:

0.35

Link:

https://yomi.yoroi.company/submissions/9c14d6ca77383fa5a3724feab17b217b900295abf77311a8c88f39ff7bb02f01

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	INDICATOR_EXE_Packed_SmartAssembly Create hunting rule
Author:	ditekSHen
Description:	Detects executables packed with SmartAssembly

Rule name:	INDICATOR_SUSPICIOUS_EXE_DiscordURL Create hunting rule
Author:	ditekSHen
Description:	Detects executables Discord URL observed in first stage droppers

Rule name:	pe_imphash Create hunting rule

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

Rule name:	SUSP_Discord_Attachments_URL Create hunting rule
Author:	SECUINFRA Falcon Team
Description:	Detects a PE file that contains an Discord Attachments URL. This is often used by Malware to download further payloads

Rule name:	SUSP_PE_Discord_Attachment_Oct21_1 Create hunting rule
Author:	Florian Roth
Description:	Detects suspicious executable with reference to a Discord attachment (often used for malware hosting on a legitimate FQDN)
Reference:	Internal Research