MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 c0c3c3426224d4f5424eee1147d113ed14a4307f407ef3f8e4ac8efc20933299. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


SnakeKeylogger


Vendor detections: 13


Intelligence 13 IOCs YARA 7 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: c0c3c3426224d4f5424eee1147d113ed14a4307f407ef3f8e4ac8efc20933299
SHA3-384 hash: 9a71c3b8864ed47330ce639e2bb43174d861dac3daeb429b406ba9a9d6eacbb5c1bbad4e6eebf69183799440fcb217b5
SHA1 hash: 43cd6b86046aaaeb5317e09362dd956d9b6171ef
MD5 hash: f0e80be8e191e0f6ac062fa47701d8e0
humanhash: uncle-nine-skylark-carpet
File name:f0e80be8e191e0f6ac062fa47701d8e0.exe
Download: download sample
Signature SnakeKeylogger
Create hunting rule
File size:1'048'576 bytes
First seen:2022-09-19 16:32:45 UTC
Last seen:2022-09-19 17:55:44 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'749 x AgentTesla, 19'653 x Formbook, 12'246 x SnakeKeylogger)
ssdeep 12288:GZZUxh18IwRBrcLWFx2QAAEj6SjV+jiSX/2ETZhRg81Msoizi7krHdTfm:kHIwPFxzA/jx54H3lhRVQ7kr9Tu
Threatray 4'089 similar samples on MalwareBazaar
TLSH T1AB25063F3A0E0AA2ED5DF07C8E050B49BB63BF036240A99653CB35CA876F5665C75C85
TrID 69.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
9.9% (.EXE) Win64 Executable (generic) (10523/12/4)
6.2% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.7% (.EXE) Win16 NE executable (generic) (5038/12/1)
4.2% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):PE icon
dhash icon 15199b5a1b2d575b (1 x SnakeKeylogger)
Reporter abuse_ch
Tags:exe SnakeKeylogger

Intelligence

File Origin
# of uploads :
2
# of downloads :
221
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
f0e80be8e191e0f6ac062fa47701d8e0.exe
Verdict:
Malicious activity
Analysis date:
2022-09-19 16:40:08 UTC
Tags:
snake
Link:
https://app.any.run/tasks/4f8f541d-d1b5-4ef7-ab48-83a3b3c6306f

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/311396/
Detection(s):
SecuriteInfo.com.BackDoor.RatNET.2.12329.15782.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Сreating synchronization primitives
Unauthorized injection to a recently created process
Creating a file
DNS request
Sending an HTTP GET request
Searching for synchronization primitives
Launching the default Windows debugger (dwwin.exe)
Searching for the window
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
obfuscated overlay packed
Link:
https://www.filescan.io/uploads/632899d3e64c53f047f575f9/reports/fb7eb71e-560c-4c7e-a36a-aaf3114b738a/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/13c8a692-4501-42a1-8054-b93886dcc981
Result
Threat name:
Snake Keylogger
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1073104
Signature
.NET source code references suspicious native API functions
Antivirus / Scanner detection for submitted sample
Binary or sample is protected by dotNetProtector
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
May check the online IP address of the machine
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Mail credentials (via file / registry access)
Yara detected Generic Downloader
Yara detected Snake Keylogger
Yara detected Telegram RAT
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/c0c3c3426224d4f5424eee1147d113ed14a4307f407ef3f8e4ac8efc20933299/
Threat name:
ByteCode-MSIL.Spyware.SnakeLogger
Create hunting rule
Status:
Malicious
First seen:
2022-09-12 01:44:38 UTC
File Type:
PE (.Net Exe)
Extracted files:
11
AV detection:
19 of 25 (76.00%)
Threat level:
  2/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=ydb4gqtcetkpkqso5yiupuit5ukkimd7ib7ph6hevshpyietgkmq._file
Verdict:
malicious
Similar samples:
024aa3421fb7bc058d1dabcf8cffd6fd1fbd7c6050d02f582e270eb94cb15b2c
SnakeKeylogger
079ebfc9684c2028587bd3cd09739b3bf0c8f5c672e25684ec672f7942ca07d0
SnakeKeylogger
16bbc679833a9cc2c646fa6830a10618fdc04dbd27c0a99e233ba08701f9ec75
SnakeKeylogger
6375d4e0dad1b1f461a4456cbefb8cef43175e2b4b0caa9780cc2a18de115a73
SnakeKeylogger
c061fdbee9bcc8f7a144ebaa92026184cf60430b49b891539f42ec07f711acb6
SnakeKeylogger
ff3c2c1845e5d581981d7ace413c747abf2999bb7ed7663916fa8932b89e78d1
SnakeKeylogger
+ 4'079 additional samples on MalwareBazaar
Result
Malware family:
snakekeylogger
Create hunting rule
Score:
  10/10
Tags:
family:snakekeylogger collection keylogger spyware stealer
Link:
https://tria.ge/reports/220919-t2h62sgga4/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Program crash
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Looks up external IP address via web service
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Snake Keylogger
Snake Keylogger payload
Verdict:
Suspicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/d27df2af-37cb-4e38-8270-083a2a14da45
Unpacked files
SH256 hash:
e22e7f09d743e524d134f4b4bbf5f1eb5308a3edb954a40b8aa5e68c7b8cffd4
MD5 hash:
07e1f7163b7d8b6d80d83d1c819436ef
SHA1 hash:
ed7724c52e18b9810939327b803ca03837915836
Link:
https://www.unpac.me/results/0367a04c-e0bd-4987-bda6-ffd47feddc4a/
Parent samples :
1d16237ed75b507f03609ede9722fff429f9a7386c4c4408a9f47623d7a28b50
7154910c217ddc6b6d3726e066d688288efbcd8682a4ad90556fed2ce9009c69
c5dd4dced21baff9499dac6505a77527ac91dc0b0f187c20e9b960b46b3636b9
90dd02313886725b3ad19eaa0780f7189d49e8d1a334e51e5432027e2326c14f
SH256 hash:
fea3e6423e7da01618af7dfbd3c61896933047cce2b8c9dbfb40d5cfbf62b74a
MD5 hash:
c3ccc7c608671a75ca95d18059ee129c
SHA1 hash:
c95622c20a1d784befc158a714c62a433d5886d0
Link:
https://www.unpac.me/results/0367a04c-e0bd-4987-bda6-ffd47feddc4a/
SH256 hash:
194a744eb3fda89c376f7b6799aa7d745fb001764d0ca4244fc38aac5a82e762
MD5 hash:
2a252bfe338c8a4ee6a00d899dd7b78e
SHA1 hash:
e77d57aaae862bf63da7354b41d20245f54f7fd5
Detections:
snake_keylogger
Create hunting rule
Link:
https://www.unpac.me/results/0367a04c-e0bd-4987-bda6-ffd47feddc4a/
SH256 hash:
c0c3c3426224d4f5424eee1147d113ed14a4307f407ef3f8e4ac8efc20933299
MD5 hash:
f0e80be8e191e0f6ac062fa47701d8e0
SHA1 hash:
43cd6b86046aaaeb5317e09362dd956d9b6171ef
Link:
https://www.unpac.me/results/0367a04c-e0bd-4987-bda6-ffd47feddc4a/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
iSpy Keylogger
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/c0c3c3426224d4f5424eee1147d113ed14a4307f407ef3f8e4ac8efc20933299

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_EXE_Packed_Babel
Create hunting rule
Author:ditekSHen
Description:Detects executables packed with Babel
Rule name:INDICATOR_EXE_Packed_Dotfuscator
Create hunting rule
Author:ditekSHen
Description:Detects executables packed with Dotfuscator
Rule name:INDICATOR_EXE_Packed_dotNetProtector
Create hunting rule
Author:ditekSHen
Description:Detects executables packed with dotNetProtector
Rule name:INDICATOR_EXE_Packed_Goliath
Create hunting rule
Author:ditekSHen
Description:Detects executables packed with Goliath
Rule name:INDICATOR_EXE_Packed_SmartAssembly
Create hunting rule
Author:ditekSHen
Description:Detects executables packed with SmartAssembly
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/311396/

Comments