MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 9c45ec77a89c54e994367060a66936855966242073989b3ffbc30ebb49cb9cdd. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

SnakeKeylogger

Vendor detections: 11

Intelligence 11 IOCs YARA 6 File information Comments 1

SHA256 hash:	9c45ec77a89c54e994367060a66936855966242073989b3ffbc30ebb49cb9cdd
SHA3-384 hash:	11e5d1daa0517ca885df34526790d1b755da2a99f4d97bc40c313e81ca13e943f0e66ad67f21e9987de3cdfc40892c7f
SHA1 hash:	b2dadc3113e2b722ec7a854682f700ccb174e79b
MD5 hash:	288f4c34cb160d5d19bf6253bb3edbd2
humanhash:	snake-solar-lactose-foxtrot
File name:	288f4c34cb160d5d19bf6253bb3edbd2
Download:	download sample
Signature	SnakeKeylogger Create hunting rule
File size:	375'296 bytes
First seen:	2021-11-15 09:20:06 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'462 x Formbook, 12'204 x SnakeKeylogger)
ssdeep	6144:VZWvG81afI2u03rPgQIU1h5w3MmKl2niLgdPDPKk+YRQ75hXQu7q6iK:i2u0EQIUn8iLgdbKk+YRQ75lQcq6iK
Threatray	1'659 similar samples on MalwareBazaar
TLSH	T1E7848E077717455AE414ABB8EFB77B211320B9BA99720707D2E13D2E601F7EA3AC0716
File icon (PE):
dhash icon	c89c9c92b2f2c2c0 (5 x SnakeKeylogger)
Reporter	zbetcheckin
Tags:	32 exe SnakeKeylogger

Intelligence

File Origin

# of uploads :

# of downloads :

130

Origin country :

n/a

Vendor Threat Intelligence

Detection:

Snake

Link:

https://www.capesandbox.com/analysis/205865/

Detection(s):

Win.Dropper.Generic-7113183-0

Result

Verdict:

Malware

Maliciousness:

Behaviour

Sending a UDP request

Creating a file in the %temp% directory

Creating a process from a recently created file

Creating a file

DNS request

Connection attempt

Sending an HTTP GET request

Sending a custom TCP request

Reading critical registry keys

Creating a window

Searching for the window

Unauthorized injection to a recently created process

Unauthorized injection to a recently created process by context flags manipulation

Enabling autorun by creating a file

Forced shutdown of a browser

Verdict:

Suspicious

Threat level:

5/10

Confidence:

100%

Tags:

obfuscated packed

Link:

https://www.filescan.io/uploads/619226803edf00a722d513e8/reports/275974b7-de3b-4f00-b0b8-6d7bdbdce0c0/overview

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/c32ca98a-3871-4b74-91ca-4aca4dbbdac3

Result

Threat name:

Snake Keylogger

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/889255

Signature

.NET source code contains potential unpacker

.NET source code references suspicious native API functions

Creates an undocumented autostart registry key

Found malware configuration

Malicious sample detected (through community Yara rule)

May check the online IP address of the machine

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to steal Mail credentials (via file / registry access)

Yara detected Snake Keylogger

Yara detected Telegram RAT

Behaviour

Behavior Graph:

Download SVG

Detection:

snakekeylogger

Link:

https://mwdb.cert.pl/sample/9c45ec77a89c54e994367060a66936855966242073989b3ffbc30ebb49cb9cdd/

Threat name:

ByteCode-MSIL.Trojan.Seraph

Status:

Malicious

First seen:

2021-11-15 09:21:08 UTC

AV detection:

24 of 28 (85.71%)

Threat level:

5/5

Verdict:

malicious

SnakeKeylogger

11f9fb92c34ae4431fd9715fc67b82ea29489135316105606cffe05944f3c476

SnakeKeylogger

12abc910bd5a6a05cdc8f1c94cc6a1968581850612c404267d63e77852cb4a90

SnakeKeylogger

222543cf9b75b95cc7c6e6f8252d2c205da8c9ec8d9c9587c19f1350b79f9dd3

SnakeKeylogger

2dae35b2c81440f320d907e58c7f331b08eff44f9803c796ea7deb1c53b5e145

SnakeKeylogger

3582856a25a8c10ed96e2ba53528ce32672f94e16cb93fb8160cc91be519e9d5

SnakeKeylogger

39a4ef63eed3420e394a7b9c0afd387ec27c4f70e1d293d2fe596ff3bf5ccd53

SnakeKeylogger

8e2a4b1e4cbecbe4f157cc6edda64c32b856fb53cb3c265c4d49175d597b7541

SnakeKeylogger

a82999d77adbff10ef701a595d165547fb73bf055dcae9b65d261e4d09c47654

SnakeKeylogger

b182edb787d497eeed41880c81331d9dee8ddfa00813672bc77f7b09a2528981

SnakeKeylogger

+ 1'649 additional samples on MalwareBazaar

Result

Malware family:

snakekeylogger

Score:

10/10

Tags:

family:snakekeylogger collection keylogger spyware stealer

Link:

https://tria.ge/reports/211115-latjpshgd4/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

outlook_office_path

outlook_win_path

Suspicious use of SetThreadContext

Accesses Microsoft Outlook profiles

Looks up external IP address via web service

Reads data files stored by FTP clients

Reads user/profile data of local email clients

Reads user/profile data of web browsers

Snake Keylogger

Unpacked files

SH256 hash:

a57fb89b1319ef4a5fc527c7698038d8a666e905790d29f9c436038676c8ddca

MD5 hash:

0e4fc60d00d8c6dd03eeeb7e048ca693

SHA1 hash:

9ea5e6192f39f09eb20bffe7697634ac070c8ba3

Link:

https://www.unpac.me/results/e2fcd551-3612-48bf-89b0-29bd586cc711/

SH256 hash:

ad1ef18ad6151b727be568d66ca521b7573dd8c950e830b877ac242f7c369520

MD5 hash:

208a1b54413d0c980b620cdd8e5a2a97

SHA1 hash:

9b9d95c30a26538cb427e07b40e570a71d3aa919

Link:

https://www.unpac.me/results/e2fcd551-3612-48bf-89b0-29bd586cc711/

SH256 hash:

aec2b5cfade003a93c4bb230c7412289756ce8e619f7f5a78c4aa766dd3ce00c

MD5 hash:

3be12e58591b3a0f41a30fedb380727f

SHA1 hash:

5d6c67e8cf8c074944e5f565c885e62ae96099fa

Link:

https://www.unpac.me/results/e2fcd551-3612-48bf-89b0-29bd586cc711/

SH256 hash:

9c45ec77a89c54e994367060a66936855966242073989b3ffbc30ebb49cb9cdd

MD5 hash:

288f4c34cb160d5d19bf6253bb3edbd2

SHA1 hash:

b2dadc3113e2b722ec7a854682f700ccb174e79b

Link:

https://www.unpac.me/results/e2fcd551-3612-48bf-89b0-29bd586cc711/

Malware family:

Phoenix

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/9c45ec77a89c/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	INDICATOR_SUSPICIOUS_Stomped_PECompilation_Timestamp_InTheFuture Create hunting rule
Author:	ditekSHen
Description:	Detect executables with stomped PE compilation timestamp that is greater than local current time

Rule name:	pe_imphash Create hunting rule

Rule name:	pe_imphash Create hunting rule

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

Rule name:	Typical_Malware_String_Transforms Create hunting rule
Author:	Florian Roth
Description:	Detects typical strings in a reversed or otherwise modified form
Reference:	Internal Research

Rule name:	Typical_Malware_String_Transforms_RID3473 Create hunting rule
Author:	Florian Roth
Description:	Detects typical strings in a reversed or otherwise modified form
Reference:	Internal Research