MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 cc83749270a1efd6c7ebeb1e3c077a426ec98f3b25e14e268dc18b17409abba9. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


SnakeKeylogger


Vendor detections: 15


Intelligence 15 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: cc83749270a1efd6c7ebeb1e3c077a426ec98f3b25e14e268dc18b17409abba9
SHA3-384 hash: 31fe6c076aa18d8c7acfe6e7f71c87d0a3763842a0777899fad2af4b2c1a3c091bffe512d3b8672de50997036480afec
SHA1 hash: c4781aeff12fd99d68d8a1684982601791eb1e57
MD5 hash: 83a6a713f52af474a08a0cadde449a79
humanhash: failed-ten-salami-blue
File name:83a6a713f52af474a08a0cadde449a79.exe
Download: download sample
Signature SnakeKeylogger
Create hunting rule
File size:913'408 bytes
First seen:2022-11-14 18:44:31 UTC
Last seen:2022-11-14 20:44:51 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'662 x AgentTesla, 19'477 x Formbook, 12'208 x SnakeKeylogger)
ssdeep 12288:W3gHLjtLHLjtTQcexevBp4ZzEggTpw3viVA4V95Bbu98/kNjxJU2zsHLjt:OgHLpLHLpT7M0pXj795Zuukxk2zsHLp
Threatray 8'988 similar samples on MalwareBazaar
TLSH T183154A2979BCB602EE36AAF70EF6AA4BCE7011411219C1070D2936DEE935E363D4D54B
TrID 72.5% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.4% (.EXE) Win64 Executable (generic) (10523/12/4)
6.5% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.4% (.EXE) Win32 Executable (generic) (4505/5/1)
2.0% (.EXE) OS/2 Executable (generic) (2029/13)
Reporter abuse_ch
Tags:exe SnakeKeylogger

Intelligence

File Origin
# of uploads :
2
# of downloads :
184
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
SKB-Payment Letter Of Aplication...doc
Verdict:
Malicious activity
Analysis date:
2022-11-14 13:05:48 UTC
Tags:
exploit cve-2017-11882 loader evasion trojan
Link:
https://app.any.run/tasks/0041b108-1496-4ecf-8878-80cfdb4e3b40

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Snake
Create hunting rule
Link:
https://www.capesandbox.com/analysis/333882/
Detection(s):
SecuriteInfo.com.Trojan.Packed2.44597.12665.17074.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
packed
Link:
https://www.filescan.io/uploads/63728cb26fda73cab64dcdb7/reports/f35b627a-c557-4901-8681-6ed8d05b6dd1/overview
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Snake Keylogger
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/28025c51-0a20-41e6-b5c6-de28e736617d
Result
Threat name:
Snake Keylogger
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1113191
Signature
.NET source code contains potential unpacker
.NET source code references suspicious native API functions
Injects a PE file into a foreign processes
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
May check the online IP address of the machine
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Mail credentials (via file / registry access)
Yara detected AntiVM3
Yara detected Generic Downloader
Yara detected Snake Keylogger
Yara detected Telegram RAT
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/cc83749270a1efd6c7ebeb1e3c077a426ec98f3b25e14e268dc18b17409abba9/
Threat name:
ByteCode-MSIL.Trojan.NanoBot
Create hunting rule
Status:
Malicious
First seen:
2022-11-14 15:04:08 UTC
File Type:
PE (.Net Exe)
Extracted files:
36
AV detection:
20 of 26 (76.92%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=zsbxjetquhx5nr7l5mpdyb32ijxmtdz3exqu4junygfroqe2xouq._file
Verdict:
malicious
Similar samples:
44ef6929139229baffe966a8f2facca112903f143106b56b6afae3e0ae94276b
SnakeKeylogger
495c80adad64f20ab292f42de22850ba2abcc8f9a1c1eb41eda64088fd0bfaa8
SnakeKeylogger
4b28969cc4f30f407d15a6d462105ac3f164585ae720d35a8249bd5c91fc51d5
SnakeKeylogger
60af9df81cf538b49e2411b69acfbcd2df44edffa4c4912e16c64d2618d22a8c
SnakeKeylogger
b47aa7b5477954f8d297266a203475a4e9f7b1152cb3a804c29402511157848e
SnakeKeylogger
bd101151493572e15312c745f4216063668d99a1ac5d24584595975eb5ecde1f
SnakeKeylogger
c498b83c2623ae4b95259430d63e9ef264941ffa0bfb7a7005f3db8244a69707
SnakeKeylogger
+ 8'978 additional samples on MalwareBazaar
Result
Malware family:
snakekeylogger
Create hunting rule
Score:
  10/10
Tags:
family:snakekeylogger collection keylogger spyware stealer
Link:
https://tria.ge/reports/221114-xemshahc9x/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Looks up external IP address via web service
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Snake Keylogger
Snake Keylogger payload
Verdict:
Suspicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/2ef5a83d-5313-401d-92c1-8e558ae70fae
Unpacked files
SH256 hash:
01a13768358702503a8c9bcdc2ba14ae9d6dda1d16c8f9e6ce52cd4bc1f69b5f
MD5 hash:
74fac1ce3ee20373406aa7109473469e
SHA1 hash:
a06ea8bf894b57c6f9b229ab208b57a599d3f3ad
Detections:
snake_keylogger
Create hunting rule
Link:
https://www.unpac.me/results/9656bae2-a4af-4638-a438-5137db0bb29e/
Parent samples :
cc83749270a1efd6c7ebeb1e3c077a426ec98f3b25e14e268dc18b17409abba9
62aa2952bc9fdff73484b242111347f7d20c176e19338ef06f6c0bcbe4b1d600
e36cc1a63904dd9cc83f590451a1dfaccdd87757a5d0b07448a87e2824bee7e6
SH256 hash:
becf99d2d433e1acc5b6c08644157a7f23579f0573bd5f818d60ea903dd2f03e
MD5 hash:
0eecfd1b9d5dcdd2a06f630792911d51
SHA1 hash:
50fb2e7c0d1e7702e0f46531ad49e050a9e1b258
Link:
https://www.unpac.me/results/9656bae2-a4af-4638-a438-5137db0bb29e/
SH256 hash:
cfc16a2dbb933b1b85807d48966e9301b9fc34f4c44e7357713ca88b54bf4ab4
MD5 hash:
aabd0bdc81026ade6c57383f21d5c227
SHA1 hash:
4b26936bb8c03be6d7963184215a5ab594ecb765
Link:
https://www.unpac.me/results/9656bae2-a4af-4638-a438-5137db0bb29e/
SH256 hash:
781f4d3fb9d31b3727e039694864e00a5253b8b854180e422f3ef9c5a282d9f8
MD5 hash:
99b687f83f92957ffd1e9f43448a38eb
SHA1 hash:
3204c7b3eeb77b19433dff4446c70958961ff4b5
Link:
https://www.unpac.me/results/9656bae2-a4af-4638-a438-5137db0bb29e/
SH256 hash:
ab19f28c700d64814b0c55df868c30dfb94e0a1f9fb6f7bca05bac6eb78a4e52
MD5 hash:
1f2a6c02dcf9aa00a28a5039fb5b8ce0
SHA1 hash:
1ef480867d39b98368af7586a8e6ba38c0c3893a
Link:
https://www.unpac.me/results/9656bae2-a4af-4638-a438-5137db0bb29e/
SH256 hash:
cc83749270a1efd6c7ebeb1e3c077a426ec98f3b25e14e268dc18b17409abba9
MD5 hash:
83a6a713f52af474a08a0cadde449a79
SHA1 hash:
c4781aeff12fd99d68d8a1684982601791eb1e57
Link:
https://www.unpac.me/results/9656bae2-a4af-4638-a438-5137db0bb29e/
Malware family:
SnakeKeylogger
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/cc83749270a1/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Password Stealer
Score:
0.90
Link:
https://yomi.yoroi.company/submissions/cc83749270a1efd6c7ebeb1e3c077a426ec98f3b25e14e268dc18b17409abba9

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

SnakeKeylogger

Executable exe cc83749270a1efd6c7ebeb1e3c077a426ec98f3b25e14e268dc18b17409abba9

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/2283634/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/333882/

Comments