MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 c10cdab79d291209250dbe8cab991843dedfdf4291d742e7764ecdcaa910b9e5. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

SnakeKeylogger

Vendor detections: 10

Intelligence 10 IOCs YARA 3 File information Comments

SHA256 hash:	c10cdab79d291209250dbe8cab991843dedfdf4291d742e7764ecdcaa910b9e5
SHA3-384 hash:	a69e871837de07ee3c58175bcd396a84c830ec7e6859f82b6b6fc363c52fa73ac473becee618b7e4f2e1c78506d96cff
SHA1 hash:	84216581428627eb077b7c3f743b4c425ba13679
MD5 hash:	99c12f44a84f8c77f8bd03ece127a4a3
humanhash:	avocado-kitten-magazine-ten
File name:	DUE INVOICES.exe
Download:	download sample
Signature	SnakeKeylogger Create hunting rule
File size:	613'376 bytes
First seen:	2021-02-05 14:37:01 UTC
Last seen:	2021-02-05 17:16:56 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'742 x AgentTesla, 19'606 x Formbook, 12'242 x SnakeKeylogger)
ssdeep	6144:bsoXSDMpra6Xkd2gfAXlz4m1QN75+a7q9hHmh37WORAV3lwoMGC:Lp1FgfAXhM+aW9hHmhrWrC
Threatray	4 similar samples on MalwareBazaar
TLSH	91D45C6D259FAAA1D079CCF2005B13C086855B1DC8EAA2F75F8857DCDD2378486B3ED2
Reporter	James_inthe_box
Tags:	exe SnakeKeylogger

Intelligence

File Origin

# of uploads :

# of downloads :

112

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

DUE INVOICES.exe

Verdict:

Suspicious activity

Analysis date:

2021-02-05 14:37:55 UTC

Tags:

n/a

Link:

https://app.any.run/tasks/3dc38205-7374-430d-b140-ee07102979b3

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

Snake

Link:

https://www.capesandbox.com/analysis/115745/

Detection(s):

SecuriteInfo.com.Trojan.Inject4.6999.14560.4114.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Launching a process

DNS request

Sending an HTTP GET request

Sending a custom TCP request

Reading critical registry keys

Creating a window

Sending a UDP request

Launching the default Windows debugger (dwwin.exe)

Forced shutdown of a system process

Unauthorized injection to a system process

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/c10cdab79d291209250dbe8cab991843dedfdf4291d742e7764ecdcaa910b9e5/

Threat name:

ByteCode-MSIL.Trojan.SnakeKeylogger

Status:

Malicious

First seen:

2021-02-05 06:40:10 UTC

File Type:

PE (.Net Exe)

Extracted files:

AV detection:

25 of 29 (86.21%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=yegnvn45fejasjinx2gkxgiyippn7x2cshlufz3wj3g4vkiqxhsq._file

Verdict:

unknown

SnakeKeylogger

0bb556219dd8f5b174a72a9ef148070c4fc1d81157759f3d65245548d4a71b2a

SnakeKeylogger

319317193be5eadd1f42f45e397d611c995452308320606c5f6e7d97869b6c8f

SnakeKeylogger

484f0ef144b32492e7e9fe36e92b69b336583fa925438d2e82409006dd534af7

SnakeKeylogger

Result

Malware family:

snakekeylogger

Score:

10/10

Tags:

family:snakekeylogger keylogger stealer

Link:

https://tria.ge/reports/210205-zqle6zwpe6/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Program crash

Suspicious use of SetThreadContext

Looks up external IP address via web service

Beds Protector Packer

Snake Keylogger

Snake Keylogger Payload

Unpacked files

SH256 hash:

97024f17003dd3d31dab64c4d1b8251e50d428644eb59ed3692ad79ce42019cf

MD5 hash:

8cd28be4bd9a1404c6d3600db32b3ed1

SHA1 hash:

fb90b0ca51118e771390d58b19d0a404ee14cfbc

Link:

https://www.unpac.me/results/e0b7055e-d886-4d51-906d-d08f4c976a2f/

SH256 hash:

0bb556219dd8f5b174a72a9ef148070c4fc1d81157759f3d65245548d4a71b2a

MD5 hash:

80cc647cf1e3df7ded9730ee5f7f160a

SHA1 hash:

362af99f7e4a49b207f46cd54970802a2f74f1e7

Link:

https://www.unpac.me/results/e0b7055e-d886-4d51-906d-d08f4c976a2f/

SH256 hash:

bfd065c0c93f5cf2dbff3a4d55756aa114e92eb04c7676527b24d95f6f36cc75

MD5 hash:

3b87fbd4b66ba50820f12063221e9915

SHA1 hash:

0574fe059e5c8996bbf25eae91b87aa27a77a14e

Link:

https://www.unpac.me/results/e0b7055e-d886-4d51-906d-d08f4c976a2f/

SH256 hash:

c10cdab79d291209250dbe8cab991843dedfdf4291d742e7764ecdcaa910b9e5

MD5 hash:

99c12f44a84f8c77f8bd03ece127a4a3

SHA1 hash:

84216581428627eb077b7c3f743b4c425ba13679

Link:

https://www.unpac.me/results/e0b7055e-d886-4d51-906d-d08f4c976a2f/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Kryptik

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/c10cdab79d291209250dbe8cab991843dedfdf4291d742e7764ecdcaa910b9e5

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	INDICATOR_EXE_Packed_ConfuserExMod_BedsProtector Create hunting rule
Author:	ditekSHen
Description:	Detects executables packed with ConfuserEx Mod Beds Protector

Rule name:	Keylog_bin_mem Create hunting rule
Author:	James_inthe_box
Description:	Contains Keylog

Rule name:	MALWARE_Win_SnakeKeylogger Create hunting rule
Author:	ditekSHen
Description:	Detects Snake Keylogger

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method

Other

Cape

https://www.capesandbox.com/analysis/115745/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample