MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 c77d21c9baafd0ea0a3135eb10d7e8e860e589413edd56756b1143147d13e029. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


SnakeKeylogger


Vendor detections: 12


Intelligence 12 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: c77d21c9baafd0ea0a3135eb10d7e8e860e589413edd56756b1143147d13e029
SHA3-384 hash: 010dffa41f951f47ec54cd5340c2b5fca4936a99f7d20f5cdd9cc74713344a7d5367d4becd35152d08892244f93c3049
SHA1 hash: 8b0c98fa7841b96c7caae9f98a73265e4e79fe30
MD5 hash: 4f46851cdfff179991db543dc95d87fb
humanhash: louisiana-carpet-mississippi-mike
File name:Ziraat Bankasi Swift Mesaji.exe
Download: download sample
Signature SnakeKeylogger
Create hunting rule
File size:472'064 bytes
First seen:2022-04-23 05:44:38 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'742 x AgentTesla, 19'607 x Formbook, 12'242 x SnakeKeylogger)
ssdeep 12288:8xAYtv/h/2lf5/WVh5g24KqPAZRC1mhLsNpwHR+IewsRh:4BdhuKC24K6Kw3vwx+fwsn
Threatray 3'449 similar samples on MalwareBazaar
TLSH T1B4A4120176E49B12E7BCD7F96CA1155683F2E136721AE70C4CBAE0FB25613900B5AF93
TrID 64.2% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
11.5% (.SCR) Windows screen saver (13101/52/3)
9.2% (.EXE) Win64 Executable (generic) (10523/12/4)
5.7% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
3.9% (.EXE) Win32 Executable (generic) (4505/5/1)
Reporter abuse_ch
Tags:exe SnakeKeylogger ZiraatBank

Intelligence

File Origin
# of uploads :
1
# of downloads :
264
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/266003/
Detection(s):
SecuriteInfo.com.Trojan.GenericKD.50178242.15412.7019.UNOFFICIAL
Create hunting rule

Result
Verdict:
Clean
Maliciousness:

Behaviour
Creating a window
Sending a custom TCP request
Launching the process to change network settings
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
obfuscated packed update.exe
Link:
https://www.filescan.io/uploads/62639265dfdc89e806156e1f/reports/a61d209a-4ca3-4e3b-91c8-ad757e29b057/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Snake Keylogger
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/fe81e4eb-b233-473d-837e-f7641da3357e
Result
Threat name:
Snake Keylogger
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/981782
Signature
.NET source code references suspicious native API functions
Found malware configuration
Injects a PE file into a foreign processes
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
May check the online IP address of the machine
Multi AV Scanner detection for submitted file
Sigma detected: Capture Wi-Fi password
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal WLAN passwords
Tries to steal Mail credentials (via file / registry access)
Uses netsh to modify the Windows network and firewall settings
Yara detected AntiVM3
Yara detected Snake Keylogger
Yara detected Telegram RAT
Behaviour
Behavior Graph:
Download SVG
Detection:
snakekeylogger
Create hunting rule
Link:
https://mwdb.cert.pl/sample/c77d21c9baafd0ea0a3135eb10d7e8e860e589413edd56756b1143147d13e029/
Threat name:
ByteCode-MSIL.Trojan.Snakekeylogger
Create hunting rule
Status:
Malicious
First seen:
2022-04-23 05:45:10 UTC
File Type:
PE (.Net Exe)
Extracted files:
11
AV detection:
19 of 26 (73.08%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=y56sdsn2v7ioucrrgxvrbv7i5bqolckbh3ovm5llcfbri7it4auq._file
Verdict:
malicious
Similar samples:
1dc207500d5004cc89794c0b80957677307fed4d349a0bc6326f53a1d1f47ea5
SnakeKeylogger
2a9e7dfe6fc252814dbd5fd219e43bbf78bdf7ed7e553a3c33eac5c8c8a70c8c
SnakeKeylogger
6436c27d2ad3b57ce408d0523526d7ed388d92abac0982c295a33e91251a03a1
SnakeKeylogger
8f83d97afb25938e23097c6a3a79061c12c558b6a51e23878355034155c2f709
SnakeKeylogger
8fafb97685664f52793149fa849b9593f20a95584928020d4e6fe8e4513950eb
SnakeKeylogger
b2e786b08de5350314dadcab93bf6b41ae62006f1dc611cbcf60a246e1643138
SnakeKeylogger
b95a01b8b7d6c29696f7cba379e4c37cfd8e6bf236e8559271b779615a9f0b81
SnakeKeylogger
ca5bfc42daf3182e19891fca776764678e338143367bc203cdf598e72eb32293
SnakeKeylogger
d54edb4986821e6032b6d63787036b23d7e04b95a95a5d4487b7cd306958ffc4
SnakeKeylogger
+ 3'439 additional samples on MalwareBazaar
Result
Malware family:
snakekeylogger
Create hunting rule
Score:
  10/10
Tags:
family:snakekeylogger collection keylogger spyware stealer
Link:
https://tria.ge/reports/220423-gfqb1segbj/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Looks up external IP address via web service
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Snake Keylogger
Snake Keylogger Payload
Unpacked files
SH256 hash:
67f89511c4d09bb276e184b290bf3a38446706bce0ec575a166d49d42cd7861a
MD5 hash:
62fdc6d76022cb008f7454c86828e4ed
SHA1 hash:
d73861ae82c04824f235ba60439e079a830596c3
Link:
https://www.unpac.me/results/3664f54d-520f-4d7c-b586-f54cbec01396/
SH256 hash:
773681cac06a2bd02ebb5065f492340341bc8ff187689ba56f38713bbef893d0
MD5 hash:
38dffe73b27f46f4b3b256392af71b46
SHA1 hash:
6f04a60652947ee4c6b1864a5800a7845dbb2c99
Link:
https://www.unpac.me/results/3664f54d-520f-4d7c-b586-f54cbec01396/
SH256 hash:
7c01f9b841f6a9e8835311a234ea370f1e09e4636b8c44cc382b29ffcc4bfb3f
MD5 hash:
a10e4d74da26373a4efe0bb9ab1880cf
SHA1 hash:
70872a19d072b1b81f66691dc2e62658a56fe675
Link:
https://www.unpac.me/results/3664f54d-520f-4d7c-b586-f54cbec01396/
SH256 hash:
8e1b71477c489cbc954c8d54d08284f759ab2cd1b65050128ecbda9ebe16904d
MD5 hash:
b477c0f043954b457d5f0f91327ec606
SHA1 hash:
0db8774ef3e2b8245504f66a35afcf987ebdaaba
Link:
https://www.unpac.me/results/3664f54d-520f-4d7c-b586-f54cbec01396/
SH256 hash:
c77d21c9baafd0ea0a3135eb10d7e8e860e589413edd56756b1143147d13e029
MD5 hash:
4f46851cdfff179991db543dc95d87fb
SHA1 hash:
8b0c98fa7841b96c7caae9f98a73265e4e79fe30
Link:
https://www.unpac.me/results/3664f54d-520f-4d7c-b586-f54cbec01396/
Malware family:
SnakeKeylogger
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/c77d21c9baaf/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.65
Link:
https://yomi.yoroi.company/submissions/c77d21c9baafd0ea0a3135eb10d7e8e860e589413edd56756b1143147d13e029

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/266003/

Comments