MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 bbeac700ec88ce4b23f0bb5c996effc1586ef0e7802bc18695ecd3845a2a0022. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


SnakeKeylogger


Vendor detections: 11


Intelligence 11 IOCs YARA 10 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: bbeac700ec88ce4b23f0bb5c996effc1586ef0e7802bc18695ecd3845a2a0022
SHA3-384 hash: b409cf782790c33b23f2c54a38d7c691537e3dd4ee5518ee916b9783e1c9b5fdd5b9f74bc902ab3c236aaeb1665ce4fd
SHA1 hash: 67fbbcaef7c841afc2af6cda2740b3f934cd9c15
MD5 hash: c5af54622602c908d5af6c3d8d7bdb09
humanhash: lemon-yellow-sodium-london
File name:SecuriteInfo.com.Scr.Malcodegdn30.21285.16823
Download: download sample
Signature SnakeKeylogger
Create hunting rule
File size:866'816 bytes
First seen:2021-08-10 07:05:33 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'658 x AgentTesla, 19'469 x Formbook, 12'208 x SnakeKeylogger)
ssdeep 24576:5vVPp9AR95STVO0NF64RWPOyvzQ6bnVOGeuo8:5vVPpKRSs0KBOybx
Threatray 1'462 similar samples on MalwareBazaar
TLSH T10605014B22806793C425AB374CA993920B75EDD5DFA2D9ED7886392E1EF3741CE02713
Reporter SecuriteInfoCom
Tags:exe SnakeKeylogger

Intelligence

File Origin
# of uploads :
1
# of downloads :
128
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
SecuriteInfo.com.Scr.Malcodegdn30.21285.16823
Verdict:
Malicious activity
Analysis date:
2021-08-10 07:06:28 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/fc8a422f-83e3-43b9-932a-bf3c4bcf6f76

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/177826/
Detection(s):
SecuriteInfo.com.Scr.Malcodegdn30.21285.16823.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a UDP request
Creating a file in the %AppData% directory
Enabling the 'hidden' option for recently created files
Adding an access-denied ACE
Creating a file in the %temp% directory
Launching a process
Creating a process with a hidden window
Deleting a recently created file
Unauthorized injection to a recently created process
Creating a file
DNS request
Connection attempt
Sending an HTTP GET request
Sending a custom TCP request
Reading critical registry keys
Enabling autorun by creating a file
Forced shutdown of a browser
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Snake Keylogger
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/f0cd7f9e-5bbf-4938-8c4a-affb127a1949
Result
Threat name:
Snake Keylogger
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/829954
Signature
.NET source code references suspicious native API functions
Found malware configuration
Injects a PE file into a foreign processes
Malicious sample detected (through community Yara rule)
May check the online IP address of the machine
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected AntiVM3
Yara detected Snake Keylogger
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/bbeac700ec88ce4b23f0bb5c996effc1586ef0e7802bc18695ecd3845a2a0022/
Threat name:
ByteCode-MSIL.Backdoor.NanoBot
Create hunting rule
Status:
Malicious
First seen:
2021-08-10 05:21:40 UTC
AV detection:
9 of 46 (19.57%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=xpvmoahmrdhewi7qxnojs3x7yfmg54hhqav4dbuv5tjyiwrkaara._file
Verdict:
malicious
Similar samples:
0ecc2f2a0346ca13361092909a8587927ab52b9532ae7b6d69367546369b31bd
SnakeKeylogger
2a91e3c56d2e6e834bdfdab27b2092386d549d5ef85536aaa76ce5829d1090e4
SnakeKeylogger
4849dbdaa543b1235a1f8898c99a782d683bcc95353839889b1c0619d113ccaf
SnakeKeylogger
90d00d97833d65bb0bea7fa86afb3d311a66069c80acaf18ca32055ad6b307f7
SnakeKeylogger
92790a0411d50a0f721d15ea0b69eed610fa892ff992ad3ebad5713770063411
SnakeKeylogger
bfa0c6d6a166011476ffd4f4fa1c2c1669c273fa945f729267fa537ce7689b44
SnakeKeylogger
d66e6332874f85b47e9d2aa3c2b27d91a4bd42546e7e0ed2ccaf3556bc8130aa
SnakeKeylogger
f56732d49b44a54bd841c98e78c86dc04719eaec2fed43c2b6429abbcf7eee60
SnakeKeylogger
+ 1'452 additional samples on MalwareBazaar
Result
Malware family:
snakekeylogger
Create hunting rule
Score:
  10/10
Tags:
family:snakekeylogger keylogger spyware stealer
Link:
https://tria.ge/reports/210810-39cjnr3n2a/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Looks up external IP address via web service
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Snake Keylogger
Unpacked files
SH256 hash:
ed0dd1e2260da7b03c8b80e0b45e8fef44be722c1e8c41e078c1a25ed0d18ecc
MD5 hash:
6057ce35bd926dd6d49dedfa9cc18372
SHA1 hash:
1f4e44e1740ffbd91129ac3a37d22845bc52c158
Link:
https://www.unpac.me/results/095c5f9d-a2e3-4c79-a0d5-64e0e9860a9a/
SH256 hash:
4dbbc841c36ec555f3a55e7d7df3dc45aa9337de0aaf946f48b420d3a39c4621
MD5 hash:
d1114c5ff2e5df6203c31d8fb1f5c397
SHA1 hash:
0c40decc423e1f3b1923f71aa9e6cdc6c98f4d4c
Link:
https://www.unpac.me/results/095c5f9d-a2e3-4c79-a0d5-64e0e9860a9a/
SH256 hash:
1da99d5f9d3e145a626fb8eb32bab53267e3bcb92606c1eab386efe03ad91a9a
MD5 hash:
a35b21bab80b74dbe5eaac8db0ccb886
SHA1 hash:
031bdb1218dfe8abf84a6f08b601b7aaaf15feec
Link:
https://www.unpac.me/results/095c5f9d-a2e3-4c79-a0d5-64e0e9860a9a/
SH256 hash:
38ec4914913ca3350bed3ebc01be68b4702869f97a7267a10a8f6a848d0b25d8
MD5 hash:
cf231dc53ada66fbaf81cfd9a55b8110
SHA1 hash:
a8fbdbc1ea811f0a724bf8c3813ae42b3adc473e
Link:
https://www.unpac.me/results/095c5f9d-a2e3-4c79-a0d5-64e0e9860a9a/
SH256 hash:
bbeac700ec88ce4b23f0bb5c996effc1586ef0e7802bc18695ecd3845a2a0022
MD5 hash:
c5af54622602c908d5af6c3d8d7bdb09
SHA1 hash:
67fbbcaef7c841afc2af6cda2740b3f934cd9c15
Link:
https://www.unpac.me/results/095c5f9d-a2e3-4c79-a0d5-64e0e9860a9a/
Malware family:
Phoenix
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/bbeac700ec88/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/bbeac700ec88ce4b23f0bb5c996effc1586ef0e7802bc18695ecd3845a2a0022

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_SUSPICIOUS_Binary_References_Browsers
Create hunting rule
Author:ditekSHen
Description:Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers.
Rule name:INDICATOR_SUSPICIOUS_EXE_DotNetProcHook
Create hunting rule
Author:ditekSHen
Description:Detects executables with potential process hoocking
Rule name:INDICATOR_SUSPICIOUS_EXE_Referenfces_Messaging_Clients
Create hunting rule
Author:ditekSHen
Description:Detects executables referencing many email and collaboration clients. Observed in information stealers
Rule name:INDICATOR_SUSPICIOUS_EXE_TelegramChatBot
Create hunting rule
Author:ditekSHen
Description:Detects executables using Telegram Chat Bot
Rule name:MALWARE_Win_SnakeKeylogger
Create hunting rule
Author:ditekSHen
Description:Detects Snake Keylogger
Rule name:MAL_Envrial_Jan18_1
Create hunting rule
Author:Florian Roth
Description:Detects Encrial credential stealer malware
Reference:https://twitter.com/malwrhunterteam/status/953313514629853184
Rule name:pe_imphash
Create hunting rule
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash
Rule name:Telegram_Exfiltration_Via_Api
Create hunting rule
Author:lsepaolo

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/177826/

Comments