MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 b0aebb619ff6cd86ac07e9d3cab06fb5e3cbca33d2eebd35f599abea266c406b. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

SnakeKeylogger

Vendor detections: 9

Intelligence 9 IOCs YARA File information Comments

SHA256 hash:	b0aebb619ff6cd86ac07e9d3cab06fb5e3cbca33d2eebd35f599abea266c406b
SHA3-384 hash:	755e48fc4ad6fa21cbae5cd6226402f8ca6315cc07931b4a49594644ab145d1d3938e452359d3daf9c26d64d0f28df75
SHA1 hash:	995b762b007e3db46b8ac4c0b033bcd4ce18b51b
MD5 hash:	a2ecd0f2cb301f0a050811c0e83ac865
humanhash:	undress-delaware-ink-four
File name:	a2ecd0f2cb301f0a050811c0e83ac865.exe
Download:	download sample
Signature	SnakeKeylogger Create hunting rule
File size:	263'598 bytes
First seen:	2021-10-01 06:27:04 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	b76363e9cb88bf9390860da8e50999d2 (464 x Formbook, 184 x AgentTesla, 122 x SnakeKeylogger)
ssdeep	6144:38LxB6Xp4H0XkjN+7e9acd1juLXFY0Y+gVfpldRd00tBQUAf9Njx:Fp4AkQ7wju5hY+gVxla0pq
Threatray	1'180 similar samples on MalwareBazaar
TLSH	T14D441213E6E2C9F3D58623765A766BA6B3FB951400A20D034B957F272C4304B4E2F397
File icon (PE):
dhash icon	64f4d4d4ecf4d4d4 (82 x SnakeKeylogger, 34 x AgentTesla, 24 x Formbook)
Reporter	abuse_ch
Tags:	exe SnakeKeylogger

Intelligence

File Origin

# of uploads :

# of downloads :

117

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

a2ecd0f2cb301f0a050811c0e83ac865.exe

Verdict:

Malicious activity

Analysis date:

2021-10-01 06:29:13 UTC

Tags:

evasion trojan snakekeylogger keylogger

Link:

https://app.any.run/tasks/a517deed-cf65-47e8-bf24-a951596c89ab

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/193863/

Detection(s):

Win.Trojan.Generic-9895399-0

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a file in the %temp% directory

Creating a file

Launching a process

Launching a service

Creating a window

DNS request

Connection attempt

Sending an HTTP GET request

Sending a custom TCP request

Delayed writing of the file

Unauthorized injection to a system process

Malware family:

Generic Malware

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/15ae7410-40dd-427b-a71e-4a39dc4a9f0f

Result

Threat name:

Snake Keylogger

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/862500

Signature

Found malware configuration

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Maps a DLL or memory area into another process

May check the online IP address of the machine

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Sigma detected: Capture Wi-Fi password

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to harvest and steal WLAN passwords

Tries to steal Mail credentials (via file access)

Uses netsh to modify the Windows network and firewall settings

Uses the Telegram API (likely for C&C communication)

Writes to foreign memory regions

Yara detected Snake Keylogger

Yara detected Telegram RAT

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/b0aebb619ff6cd86ac07e9d3cab06fb5e3cbca33d2eebd35f599abea266c406b/

Threat name:

Win32.Trojan.LokiBot

Status:

Malicious

First seen:

2021-09-28 09:04:00 UTC

AV detection:

20 of 28 (71.43%)

Threat level:

5/5

Verdict:

malicious

SnakeKeylogger

2f5741617cf3f7d6da4c993e5bae8234d61ec9adfe066e06149f5aa654199cfa

SnakeKeylogger

4b42b08f71663433e141c099172c2fb0f694068fd0cd28c7ff44bacc72b0b670

SnakeKeylogger

4fb379f068789022ebf792d5fb43dc16aab2823e646e88edfba6f8b2de509c3c

SnakeKeylogger

575851a7e2354cd5541ba5839a38b687c7bbe85e58a44a96fa3afce12cebb4e3

SnakeKeylogger

92e08e6d05c91ab6a65913d8c99ac2b5d09662a1674e615c3828c5120efbd106

SnakeKeylogger

a3ad4554c582908654304ad34c10e5a00cfbe0c06d28117b17fb4acabc8fea72

SnakeKeylogger

b0902cdfe3415d25757b82903a6b77c04b3ff45a015841fc93e6753f36f79e05

SnakeKeylogger

e3b25e21c6d04b5f2d72025c7956dbc3a4a5613f3b8d7ab8d0010bc3d437bc1b

SnakeKeylogger

fb2fd5d1cd31c753b74ea5d3b372cf96e6e4f9c520c31dd2d14ef17bdf965d3f

SnakeKeylogger

+ 1'170 additional samples on MalwareBazaar

Result

Malware family:

snakekeylogger

Score:

10/10

Tags:

family:snakekeylogger keylogger stealer

Link:

https://tria.ge/reports/211001-g7rzxsbac6/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: GetForegroundWindowSpam

Suspicious behavior: MapViewOfSection

Suspicious use of AdjustPrivilegeToken

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

Enumerates physical storage devices

Suspicious use of SetThreadContext

Looks up external IP address via web service

Loads dropped DLL

Snake Keylogger

Malware Config

C2 Extraction:

https://api.telegram.org/bot1816395306:AAE3ZBLYV2L9aT9mL8itL9vr3RP6nOz_B1o/sendMessage?chat_id=1368673464

Unpacked files

SH256 hash:

fde9673e0878783412ae8d1848316601f2f3b567a3688694b42d745fe18f14a0

MD5 hash:

20e0ca41c8419f551c52aa86700b5074

SHA1 hash:

e2a47c15342f874e051b18b577eca2c49ab99782

Link:

https://www.unpac.me/results/774863d9-b43a-4db6-beb6-443aea507fc1/

SH256 hash:

63e311436e8e4beaf9f6d12594c773c6f03a37ff9b3276923f9b44224745db33

MD5 hash:

9561d5d23b7a269a92c760f9109d4e49

SHA1 hash:

0ccb99dce90cc776a110f115548ccba61e6b85f3

Link:

https://www.unpac.me/results/774863d9-b43a-4db6-beb6-443aea507fc1/

SH256 hash:

b0aebb619ff6cd86ac07e9d3cab06fb5e3cbca33d2eebd35f599abea266c406b

MD5 hash:

a2ecd0f2cb301f0a050811c0e83ac865

SHA1 hash:

995b762b007e3db46b8ac4c0b033bcd4ce18b51b

Link:

https://www.unpac.me/results/774863d9-b43a-4db6-beb6-443aea507fc1/

Malware family:

Phoenix

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/b0aebb619ff6/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Suspicious File

Score:

0.47

Link:

https://yomi.yoroi.company/submissions/b0aebb619ff6cd86ac07e9d3cab06fb5e3cbca33d2eebd35f599abea266c406b

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/193863/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample