MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 c7266603a03ce21acdfa6a305bccb3abeb18d2be9008fbf0ed73be637db59e53. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

SnakeKeylogger

Vendor detections: 10

Intelligence 10 IOCs YARA 12 File information Comments

SHA256 hash:	c7266603a03ce21acdfa6a305bccb3abeb18d2be9008fbf0ed73be637db59e53
SHA3-384 hash:	350534cf6510dc57ac53c3fe8926185924cb41ef848c2184f4fbc7310e2543b9efb2baa9a1c2cf968b95b3f75d179bb7
SHA1 hash:	96563dbb32d04a8db74b055239ddaec04260038b
MD5 hash:	9f12c172a252e205470ad9b0d750b646
humanhash:	timing-twelve-aspen-fish
File name:	278098765432344.exe
Download:	download sample
Signature	SnakeKeylogger Create hunting rule
File size:	747'241 bytes
First seen:	2021-10-08 11:29:35 UTC
Last seen:	2021-10-08 13:18:25 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	b76363e9cb88bf9390860da8e50999d2 (464 x Formbook, 184 x AgentTesla, 122 x SnakeKeylogger)
ssdeep	12288:zRSWdMu/cMexHN8PB4Vb+Tv8rw73vwPAn+LF6Wf6ku8144:zRSWqu/cMexHN8+dQuwbn+LMuuk
Threatray	1'261 similar samples on MalwareBazaar
TLSH	T156F4F16A7204D0A8FBF774308FB5D6B193591F1CA5E64483BEF22FAED928727060B151
File icon (PE):
dhash icon	e4fcaca69ee6a69e (1 x SnakeKeylogger)
Reporter	abuse_ch
Tags:	exe SnakeKeylogger

Intelligence

File Origin

# of uploads :

# of downloads :

189

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

278098765432344.exe

Verdict:

Malicious activity

Analysis date:

2021-10-08 12:23:25 UTC

Tags:

evasion trojan snakekeylogger keylogger

Link:

https://app.any.run/tasks/37baf615-f91e-4934-824d-fb0900d02a36

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

Snake

Link:

https://www.capesandbox.com/analysis/196120/

Detection(s):

SecuriteInfo.com.Trojan.NSISX.Spy.Gen.2.20461.31606.UNOFFICIAL

Result

Verdict:

Clean

Maliciousness:

Behaviour

Creating a file in the %temp% directory

Creating a file

Creating a window

Verdict:

Suspicious

Threat level:

5/10

Confidence:

100%

Tags:

overlay packed

Link:

https://www.filescan.io/uploads/61602bc398a6280f39347663/reports/f581e37e-f8b4-4977-b228-7fab607d451a/overview

Result

Threat name:

Snake Keylogger

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/867036

Signature

.NET source code references suspicious native API functions

Antivirus detection for dropped file

Contains functionality to capture screen (.Net source)

Detected unpacking (changes PE section rights)

Detected unpacking (creates a PE file in dynamic memory)

Detected unpacking (overwrites its own PE header)

Found malware configuration

Injects a PE file into a foreign processes

Machine Learning detection for dropped file

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

May check the online IP address of the machine

Multi AV Scanner detection for submitted file

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to steal Mail credentials (via file access)

Yara detected Snake Keylogger

Yara detected Telegram RAT

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/c7266603a03ce21acdfa6a305bccb3abeb18d2be9008fbf0ed73be637db59e53/

Threat name:

Win32.Trojan.Nsisx

Status:

Malicious

First seen:

2021-10-08 11:30:14 UTC

AV detection:

17 of 28 (60.71%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=y4tgma5ahtrbvtp2niyfxtftvpvrruv6saepx4hnoo7gg7nvtzjq._file

Verdict:

malicious

SnakeKeylogger

18ea5ebd8331a357b54d5ab5b08db0bce05f8c452cabca6ff56fa2264525de9f

SnakeKeylogger

5521410a48148459362ab36b0fad3e61b1ca9b674339476eac02381ffbc04aa2

SnakeKeylogger

6970940c6f449a63ac5a04ad826be1f9236863ca76d040797bf2e8fbf89a6c3d

SnakeKeylogger

69e1e65f93b1939bf2677660efd59acec32e6f340134ea03f5c5abe17682c875

SnakeKeylogger

8072ca29a8527b0b1c1fa59ca07d85da4ce692ba73cc0471c73b47d08f839845

SnakeKeylogger

82fec44e43fc056ae43c3e9635f1ba3893b9b88f2a253fa08e7bd21f53b10303

SnakeKeylogger

834833adf2996b1c2846f36b48aea5ec0b71fd7f14e314baacd3755d27825197

SnakeKeylogger

ca131901976444e20c94e9dc78c814aff81e7af84ad3014cced5e060dc380ebb

SnakeKeylogger

fdd7d2255680c3ba9ca9ff8c01ded5d24557dfbc1b88608435ac7c1f003aed04

SnakeKeylogger

+ 1'251 additional samples on MalwareBazaar

Result

Malware family:

n/a

Score:

7/10

Tags:

collection spyware stealer

Link:

https://tria.ge/reports/211008-nl6phseahq/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

outlook_office_path

outlook_win_path

Enumerates physical storage devices

Drops file in Windows directory

Suspicious use of SetThreadContext

Accesses Microsoft Outlook profiles

Drops desktop.ini file(s)

Looks up external IP address via web service

Loads dropped DLL

Reads data files stored by FTP clients

Reads user/profile data of local email clients

Reads user/profile data of web browsers

Unpacked files

SH256 hash:

63cbd664f26c1ac292b8d3bdbe53c5b1544ef603d97d7a0c5eb67f1e6e0c1f08

MD5 hash:

10f88144a346b1f32b5944c734fa8728

SHA1 hash:

aadc19b0b01899a3cbc74536e19f7ee1143a0444

Link:

https://www.unpac.me/results/3fea30d6-76b1-43f4-8b87-5acd6d624fdf/

SH256 hash:

c7266603a03ce21acdfa6a305bccb3abeb18d2be9008fbf0ed73be637db59e53

MD5 hash:

9f12c172a252e205470ad9b0d750b646

SHA1 hash:

96563dbb32d04a8db74b055239ddaec04260038b

Link:

https://www.unpac.me/results/3fea30d6-76b1-43f4-8b87-5acd6d624fdf/

Malware family:

Phoenix

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/c7266603a03c/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/c7266603a03ce21acdfa6a305bccb3abeb18d2be9008fbf0ed73be637db59e53

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	INDICATOR_EXE_Packed_Fody Create hunting rule
Author:	ditekSHen
Description:	Detects executables manipulated with Fody

Rule name:	INDICATOR_KB_ID_Infostealer Create hunting rule
Author:	ditekshen
Description:	Detects exfiltration email addresses correlated from various infostealers. The same email can be observed in multiple families.

Rule name:	INDICATOR_SUSPICIOUS_Binary_References_Browsers Create hunting rule
Author:	ditekSHen
Description:	Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers.

Rule name:	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook Create hunting rule
Author:	ditekSHen
Description:	Detects executables with potential process hoocking

Rule name:	INDICATOR_SUSPICIOUS_EXE_Referenfces_Messaging_Clients Create hunting rule
Author:	ditekSHen
Description:	Detects executables referencing many email and collaboration clients. Observed in information stealers

Rule name:	INDICATOR_SUSPICIOUS_EXE_TelegramChatBot Create hunting rule
Author:	ditekSHen
Description:	Detects executables using Telegram Chat Bot

Rule name:	MALWARE_Win_SnakeKeylogger Create hunting rule
Author:	ditekSHen
Description:	Detects Snake Keylogger

Rule name:	MAL_Envrial_Jan18_1 Create hunting rule
Author:	Florian Roth
Description:	Detects Encrial credential stealer malware
Reference:	https://twitter.com/malwrhunterteam/status/953313514629853184

Rule name:	MAL_Envrial_Jan18_1_RID2D8C Create hunting rule
Author:	Florian Roth
Description:	Detects Encrial credential stealer malware
Reference:	https://twitter.com/malwrhunterteam/status/953313514629853184

Rule name:	pe_imphash Create hunting rule

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

Rule name:	Telegram_Exfiltration_Via_Api Create hunting rule
Author:	lsepaolo

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/196120/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample