MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 a4b233fc40d4dc87b1b0083d75934909ec0fab27bc718a83428f679747128c1f. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


SnakeKeylogger


Vendor detections: 8


Intelligence 8 IOCs YARA 10 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: a4b233fc40d4dc87b1b0083d75934909ec0fab27bc718a83428f679747128c1f
SHA3-384 hash: 795510e7ba97eaa740738de81756a12448ca15e71ee5adeee70f549ef021dcf97fffa8e04a22bcae88b869c100353078
SHA1 hash: 30c4f9d4ff8407330e0a7e999409b1076f77c045
MD5 hash: 8f51350565372c90c6287fc56d312e1e
humanhash: black-montana-papa-xray
File name:mikenzy new week.exe
Download: download sample
Signature SnakeKeylogger
Create hunting rule
File size:433'253 bytes
First seen:2021-09-20 02:51:43 UTC
Last seen:2021-09-20 03:53:51 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash b76363e9cb88bf9390860da8e50999d2 (464 x Formbook, 184 x AgentTesla, 122 x SnakeKeylogger)
ssdeep 6144:I8LxBw/vYgoa+ojiIQ9lLB3/zt0nyM9LWzB9u4QRLxFekUwSzML:Awgoa+ox0jmn19qzB9u4QRNFekU8
Threatray 1'040 similar samples on MalwareBazaar
TLSH T167943A693B385EC6E514883CA95D11F896FACED2D7D4E10E74F0798C2EB28734D1326A
File icon (PE):PE icon
dhash icon f068ccc8c8d0e828 (1 x SnakeKeylogger)
Reporter GovCERT_CH
Tags:exe SnakeKeylogger

Intelligence

File Origin
# of uploads :
2
# of downloads :
169
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
mikenzy new week.exe
Verdict:
Malicious activity
Analysis date:
2021-09-20 02:55:25 UTC
Tags:
evasion trojan snakekeylogger keylogger
Link:
https://app.any.run/tasks/6ada3999-34f0-4c6e-8aa0-48ae5ad8347c

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/189173/
Detection(s):
SecuriteInfo.com.Zum.Androm.1.26423.30470.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file in the %temp% directory
Creating a file
Launching a process
Launching a service
Creating a window
DNS request
Connection attempt
Sending an HTTP GET request
Sending a custom TCP request
Delayed writing of the file
Unauthorized injection to a system process
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/55cb0910-2dac-424b-b9f9-b7b3447fdc5a
Result
Threat name:
Snake Keylogger
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/853703
Signature
.NET source code references suspicious native API functions
Contains functionality to capture screen (.Net source)
Found malware configuration
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
May check the online IP address of the machine
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Mail credentials (via file access)
Writes to foreign memory regions
Yara detected Snake Keylogger
Yara detected Telegram RAT
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/a4b233fc40d4dc87b1b0083d75934909ec0fab27bc718a83428f679747128c1f/
Threat name:
Win32.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2021-09-20 02:52:10 UTC
AV detection:
13 of 45 (28.89%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=uszdh7ca2toipmnqba6xle2jbhwa7kzhxryyva2cr5tzorysrqpq._file
Verdict:
malicious
Similar samples:
04514f416ce1d3bb390895ce496d91b024c3bd94cc3cb71ab6de2bcdb384e83a
SnakeKeylogger
28d365d0bf668ea41521237a106c5ad34b280ec1cbfc2b6a5d39ec82b72e3d2f
SnakeKeylogger
3087b4544d6819908609fd3153790ba7c7f4a7afe6c473d95576591f74357778
SnakeKeylogger
8ab316ea3019d06369ef8f60dd9a350fd77fb05915d3711a9db59d4a0463bbb8
SnakeKeylogger
9cd3ef368ba18453043dc339a7666db5636655c58168ec64b59230be8635d741
SnakeKeylogger
a883f34db93775194950d1e84662fd150b16e0a3f28a007f44eae8447a6bf93a
SnakeKeylogger
b05d83bf5f35094c854c623854124b6f73b0f4b87720300efa5e6aa25ccf1804
SnakeKeylogger
b5d12830a95c77f889e84fe1f3997a931cb68f38c5e34da1fd8fb8f8438a26fd
SnakeKeylogger
bebfac3941c07e388fb1af12aa627d248d2dc29b0deead22f229d48681df4af6
SnakeKeylogger
dc7749ab9753ec5962ae6b0b4f1ec32c7b2bb7da1b75510a1cccc440994e6deb
SnakeKeylogger
+ 1'030 additional samples on MalwareBazaar
Result
Malware family:
snakekeylogger
Create hunting rule
Score:
  10/10
Tags:
family:snakekeylogger keylogger stealer
Link:
https://tria.ge/reports/210920-dcs2ysfchr/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Looks up external IP address via web service
Loads dropped DLL
Snake Keylogger
Unpacked files
SH256 hash:
f055881a7b75c0c89c8d0133d3d1119d8257fc1722ca4339a031fe54edc37ca3
MD5 hash:
e8c4edc5d4ebccbd25d95f466e85385a
SHA1 hash:
88831bbf8d2b5d244acc16001ff7cc079339fb15
Link:
https://www.unpac.me/results/cc3c220c-c808-4bc0-932a-b6d55d61b977/
SH256 hash:
241e39beb2f7efc9dec2997fc59f1d7348502b4d9e2fd90b383134b14b162bab
MD5 hash:
731b9d23b24fb78582dcfb6f6f224d34
SHA1 hash:
098a1daba8ddb18eb9411030bef0b4821676198a
Link:
https://www.unpac.me/results/cc3c220c-c808-4bc0-932a-b6d55d61b977/
SH256 hash:
a4b233fc40d4dc87b1b0083d75934909ec0fab27bc718a83428f679747128c1f
MD5 hash:
8f51350565372c90c6287fc56d312e1e
SHA1 hash:
30c4f9d4ff8407330e0a7e999409b1076f77c045
Link:
https://www.unpac.me/results/cc3c220c-c808-4bc0-932a-b6d55d61b977/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.47
Link:
https://yomi.yoroi.company/submissions/a4b233fc40d4dc87b1b0083d75934909ec0fab27bc718a83428f679747128c1f

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_SUSPICIOUS_Binary_References_Browsers
Create hunting rule
Author:ditekSHen
Description:Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers.
Rule name:INDICATOR_SUSPICIOUS_EXE_DotNetProcHook
Create hunting rule
Author:ditekSHen
Description:Detects executables with potential process hoocking
Rule name:INDICATOR_SUSPICIOUS_EXE_Referenfces_Messaging_Clients
Create hunting rule
Author:ditekSHen
Description:Detects executables referencing many email and collaboration clients. Observed in information stealers
Rule name:INDICATOR_SUSPICIOUS_EXE_TelegramChatBot
Create hunting rule
Author:ditekSHen
Description:Detects executables using Telegram Chat Bot
Rule name:MALWARE_Win_SnakeKeylogger
Create hunting rule
Author:ditekSHen
Description:Detects Snake Keylogger
Rule name:MAL_Envrial_Jan18_1
Create hunting rule
Author:Florian Roth
Description:Detects Encrial credential stealer malware
Reference:https://twitter.com/malwrhunterteam/status/953313514629853184
Rule name:MAL_Envrial_Jan18_1_RID2D8C
Create hunting rule
Author:Florian Roth
Description:Detects Encrial credential stealer malware
Reference:https://twitter.com/malwrhunterteam/status/953313514629853184
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash
Rule name:Telegram_Exfiltration_Via_Api
Create hunting rule
Author:lsepaolo

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

SnakeKeylogger

Executable exe a4b233fc40d4dc87b1b0083d75934909ec0fab27bc718a83428f679747128c1f

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/189173/

Comments