MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 d82eefa0193afb698d4121a88c3f938b3806a33ace81b5338f2c42ede1f830bb. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

SnakeKeylogger

Vendor detections: 14

Intelligence 14 IOCs YARA 10 File information Comments

SHA256 hash:	d82eefa0193afb698d4121a88c3f938b3806a33ace81b5338f2c42ede1f830bb
SHA3-384 hash:	9168a0d27a86626800c58617bec03d2b8ee9087970378a9406636497a96ad69ca67867aa8412d04b8d64d26548854371
SHA1 hash:	1991c3c97e615ddc3e1fdd45c6dece4c0052c943
MD5 hash:	f7cc11cec3fab768dfc2939a7d84f5e9
humanhash:	arizona-video-jupiter-north
File name:	f7cc11cec3fab768dfc2939a7d84f5e9.exe
Download:	download sample
Signature	SnakeKeylogger Create hunting rule
File size:	323'474 bytes
First seen:	2021-10-15 17:53:54 UTC
Last seen:	2021-10-15 19:07:29 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	b76363e9cb88bf9390860da8e50999d2 (464 x Formbook, 184 x AgentTesla, 122 x SnakeKeylogger)
ssdeep	6144:b8LxBqtPhY23qhQfbkQBLmAN1U4vUJBSrjqyVXYsDqcuUURBXc:nRhMhQfPw4fUJ0iyosGcuUUR9c
Threatray	1'480 similar samples on MalwareBazaar
TLSH	T113641256F28189F7E01105310672AB76F33B9B49C027AF438774B9F70A70E8E956BE46
File icon (PE):
dhash icon	4f07090d0d014f8c (47 x SnakeKeylogger, 17 x Formbook, 13 x AgentTesla)
Reporter	abuse_ch
Tags:	exe SnakeKeylogger

Intelligence

File Origin

# of uploads :

# of downloads :

321

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

f7cc11cec3fab768dfc2939a7d84f5e9.exe

Verdict:

Malicious activity

Analysis date:

2021-10-15 17:57:55 UTC

Tags:

n/a

Link:

https://app.any.run/tasks/2d4a0402-ee8c-4e41-bb13-d86126612a92

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/197798/

Detection(s):

SecuriteInfo.com.Trojan.Packed2.43460.30617.28565.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a file in the %temp% directory

Creating a file

Creating a window

Verdict:

Suspicious

Threat level:

5/10

Confidence:

60%

Tags:

lokibot overlay packed snake

Link:

https://www.filescan.io/uploads/6169c03da9d585e6d529cc7b/reports/3fa428cf-b7a9-4263-8ad2-c13f5f22526e/overview

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Snake Keylogger

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/922ad347-90be-49b3-9f52-05b477a6d72c

Result

Threat name:

Snake Keylogger

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/871268

Signature

Found malware configuration

Icon mismatch, binary includes an icon from a different legit application in order to fool users

Injects a PE file into a foreign processes

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

May check the online IP address of the machine

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Sigma detected: Capture Wi-Fi password

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to harvest and steal WLAN passwords

Tries to steal Mail credentials (via file access)

Uses netsh to modify the Windows network and firewall settings

Uses the Telegram API (likely for C&C communication)

Yara detected Snake Keylogger

Yara detected Telegram RAT

Behaviour

Behavior Graph:

Download SVG

Detection:

snakekeylogger

Link:

https://mwdb.cert.pl/sample/d82eefa0193afb698d4121a88c3f938b3806a33ace81b5338f2c42ede1f830bb/

Threat name:

Win32.Trojan.Tiggre

Status:

Malicious

First seen:

2021-09-30 17:52:23 UTC

AV detection:

20 of 28 (71.43%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=3axo7iazhl5wtdkbeguiyp4trm4aniz2z2a3km4pfrbo3ypygc5q._file

Verdict:

malicious

SnakeKeylogger

311e6b79bf6aa94aea754fe0a53c0d3d544cafbffd35148b1a876db33202065f

SnakeKeylogger

591c4b1b79229112cd960b877907a6fa5e48372b54aed771560d18b13459f93f

SnakeKeylogger

6bfde0abeab045d2ea80c8f46415b00ac74911b23a98b6e72d66ce7fafdec5d6

SnakeKeylogger

8fe218b955266ea66ca10d94c9acea08f47c56cda69c7f93071ae83be18e9432

SnakeKeylogger

e2b899baa7500884e7dbe9219f641996f11ed287b17abcce04764815d64895ae

SnakeKeylogger

+ 1'470 additional samples on MalwareBazaar

Result

Malware family:

snakekeylogger

Score:

10/10

Tags:

family:snakekeylogger collection keylogger spyware stealer

Link:

https://tria.ge/reports/211015-wgwmrabbh9/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: GetForegroundWindowSpam

Suspicious use of AdjustPrivilegeToken

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

outlook_office_path

outlook_win_path

Enumerates physical storage devices

Suspicious use of SetThreadContext

Accesses Microsoft Outlook profiles

Looks up external IP address via web service

Loads dropped DLL

Reads data files stored by FTP clients

Reads user/profile data of local email clients

Reads user/profile data of web browsers

Snake Keylogger

Malware Config

C2 Extraction:

https://api.telegram.org/bot1816395306:AAE3ZBLYV2L9aT9mL8itL9vr3RP6nOz_B1o/sendMessage?chat_id=1368673464

Unpacked files

SH256 hash:

d82eefa0193afb698d4121a88c3f938b3806a33ace81b5338f2c42ede1f830bb

MD5 hash:

f7cc11cec3fab768dfc2939a7d84f5e9

SHA1 hash:

1991c3c97e615ddc3e1fdd45c6dece4c0052c943

Link:

https://www.unpac.me/results/719405c8-491a-4ed1-8491-f817c62569c1/

Malware family:

Phoenix

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/d82eefa0193a/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

0.77

Link:

https://yomi.yoroi.company/submissions/d82eefa0193afb698d4121a88c3f938b3806a33ace81b5338f2c42ede1f830bb

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	INDICATOR_SUSPICIOUS_Binary_References_Browsers Create hunting rule
Author:	ditekSHen
Description:	Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers.

Rule name:	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook Create hunting rule
Author:	ditekSHen
Description:	Detects executables with potential process hoocking

Rule name:	INDICATOR_SUSPICIOUS_EXE_Referenfces_Messaging_Clients Create hunting rule
Author:	ditekSHen
Description:	Detects executables referencing many email and collaboration clients. Observed in information stealers

Rule name:	INDICATOR_SUSPICIOUS_EXE_TelegramChatBot Create hunting rule
Author:	ditekSHen
Description:	Detects executables using Telegram Chat Bot

Rule name:	MALWARE_Win_SnakeKeylogger Create hunting rule
Author:	ditekSHen
Description:	Detects Snake Keylogger

Rule name:	MAL_Envrial_Jan18_1 Create hunting rule
Author:	Florian Roth
Description:	Detects Encrial credential stealer malware
Reference:	https://twitter.com/malwrhunterteam/status/953313514629853184

Rule name:	MAL_Envrial_Jan18_1_RID2D8C Create hunting rule
Author:	Florian Roth
Description:	Detects Encrial credential stealer malware
Reference:	https://twitter.com/malwrhunterteam/status/953313514629853184

Rule name:	pe_imphash Create hunting rule

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

Rule name:	Telegram_Exfiltration_Via_Api Create hunting rule
Author:	lsepaolo

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/197798/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample