MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 b1c89b167239238aea8a718d40751a1233ab4b9479b19e6feb86ed5a4c9aec20. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

SnakeKeylogger

Vendor detections: 9

Intelligence 9 IOCs YARA 4 File information Comments

SHA256 hash:	b1c89b167239238aea8a718d40751a1233ab4b9479b19e6feb86ed5a4c9aec20
SHA3-384 hash:	8008bdaaa8e2127c800c22dfe32a945e98c56cc427b043a8a37a0a82cd502cca12a691de43ca864ae4c2919fd02ca328
SHA1 hash:	550fc889de33b94a63dfaf1138bcc54be489f767
MD5 hash:	5ab98f94682ec463f48cada8b9811055
humanhash:	black-october-low-saturn
File name:	IMG_25579.pdf.exe
Download:	download sample
Signature	SnakeKeylogger Create hunting rule
File size:	1'487'816 bytes
First seen:	2021-01-20 06:31:42 UTC
Last seen:	2021-01-27 17:06:46 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'657 x AgentTesla, 19'468 x Formbook, 12'207 x SnakeKeylogger)
ssdeep	12288:Z50jwcEc6tcJHuDvjCBS9obwfHIAeqaZxYcf:L08cEc6tck6SqUfHLeqa/Yg
Threatray	233 similar samples on MalwareBazaar
TLSH	9A65AE0A91164553E9683D7A846F2F8447809BBE3882D387BC0D7773FA91FCC66864F9
Reporter	abuse_ch
Tags:	exe SnakeKeylogger

abuse_ch

Malspam distributing SnakeKeylogger:

HELO: totalgcc.com
Sending IP: 185.222.58.142
From: links@totalgcc.com
Subject: NEW INQUIRY, UL LISTED-----
Attachment: IMG_25579.img (contains "IMG_25579.pdf.exe")

Intelligence

File Origin

# of uploads :

# of downloads :

166

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

IMG_25579.doc

Verdict:

Malicious activity

Analysis date:

2021-01-20 06:41:06 UTC

Tags:

ole-embedded exploit CVE-2017-11882 loader evasion trojan

Link:

https://app.any.run/tasks/24ad40da-bb7b-4ea8-b6ff-987399435e01

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

Snake

Link:

https://www.capesandbox.com/analysis/113023/

Detection(s):

PUA.Win.Trojan.Generic-6629274-0

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

DNS request

Creating a file in the %temp% directory

Creating a file

Sending a UDP request

Creating a process from a recently created file

Sending an HTTP GET request

Sending a custom TCP request

Reading critical registry keys

Unauthorized injection to a recently created process

Unauthorized injection to a recently created process by context flags manipulation

Enabling autorun by creating a file

Result

Verdict:

UNKNOWN

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Result

Threat name:

Snake Keylogger

Detection:

malicious

Classification:

troj.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/585801

Signature

.NET source code contains very large array initializations

Drops PE files to the user root directory

Hides that the sample has been downloaded from the Internet (zone.identifier)

Initial sample is a PE file and has a suspicious name

Machine Learning detection for dropped file

Machine Learning detection for sample

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Uses an obfuscated file name to hide its real file extension (double extension)

Yara detected MultiObfuscated

Yara detected Snake Keylogger

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/b1c89b167239238aea8a718d40751a1233ab4b9479b19e6feb86ed5a4c9aec20/

Threat name:

Win32.Trojan.Tnega

Status:

Malicious

First seen:

2021-01-20 01:02:17 UTC

AV detection:

7 of 45 (15.56%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=whejwftsheryv2ukoggua5i2ciz2ws4upgyz437lq3wvute25qqa._file

Verdict:

suspicious

SnakeKeylogger

3d402a866fb1dc18d7eaaa64013502d3184c25b9f5c93bfa916b5d15cda34a11

SnakeKeylogger

5da82dd52f913ff5d416ec5479133a0f89cd5d835d2fbd964f32191f642ca9fa

SnakeKeylogger

761e77be2bbf6089f04b1901c44548bd4ff5ac873a74b1ca0e0604bb902eff22

SnakeKeylogger

7862be8b6b58fc073c3b91badfeab7f5d939725074f2022be9430f89c594692d

SnakeKeylogger

8f560b247ad96f57de4e2f6da3d99af31a7ac8478e560c6fbfaa1d3615e65575

SnakeKeylogger

9b7b121dfaa8fe9005cebcc4fbface3382e339b8e05eb29e2e6aa37c419ed81b

SnakeKeylogger

c960f47eb155a0066c0e4e279c296d0516edf66cf032b44188fe3d7f3a16aef6

SnakeKeylogger

daa6dbdc8820fd2049680ae3a25ff25d14245a39d75717cc5e3b06f042c82585

SnakeKeylogger

e2d112bd0fd186acce6eebc6ec5d389c69fd6ae1154d0f44938de68dedec29cc

SnakeKeylogger

+ 223 additional samples on MalwareBazaar

Result

Malware family:

snakekeylogger

Score:

10/10

Tags:

family:snakekeylogger keylogger spyware stealer

Link:

https://tria.ge/reports/210120-rxlg7lff5j/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Suspicious use of SetThreadContext

Looks up external IP address via web service

Drops startup file

Loads dropped DLL

Reads data files stored by FTP clients

Reads user/profile data of local email clients

Reads user/profile data of web browsers

Executes dropped EXE

Snake Keylogger

Snake Keylogger Payload

Unpacked files

SH256 hash:

e2b5646e959fcf2f6ed994780262e65c16cecbc9d3421ada3239f26130ebe8d1

MD5 hash:

7a13d5b7628956f87cb4f24b3e66ff5d

SHA1 hash:

5a2a3e4a70a7ef67180b6dea2273c9c3ae162f9c

Link:

https://www.unpac.me/results/c59e1b94-fa89-4724-b1cb-280992345bd8/

SH256 hash:

c06d4e3d0205d9bdd4a4b40b8da710d698b3a5d73a1626c9ca058c10b2c6d00c

MD5 hash:

7f67414b3fd29299f2d29ad7c2afb995

SHA1 hash:

2ec40d57c08c47433a6d044d271d74005dddae8d

Link:

https://www.unpac.me/results/c59e1b94-fa89-4724-b1cb-280992345bd8/

SH256 hash:

4f81e273da20c5b9835ce6ca57cc061d77764f9e3927bdb1505cb791bf50b046

MD5 hash:

29e19b5dce96140a8b90152b16bd44af

SHA1 hash:

4f3dc6eb876bb58f53966980a9c451a04ec17d8a

Link:

https://www.unpac.me/results/c59e1b94-fa89-4724-b1cb-280992345bd8/

SH256 hash:

07be9b3bf74a6a649db54546cfe576f2c35391949bd51c5b0bb19c962098ff66

MD5 hash:

282f8bfb06cb62af0b596f2efbfd4511

SHA1 hash:

481ed547493ccd1ca04650d5f8258c4c97f1b8a4

Link:

https://www.unpac.me/results/c59e1b94-fa89-4724-b1cb-280992345bd8/

SH256 hash:

49dc26861fffee2f6440e56a10b7086ea305d2f16bb9e27ba3e08b9893557f86

MD5 hash:

e732cd6decfed3503b4020899d5a56f9

SHA1 hash:

024c1bf147c698e92aae340bbee323601d02a787

Link:

https://www.unpac.me/results/c59e1b94-fa89-4724-b1cb-280992345bd8/

SH256 hash:

b1c89b167239238aea8a718d40751a1233ab4b9479b19e6feb86ed5a4c9aec20

MD5 hash:

5ab98f94682ec463f48cada8b9811055

SHA1 hash:

550fc889de33b94a63dfaf1138bcc54be489f767

Link:

https://www.unpac.me/results/c59e1b94-fa89-4724-b1cb-280992345bd8/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Kryptik

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/b1c89b167239238aea8a718d40751a1233ab4b9479b19e6feb86ed5a4c9aec20

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	INDICATOR_EXE_Packed_ConfuserExMod_BedsProtector Create hunting rule
Author:	ditekSHen
Description:	Detects executables packed with ConfuserEx Mod Beds Protector

Rule name:	INDICATOR_KB_CERT_0deb004e56d7fcec1caa8f2928d4e768 Create hunting rule
Author:	ditekSHen
Description:	Detects executables signed with stolen, revoked or invalid certificate