MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 cc138ced1fbc3fd146c76a8ab520bc6e436b84a4cd26542e8d75ae57c435511d. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


SnakeKeylogger


Vendor detections: 14


Intelligence 14 IOCs YARA 11 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: cc138ced1fbc3fd146c76a8ab520bc6e436b84a4cd26542e8d75ae57c435511d
SHA3-384 hash: fcbc09d2eb411f7f96a9014b007b90d7f41d4b3c932e765383ad431f45c9eaeded6ee426667db54e434dd88eca58c608
SHA1 hash: 4189bf7a6fe8473395ee5814ca19a5aa70a20158
MD5 hash: 5ae16d5f8eae9b63068ad5a08a311179
humanhash: whiskey-chicken-network-romeo
File name:5ae16d5f8eae9b63068ad5a08a311179.exe
Download: download sample
Signature SnakeKeylogger
Create hunting rule
File size:652'800 bytes
First seen:2023-04-24 14:19:57 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'740 x AgentTesla, 19'600 x Formbook, 12'241 x SnakeKeylogger)
ssdeep 12288:opGBO5ZZC/W2n9wl/mbORAuDSRB6okvdT1lPQiowic/7:mGqTC/fW/tRAu+RJk1RlPPse
Threatray 5'283 similar samples on MalwareBazaar
TLSH T142D4F1ADA7A9D7A3C1690FBD801661892B7050E73677C63CEFCB408DFF47B081985686
TrID 71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.2% (.EXE) Win64 Executable (generic) (10523/12/4)
6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.3% (.EXE) Win32 Executable (generic) (4505/5/1)
2.0% (.ICL) Windows Icons Library (generic) (2059/9)
File icon (PE):PE icon
dhash icon 2050707096cc4860 (6 x AgentTesla, 5 x SnakeKeylogger, 3 x Loki)
Reporter abuse_ch
Tags:exe SnakeKeylogger

Intelligence

File Origin
# of uploads :
1
# of downloads :
252
Origin country :
NL NL
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
5ae16d5f8eae9b63068ad5a08a311179.exe
Verdict:
Malicious activity
Analysis date:
2023-04-24 14:21:58 UTC
Tags:
snake keylogger trojan evasion
Link:
https://app.any.run/tasks/0c0b6736-cf7e-44b7-9f01-8110a185d23b

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Snake
Create hunting rule
Link:
https://www.capesandbox.com/analysis/384571/
Detection(s):
Sanesecurity.Malware.28872.BadIN4.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Launching a process
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
packed
Link:
https://www.filescan.io/uploads/6446901b11b4ea178796f08e/reports/741cb83e-637f-49ef-80f1-e9662ad07769/overview
Verdict:
Malicious
Labled as:
Trojan.Generic
Link:
https://www.hybrid-analysis.com/sample/cc138ced1fbc3fd146c76a8ab520bc6e436b84a4cd26542e8d75ae57c435511d
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Snake Keylogger
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/5463facd-ecc2-469d-9b69-2f1ff051ebe6
Result
Threat name:
Snake Keylogger, StormKitty
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1220054
Signature
.NET source code contains potential unpacker
Allocates memory in foreign processes
Found malware configuration
Injects a PE file into a foreign processes
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
May check the online IP address of the machine
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Uses the Telegram API (likely for C&C communication)
Writes to foreign memory regions
Yara detected Generic Downloader
Yara detected Snake Keylogger
Yara detected StormKitty Stealer
Yara detected Telegram RAT
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/cc138ced1fbc3fd146c76a8ab520bc6e436b84a4cd26542e8d75ae57c435511d/
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=zqjyz3i7xq75crwhnkflkif4nzbwxbfezutfilunowxfprbvkeoq._file
Verdict:
malicious
Similar samples:
0b8f8615ac9193f5409cc48943cdc3e66fd58027058e594b4433ba110b94e197
SnakeKeylogger
416d574131255e4656d9d548ef7c74c1ba3850aa80a9acd9dbd0352eb03053ee
SnakeKeylogger
4e62540930b121dc5eb404032401ac2b37cd86b591e14c4404610a2e59f06b6d
SnakeKeylogger
8fcc45ad91c946c56a807d763576062e0a427539b9cb7fe2deb239b1da98e775
SnakeKeylogger
9d83a9e060a29f32c19203afbffe3e6b3d22d71ec4779bc7139c0b22a9881e65
SnakeKeylogger
b8e476dcba0bdaf21e70dbad37d600ee95679afc0827aed027d8441a12068e59
SnakeKeylogger
bf36b9ac0998d56e00d4fa60997ba6105f5d9ace84c3e5949fe036d0315d9019
SnakeKeylogger
c7afa76d4d1a5546ea2c384d69b1d167306bd1f71dbcc848cfb77cd964c5e71a
SnakeKeylogger
e58e0ed6eff59ab0ddb1da96a07aaeda4302bf94894fb62d909d3e9663c7a7c7
SnakeKeylogger
ee79d711f50c08fc3f58d643b0974e2030d5f6f0479a5e000eaef3940f099636
SnakeKeylogger
+ 5'273 additional samples on MalwareBazaar
Result
Malware family:
stormkitty
Create hunting rule
Score:
  10/10
Tags:
family:snakekeylogger family:stormkitty collection keylogger stealer
Link:
https://tria.ge/reports/230424-rnewcscc85/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Looks up external IP address via web service
Snake Keylogger
Snake Keylogger payload
StormKitty
StormKitty payload
Malware Config
C2 Extraction:
https://api.telegram.org/bot6102267622:AAFFZ_GvUj4OisNxsdlwZ5OHZVEfanDQBf0/sendMessage?chat_id=6107719374
Unpacked files
SH256 hash:
4f37c36f8530e7f31e1837b3d9fa7d51f5266f5cb55fb6f9b42c8b057b0352f1
MD5 hash:
0bdf6244961627c4948e4b969e01b673
SHA1 hash:
e17a850c8404168fe6ecd8663964de698cc0999a
Link:
https://www.unpac.me/results/99f29e2b-0953-4f57-a34a-e01711c1a79f/
SH256 hash:
40e2f8634b88a7ea9f0b63815cf988062b174458edefc7c843264d5b32f456c1
MD5 hash:
ab966809d3e2e39e9b9d8ff412951e80
SHA1 hash:
897f8c2729acc8d89bb89562150d64c9794c32b8
Link:
https://www.unpac.me/results/99f29e2b-0953-4f57-a34a-e01711c1a79f/
SH256 hash:
5e5c8fe4e53980a98b48fe6b19155edf0f0d285ed899c61dbf4f880583ddf1d2
MD5 hash:
b3bbc5461d12f07ea893bf415dfe7c89
SHA1 hash:
40c3156c471d2afe3fd88c7d20cf93e5782e1bd6
Link:
https://www.unpac.me/results/99f29e2b-0953-4f57-a34a-e01711c1a79f/
SH256 hash:
e5518e76f14e87bcc58a705c6f8f3a686cbffefc0e55985d17a067adfddf3688
MD5 hash:
920a2854e9c183ad2ef7d5543c296d38
SHA1 hash:
2c20da753bdf6f1a46261e2c132dd42f75c94229
Link:
https://www.unpac.me/results/99f29e2b-0953-4f57-a34a-e01711c1a79f/
SH256 hash:
af2a8dca56203be8ed2c14beb4fb0dc4f316b43aa655aef4afbc7cae31790bbd
MD5 hash:
1aa081cc0c26b5215da0d3ced2e07aa9
SHA1 hash:
1d24e6e13fb33c064209d7791c3fb7ac6d3a85d9
Detections:
snake_keylogger
Create hunting rule
Link:
https://www.unpac.me/results/99f29e2b-0953-4f57-a34a-e01711c1a79f/
SH256 hash:
cc138ced1fbc3fd146c76a8ab520bc6e436b84a4cd26542e8d75ae57c435511d
MD5 hash:
5ae16d5f8eae9b63068ad5a08a311179
SHA1 hash:
4189bf7a6fe8473395ee5814ca19a5aa70a20158
Link:
https://www.unpac.me/results/99f29e2b-0953-4f57-a34a-e01711c1a79f/
Malware family:
SnakeKeylogger
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/cc138ced1fbc/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.45
Link:
https://yomi.yoroi.company/submissions/cc138ced1fbc3fd146c76a8ab520bc6e436b84a4cd26542e8d75ae57c435511d

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_SUSPICIOUS_Binary_References_Browsers
Create hunting rule
Author:ditekSHen
Description:Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers.
Rule name:INDICATOR_SUSPICIOUS_EXE_DotNetProcHook
Create hunting rule
Author:ditekSHen
Description:Detects executables with potential process hoocking
Rule name:INDICATOR_SUSPICIOUS_EXE_References_Confidential_Data_Store
Create hunting rule
Author:ditekSHen
Description:Detects executables referencing many confidential data stores found in browsers, mail clients, cryptocurreny wallets, etc. Observed in information stealers
Rule name:INDICATOR_SUSPICIOUS_EXE_References_Messaging_Clients
Create hunting rule
Author:ditekSHen
Description:Detects executables referencing many email and collaboration clients. Observed in information stealers
Rule name:INDICATOR_SUSPICIOUS_EXE_TelegramChatBot
Create hunting rule
Author:ditekSHen
Description:Detects executables using Telegram Chat Bot
Rule name:MALWARE_Win_SnakeKeylogger
Create hunting rule
Author:ditekSHen
Description:Detects Snake Keylogger
Rule name:MAL_Envrial_Jan18_1
Create hunting rule
Author:Florian Roth (Nextron Systems)
Description:Detects Encrial credential stealer malware
Reference:https://twitter.com/malwrhunterteam/status/953313514629853184
Rule name:MAL_Envrial_Jan18_1_RID2D8C
Create hunting rule
Author:Florian Roth
Description:Detects Encrial credential stealer malware
Reference:https://twitter.com/malwrhunterteam/status/953313514629853184
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash
Rule name:XWorm_Hunter
Create hunting rule
Author:Potato

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/384571/

Comments