MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 cd004920d1ca92cbfa11e014394a37dac188f65a0c6baf476601d462999126fa. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

SnakeKeylogger

Vendor detections: 15

Intelligence 15 IOCs YARA 2 File information Comments

SHA256 hash:	cd004920d1ca92cbfa11e014394a37dac188f65a0c6baf476601d462999126fa
SHA3-384 hash:	bd3862c6707e7e1b71689cc4d57bf65c42b7c10f709381ea1cb465a163f7aa442ee5746290bc5d2d74af432dea8b8c45
SHA1 hash:	150cd955f8340bdf73c76d5a194f4b7cb6be015f
MD5 hash:	bd088f4ac6454c9ce4f45af8a5da6c33
humanhash:	undress-maine-jig-angel
File name:	SecuriteInfo.com.Win32.PWSX-gen.138.20886
Download:	download sample
Signature	SnakeKeylogger Create hunting rule
File size:	612'352 bytes
First seen:	2022-11-17 10:35:13 UTC
Last seen:	2022-11-17 10:35:19 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'649 x AgentTesla, 19'454 x Formbook, 12'202 x SnakeKeylogger)
ssdeep	12288:64S/U/5s5BEvokyqfSjTQcUqpjPMEPnGREuM+WcjZnbCkI:Zr/5NwvqfS4cUCxPnGRE9+LjZnbCkI
Threatray	9'094 similar samples on MalwareBazaar
TLSH	T19BD418E96893796EE5B9B35D55F1A840CAB388320EC0AE2441783DC55D339D3B162EFC
TrID	61.5% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13) 11.0% (.SCR) Windows screen saver (13097/50/3) 8.8% (.EXE) Win64 Executable (generic) (10523/12/4) 5.5% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 4.2% (.EXE) Win16 NE executable (generic) (5038/12/1)
Reporter	SecuriteInfoCom
Tags:	exe SnakeKeylogger

Intelligence

File Origin

# of uploads :

# of downloads :

245

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

Ziraat Ba.esaji pdf.rar

Verdict:

Malicious activity

Analysis date:

2022-11-17 09:30:11 UTC

Tags:

n/a

Link:

https://app.any.run/tasks/ccf0d23b-7277-44c1-bb8f-116297114c3f

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

Snake

Link:

https://www.capesandbox.com/analysis/335279/

Detection(s):

SecuriteInfo.com.Win32.PWSX-gen.12652.29918.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Searching for the window

Creating a window

Launching a process

Creating a process with a hidden window

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

hacktool packed

Link:

https://www.filescan.io/uploads/63760e9307c3f5e84a019d01/reports/ab5894d2-9452-4000-964c-764104854ad9/overview

Result

Verdict:

UNKNOWN

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Snake Keylogger

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/7ddf8827-78d7-43cc-988f-c91c65682686

Result

Threat name:

Snake Keylogger

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1115660

Signature

.NET source code contains potential unpacker

.NET source code references suspicious native API functions

Adds a directory exclusion to Windows Defender

Machine Learning detection for dropped file

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

May check the online IP address of the machine

Multi AV Scanner detection for submitted file

Sigma detected: Scheduled temp file as task from temp location

Snort IDS alert for network traffic

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to steal Mail credentials (via file / registry access)

Uses schtasks.exe or at.exe to add and modify task schedules

Yara detected AntiVM3

Yara detected Generic Downloader

Yara detected Snake Keylogger

Yara detected Telegram RAT

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/cd004920d1ca92cbfa11e014394a37dac188f65a0c6baf476601d462999126fa/

Threat name:

Win32.Trojan.Taskun

Status:

Malicious

First seen:

2022-11-17 10:36:09 UTC

File Type:

PE (.Net Exe)

Extracted files:

AV detection:

18 of 26 (69.23%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=zuaesigrzkjmx6qr4akdssrx3layr5s2brv26r3gahkgfgmre35a._file

Verdict:

malicious

SnakeKeylogger

2f6e6357881973427aa992355125e2a7be58586613136a7fa4a84a49dd28dc93

SnakeKeylogger

3bd6eaf7910876056f5f594c6b15fd7a8b75c6eef0c0a76690ed49e72ea97366

SnakeKeylogger

495c80adad64f20ab292f42de22850ba2abcc8f9a1c1eb41eda64088fd0bfaa8

SnakeKeylogger

4b28969cc4f30f407d15a6d462105ac3f164585ae720d35a8249bd5c91fc51d5

SnakeKeylogger

4bb9d6b2fd689b24941493f61b6c39313a35fe7e544a686b69e5a21f38db511c

SnakeKeylogger

60af9df81cf538b49e2411b69acfbcd2df44edffa4c4912e16c64d2618d22a8c

SnakeKeylogger

c498b83c2623ae4b95259430d63e9ef264941ffa0bfb7a7005f3db8244a69707

SnakeKeylogger

cc83749270a1efd6c7ebeb1e3c077a426ec98f3b25e14e268dc18b17409abba9

SnakeKeylogger

+ 9'084 additional samples on MalwareBazaar

Result

Malware family:

snakekeylogger

Score:

10/10

Tags:

family:snakekeylogger collection keylogger stealer

Link:

https://tria.ge/reports/221117-mm8ptsac2t/

Behaviour

Creates scheduled task(s)

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

outlook_office_path

outlook_win_path

Enumerates physical storage devices

Suspicious use of SetThreadContext

Accesses Microsoft Outlook profiles

Looks up external IP address via web service

Checks computer location settings

Snake Keylogger

Snake Keylogger payload

Verdict:

Suspicious

Tags:

n/a

YARA:

n/a

Link:

https://app.threat.zone/submission/b98b0e4c-fbb3-4b75-9f37-e5f9d3b79458

Unpacked files

SH256 hash:

c7bf00c4643e3e6332afd20d6e493abea305062577f9b282d9d1de36a10eb41d

MD5 hash:

c1b285fe04f0125b8c0c8f865fc62626

SHA1 hash:

b1f47963380c32f82628035e7db5b2dc4bcc41a9

Link:

https://www.unpac.me/results/828cf305-49b0-406c-a726-3dcc992cec99/

SH256 hash:

c30294f97fd317905407c7f0c37908d5e7094ef8a067a6d1abb33ef83e4e2bc3

MD5 hash:

6ca9f3093d1147bdd58aaaec0bf35d17

SHA1 hash:

5fb3c64d57889dcbe8d1f8a4c6be39a0c3a0759a

Detections:

snake_keylogger

Link:

https://www.unpac.me/results/828cf305-49b0-406c-a726-3dcc992cec99/

Parent samples :

ac6b2faf121905b8980455fab8e39a7cc3bf4fd5b2bff91068b5a6b348d23ee3
cd004920d1ca92cbfa11e014394a37dac188f65a0c6baf476601d462999126fa
29865b75c412f1ac28c7d971b011806080c583640b0130bfe9603d35c5665fce
a877d4ad09c9afc5bb5880913fd98fcf6989f390685bbd50b7f6acca864d0f44
4f5ea72df2ff98979013fbfe0781a01d8d487d886ebc5012e037f553527996d2
b88d6e2b1c5a0fbccf8af747e7bab2326b5bbf84ebceaec5d615a42a414c516c
0f8f70dd445fd84967a71a4d4f40e9f630b2a814e7d9107b1066ba1f8fb3bfa4
7f9763a377fe92b64b80a08b747d33fef333880554b254bf645f04bd8eac1ed8

SH256 hash:

cfc16a2dbb933b1b85807d48966e9301b9fc34f4c44e7357713ca88b54bf4ab4

MD5 hash:

aabd0bdc81026ade6c57383f21d5c227

SHA1 hash:

4b26936bb8c03be6d7963184215a5ab594ecb765

Link:

https://www.unpac.me/results/828cf305-49b0-406c-a726-3dcc992cec99/

SH256 hash:

e33f4cc3149ad67b3cd555466f1145b6dfd01718d676bf877b3e2fc23326842b

MD5 hash:

5f7a26cdcda4889580691530b0fb1686

SHA1 hash:

45b737c7521f6986e67a83498987227269fcb4d9

Link:

https://www.unpac.me/results/828cf305-49b0-406c-a726-3dcc992cec99/

SH256 hash:

ab19f28c700d64814b0c55df868c30dfb94e0a1f9fb6f7bca05bac6eb78a4e52

MD5 hash:

1f2a6c02dcf9aa00a28a5039fb5b8ce0

SHA1 hash:

1ef480867d39b98368af7586a8e6ba38c0c3893a

Link:

https://www.unpac.me/results/828cf305-49b0-406c-a726-3dcc992cec99/

SH256 hash:

cd004920d1ca92cbfa11e014394a37dac188f65a0c6baf476601d462999126fa

MD5 hash:

bd088f4ac6454c9ce4f45af8a5da6c33

SHA1 hash:

150cd955f8340bdf73c76d5a194f4b7cb6be015f

Link:

https://www.unpac.me/results/828cf305-49b0-406c-a726-3dcc992cec99/

Malware family:

SnakeKeylogger

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/cd004920d1ca/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/cd004920d1ca92cbfa11e014394a37dac188f65a0c6baf476601d462999126fa

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	pe_imphash Create hunting rule

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/335279/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample