MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 cd1fd75a5fede73a1929bd8fdfe922521d379ab47db28bdbfaab0d390f633413. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

SnakeKeylogger

Vendor detections: 10

Intelligence 10 IOCs YARA 12 File information Comments

SHA256 hash:	cd1fd75a5fede73a1929bd8fdfe922521d379ab47db28bdbfaab0d390f633413
SHA3-384 hash:	29db110f484fbdf24629766c06a3fefe00ea706ee5053097dbf10a8a859ff0cbfa9b988babacd82a7a00188f52526270
SHA1 hash:	ca84d2bf9f0ea7bc9ba3cd2aeebf16d555b83fb2
MD5 hash:	3a54b966538bd4a0f750db2aa38bfe3a
humanhash:	december-fillet-nine-cup
File name:	SecuriteInfo.com.Trojan.Win32.Save.a.9623.31722
Download:	download sample
Signature	SnakeKeylogger Create hunting rule
File size:	641'536 bytes
First seen:	2021-07-07 05:53:02 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'661 x AgentTesla, 19'474 x Formbook, 12'208 x SnakeKeylogger)
ssdeep	12288:2WBprGgAEyDQRZIZLIff1ccUS0fmlgg9J8+gPdNRTqZB4d0Sj:tBpiFtDQ0aff1PUS0fi
Threatray	137 similar samples on MalwareBazaar
TLSH	87D439983312709EF4168836B956DCF0EA107E665B0B820390D73F9FB91F5D6CF950AA
Reporter	SecuriteInfoCom
Tags:	exe SnakeKeylogger

Intelligence

File Origin

# of uploads :

# of downloads :

192

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

SecuriteInfo.com.Trojan.Win32.Save.a.9623.31722

Verdict:

Malicious activity

Analysis date:

2021-07-07 05:54:27 UTC

Tags:

evasion trojan snakekeylogger keylogger

Link:

https://app.any.run/tasks/549a88e4-e5d2-43f7-8bb9-9fa640dab974

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

Snake

Link:

https://www.capesandbox.com/analysis/170113/

Detection(s):

SecuriteInfo.com.Trojan.Win32.Save.a.9623.31722.UNOFFICIAL

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/b54b4ae8-742e-4f09-b39e-70ca168a3c4c

Result

Threat name:

Snake Keylogger

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/812699

Signature

.NET source code references suspicious native API functions

Found malware configuration

Injects a PE file into a foreign processes

Machine Learning detection for dropped file

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

May check the online IP address of the machine

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to steal Mail credentials (via file access)

Uses schtasks.exe or at.exe to add and modify task schedules

Yara detected AntiVM3

Yara detected Snake Keylogger

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/cd1fd75a5fede73a1929bd8fdfe922521d379ab47db28bdbfaab0d390f633413/

Threat name:

Win32.Trojan.AgentTesla

Status:

Malicious

First seen:

2021-07-07 01:45:18 UTC

AV detection:

17 of 46 (36.96%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=zup5ows75xttugjjxwh572jckiotpgvupwzixw72vmgtsd3dgqjq._file

Verdict:

malicious

SnakeKeylogger

812f68851a0237986ff6d67142ef28113eba14a0a8410e339b81e4f38d2f6774

SnakeKeylogger

9a76b6c55801024e2f1fe932ce960c974f7f51d4fe4838ef077b4cc6a1432a3b

SnakeKeylogger

a3d13d3ae0ea1df687a6bd7a84db21340a3c23df83c1c55da4aae1d61d65f6b9

SnakeKeylogger

a8f581b584bdf1bc08a22728c89aab6a460419115166aea4154f5de4e685a1e2

SnakeKeylogger

b0c975b40f8a8f52aa372b0eea9ce604f35b9e5101b4aada3fda0cbb2e25229b

SnakeKeylogger

b2f77c882bdce0ff80269d0d2036243227eb3ac3bf3fd6d848c32b80df820337

SnakeKeylogger

c0122aead3c5a7b1a3a8d5f5cd7dcafa2ea0966d08cd4480ee041f5dd8eae89d

SnakeKeylogger

dbc9cca23dc54168c95c7179dd37bbeca4569b3004dbd272b92cddeee7aa9580

SnakeKeylogger

f8e4c7f5480d6b302e4870ca9eb28118ee47dd0dad4b689450782dfce53b8685

SnakeKeylogger

+ 127 additional samples on MalwareBazaar

Result

Malware family:

snakekeylogger

Score:

10/10

Tags:

family:snakekeylogger keylogger spyware stealer

Link:

https://tria.ge/reports/210707-bzxammjabe/

Behaviour

Creates scheduled task(s)

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Enumerates physical storage devices

Suspicious use of SetThreadContext

Looks up external IP address via web service

Reads data files stored by FTP clients

Reads user/profile data of local email clients

Reads user/profile data of web browsers

Contains code to disable Windows Defender

Snake Keylogger

Unpacked files

SH256 hash:

6b2731812b4e12e46916cba5e23eb4470a5a84b062d6654f8f19261c76e40268

MD5 hash:

005205c8e188a45758e3383f6501a7a6

SHA1 hash:

7def659fedd4796571e7788c2bb3e0598e91391e

Link:

https://www.unpac.me/results/6cc164b6-e3ed-4368-be81-7602777513bd/

SH256 hash:

9629111755027d7a13e9edc1c6bf391edad23ed573e56ed759c638bb88971c27

MD5 hash:

34c62c8bfc59e6729eb4a19d23c50672

SHA1 hash:

685d934db8e64a3e116984abcd7bc97a421beee6

Link:

https://www.unpac.me/results/6cc164b6-e3ed-4368-be81-7602777513bd/

SH256 hash:

eb1c38a1fa6a2c0c7fbb351c75d503add53aa7ac93f959173a36b90267e20d27

MD5 hash:

f5f5106fac6fb5692603ffa7e85b06ee

SHA1 hash:

01560544bae1eccf3ac756dd9658e16c6b2590ff

Link:

https://www.unpac.me/results/6cc164b6-e3ed-4368-be81-7602777513bd/

SH256 hash:

cd1fd75a5fede73a1929bd8fdfe922521d379ab47db28bdbfaab0d390f633413

MD5 hash:

3a54b966538bd4a0f750db2aa38bfe3a

SHA1 hash:

ca84d2bf9f0ea7bc9ba3cd2aeebf16d555b83fb2

Link:

https://www.unpac.me/results/6cc164b6-e3ed-4368-be81-7602777513bd/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/cd1fd75a5fede73a1929bd8fdfe922521d379ab47db28bdbfaab0d390f633413

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	Choice_Del_method_bin_mem Create hunting rule
Author:	James_inthe_box
Description:	cmd ping IP nul del

Rule name:	Chrome_stealer_bin_mem Create hunting rule
Author:	James_inthe_box
Description:	Chrome in files like avemaria

Rule name:	Email_stealer_bin_mem Create hunting rule
Author:	James_inthe_box
Description:	Email in files like avemaria

Rule name:	INDICATOR_SUSPICIOUS_Binary_References_Browsers Create hunting rule
Author:	ditekSHen
Description:	Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers.

Rule name:	INDICATOR_SUSPICIOUS_EXE_Referenfces_Messaging_Clients Create hunting rule
Author:	ditekSHen
Description:	Detects executables referencing many email and collaboration clients. Observed in information stealers

Rule name:	Keylog_bin_mem Create hunting rule
Author:	James_inthe_box
Description:	Contains Keylog

Rule name:	MAL_Envrial_Jan18_1 Create hunting rule
Author:	Florian Roth
Description:	Detects Encrial credential stealer malware
Reference:	https://twitter.com/malwrhunterteam/status/953313514629853184

Rule name:	pe_imphash Create hunting rule

Rule name:	Reverse_text_bin_mem Create hunting rule
Author:	James_inthe_box
Description:	Reverse text detected

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

Rule name:	Telegram_bot_mem Create hunting rule
Author:	James_inthe_box
Description:	Telegram in files like avemaria

Rule name:	Telegram_Exfiltration_Via_Api Create hunting rule
Author:	lsepaolo

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/170113/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample