MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 c498eacc7854b7f3a2e47bda26774db27b72de28922232b4c789e0abf5d92835. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


SnakeKeylogger


Vendor detections: 14


Intelligence 14 IOCs YARA 11 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: c498eacc7854b7f3a2e47bda26774db27b72de28922232b4c789e0abf5d92835
SHA3-384 hash: a8a50c1422fd2f5abc49a9648b17bb00c7107d001d0850210ffbf40f0baae21f38f930d65a0f817fb25518a7af7965d6
SHA1 hash: 7ff4d534b5b831b14706e956c2e18e19766c2284
MD5 hash: a515c19f0034abdbd4e06589023d2f42
humanhash: batman-floor-sixteen-don
File name:Proforma Bill of Lading for COSU6302595940.exe
Download: download sample
Signature SnakeKeylogger
Create hunting rule
File size:614'912 bytes
First seen:2023-02-19 16:55:12 UTC
Last seen:2023-02-19 18:27:34 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'662 x AgentTesla, 19'477 x Formbook, 12'208 x SnakeKeylogger)
ssdeep 12288:ks43Csr9nMjNhmKXEKF0nYNfS1tIfsjIzHIxRXIqnG:ks43CsRMjNcSEKmnmfOIzoxRYq
Threatray 4'501 similar samples on MalwareBazaar
TLSH T107D46B50E17C9212CC4A19EA272426B7DB7435A22A20D92ECBF5F9848F357334E5CED7
TrID 71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.2% (.EXE) Win64 Executable (generic) (10523/12/4)
6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.3% (.EXE) Win32 Executable (generic) (4505/5/1)
2.0% (.ICL) Windows Icons Library (generic) (2059/9)
Reporter abuse_ch
Tags:exe SnakeKeylogger

Intelligence

File Origin
# of uploads :
2
# of downloads :
213
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
Proforma Bill of Lading for COSU6302595940.exe
Verdict:
Malicious activity
Analysis date:
2023-02-19 16:56:24 UTC
Tags:
evasion trojan snake keylogger
Link:
https://app.any.run/tasks/f5f70ae3-27a6-4bf1-810f-545600ee7831

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/368225/
Detection(s):
Sanesecurity.Malware.28872.BadIN4.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Launching a process
Creating a window
Unauthorized injection to a recently created process
Creating a file
Сreating synchronization primitives
DNS request
Sending an HTTP GET request
Forced shutdown of a browser
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
packed
Link:
https://www.filescan.io/uploads/63f254a642bf85850e3e124f/reports/6634cb11-72bb-4ff5-955f-9fbbc1096869/overview
Verdict:
Malicious
Labled as:
Trojan.Generic
Link:
https://www.hybrid-analysis.com/sample/c498eacc7854b7f3a2e47bda26774db27b72de28922232b4c789e0abf5d92835
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Generic Malware
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/38a85ede-40a4-444a-a6dc-f7dfc76a5039
Result
Threat name:
Snake Keylogger
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1178833
Signature
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
May check the online IP address of the machine
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Mail credentials (via file / registry access)
Yara detected Generic Downloader
Yara detected Snake Keylogger
Yara detected Telegram RAT
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/c498eacc7854b7f3a2e47bda26774db27b72de28922232b4c789e0abf5d92835/
Threat name:
Win32.Spyware.SnakeLogger
Create hunting rule
Status:
Malicious
First seen:
2023-02-19 12:48:45 UTC
File Type:
PE (.Net Exe)
Extracted files:
20
AV detection:
21 of 25 (84.00%)
Threat level:
  2/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=ysmovtdyks37hixeppncm52nwj5xfxrisirdfnghrhqkx5ozfa2q._file
Verdict:
malicious
Similar samples:
1fd1e0ff7b9e6bc7b9014cbdfa12b15459011086a2398185e5b51ca92bf8a8e5
SnakeKeylogger
2665999d8c6d7ef85011d6e6429512d13397c07b7949329d61eecf79eb66f9b5
SnakeKeylogger
27d87225d2c5b22a531d89640b5346d988177a8d46b41e7977430dd8e095b20e
SnakeKeylogger
4a63d124fccf3d47730bf3b1b9d1befadb2b225b3b38fdacaa135f0800548c6c
SnakeKeylogger
4f8dc84952cc5e606fb05b608f35a150e5fa629c380db2cb2cb7a5aee1f322b6
SnakeKeylogger
587d7f111c3de0f35aee401c6b61f69103114dc9d65e4c5be1b9ce85f5ebf716
SnakeKeylogger
77864a5c81d11e61e24fa26853404d5e75a8780cd476cd6a0c7e525128a589ad
SnakeKeylogger
8572c3b461f643bf5baaeb032cf81f83af78dcc60e34d98c669d12f748bb38f3
SnakeKeylogger
8878359c93d36d0849467e895c724bd5a171a4ac97f29217aca79645f3c57a40
SnakeKeylogger
c2b75ac0591a9d623520430e0c5adcf9ce5a812c77c43f9b1df080b628d48ad7
SnakeKeylogger
+ 4'491 additional samples on MalwareBazaar
Result
Malware family:
snakekeylogger
Create hunting rule
Score:
  10/10
Tags:
family:snakekeylogger collection keylogger spyware stealer
Link:
https://tria.ge/reports/230219-vfpblsfe2x/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Looks up external IP address via web service
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Snake Keylogger
Snake Keylogger payload
Malware Config
C2 Extraction:
https://api.telegram.org/bot6166695280:AAFYAmHtNxka4VVDE564YnB1MkmT68AnzXY/sendMessage?chat_id=5981442240
Unpacked files
SH256 hash:
0873423e5539b9ec1935b2f39edb7ca46d086e13737b19df87d3d45ca71bbc84
MD5 hash:
12e2a8a324357a6aaad23762d9d447e3
SHA1 hash:
ae44d415540bc6b50b44f2b174d84299aa4e7d67
Link:
https://www.unpac.me/results/e10fa478-fe86-45cc-aea0-3886e9a26c1a/
SH256 hash:
7c7d7d537ac534e71802df29bb842a5fddce215172195a23868501cee5d9bf69
MD5 hash:
c52c5764d0944d040225068dbc9e60f2
SHA1 hash:
a8fdf5b4b60f487de4d4dfe8f83e55cb3d5d97ec
Link:
https://www.unpac.me/results/e10fa478-fe86-45cc-aea0-3886e9a26c1a/
SH256 hash:
d06df7395d561e198f9b7c5481567116ff2e4c2e84437c018d2a2c8ea6c4ca37
MD5 hash:
0fb6061f7d37424fb9e6d0e76b019c19
SHA1 hash:
98a64bf7b459f032d6ec5793003bf61b5ae1dd74
Link:
https://www.unpac.me/results/e10fa478-fe86-45cc-aea0-3886e9a26c1a/
Parent samples :
495607b1aef01bf7dfb64b5cb16a8fc0f161c2923627d71c69de97328f8eca3f
2434aa78b46a3afc98fa6e888c3eb56278ba52b0ff800e7e875af9c2e7f9011a
SH256 hash:
9b6f784ba7a2a79eaaf2663bffb7673efb314595d9eacc96f061d3a22990b718
MD5 hash:
f673a146bfbd1d0b3dc6cc23b75d9b8f
SHA1 hash:
8cd9f487d25aad32182150824dbef5d2c3566e75
Detections:
snake_keylogger
Create hunting rule
Link:
https://www.unpac.me/results/e10fa478-fe86-45cc-aea0-3886e9a26c1a/
Parent samples :
4f523193ac9b23eee38414ec05142a0c0a75a8ff2511e74466b83dbd91f4f2e9
8e395be3af871eb7fdb84251645d3dde84ad4f292cba86558ee5a460492c9d5c
c901b86e7d9f3cd9b9c50533d67b0e95ab1bb154aa7d817b40af99b528d3dc58
c498eacc7854b7f3a2e47bda26774db27b72de28922232b4c789e0abf5d92835
03f5d841cf7d05300ddc081bfcc79ae321dd9e78cea0300234f54b475d847acd
092d252847b5c7d38f15bf70a993d2593bb200791fbea4e4f83586786ddc04ba
3015cb36bd43f649d4f6047cc5c9766d52cc8d7f9c6cdcefda0ca8059cba53ff
b3b88519f1491b7853455a033d91d12ed1b8186d15bd29203b8d0b24b89c0c52
fb77f5d41e15baf9dc0f4e2901c4a6fede55afd967e4b650d8603fe0123c7c3f
49783e573a0077bd788eb30488faca31c9b6ed231ba0d418538b10651cf0e780
b6ccf763bb38649f95ffb2bc6311ecf8d6cca7b6488d76a545b3c584192918ea
SH256 hash:
c12d2628d984c0b8071e1daa76812d8eae5cd9a18dd99eac444ba00d38977501
MD5 hash:
ec47f2cc8cb2264f192660aa1c81f96d
SHA1 hash:
50b322aa2022e5570911ceb2ca39aeaeca91e540
Link:
https://www.unpac.me/results/e10fa478-fe86-45cc-aea0-3886e9a26c1a/
SH256 hash:
c498eacc7854b7f3a2e47bda26774db27b72de28922232b4c789e0abf5d92835
MD5 hash:
a515c19f0034abdbd4e06589023d2f42
SHA1 hash:
7ff4d534b5b831b14706e956c2e18e19766c2284
Link:
https://www.unpac.me/results/e10fa478-fe86-45cc-aea0-3886e9a26c1a/
Malware family:
SnakeKeylogger
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/c498eacc7854/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.45
Link:
https://yomi.yoroi.company/submissions/c498eacc7854b7f3a2e47bda26774db27b72de28922232b4c789e0abf5d92835

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_SUSPICIOUS_Binary_References_Browsers
Create hunting rule
Author:ditekSHen
Description:Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers.
Rule name:INDICATOR_SUSPICIOUS_EXE_DotNetProcHook
Create hunting rule
Author:ditekSHen
Description:Detects executables with potential process hoocking
Rule name:INDICATOR_SUSPICIOUS_EXE_References_Messaging_Clients
Create hunting rule
Author:ditekSHen
Description:Detects executables referencing many email and collaboration clients. Observed in information stealers
Rule name:INDICATOR_SUSPICIOUS_EXE_TelegramChatBot
Create hunting rule
Author:ditekSHen
Description:Detects executables using Telegram Chat Bot
Rule name:MALWARE_Win_SnakeKeylogger
Create hunting rule
Author:ditekSHen
Description:Detects Snake Keylogger
Rule name:MAL_Envrial_Jan18_1
Create hunting rule
Author:Florian Roth (Nextron Systems)
Description:Detects Encrial credential stealer malware
Reference:https://twitter.com/malwrhunterteam/status/953313514629853184
Rule name:MAL_Envrial_Jan18_1_RID2D8C
Create hunting rule
Author:Florian Roth
Description:Detects Encrial credential stealer malware
Reference:https://twitter.com/malwrhunterteam/status/953313514629853184
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash
Rule name:Windows_Trojan_SnakeKeylogger_af3faa65
Create hunting rule
Author:Elastic Security

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/368225/

Comments