MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 d952e6902baf966ee83e4036999827263a7132ca1dde7f4eab1797f9fbb75051. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


SnakeKeylogger


Vendor detections: 9


Intelligence 9 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: d952e6902baf966ee83e4036999827263a7132ca1dde7f4eab1797f9fbb75051
SHA3-384 hash: 7e8349e2c25346e555b034d8d50cb4cb0184a5367517a9379a6f7ce4b82268b0dfbfe9b681d80e60ea4b72e0250a4e1a
SHA1 hash: f787a7262eec9f86dd755d250bf7bf633bc5bffd
MD5 hash: 59206e19b8a4a425829d4c3a41566a0d
humanhash: maine-nuts-failed-november
File name:Stock requirment.jpg.exe
Download: download sample
Signature SnakeKeylogger
Create hunting rule
File size:1'478'656 bytes
First seen:2022-05-04 13:03:56 UTC
Last seen:2022-05-04 15:26:48 UTC
File type:Executable exe
MIME type:application/x-dosexec
ssdeep 24576:nMtX82tdr7U5xSW2VpiAW4UjzgrMgc/Ue0HM+g:nc82dYS7ggrLcCHb
Threatray 2'487 similar samples on MalwareBazaar
TLSH T1B8655C4C73CA8503CC709A71DDB23B9327A3C7B9AC929F56629D753CC85F3AC0552A86
TrID 63.5% (.EXE) Win64 Executable (generic) (10523/12/4)
12.2% (.EXE) OS/2 Executable (generic) (2029/13)
12.0% (.EXE) Generic Win/DOS Executable (2002/3)
12.0% (.EXE) DOS Executable Generic (2000/1)
File icon (PE):PE icon
dhash icon 69d4b26868b2cc71 (23 x Formbook, 6 x SnakeKeylogger, 2 x AgentTesla)
Reporter cocaman
Tags:exe QUOTATION SnakeKeylogger

Intelligence

File Origin
# of uploads :
2
# of downloads :
252
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
Stock requirment.jpg.exe
Verdict:
No threats detected
Analysis date:
2022-05-04 13:06:57 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/f0aecec6-eb61-4b9c-9885-b4a56caee949

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/268619/
Detection(s):
Win.Trojan.EmbeddedDotNetBinary-9940868-0
Create hunting rule

Win.Trojan.EmbeddedReversedDLL-9940922-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Creating a file in the %AppData% subdirectories
Сreating synchronization primitives
DNS request
Sending an HTTP GET request
Reading critical registry keys
Enabling autorun by creating a file
Forced shutdown of a browser
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
control.exe obfuscated
Link:
https://www.filescan.io/uploads/627279c62b32b1c37c929261/reports/a994812f-2f01-4d8b-aa24-65baf93e5005/overview
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Suspicious
Link:
https://analyze.intezer.com/analyses/9266a5c1-3f7f-4361-bd05-17e99a7dc77b
Result
Threat name:
Unknown
Detection:
malicious
Classification:
troj.spyw.evad
Score:
92 / 100
Link:
https://www.joesandbox.com/analysis/987750
Signature
.NET source code contains potential unpacker
Creates an undocumented autostart registry key
Machine Learning detection for dropped file
Machine Learning detection for sample
May check the online IP address of the machine
Multi AV Scanner detection for dropped file
Snort IDS alert for network traffic
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Mail credentials (via file / registry access)
Uses an obfuscated file name to hide its real file extension (double extension)
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/d952e6902baf966ee83e4036999827263a7132ca1dde7f4eab1797f9fbb75051/
Threat name:
ByteCode-MSIL.Trojan.SnakeKeylogger
Create hunting rule
Status:
Malicious
First seen:
2022-05-04 13:04:17 UTC
File Type:
PE+ (.Net Exe)
Extracted files:
15
AV detection:
18 of 26 (69.23%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=3fjoneblv6lg52b6ia3jtgbhey5hcmwkdxph6tvlc6l7t65xkbiq._file
Verdict:
malicious
Similar samples:
4c9059aa76dfa2f817a4bf9cbf18e9f36d9235b6d6eb91af99c99eb68109afe5
SnakeKeylogger
74d6ce17a5ef1abd3c1c2bf8b9cc472bc8f3816299a06498cc7266c8f479beae
SnakeKeylogger
9c14d6ca77383fa5a3724feab17b217b900295abf77311a8c88f39ff7bb02f01
SnakeKeylogger
a750c87300b171417adbf5ae69054d2b70073004238216f6e09df4666488f28c
SnakeKeylogger
b206c2d164d66dcd9fad4cffdcb28d73eb64d2f663f1de6fb90cc10b47665c41
SnakeKeylogger
c97f3c263a8cf99b9535d4cb5276eaab9e07fca8c51ac010d5fbfbad6fc5261d
SnakeKeylogger
f3898ca67fa60276c5c6ace2385d54120cd792943c98e865fbdeb020cb5d4ac9
SnakeKeylogger
f9da2b0b4faa792adade4a1bb0557486073ff2ac52c6c4271439d99419ac5f28
SnakeKeylogger
+ 2'477 additional samples on MalwareBazaar
Result
Malware family:
snakekeylogger
Create hunting rule
Score:
  10/10
Tags:
family:snakekeylogger collection keylogger spyware stealer
Link:
https://tria.ge/reports/220504-qaywmsgdgp/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
outlook_office_path
outlook_win_path
Accesses Microsoft Outlook profiles
Looks up external IP address via web service
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Snake Keylogger
Snake Keylogger Payload
Malware Config
C2 Extraction:
https://api.telegram.org/bot5353503679:AAEJ2PXDCuq1nn55H7AnHpcP0d_3E3empJM/sendMessage?chat_id=5212306745
Unpacked files
SH256 hash:
d952e6902baf966ee83e4036999827263a7132ca1dde7f4eab1797f9fbb75051
MD5 hash:
59206e19b8a4a425829d4c3a41566a0d
SHA1 hash:
f787a7262eec9f86dd755d250bf7bf633bc5bffd
Link:
https://www.unpac.me/results/86976e92-a2b6-4ba9-81cf-e151dfce1f57/
Malware family:
SnakeKeylogger
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/d952e6902baf/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.35
Link:
https://yomi.yoroi.company/submissions/d952e6902baf966ee83e4036999827263a7132ca1dde7f4eab1797f9fbb75051

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_EXE_Packed_SmartAssembly
Create hunting rule
Author:ditekSHen
Description:Detects executables packed with SmartAssembly
Rule name:Typical_Malware_String_Transforms
Create hunting rule
Author:Florian Roth
Description:Detects typical strings in a reversed or otherwise modified form
Reference:Internal Research
Rule name:Typical_Malware_String_Transforms_RID3473
Create hunting rule
Author:Florian Roth
Description:Detects typical strings in a reversed or otherwise modified form
Reference:Internal Research

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

SnakeKeylogger

ace 444b54f532157e23f1bd617f640c391588968d47a42baa7f01b2b283827ea44e

SnakeKeylogger

Executable exe d952e6902baf966ee83e4036999827263a7132ca1dde7f4eab1797f9fbb75051

(this sample)

  
Delivery method
Other
  
Dropped by
SHA256 444b54f532157e23f1bd617f640c391588968d47a42baa7f01b2b283827ea44e
Cape
Cape
https://www.capesandbox.com/analysis/268619/
  
Dropped by
SHA256 0d8efaad34489a60cd4fb71cca95702af77c6ec83b9df8a3f32261f70e432662
  
Dropped by
MD5 508a3b0cf9e5cfaed4a9d0e39c5d80e1
  
Dropped by
MD5 14c2b1cf351fd144608241f3541982af

Comments