MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 c49e618be06e9a4b4b8fd428ccef9fed7e6dfcecb93583eb505272b117838202. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


SnakeKeylogger


Vendor detections: 11


Intelligence 11 IOCs YARA 12 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: c49e618be06e9a4b4b8fd428ccef9fed7e6dfcecb93583eb505272b117838202
SHA3-384 hash: 8783086bd8947fe5f1ff702fd2410c098ade5e6e4723a553b055ebcdac00c795279e48b3037fa164fe1a50847759537e
SHA1 hash: bd1df86d6fc54e130dfdd55dbae21e7bd0fad133
MD5 hash: c395575b52beb2f46def29d174949434
humanhash: violet-jersey-uniform-stream
File name:c395575b52beb2f46def29d174949434.exe
Download: download sample
Signature SnakeKeylogger
Create hunting rule
File size:441'856 bytes
First seen:2021-08-30 13:16:28 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'649 x AgentTesla, 19'454 x Formbook, 12'202 x SnakeKeylogger)
ssdeep 6144:PWjdu1hpm0EyiU+qM/QeW+leJjFPyLjEtfU47Ecps7+zYcRQe2/bZqBFyAM:08s0EVU9M/Ea+FPQABUeEd7uYc0IPy
Threatray 1'279 similar samples on MalwareBazaar
TLSH T1C9942312FEE5C163C2D65F7BC98750505730E21B6622EF0A85CE00CD952B36E9E67B8B
dhash icon 489669d8d8699648 (53 x AgentTesla, 24 x SnakeKeylogger, 16 x AveMariaRAT)
Reporter abuse_ch
Tags:exe SnakeKeylogger

Intelligence

File Origin
# of uploads :
1
# of downloads :
107
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
c395575b52beb2f46def29d174949434.exe
Verdict:
Malicious activity
Analysis date:
2021-08-30 13:30:47 UTC
Tags:
evasion trojan snakekeylogger keylogger
Link:
https://app.any.run/tasks/ef1be6a1-0b5b-4303-a2ad-1c01fae4f788

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Snake
Create hunting rule
Link:
https://www.capesandbox.com/analysis/183775/
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a UDP request
DNS request
Connection attempt
Sending an HTTP GET request
Creating a file in the %temp% directory
Creating a process from a recently created file
Creating a file
Sending a custom TCP request
Unauthorized injection to a recently created process
Unauthorized injection to a recently created process by context flags manipulation
Malware family:
Snake Keylogger
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/9de50377-4c4e-47b5-af9a-340daac2dc18
Result
Threat name:
Snake Keylogger
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/841586
Signature
.NET source code contains potential unpacker
Found malware configuration
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
May check the online IP address of the machine
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Mail credentials (via file access)
Uses the Telegram API (likely for C&C communication)
Writes to foreign memory regions
Yara detected Snake Keylogger
Yara detected Telegram RAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 474020 Sample: 1Vk5s9G6NG.exe Startdate: 30/08/2021 Architecture: WINDOWS Score: 100 35 Found malware configuration 2->35 37 Malicious sample detected (through community Yara rule) 2->37 39 Multi AV Scanner detection for submitted file 2->39 41 5 other signatures 2->41 6 1Vk5s9G6NG.exe 15 5 2->6         started        process3 dnsIp4 23 google.com 142.250.185.142, 49705, 80 GOOGLEUS United States 6->23 25 www.google.com 142.250.186.132, 49706, 80 GOOGLEUS United States 6->25 27 192.168.2.1 unknown unknown 6->27 17 C:\Users\user\AppData\...\1Vk5s9G6NG.exe, PE32 6->17 dropped 19 C:\Users\...\1Vk5s9G6NG.exe:Zone.Identifier, ASCII 6->19 dropped 21 C:\Users\user\AppData\...\1Vk5s9G6NG.exe.log, ASCII 6->21 dropped 43 Writes to foreign memory regions 6->43 45 Injects a PE file into a foreign processes 6->45 11 1Vk5s9G6NG.exe 5 6->11         started        15 1Vk5s9G6NG.exe 6->15         started        file5 signatures6 process7 dnsIp8 29 checkip.dyndns.org 11->29 31 api.telegram.org 149.154.167.220, 443, 49712 TELEGRAMRU United Kingdom 11->31 33 2 other IPs or domains 11->33 47 Tries to steal Mail credentials (via file access) 11->47 49 Tries to harvest and steal ftp login credentials 11->49 51 Tries to harvest and steal browser information (history, passwords, etc) 11->51 53 Multi AV Scanner detection for dropped file 15->53 55 May check the online IP address of the machine 15->55 57 Machine Learning detection for dropped file 15->57 signatures9
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/c49e618be06e9a4b4b8fd428ccef9fed7e6dfcecb93583eb505272b117838202/
Threat name:
ByteCode-MSIL.Downloader.Seraph
Create hunting rule
Status:
Malicious
First seen:
2021-08-30 13:17:06 UTC
AV detection:
15 of 28 (53.57%)
Threat level:
  3/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=yspgdc7an2news4p2qumz3475v7g37hmxe2yh22qkjzlcf4dqiba._file
Verdict:
malicious
Similar samples:
5602a38dd672c7daf709a315c7eb0169557193112daed1885a2fd7718e3ebcc8
SnakeKeylogger
8c366ee263db756db2648d00eb615b16fc8b92262f8bdf7d3269267eb1382cb0
SnakeKeylogger
94fd8c7b7935c64a7ed46794b3b5597800ae02715d5d0d95df19b208dc0d98fb
SnakeKeylogger
a1588613803bbed9e0f4ae3f526aaacbbd2b6cba0d1b5c7f585403c0770e0788
SnakeKeylogger
a1ef7c34fac1d166d47f99112a77e8f00f229c78f3a248da9ef005387997001a
SnakeKeylogger
c45096343494d886b5af190001a970929eb711d8a80515cf2ac1effc6d35a948
SnakeKeylogger
d935261d62e1721db7f65671dc26c56c532b98d8b3335fce23455b2404a39ed2
SnakeKeylogger
db531d6e969f16a9318224e16a18f3314fa75d0eaad90fc9a805f10d098d67c9
SnakeKeylogger
e583ec3949ffc33bf0ad3ce05bb0204379ba1b5b6f5e6ec499844c3775a0fceb
SnakeKeylogger
+ 1'269 additional samples on MalwareBazaar
Result
Malware family:
snakekeylogger
Create hunting rule
Score:
  10/10
Tags:
family:snakekeylogger keylogger spyware stealer
Link:
https://tria.ge/reports/210830-frfyrn27hs/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Looks up external IP address via web service
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Snake Keylogger
Malware Config
C2 Extraction:
https://api.telegram.org/bot1846829589:AAHSsEDTKvDOQ17YrNRY5_FXv5z4mpfGRIc/sendMessage?chat_id=1407381447
Unpacked files
SH256 hash:
c1a151b5995b7f36d8b78c56ed3186d220a2e3334c2885b099f4d32c73df1ff7
MD5 hash:
21971137acdff9bbbda8985c5e69ca51
SHA1 hash:
9fd63878c84ced29047353779484c6d7b239a0ac
Link:
https://www.unpac.me/results/923d984d-701b-42c4-a381-29e977797b5d/
SH256 hash:
5e89b626b7e24e9019d040f8bc852b84cc1b671245aec90bcb97d4940f1c9e18
MD5 hash:
fbaf23456d8afae14796f11fdcf69bc3
SHA1 hash:
83d7d522d18a450a715154de82ede3807e960193
Link:
https://www.unpac.me/results/923d984d-701b-42c4-a381-29e977797b5d/
SH256 hash:
476a37eae18ca72b18f4118b7c803b90e8d87a4983fe185b1d8914150e94270c
MD5 hash:
0843ddaf4b10119a61eae50623425843
SHA1 hash:
176ace25ee2ad5a8def88f4cb57a91026d183e74
Link:
https://www.unpac.me/results/923d984d-701b-42c4-a381-29e977797b5d/
SH256 hash:
c49e618be06e9a4b4b8fd428ccef9fed7e6dfcecb93583eb505272b117838202
MD5 hash:
c395575b52beb2f46def29d174949434
SHA1 hash:
bd1df86d6fc54e130dfdd55dbae21e7bd0fad133
Link:
https://www.unpac.me/results/923d984d-701b-42c4-a381-29e977797b5d/
Malware family:
Phoenix
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/c49e618be06e/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.35
Link:
https://yomi.yoroi.company/submissions/c49e618be06e9a4b4b8fd428ccef9fed7e6dfcecb93583eb505272b117838202

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:buerloader_halo_generated
Create hunting rule
Author:Halogen Generated Rule, Corsin Camichel
Rule name:INDICATOR_SUSPICIOUS_Binary_References_Browsers
Create hunting rule
Author:ditekSHen
Description:Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers.
Rule name:INDICATOR_SUSPICIOUS_EXE_DotNetProcHook
Create hunting rule
Author:ditekSHen
Description:Detects executables with potential process hoocking
Rule name:INDICATOR_SUSPICIOUS_EXE_Referenfces_Messaging_Clients
Create hunting rule
Author:ditekSHen
Description:Detects executables referencing many email and collaboration clients. Observed in information stealers
Rule name:INDICATOR_SUSPICIOUS_EXE_TelegramChatBot
Create hunting rule
Author:ditekSHen
Description:Detects executables using Telegram Chat Bot
Rule name:INDICATOR_SUSPICIOUS_Stomped_PECompilation_Timestamp_InTheFuture
Create hunting rule
Author:ditekSHen
Description:Detect executables with stomped PE compilation timestamp that is greater than local current time
Rule name:MALWARE_Win_SnakeKeylogger
Create hunting rule
Author:ditekSHen
Description:Detects Snake Keylogger
Rule name:MAL_Envrial_Jan18_1
Create hunting rule
Author:Florian Roth
Description:Detects Encrial credential stealer malware
Reference:https://twitter.com/malwrhunterteam/status/953313514629853184
Rule name:pe_imphash
Create hunting rule
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash
Rule name:Telegram_Exfiltration_Via_Api
Create hunting rule
Author:lsepaolo

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

SnakeKeylogger

Executable exe c49e618be06e9a4b4b8fd428ccef9fed7e6dfcecb93583eb505272b117838202

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/1491590/
  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/1435626/
Cape
Cape
https://www.capesandbox.com/analysis/183775/

Comments