MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 a07cbbd2eb1a433275f36b62b5f850aebe498091e1926c59a02c54d5bf0b4863. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

SnakeKeylogger

Vendor detections: 13

Intelligence 13 IOCs YARA 10 File information Comments

SHA256 hash:	a07cbbd2eb1a433275f36b62b5f850aebe498091e1926c59a02c54d5bf0b4863
SHA3-384 hash:	e89c88047144829a4b597306719efc44cfb0421ba982b56a0916647f261e0d204061c04bb98ef75b708e6839bc4557c0
SHA1 hash:	8cf378b6f179d86fecc7b901ac5dc13c42f1243a
MD5 hash:	1a7548ae7ca26e31d439a246e8961c1c
humanhash:	double-eighteen-nuts-montana
File name:	cali_crypted.exe
Download:	download sample
Signature	SnakeKeylogger Create hunting rule
File size:	542'277 bytes
First seen:	2022-03-09 11:38:57 UTC
Last seen:	2022-03-09 13:35:56 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	7fa974366048f9c551ef45714595665e (946 x Formbook, 398 x Loki, 261 x AgentTesla)
ssdeep	6144:2Gi9IsFru9rKf8CY4n1uErmunZnZaSDorfDZi85PjiwS8Hd8swxon85Ol7p9:ZsFrEtY133aLDZJ5Hbq485wn
Threatray	5'742 similar samples on MalwareBazaar
TLSH	T19BB45A86B6EB6812CD1635B0F2324971E1A0FDB14F58C932656C7E09B7F91ADC532F28
File icon (PE):
dhash icon	f0cc96969686ccf0 (1 x SnakeKeylogger)
Reporter	TeamDreier
Tags:	exe SnakeKeylogger

Intelligence

File Origin

# of uploads :

# of downloads :

236

Origin country :

n/a

Vendor Threat Intelligence

Detection:

Snake

Link:

https://www.capesandbox.com/analysis/248607/

Detection(s):

SecuriteInfo.com.Trojan.NSISX.Spy.Gen.2.25418.13139.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

Creating a file in the %temp% directory

Creating a process from a recently created file

Verdict:

Suspicious

Threat level:

5/10

Confidence:

100%

Tags:

control.exe overlay packed shell32.dll

Link:

https://www.filescan.io/uploads/622891e0b94fb38cb446fe19/reports/cc4e8506-4535-4793-bbaa-7372fae08866/overview

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Snake Keylogger

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/5533dace-5e14-4ae9-93fa-55c02b81e7f8

Result

Threat name:

Snake Keylogger

Detection:

malicious

Classification:

troj.evad

Score:

88 / 100

Link:

https://www.joesandbox.com/analysis/953251

Signature

Found evasive API chain (may stop execution after reading information in the PEB, e.g. number of processors)

Found malware configuration

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Yara detected Snake Keylogger

Yara detected Telegram RAT

Behaviour

Behavior Graph:

Download SVG

Detection:

snakekeylogger

Link:

https://mwdb.cert.pl/sample/a07cbbd2eb1a433275f36b62b5f850aebe498091e1926c59a02c54d5bf0b4863/

Threat name:

Win32.Trojan.FormBook

Status:

Malicious

First seen:

2022-03-09 11:39:13 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

20 of 27 (74.07%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=ub6lxuxldjbte5ptnnrll6cqv27etaer4gjgywnafrknlpyljbrq._file

Verdict:

malicious

SnakeKeylogger

64c569a63e0262d98d31e5667735e104ffa325b7175d1d8f68fdffc3586a5575

SnakeKeylogger

69a6bc015f0c6d9b9608e566dec5827b33f1cdfa0ca4579cf225ca806ed29c72

SnakeKeylogger

6bfde0abeab045d2ea80c8f46415b00ac74911b23a98b6e72d66ce7fafdec5d6

SnakeKeylogger

7346882ce3dbb43ec5f3193fab1ef05854a9a6c08401b3aa7b4e3dc141d8b36b

SnakeKeylogger

8fe218b955266ea66ca10d94c9acea08f47c56cda69c7f93071ae83be18e9432

SnakeKeylogger

d82eefa0193afb698d4121a88c3f938b3806a33ace81b5338f2c42ede1f830bb

SnakeKeylogger

e054597432429808f39da637af678bc382026c3b241571ea9a4554d7ff96622d

SnakeKeylogger

e66733316645cfe338015951dd78b61886eab28d02e7d7b238946967eb62d53c

SnakeKeylogger

+ 5'732 additional samples on MalwareBazaar

Result

Malware family:

n/a

Score:

1/10

Tags:

n/a

Link:

https://tria.ge/reports/220309-nsaknabbgj/

Unpacked files

SH256 hash:

a07cbbd2eb1a433275f36b62b5f850aebe498091e1926c59a02c54d5bf0b4863

MD5 hash:

1a7548ae7ca26e31d439a246e8961c1c

SHA1 hash:

8cf378b6f179d86fecc7b901ac5dc13c42f1243a

Link:

https://www.unpac.me/results/c4286849-5977-4af9-91fa-8151a3aaf261/

Malware family:

Phoenix

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/a07cbbd2eb1a/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Suspicious File

Score:

0.68

Link:

https://yomi.yoroi.company/submissions/a07cbbd2eb1a433275f36b62b5f850aebe498091e1926c59a02c54d5bf0b4863

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	INDICATOR_SUSPICIOUS_Binary_References_Browsers Create hunting rule
Author:	ditekSHen
Description:	Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers.

Rule name:	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook Create hunting rule
Author:	ditekSHen
Description:	Detects executables with potential process hoocking

Rule name:	INDICATOR_SUSPICIOUS_EXE_References_Messaging_Clients Create hunting rule
Author:	ditekSHen
Description:	Detects executables referencing many email and collaboration clients. Observed in information stealers

Rule name:	INDICATOR_SUSPICIOUS_EXE_TelegramChatBot Create hunting rule
Author:	ditekSHen
Description:	Detects executables using Telegram Chat Bot

Rule name:	MALWARE_Win_SnakeKeylogger Create hunting rule
Author:	ditekSHen
Description:	Detects Snake Keylogger

Rule name:	MAL_Envrial_Jan18_1 Create hunting rule
Author:	Florian Roth
Description:	Detects Encrial credential stealer malware
Reference:	https://twitter.com/malwrhunterteam/status/953313514629853184

Rule name:	MAL_Envrial_Jan18_1_RID2D8C Create hunting rule
Author:	Florian Roth
Description:	Detects Encrial credential stealer malware
Reference:	https://twitter.com/malwrhunterteam/status/953313514629853184

Rule name:	pe_imphash Create hunting rule

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

Rule name:	Telegram_Exfiltration_Via_Api Create hunting rule
Author:	lsepaolo

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

SnakeKeylogger

exe a07cbbd2eb1a433275f36b62b5f850aebe498091e1926c59a02c54d5bf0b4863

(this sample)

Delivery method

Distributed via e-mail attachment

Cape

https://www.capesandbox.com/analysis/248607/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample