MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 c1e38b77d33987617b3ebd062909aeb830713508a6847eac373b004f83bde43f. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


SnakeKeylogger


Vendor detections: 15


Intelligence 15 IOCs YARA 10 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: c1e38b77d33987617b3ebd062909aeb830713508a6847eac373b004f83bde43f
SHA3-384 hash: 975c76d2da0a0142690ca6d429282bcae29e9f1099ac525f5c692006f6305f86d2d985c8b27017ed894de8bb7d0e7edc
SHA1 hash: 86b1cfa18642e1f64d345ef2fe69406cc0373fe3
MD5 hash: 63c8fc8677019ac92d0fe2d47a724fba
humanhash: spring-six-mirror-oranges
File name:Original Shipping Doc.exe
Download: download sample
Signature SnakeKeylogger
Create hunting rule
File size:367'964 bytes
First seen:2022-05-04 15:02:43 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 56a78d55f3f7af51443e58e0ce2fb5f6 (720 x GuLoader, 451 x Formbook, 295 x Loki)
ssdeep 6144:oNeZsTngKXTXgpHpmSY1I5YJcO+xYHPeSp8dira:oNRTg0Qfm/y5YJkEeSmiu
Threatray 6'539 similar samples on MalwareBazaar
TLSH T12274DF107294D016C7E136310F66DAB61BA9BC5D1D66861B33F07F4F3AFC683A90A362
TrID 48.8% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
16.4% (.EXE) Win64 Executable (generic) (10523/12/4)
10.2% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
7.8% (.EXE) Win16 NE executable (generic) (5038/12/1)
7.0% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):PE icon
dhash icon 0000000000000000 (872 x AgentTesla, 496 x Formbook, 296 x RedLineStealer)
Reporter GovCERT_CH
Tags:exe SnakeKeylogger

Intelligence

File Origin
# of uploads :
1
# of downloads :
259
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
Original Shipping Doc.exe
Verdict:
Malicious activity
Analysis date:
2022-05-04 15:06:29 UTC
Tags:
snake
Link:
https://app.any.run/tasks/cd6ad2a0-9706-4108-a0fc-6e6cf8404d25

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Snake
Create hunting rule
Link:
https://www.capesandbox.com/analysis/268670/
Detection(s):
SecuriteInfo.com.Trojan.NSISX.Spy.Gen.2.6896.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Creating a window
Creating a file in the %temp% directory
Creating a process from a recently created file
Сreating synchronization primitives
DNS request
Sending an HTTP GET request
Reading critical registry keys
Unauthorized injection to a recently created process
Unauthorized injection to a recently created process by context flags manipulation
Forced shutdown of a browser
Result
Malware family:
n/a
Score:
  5/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/16299/overview
Behaviour
MalwareBazaar
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
babar
Link:
https://www.filescan.io/uploads/627295be2b32b1c37c9312a6/reports/4ba3a628-ffaa-406d-b5fa-7d22dfa260ba/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Snake Keylogger
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/fed499e7-bb5d-4388-9b9b-43cda1420dd5
Result
Threat name:
Snake Keylogger
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/987879
Signature
.NET source code references suspicious native API functions
Antivirus detection for dropped file
Found evasive API chain (may stop execution after reading information in the PEB, e.g. number of processors)
Found malware configuration
Injects a PE file into a foreign processes
Malicious sample detected (through community Yara rule)
May check the online IP address of the machine
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Mail credentials (via file / registry access)
Yara detected Snake Keylogger
Yara detected Telegram RAT
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/c1e38b77d33987617b3ebd062909aeb830713508a6847eac373b004f83bde43f/
Threat name:
Win32.Trojan.Babar
Create hunting rule
Status:
Malicious
First seen:
2022-05-04 15:03:07 UTC
File Type:
PE (Exe)
Extracted files:
4
AV detection:
17 of 42 (40.48%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=yhryw56thgdwc6z6xudcscnoxayhcniiu2ch5lbxhmae7a554q7q._file
Verdict:
malicious
Similar samples:
279b911a8deff7f7887920f7580adfd320630808c39e481beb0d3c619242a718
SnakeKeylogger
2e0bcd0644f82dbd6f7bc920b54bf6b4a621ac938a18d35695776f44ae6bccd0
SnakeKeylogger
347fa0ad9e11712fe0628c2454141d6fec8e995acbe7fe7461e6dbf94f2838ce
SnakeKeylogger
4f7d1f1df60c29fe9eff2e75f317a316c9ddc9afe569624a466670cf396b8d61
SnakeKeylogger
8d210f06f267f917e5d73113eaa2bb0fe911562241170d00a2d3ab5d97408ce5
SnakeKeylogger
9c14d6ca77383fa5a3724feab17b217b900295abf77311a8c88f39ff7bb02f01
SnakeKeylogger
e2db235aa3f5964cab6475624e6e62c5fa0724fafb5cddb5542ff0a27a84dd86
SnakeKeylogger
+ 6'529 additional samples on MalwareBazaar
Result
Malware family:
snakekeylogger
Create hunting rule
Score:
  10/10
Tags:
family:snakekeylogger collection keylogger spyware stealer
Link:
https://tria.ge/reports/220504-se1xxaebc7/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Enumerates physical storage devices
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Looks up external IP address via web service
Loads dropped DLL
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Executes dropped EXE
Snake Keylogger
Snake Keylogger Payload
Malware Config
C2 Extraction:
https://api.telegram.org/bot5382724210:AAG4Iq9wjsCc6GotCuehwkLAVm3HSKGajeo/sendMessage?chat_id=5144477649
Unpacked files
SH256 hash:
355d8e2787430dea64265f9fd66857649fff36724b31740880b47485288164e5
MD5 hash:
5d0f1eca7bc23b850047d4f3c42f9797
SHA1 hash:
b3ec9bb8cc44273afab8649aef16950bbd39dae2
Link:
https://www.unpac.me/results/347a3a17-7053-44dd-9236-d89d8cb5cb37/
SH256 hash:
e80693236399496d661fdaaca5c7246c5f16a20e1afdb5c91ad9ddf5f1566e0d
MD5 hash:
aaf2fbb1b7d02d08c29e58b295d83fe5
SHA1 hash:
819619dff445dbebaf9cf856ec394061100184db
Link:
https://www.unpac.me/results/347a3a17-7053-44dd-9236-d89d8cb5cb37/
SH256 hash:
78e566cdd09470a1c8df5a1ad593332417e83ce620b3e286f78adb2779281a38
MD5 hash:
4ca6aaa5d423ffbed26f4c0d1a873ff9
SHA1 hash:
5a5779b3fc316e06e47ddf5521fd56e58d9b7a5f
Link:
https://www.unpac.me/results/347a3a17-7053-44dd-9236-d89d8cb5cb37/
SH256 hash:
511ce06056f7181ec8b5389c98a0500a8d81e603dbc6cf2a81b8af478a05b1fc
MD5 hash:
520ebc5b5943865f6a528a6bce395df0
SHA1 hash:
5e6bf5336079c4eefe098477e71756bfdcae9bc8
Link:
https://www.unpac.me/results/347a3a17-7053-44dd-9236-d89d8cb5cb37/
SH256 hash:
c1e38b77d33987617b3ebd062909aeb830713508a6847eac373b004f83bde43f
MD5 hash:
63c8fc8677019ac92d0fe2d47a724fba
SHA1 hash:
86b1cfa18642e1f64d345ef2fe69406cc0373fe3
Link:
https://www.unpac.me/results/347a3a17-7053-44dd-9236-d89d8cb5cb37/
Malware family:
SnakeKeylogger
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/c1e38b77d339/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/c1e38b77d33987617b3ebd062909aeb830713508a6847eac373b004f83bde43f

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_SUSPICIOUS_Binary_References_Browsers
Create hunting rule
Author:ditekSHen
Description:Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers.
Rule name:INDICATOR_SUSPICIOUS_EXE_DotNetProcHook
Create hunting rule
Author:ditekSHen
Description:Detects executables with potential process hoocking
Rule name:INDICATOR_SUSPICIOUS_EXE_References_Messaging_Clients
Create hunting rule
Author:ditekSHen
Description:Detects executables referencing many email and collaboration clients. Observed in information stealers
Rule name:INDICATOR_SUSPICIOUS_EXE_TelegramChatBot
Create hunting rule
Author:ditekSHen
Description:Detects executables using Telegram Chat Bot
Rule name:MALWARE_Win_SnakeKeylogger
Create hunting rule
Author:ditekSHen
Description:Detects Snake Keylogger
Rule name:MAL_Envrial_Jan18_1
Create hunting rule
Author:Florian Roth
Description:Detects Encrial credential stealer malware
Reference:https://twitter.com/malwrhunterteam/status/953313514629853184
Rule name:MAL_Envrial_Jan18_1_RID2D8C
Create hunting rule
Author:Florian Roth
Description:Detects Encrial credential stealer malware
Reference:https://twitter.com/malwrhunterteam/status/953313514629853184
Rule name:MAL_Lokibot_Stealer
Create hunting rule
Description:Detects Lokibot Stealer Variants
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

SnakeKeylogger

Executable exe c1e38b77d33987617b3ebd062909aeb830713508a6847eac373b004f83bde43f

(this sample)

  
Dropped by
snakekeylogger
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/268670/

Comments