MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 c3e845dc7b429254e650f20fff9771f5bd2c84c7e31d2846143402859d8ae3bd. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


SnakeKeylogger


Vendor detections: 8


Intelligence 8 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: c3e845dc7b429254e650f20fff9771f5bd2c84c7e31d2846143402859d8ae3bd
SHA3-384 hash: 5eefa3f0638fe99eeab14db4e1ace0dd5f14474fc6e3b532809031bb0a68cd7c3c5f988ce9d9cf19037ae1eea3df7940
SHA1 hash: 91a6b72b7f04a0c21639519a5f35110a36b28b06
MD5 hash: 2e8793a02a7983b2ecdc3449d4a93bbf
humanhash: fourteen-oregon-fanta-video
File name:cGs8fEwx9e8FWB0.exe
Download: download sample
Signature SnakeKeylogger
Create hunting rule
File size:1'071'616 bytes
First seen:2021-03-10 07:21:14 UTC
Last seen:2021-03-10 08:50:54 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'740 x AgentTesla, 19'600 x Formbook, 12'241 x SnakeKeylogger)
ssdeep 12288:55VOjYkAd0WajYkAEjYkALScbrTF6R3T6qboUDCFFLvTB0v+uSYAItJkbp+jP2B5:vVei0jnEVQj6IYLmv3FMbEPpJ089ynD
Threatray 36 similar samples on MalwareBazaar
TLSH 6C35D02352449B50E0392FB8642025A047F6BFCAFB2DF90EBC36355E6A729C7C735616
Reporter abuse_ch
Tags:Endurance exe SnakeKeylogger


Avatar
abuse_ch
Malspam distributing SnakeKeylogger:

HELO: qproxy3-pub.mail.unifiedlayer.com
Sending IP: 67.222.38.20
From: Ammar Shahbandar <info@arwani.ae>
Subject: RFQ 0010021 ARWANI
Attachment: RFQ Arwani 0010021.pdf.xxe (contains "cGs8fEwx9e8FWB0.exe")

Intelligence

File Origin
# of uploads :
2
# of downloads :
121
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
cGs8fEwx9e8FWB0.exe
Verdict:
Malicious activity
Analysis date:
2021-03-10 07:25:13 UTC
Tags:
evasion trojan
Link:
https://app.any.run/tasks/5d08d052-09e7-43d4-84a1-1c5288479cdf

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Snake
Create hunting rule
Link:
https://www.capesandbox.com/analysis/123482/
Detection(s):
SecuriteInfo.com.Trojan.PackedNET.569.23568.13907.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a UDP request
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
Snake Keylogger
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
96 / 100
Link:
https://www.joesandbox.com/analysis/633948
Signature
.NET source code contains potential unpacker
Found malware configuration
Machine Learning detection for sample
May check the online IP address of the machine
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Mail credentials (via file access)
Yara detected AntiVM_3
Yara detected Beds Obfuscator
Yara detected Snake Keylogger
Behaviour
Behavior Graph:
Download SVG
Gathering data
Threat name:
ByteCode-MSIL.Infostealer.Convagent
Create hunting rule
Status:
Malicious
First seen:
2021-03-10 07:22:08 UTC
AV detection:
9 of 47 (19.15%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=ypuelxd3ikjfjzsq6ih77f3r6w6szbgh4mosqrqugqbilhmk4o6q._file
Verdict:
unknown
Similar samples:
035a62c9a13176755bbe5ea0d9c8a609c9f237a6e0af811abb934ca8654eb753
SnakeKeylogger
03a7c8a4e67e6739db52502fb4babb8421059e3269610dbec749b3f0aa4a4641
SnakeKeylogger
06ab3bdeae92bc8dceb7b2c99ba9d65087b1b1e9d3b6aa3abbade809259e677f
SnakeKeylogger
11b82240c0a2fbb5f71aefab2266d18d28746ffc267b585f72498006a57aa6bd
SnakeKeylogger
363f1e19af5976e6c19e76c71e98c405b227938e261beb7e2a0bcc27e4a44be7
SnakeKeylogger
4fba0a6de9bae92d10236ea02250e0079376e43a4b6c1aed009677bdb4b8c21e
SnakeKeylogger
60d5a2df12e7d3ec47a29b7f1d2faeaa078f89cc3ec6da3965a14a6c1c11de74
SnakeKeylogger
6aca638f8c9405c4c02bb3f2b5f5e5bc9d5596f8c68a57fb99347031415b584b
SnakeKeylogger
998a2fc57352ed3bde7f7b8bea269593342e6664ea8209a764d28ff4e0bf68f6
SnakeKeylogger
e4179e2d5b9c04e7a59bf9b063c006f5695b5ec90600833006d38129ad0a48a6
SnakeKeylogger
+ 26 additional samples on MalwareBazaar
Result
Malware family:
snakekeylogger
Create hunting rule
Score:
  10/10
Tags:
family:snakekeylogger keylogger spyware stealer
Link:
https://tria.ge/reports/210310-9wq33vtmpn/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Looks up external IP address via web service
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Snake Keylogger
Snake Keylogger Payload
Unpacked files
SH256 hash:
f9d949d2f56c449c5d346bb93ed04d38426f563b022dd179ae330dab46682c3b
MD5 hash:
871e23d748ba756eaab5777708f250f8
SHA1 hash:
c9816d4ab38541aaab9aa3eab7cb4898d0b72e4a
Link:
https://www.unpac.me/results/22cbd711-45cc-4648-bd74-ba2aacb900eb/
SH256 hash:
c3e845dc7b429254e650f20fff9771f5bd2c84c7e31d2846143402859d8ae3bd
MD5 hash:
2e8793a02a7983b2ecdc3449d4a93bbf
SHA1 hash:
91a6b72b7f04a0c21639519a5f35110a36b28b06
Link:
https://www.unpac.me/results/22cbd711-45cc-4648-bd74-ba2aacb900eb/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.45
Link:
https://yomi.yoroi.company/submissions/c3e845dc7b429254e650f20fff9771f5bd2c84c7e31d2846143402859d8ae3bd

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_EXE_Packed_ConfuserExMod_BedsProtector
Create hunting rule
Author:ditekSHen
Description:Detects executables packed with ConfuserEx Mod Beds Protector
Rule name:Keylog_bin_mem
Create hunting rule
Author:James_inthe_box
Description:Contains Keylog
Rule name:MALWARE_Win_SnakeKeylogger
Create hunting rule
Author:ditekSHen
Description:Detects Snake Keylogger

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

SnakeKeylogger

ec03d2f24b85a043b09e322aba48b6153a9fd1e4f6a638b43c1dfb6b5b774ac6

SnakeKeylogger

Executable exe c3e845dc7b429254e650f20fff9771f5bd2c84c7e31d2846143402859d8ae3bd

(this sample)

  
Dropped by
MD5 9ac1335689e75601fd2b7efbd3c66252
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/123482/
  
Dropped by
SHA256 ec03d2f24b85a043b09e322aba48b6153a9fd1e4f6a638b43c1dfb6b5b774ac6

Comments