MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 cc53056d783515978f191ef41c9817341026f4f68e78a4d2bde8392d03c4256c. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


SnakeKeylogger


Vendor detections: 9


Intelligence 9 IOCs YARA 4 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: cc53056d783515978f191ef41c9817341026f4f68e78a4d2bde8392d03c4256c
SHA3-384 hash: cddaf53bcf0489bcdec1389a648b99d6e4680123c1adb139828c4f736c6be81375e34683eb0c360b369c5f2cc08ac873
SHA1 hash: 4a5f5b1c3a01eb9ae6260c830de03f4e7f1dd528
MD5 hash: 5a8e256d94dbb3028e46c5b1c78b8f9a
humanhash: east-tennessee-purple-south
File name:00098765_INV.exe
Download: download sample
Signature SnakeKeylogger
Create hunting rule
File size:498'688 bytes
First seen:2021-02-08 14:42:17 UTC
Last seen:2021-02-08 17:06:09 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'662 x AgentTesla, 19'474 x Formbook, 12'208 x SnakeKeylogger)
ssdeep 12288:rhp1hlQYx0VqeA8v3559pUq1AfwWifAPBeefBY:9h3BpeefBY
Threatray 7 similar samples on MalwareBazaar
TLSH CDB47F033ED03C17D66D63F8DB67C0AC0E796561A388B06AFB52D0F643F5A2D8965A43
Reporter abuse_ch
Tags:exe SnakeKeylogger


Avatar
abuse_ch
Malspam distributing SnakeKeylogger:

HELO: secureserver.digitaledgekenya.com
Sending IP: 148.251.164.94
From: Ms.Thanathip Chonthawornpong | Lung (陳佩蘭) <mike@howw.com>
Subject: RE: PAYMENT SWIFT COPY FOR = USD 80,950.25
Attachment: 00098765_INV.r09 (contains "00098765_INV.exe")

Intelligence

File Origin
# of uploads :
2
# of downloads :
177
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
00098765_INV.exe
Verdict:
No threats detected
Analysis date:
2021-02-08 14:45:47 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/efc48067-9e32-49c7-b10f-88e6410b5f03

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Snake
Create hunting rule
Link:
https://www.capesandbox.com/analysis/116066/
Detection(s):
SecuriteInfo.com.Trojan.Hosts.48234.29736.2208.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Launching a process
DNS request
Sending an HTTP GET request
Sending a custom TCP request
Reading critical registry keys
Creating a window
Sending a UDP request
Forced shutdown of a system process
Unauthorized injection to a system process
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
Snake Keylogger
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
88 / 100
Link:
https://www.joesandbox.com/analysis/601904
Signature
Allocates memory in foreign processes
Binary contains a suspicious time stamp
Injects a PE file into a foreign processes
Machine Learning detection for sample
May check the online IP address of the machine
Multi AV Scanner detection for submitted file
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file access)
Writes to foreign memory regions
Yara detected Snake Keylogger
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/cc53056d783515978f191ef41c9817341026f4f68e78a4d2bde8392d03c4256c/
Threat name:
ByteCode-MSIL.Trojan.SnakeKeylogger
Create hunting rule
Status:
Malicious
First seen:
2021-02-08 01:01:32 UTC
AV detection:
26 of 29 (89.66%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=zrjqk3lygukzpdyzd32bzgaxgqicn5hwrz4kjuv55a4s2a6eevwa._file
Verdict:
unknown
Similar samples:
12f55950dc52aa9e607fcc04d3d2d2a58689a7ad8c1adbf58d04ac0c452ed5c0
SnakeKeylogger
224272c1a8b55de2e1c26cb5c0ae09f3f0b3b7136a9bf59601960e1e7c532290
SnakeKeylogger
795280757b94b198f3622a87576e76100e869f3ff8160c2f72bafba588166c6d
SnakeKeylogger
a8aad152f516add6a277e2634baa324b105a90c3b02935aa2fa11ea4f0c4667e
SnakeKeylogger
b5422097330f4a0cd2105b12707ab64dd674a16046377a583ed862585ea3f205
SnakeKeylogger
c74375870b8ed3789f5dda4a617b310fe4a8d2d073f8337cb67362eaf324be2c
SnakeKeylogger
d15fa8ff467270abc9ba8c36038c455d2ad1de137748a1cc886e5f148a3a3fd8
SnakeKeylogger
Result
Malware family:
snakekeylogger
Create hunting rule
Score:
  10/10
Tags:
family:snakekeylogger keylogger stealer
Link:
https://tria.ge/reports/210208-8a4apn594j/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Looks up external IP address via web service
Snake Keylogger
Snake Keylogger Payload
Unpacked files
SH256 hash:
97024f17003dd3d31dab64c4d1b8251e50d428644eb59ed3692ad79ce42019cf
MD5 hash:
8cd28be4bd9a1404c6d3600db32b3ed1
SHA1 hash:
fb90b0ca51118e771390d58b19d0a404ee14cfbc
Link:
https://www.unpac.me/results/500dcae9-ca6b-43e9-9cba-fdcd20f7e37d/
SH256 hash:
f09a19ba8ecbbaedeae2dbd46a9c5e93ca5f9c401df1272d25f3fea27792a412
MD5 hash:
90e0c8410e8f438d44ee6155992233a5
SHA1 hash:
c14d7c2e1a75dc0218d1eac57720cf9dd6baba7a
Link:
https://www.unpac.me/results/500dcae9-ca6b-43e9-9cba-fdcd20f7e37d/
SH256 hash:
334217cd976905896eeac6fcecfd451b37a2b40df028d966488757238cac6552
MD5 hash:
d06ee1760468a6847afb8d93ff2534df
SHA1 hash:
b85989fa3d9b342de3a7f2f7b758cf47e96b9fc0
Link:
https://www.unpac.me/results/500dcae9-ca6b-43e9-9cba-fdcd20f7e37d/
SH256 hash:
cc53056d783515978f191ef41c9817341026f4f68e78a4d2bde8392d03c4256c
MD5 hash:
5a8e256d94dbb3028e46c5b1c78b8f9a
SHA1 hash:
4a5f5b1c3a01eb9ae6260c830de03f4e7f1dd528
Link:
https://www.unpac.me/results/500dcae9-ca6b-43e9-9cba-fdcd20f7e37d/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/cc53056d783515978f191ef41c9817341026f4f68e78a4d2bde8392d03c4256c

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_EXE_Packed_ConfuserExMod_BedsProtector
Create hunting rule
Author:ditekSHen
Description:Detects executables packed with ConfuserEx Mod Beds Protector
Rule name:INDICATOR_SUSPICIOUS_Stomped_PECompilation_Timestamp_InTheFu
Create hunting rule
Author:ditekSHen
Description:Detect executables with stomped PE compilation timestamp that is greater than local current time
Rule name:Keylog_bin_mem
Create hunting rule
Author:James_inthe_box
Description:Contains Keylog
Rule name:MALWARE_Win_SnakeKeylogger
Create hunting rule
Author:ditekSHen
Description:Detects Snake Keylogger

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

SnakeKeylogger

r09 4411b1f408e1224702116f67b0b30765053b41015286c22b3e521cec5aeaaae6

SnakeKeylogger

Executable exe cc53056d783515978f191ef41c9817341026f4f68e78a4d2bde8392d03c4256c

(this sample)

  
Dropped by
MD5 2da4bebc74716bb217eac95e1e5788a6
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/116066/
  
Dropped by
SHA256 4411b1f408e1224702116f67b0b30765053b41015286c22b3e521cec5aeaaae6

Comments