MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 c7ef2edde21ad380720affbcd1bf24969069070aed8ee1195bccc5a92eabdd97. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

SnakeKeylogger

Vendor detections: 11

Intelligence 11 IOCs YARA 2 File information Comments

SHA256 hash:	c7ef2edde21ad380720affbcd1bf24969069070aed8ee1195bccc5a92eabdd97
SHA3-384 hash:	452224f2517bd2716f740926dd44e937263b7fe9fefa2efc13f3633cc2462851305482c43e2d74ffbabf6f860b644615
SHA1 hash:	e8038f4a625fbc630f0b3529294e2a7200f5775b
MD5 hash:	4cb8705016ec68defdd08f9ec0285f91
humanhash:	kentucky-uniform-kansas-don
File name:	NEW ORDER CF 2022-24400.pdf.exe
Download:	download sample
Signature	SnakeKeylogger Create hunting rule
File size:	901'120 bytes
First seen:	2022-05-10 07:56:54 UTC
Last seen:	2022-05-10 08:38:19 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'657 x AgentTesla, 19'468 x Formbook, 12'206 x SnakeKeylogger)
ssdeep	12288:2mGDfxt7J0T4I00J7lWFsMbq5r+H/nkFqREQyFKmyreG55EE8:a2T4kJ7lWFPHkE5r7
Threatray	3'874 similar samples on MalwareBazaar
TLSH	T12E158D5072C8EE99E42952B1C935C5F00731BE49C5B2D60F299A7D8E38B33436566F2F
TrID	54.5% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13) 23.2% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13) 7.8% (.EXE) Win64 Executable (generic) (10523/12/4) 4.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 3.3% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):
dhash icon	f26efec4b6c2c00c (24 x AgentTesla, 14 x Loki, 12 x Formbook)
Reporter	cocaman
Tags:	exe SnakeKeylogger

Intelligence

File Origin

# of uploads :

# of downloads :

238

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

NEW ORDER CF 2022-24400.pdf.exe

Verdict:

Malicious activity

Analysis date:

2022-05-10 08:03:17 UTC

Tags:

evasion trojan snake keylogger

Link:

https://app.any.run/tasks/e280c248-5963-455b-ac81-7d6fddfd467a

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection(s):

SecuriteInfo.com.Artemis4CB8705016EC.906.11178.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Searching for the window

Creating a window

Sending a custom TCP request

Launching a process

Verdict:

Suspicious

Threat level:

5/10

Confidence:

100%

Tags:

obfuscated packed replace.exe update.exe

Link:

https://www.filescan.io/uploads/627a1ad236c061db6e5fcf53/reports/88e9bda3-de3f-440e-8ef3-0edfd52a70de/overview

Result

Verdict:

UNKNOWN

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Snake Keylogger

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/0a474282-68da-4553-85fc-e7bea714ce19

Result

Threat name:

Snake Keylogger

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/990783

Signature

.NET source code contains potential unpacker

.NET source code references suspicious native API functions

Found malware configuration

Initial sample is a PE file and has a suspicious name

Injects a PE file into a foreign processes

Malicious sample detected (through community Yara rule)

May check the online IP address of the machine

Multi AV Scanner detection for submitted file

Snort IDS alert for network traffic

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to steal Mail credentials (via file / registry access)

Uses an obfuscated file name to hide its real file extension (double extension)

Writes to foreign memory regions

Yara detected AntiVM3

Yara detected Generic Downloader

Yara detected Snake Keylogger

Yara detected Telegram RAT

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/c7ef2edde21ad380720affbcd1bf24969069070aed8ee1195bccc5a92eabdd97/

Threat name:

ByteCode-MSIL.Spyware.Negasteal

Status:

Malicious

First seen:

2022-05-10 04:10:21 UTC

File Type:

PE (.Net Exe)

Extracted files:

AV detection:

20 of 41 (48.78%)

Threat level:

2/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=y7xs5xpcdljya4qk766ndpzes2igsbyk5whocgk3ztc2slvl3wlq._file

Verdict:

malicious

SnakeKeylogger

2bfea17922f05369c64106054d491ed82119003d0e23061bd6b4c8a76c07f6b9

SnakeKeylogger

2e0bcd0644f82dbd6f7bc920b54bf6b4a621ac938a18d35695776f44ae6bccd0

SnakeKeylogger

7905618d53c7c0d9b949044ac76a711aed6ab9a5b6e7156c08871637a2858666

SnakeKeylogger

79e4a36b4788430d7ab6689fb53c4d913c0cf0745a6a2c2b080e5cd68a18db08

SnakeKeylogger

96929d91624ef88554c7850bc57c8cfd2bb093fb8cdaad5f8865c1001c5a5d0d

SnakeKeylogger

a2740d771fd485b1010c57895ae92798ab9b7f06f9e21808c49dadd0557c64c4

SnakeKeylogger

e54702edca66649a4e9f2d9af065fedc078257bad7ece8952fbff60f7b9fc87f

SnakeKeylogger

fec889ae8aee9a919471ea23e1603d9f76be40fb90b9298a8e7c607263acdd1b

SnakeKeylogger

+ 3'864 additional samples on MalwareBazaar

Result

Malware family:

snakekeylogger

Score:

10/10

Tags:

family:snakekeylogger collection keylogger stealer

Link:

https://tria.ge/reports/220510-js9brsgdc8/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

outlook_office_path

outlook_win_path

Suspicious use of SetThreadContext

Accesses Microsoft Outlook profiles

Looks up external IP address via web service

Snake Keylogger

Snake Keylogger Payload

Unpacked files

SH256 hash:

417fbf6ee0491d2b11145ec9e3f64a7231de4d86c151d38c9b6b8eed0912b98e

MD5 hash:

e6417e4f40bf0980689a4b794a793ce2

SHA1 hash:

b6ed944ac449a6102fb5badf4eae34f37054565a

Link:

https://www.unpac.me/results/056ea586-1802-49db-92f9-6f1a78406846/

SH256 hash:

54c052da4f50cf66a9cd0253e2a6c25d0a8545013cfbb5807c63d4af1bdde8a2

MD5 hash:

cd2845cce07aa02f9264fdda83c76ceb

SHA1 hash:

9c1fad8c7c5a0696f9f45c34950142ce87389ad7

Link:

https://www.unpac.me/results/056ea586-1802-49db-92f9-6f1a78406846/

SH256 hash:

23d1bf6a661e0aa4907e828d66517737483662e4041b61f236eb7c1bdbf56c2d

MD5 hash:

e7bd8771ff561b175ada7e971c419647

SHA1 hash:

75f36570a89d546e44df2c7af5c1bcfabb1ae552

Link:

https://www.unpac.me/results/056ea586-1802-49db-92f9-6f1a78406846/

SH256 hash:

39cda4cfd28cfe713ffa4cd8f556da9c470e14a0421910a6c22162fdaad296a0

MD5 hash:

bf3d911c020eec788e8cefe846b9d0af

SHA1 hash:

18c474b6c15f834fc9cae4cd4148f9b6cb8319e1

Link:

https://www.unpac.me/results/056ea586-1802-49db-92f9-6f1a78406846/

SH256 hash:

c7ef2edde21ad380720affbcd1bf24969069070aed8ee1195bccc5a92eabdd97

MD5 hash:

4cb8705016ec68defdd08f9ec0285f91

SHA1 hash:

e8038f4a625fbc630f0b3529294e2a7200f5775b

Link:

https://www.unpac.me/results/056ea586-1802-49db-92f9-6f1a78406846/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Suspicious File

Score:

0.65

Link:

https://yomi.yoroi.company/submissions/c7ef2edde21ad380720affbcd1bf24969069070aed8ee1195bccc5a92eabdd97

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	pe_imphash Create hunting rule

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

SnakeKeylogger

rar 356d9b71745a01a9c8779422d0db467a890f8230008f18d6660a57ea4026ab54

SnakeKeylogger

exe c7ef2edde21ad380720affbcd1bf24969069070aed8ee1195bccc5a92eabdd97

(this sample)

Delivery method

Other

Dropped by

SHA256 356d9b71745a01a9c8779422d0db467a890f8230008f18d6660a57ea4026ab54

Dropped by

MD5 172e6b9a4022e61fae066412b08db90c

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample