MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 ab8acef9d760e5d0d7a7647aa054ca1a6910d31d83ce98a6b3e3d898ca3b1a0a. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

SnakeKeylogger

Vendor detections: 9

Intelligence 9 IOCs YARA 12 File information Comments

SHA256 hash:	ab8acef9d760e5d0d7a7647aa054ca1a6910d31d83ce98a6b3e3d898ca3b1a0a
SHA3-384 hash:	d8f242a705170d17c47ea98ef29762b0ea7dce34b321a88012b55e2697e6694a9b8494ba71b493b2b2422db34136772e
SHA1 hash:	1140239d42360028f93de7b68b68cce037722a09
MD5 hash:	c7c764f2008a898bb3d01a0182274cac
humanhash:	mountain-florida-shade-washington
File name:	awb-65432678543656.exe
Download:	download sample
Signature	SnakeKeylogger Create hunting rule
File size:	970'240 bytes
First seen:	2021-07-05 05:29:46 UTC
Last seen:	2021-07-05 06:42:39 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'742 x AgentTesla, 19'606 x Formbook, 12'242 x SnakeKeylogger)
ssdeep	12288:U0/nx5tnX3qAz+6NsBLWdqRLcUjWoLor/x5nCOaZurUb0a6tVVTUuk:DNX5+6NVdqtjWDrC7ZJyWu
Threatray	96 similar samples on MalwareBazaar
TLSH	B5254A71A2FE4A61CDEBC7F48F6052EC4F757EA5FB0AA23E548575080DB0B610E15A23
Reporter	cocaman
Tags:	DHL exe SnakeKeylogger

Intelligence

File Origin

# of uploads :

# of downloads :

137

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

awb-65432678543656.exe

Verdict:

Malicious activity

Analysis date:

2021-07-05 05:32:26 UTC

Tags:

evasion trojan snakekeylogger keylogger

Link:

https://app.any.run/tasks/6f530ad7-3627-4dac-b448-17e393017108

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/169665/

Detection(s):

SecuriteInfo.com.ArtemisC7C764F2008A.12364.24045.UNOFFICIAL

Result

Verdict:

UNKNOWN

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Snake Keylogger

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/3d4ade4d-0d60-448b-9278-5e0a4fad992a

Result

Threat name:

Snake Keylogger

Detection:

malicious

Classification:

troj.spyw.evad

Score:

92 / 100

Link:

https://www.joesandbox.com/analysis/811690

Signature

.NET source code references suspicious native API functions

Found malware configuration

Malicious sample detected (through community Yara rule)

May check the online IP address of the machine

Multi AV Scanner detection for submitted file

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to steal Mail credentials (via file access)

Yara detected Snake Keylogger

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/ab8acef9d760e5d0d7a7647aa054ca1a6910d31d83ce98a6b3e3d898ca3b1a0a/

Threat name:

ByteCode-MSIL.Trojan.CrypterX

Status:

Malicious

First seen:

2021-07-05 04:47:42 UTC

File Type:

PE (.Net Exe)

Extracted files:

AV detection:

6 of 46 (13.04%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=vofm56oxmds5bv5hmr5kavgkdjurbuy5qphjrjvt4pmjrsr3difa._file

Verdict:

malicious

SnakeKeylogger

5776326232f8948c3e3bbbbb80ff0b1f50fc12df854c6eec11af2d4a0a9666f2

SnakeKeylogger

696b1367b770c081fe7e6fcc3df793fbb642132c61735b3a9adacf4e9b606d04

SnakeKeylogger

812f68851a0237986ff6d67142ef28113eba14a0a8410e339b81e4f38d2f6774

SnakeKeylogger

96da1ea97149602a60c3b2936c9146df60e2e3687af0cb882f3427216a2a633f

SnakeKeylogger

9a76b6c55801024e2f1fe932ce960c974f7f51d4fe4838ef077b4cc6a1432a3b

SnakeKeylogger

a3d13d3ae0ea1df687a6bd7a84db21340a3c23df83c1c55da4aae1d61d65f6b9

SnakeKeylogger

a8f581b584bdf1bc08a22728c89aab6a460419115166aea4154f5de4e685a1e2

SnakeKeylogger

c2d1f5494d37cd229d820b263c934eba39bab86570c54e207730d1c84de98393

SnakeKeylogger

f8e4c7f5480d6b302e4870ca9eb28118ee47dd0dad4b689450782dfce53b8685

SnakeKeylogger

+ 86 additional samples on MalwareBazaar

Result

Malware family:

snakekeylogger

Score:

10/10

Tags:

family:snakekeylogger keylogger stealer

Link:

https://tria.ge/reports/210705-nhrjfsaera/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Suspicious use of SetThreadContext

Looks up external IP address via web service

Snake Keylogger

Unpacked files

SH256 hash:

5209992fd1f96cd1959efb5e1afa71f5c9ae2ab4430e258fe9d0ec915098d110

MD5 hash:

257ca10e5cbb2f8bdf0ae6f3e900e11e

SHA1 hash:

9d25ee80dbe3bbce5ab4479912c5e21b19b6aeec

Link:

https://www.unpac.me/results/d0b4f7db-bf97-4fdc-9b70-b1a89e435e33/

SH256 hash:

7b64bdd78ffdf72238e21fe50207f0785d26797d87e1c9b32bcf93b9addb79b9

MD5 hash:

37c598525c33bec6c51e02d7b3c46cda

SHA1 hash:

7d6520e44d63ebece5062ec86024bac76386f490

Link:

https://www.unpac.me/results/d0b4f7db-bf97-4fdc-9b70-b1a89e435e33/

SH256 hash:

6fcc9f365b067b50afed7c396067bd942d2e29bbdc9b1b8ad8e58fe1bfa7f65a

MD5 hash:

abdf40529b349134c22dc0b40bef5fb3

SHA1 hash:

1cc6e8db6e07fa9a8d8053f224d3117f99383507

Link:

https://www.unpac.me/results/d0b4f7db-bf97-4fdc-9b70-b1a89e435e33/

SH256 hash:

ab8acef9d760e5d0d7a7647aa054ca1a6910d31d83ce98a6b3e3d898ca3b1a0a

MD5 hash:

c7c764f2008a898bb3d01a0182274cac

SHA1 hash:

1140239d42360028f93de7b68b68cce037722a09

Link:

https://www.unpac.me/results/d0b4f7db-bf97-4fdc-9b70-b1a89e435e33/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

0.81

Link:

https://yomi.yoroi.company/submissions/ab8acef9d760e5d0d7a7647aa054ca1a6910d31d83ce98a6b3e3d898ca3b1a0a

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	Choice_Del_method_bin_mem Create hunting rule
Author:	James_inthe_box
Description:	cmd ping IP nul del

Rule name:	Chrome_stealer_bin_mem Create hunting rule
Author:	James_inthe_box
Description:	Chrome in files like avemaria

Rule name:	Email_stealer_bin_mem Create hunting rule
Author:	James_inthe_box
Description:	Email in files like avemaria

Rule name:	INDICATOR_SUSPICIOUS_Binary_References_Browsers Create hunting rule
Author:	ditekSHen
Description:	Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers.

Rule name:	INDICATOR_SUSPICIOUS_EXE_Referenfces_Messaging_Clients Create hunting rule
Author:	ditekSHen
Description:	Detects executables referencing many email and collaboration clients. Observed in information stealers

Rule name:	Keylog_bin_mem Create hunting rule
Author:	James_inthe_box
Description:	Contains Keylog

Rule name:	MAL_Envrial_Jan18_1 Create hunting rule
Author:	Florian Roth
Description:	Detects Encrial credential stealer malware
Reference:	https://twitter.com/malwrhunterteam/status/953313514629853184

Rule name:	pe_imphash Create hunting rule

Rule name:	Reverse_text_bin_mem Create hunting rule
Author:	James_inthe_box
Description:	Reverse text detected

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

Rule name:	Telegram_bot_mem Create hunting rule
Author:	James_inthe_box
Description:	Telegram in files like avemaria

Rule name:	Telegram_Exfiltration_Via_Api Create hunting rule
Author:	lsepaolo

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

SnakeKeylogger

rar 539c6fdb70ea4621455762f3f734aab61db851161e1a450aae984595b4c8d145

SnakeKeylogger

exe ab8acef9d760e5d0d7a7647aa054ca1a6910d31d83ce98a6b3e3d898ca3b1a0a

(this sample)

Delivery method

Other

Dropped by

SHA256 539c6fdb70ea4621455762f3f734aab61db851161e1a450aae984595b4c8d145

Cape

https://www.capesandbox.com/analysis/169665/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample