MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 c21af7bb95c19c612a239b33474ff9167efe84e3ae69b9b727b75401e2e81670. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


SnakeKeylogger


Vendor detections: 8


Intelligence 8 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: c21af7bb95c19c612a239b33474ff9167efe84e3ae69b9b727b75401e2e81670
SHA3-384 hash: aadfe68fb39f552a5b57aed031100777b41a21a12873c298df55303a02aeea607324e3ca9da66c17a2cb0b5a62fed17e
SHA1 hash: c5383fca92bf718c78c77b754572a072e767e106
MD5 hash: c82ca6c32016c3867edf5263e33687f8
humanhash: eleven-fish-cup-oven
File name:IMG_2021_01_13_1_RFQ_PO_1832938.exe
Download: download sample
Signature SnakeKeylogger
Create hunting rule
File size:999'936 bytes
First seen:2021-01-13 15:58:23 UTC
Last seen:2021-01-13 17:44:53 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'657 x AgentTesla, 19'469 x Formbook, 12'208 x SnakeKeylogger)
ssdeep 12288:PxaYippREEztEGl7Lw1pZu6a49DCKvRbWZ12/YOUOJ2NwcXmTrHf:ipLCGl7LMpZda49DCKkZ12/XJ2Nw7H/
Threatray 3 similar samples on MalwareBazaar
TLSH 97254903BBDC970CE3BD26BD383000611AE5EF27A6B8D61CF9C1A46D5A6291845FD7D2
Reporter abuse_ch
Tags:exe SnakeKeylogger


Avatar
abuse_ch
Malspam distributing unidentified malware:

HELO: vps.rajo.com.br
Sending IP: 162.241.40.68
From: shmulik <shmulik@bcid-co.me>
Reply-To: shmulik <shmulik@bcid-co.me>
Subject: Re: Re: MT25QU256ABA8ESF-0SIT  51Kpcs
Attachment: IMG_2021_01_13_1_RFQ_PO_1832938.IMG (contains "IMG_2021_01_13_1_RFQ_PO_1832938.exe")

Intelligence

File Origin
# of uploads :
2
# of downloads :
128
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
2021_01_13_1_RFQ_PO_1832938.doc
Verdict:
Malicious activity
Analysis date:
2021-01-13 11:43:11 UTC
Tags:
ole-embedded trojan exploit CVE-2017-11882
Link:
https://app.any.run/tasks/0c8116df-dc17-4102-8c5c-16c29363dcb8

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Snake
Create hunting rule
Link:
https://www.capesandbox.com/analysis/111799/
Detection(s):
SecuriteInfo.com.Artemis.25121.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a UDP request
Creating a file in the %AppData% directory
Enabling the 'hidden' option for recently created files
Adding an access-denied ACE
Creating a file in the %temp% directory
Launching a process
Creating a process with a hidden window
Deleting a recently created file
Unauthorized injection to a recently created process
Creating a file
DNS request
Sending an HTTP GET request
Sending a custom TCP request
Reading critical registry keys
Enabling autorun by creating a file
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
Snake Keylogger
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/580298
Signature
.NET source code contains potential unpacker
Initial sample is a PE file and has a suspicious name
Machine Learning detection for dropped file
Machine Learning detection for sample
May check the online IP address of the machine
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Scheduled temp file as task from temp location
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file access)
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected AntiVM_3
Yara detected Snake Keylogger
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/c21af7bb95c19c612a239b33474ff9167efe84e3ae69b9b727b75401e2e81670/
Threat name:
ByteCode-MSIL.Trojan.Malrep
Create hunting rule
Status:
Malicious
First seen:
2021-01-13 10:56:50 UTC
AV detection:
15 of 28 (53.57%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=yinppo4vygogckrdtmzuot7zcz7p5bhdvzu3tnzhw5kadyxiczya._file
Verdict:
unknown
Similar samples:
3311cea59262b019a69fb72b72a36fc8e55d48a0f14f853b3a52fc8740542e99
SnakeKeylogger
43891ebd12a33234d3776da3e200f2d778cc1a169050f3db729ceb8838f0ebd1
SnakeKeylogger
fa769a960a22d4ce289da152e5535fa6f9e610d8796aeb907bacf3157c1270b5
SnakeKeylogger
Result
Malware family:
n/a
Score:
  7/10
Tags:
spyware
Link:
https://tria.ge/reports/210113-cpbtfm3p4j/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Looks up external IP address via web service
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Unpacked files
SH256 hash:
c21af7bb95c19c612a239b33474ff9167efe84e3ae69b9b727b75401e2e81670
MD5 hash:
c82ca6c32016c3867edf5263e33687f8
SHA1 hash:
c5383fca92bf718c78c77b754572a072e767e106
Link:
https://www.unpac.me/results/186a5c5e-e931-48eb-b397-8a86b453bf1b/
SH256 hash:
92869b23e5e18ddef0e43f2eb81d101d113cfd486fecbcb655bdeca8856fe19a
MD5 hash:
62a0f1c1e6e6dc1f48f7c68ed78377af
SHA1 hash:
3ae1ce5390680b385134f9b2f9f223104dab1365
Link:
https://www.unpac.me/results/186a5c5e-e931-48eb-b397-8a86b453bf1b/
SH256 hash:
296620e9308a1069ca98d27c426f25f5c1f87d9240bb371c657571034b0261b5
MD5 hash:
4cf24d41a7882216740280e3294cb853
SHA1 hash:
6bcb31d3dc0a7d71da1067a628168664202769a4
Link:
https://www.unpac.me/results/186a5c5e-e931-48eb-b397-8a86b453bf1b/
SH256 hash:
45eb47ac779204b380f464974638c57fea6ce5b17b5db19dd89eff0706f5a3a5
MD5 hash:
ddfb73ef84e49c9c28f56850e8a77335
SHA1 hash:
afe9ba17919830b2db0190e8b60081b17847a3da
Link:
https://www.unpac.me/results/186a5c5e-e931-48eb-b397-8a86b453bf1b/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Kryptik
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/c21af7bb95c19c612a239b33474ff9167efe84e3ae69b9b727b75401e2e81670

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_EXE_Packed_ConfuserExMod_BedsProtector
Create hunting rule
Author:ditekSHen
Description:Detects executables packed with ConfuserEx Mod Beds Protector
Rule name:Keylog_bin_mem
Create hunting rule
Author:James_inthe_box
Description:Contains Keylog
Rule name:MALWARE_Win_SnakeKeylogger
Create hunting rule
Author:ditekSHen
Description:Detects Snake Keylogger

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

SnakeKeylogger

img e168a6044246feecae974ff32ac61559ff57c410f8a8ba1015b6c27c20b06ccc

SnakeKeylogger

Executable exe c21af7bb95c19c612a239b33474ff9167efe84e3ae69b9b727b75401e2e81670

(this sample)

  
Dropped by
MD5 367e0ce22cb9a524032e526a56aff948
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/111799/
  
Dropped by
SHA256 e168a6044246feecae974ff32ac61559ff57c410f8a8ba1015b6c27c20b06ccc
  
URLhaus
https://urlhaus.abuse.ch/url/958833/

Comments