MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 dcc357f405281d1550c0cb13a0a1358c9df3da64389c3e8f008073c5c2ad6005. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


SnakeKeylogger


Vendor detections: 13


Intelligence 13 IOCs YARA 13 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: dcc357f405281d1550c0cb13a0a1358c9df3da64389c3e8f008073c5c2ad6005
SHA3-384 hash: c31e2146473371214669ec6c31f30e82df585127715848efe681cd98907c0b0e91db28ad9c4aa82cb25cd435c974c91a
SHA1 hash: f65779d14d36dc58e9f244825df6dc1ad417b6f3
MD5 hash: 6906fb326e0fa1a2f52a1b88687f2f5b
humanhash: network-virginia-sierra-eighteen
File name:Caixa_04_11_2023_Recibo.exe
Download: download sample
Signature SnakeKeylogger
Create hunting rule
File size:535'040 bytes
First seen:2023-04-11 13:12:44 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'750 x AgentTesla, 19'653 x Formbook, 12'248 x SnakeKeylogger)
ssdeep 12288:KpJPdDNdEZ+xsWSe7U0ATZwiluOCK1qoJWYHFq5:2hd5dE4EeI0AZwk1qooJ
Threatray 5'086 similar samples on MalwareBazaar
TLSH T159B4F09D6271EF92E56C0FF45445244223B8F248E2B4FAA94DA713F78A73F6211183E7
TrID 71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.2% (.EXE) Win64 Executable (generic) (10523/12/4)
6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.3% (.EXE) Win32 Executable (generic) (4505/5/1)
2.0% (.ICL) Windows Icons Library (generic) (2059/9)
Reporter abuse_ch
Tags:exe SnakeKeylogger

Intelligence

File Origin
# of uploads :
1
# of downloads :
257
Origin country :
NL NL
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
Caixa_04_11_2023_Recibo.exe
Verdict:
Malicious activity
Analysis date:
2023-04-11 11:12:24 UTC
Tags:
evasion snake keylogger trojan
Link:
https://app.any.run/tasks/754527ad-703e-438d-99ab-e528be0dfa15

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/381495/
Detection(s):
Sanesecurity.Malware.28872.BadIN4.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a custom TCP request
Enabling the 'hidden' option for analyzed file
Moving of the original file
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
barys comodo lokibot packed
Link:
https://www.filescan.io/uploads/64355cdef17a8f86fc8c9d88/reports/3d8a285f-b152-47be-ba26-3788a8347f7d/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_90%
Link:
https://www.hybrid-analysis.com/sample/dcc357f405281d1550c0cb13a0a1358c9df3da64389c3e8f008073c5c2ad6005
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Snake Keylogger
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/234973db-7371-4e7e-a1f4-be22bb3928b7
Result
Threat name:
Snake Keylogger
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1211821
Signature
.NET source code contains potential unpacker
Injects a PE file into a foreign processes
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
May check the online IP address of the machine
Moves itself to temp directory
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Mail credentials (via file / registry access)
Yara detected Generic Downloader
Yara detected Snake Keylogger
Yara detected Telegram RAT
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/dcc357f405281d1550c0cb13a0a1358c9df3da64389c3e8f008073c5c2ad6005/
Threat name:
ByteCode-MSIL.Trojan.DarkStealerLoader
Create hunting rule
Status:
Malicious
First seen:
2023-04-11 13:13:07 UTC
File Type:
PE (.Net Exe)
Extracted files:
15
AV detection:
20 of 24 (83.33%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=3tbvp5affaorkugazmj2bijvrso7hwtehcod5dyaqbz4lqvnmacq._file
Verdict:
malicious
Similar samples:
48c443ac6d5ba187712c1d8d5ac27d5d23bd4dd718a714c51f3811a751c4346b
SnakeKeylogger
549dd9bedf40c44d43f4c7fabd72feab510a787f291d6c6a090f13152fd66ad8
SnakeKeylogger
560d725c51733509f17d4a1b647cb5cfea3f400cfcc9cbab82da116419db1297
SnakeKeylogger
7f83cd291ccbaf7e86cd96fffc54ecdadb4dff972f4ddcb11ca0cdadf9788899
SnakeKeylogger
915c681cf24ce5aa5ac24cbe3d9fe1106966ff7467c16a3e7b002e80034da8c9
SnakeKeylogger
be97a51ffa2d24ac0f2eba8eb2bc3ed49057c873d16d8c6b893c84b8670c9a1f
SnakeKeylogger
d516e4901dd234c9dadef6a593e04c85c00e83d092490d7a7398339d79c4b727
SnakeKeylogger
d5e86309672a8e1e47bb674fe35761d8ae5c0091665ccf38af18f79afcc08e59
SnakeKeylogger
eebe1c81da57309a99fa8cf1a8ef2ef90af6072182ad6b8dd3ceb8a31500bd0c
SnakeKeylogger
f40e6cacd4f125dbe0abe0cf82329cbac03c86cd848e0a8747b8f79381f2569a
SnakeKeylogger
+ 5'076 additional samples on MalwareBazaar
Result
Malware family:
snakekeylogger
Create hunting rule
Score:
  10/10
Tags:
family:snakekeylogger collection keylogger spyware stealer
Link:
https://tria.ge/reports/230411-qf259ace78/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: RenamesItself
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Looks up external IP address via web service
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Snake Keylogger
Snake Keylogger payload
Unpacked files
SH256 hash:
608353a81a77f63d4573da277cb2e7c663739f5b8613353da4ff77334ef71213
MD5 hash:
dfc1f714a28bae8cab306760cb5926a1
SHA1 hash:
fc6f90fbe70f7b915648869087975e9926e214d8
Link:
https://www.unpac.me/results/8e09875d-4d3d-4e33-b4fe-b894b44aa3b2/
SH256 hash:
5d27a68630508457273b7353c64105849ba4c11cee94e03a3e9790580cd93eae
MD5 hash:
4ba9d5740d7a72dd603664f8d90b63b7
SHA1 hash:
f9b7f956a0f88d65987cb8013c79119d0db5ea6d
Detections:
snake_keylogger
Create hunting rule
Link:
https://www.unpac.me/results/8e09875d-4d3d-4e33-b4fe-b894b44aa3b2/
Parent samples :
560d725c51733509f17d4a1b647cb5cfea3f400cfcc9cbab82da116419db1297
dcc357f405281d1550c0cb13a0a1358c9df3da64389c3e8f008073c5c2ad6005
SH256 hash:
40c050c20d957d26b932faf690f9c2933a194aa6607220103ec798f46ac03403
MD5 hash:
c768bac25fc6f0551a11310e7caba8d5
SHA1 hash:
95f9195e959fb48277c95d1dd1c97a4edff7cb3a
Link:
https://www.unpac.me/results/8e09875d-4d3d-4e33-b4fe-b894b44aa3b2/
SH256 hash:
6413c60502ba771163bb96527a5b8fdf5d765cd19f89bca13c6442bbd8bdb4bd
MD5 hash:
d52609f7faa0c91840a49a848a476000
SHA1 hash:
268d289f07cd7f58d0c4db7d785fa350a3ed431a
Link:
https://www.unpac.me/results/8e09875d-4d3d-4e33-b4fe-b894b44aa3b2/
SH256 hash:
ae2386920cd2b4949819fd7cd758f258ee6a541b84171764a4d5406eaddead9c
MD5 hash:
d8c5bcf93ffa3068b4471a5251596fe9
SHA1 hash:
0c0d596140b1ab6f03062138c3abbff81e200a6b
Link:
https://www.unpac.me/results/8e09875d-4d3d-4e33-b4fe-b894b44aa3b2/
SH256 hash:
dcc357f405281d1550c0cb13a0a1358c9df3da64389c3e8f008073c5c2ad6005
MD5 hash:
6906fb326e0fa1a2f52a1b88687f2f5b
SHA1 hash:
f65779d14d36dc58e9f244825df6dc1ad417b6f3
Link:
https://www.unpac.me/results/8e09875d-4d3d-4e33-b4fe-b894b44aa3b2/
Malware family:
SnakeKeylogger
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/dcc357f40528/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.45
Link:
https://yomi.yoroi.company/submissions/dcc357f405281d1550c0cb13a0a1358c9df3da64389c3e8f008073c5c2ad6005

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:BitcoinAddress
Create hunting rule
Author:Didier Stevens (@DidierStevens)
Description:Contains a valid Bitcoin address
Rule name:INDICATOR_SUSPICIOUS_Binary_References_Browsers
Create hunting rule
Author:ditekSHen
Description:Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers.
Rule name:INDICATOR_SUSPICIOUS_EXE_DotNetProcHook
Create hunting rule
Author:ditekSHen
Description:Detects executables with potential process hoocking
Rule name:INDICATOR_SUSPICIOUS_EXE_References_Messaging_Clients
Create hunting rule
Author:ditekSHen
Description:Detects executables referencing many email and collaboration clients. Observed in information stealers
Rule name:INDICATOR_SUSPICIOUS_EXE_TelegramChatBot
Create hunting rule
Author:ditekSHen
Description:Detects executables using Telegram Chat Bot
Rule name:MALWARE_Win_SnakeKeylogger
Create hunting rule
Author:ditekSHen
Description:Detects Snake Keylogger
Rule name:MAL_Envrial_Jan18_1
Create hunting rule
Author:Florian Roth (Nextron Systems)
Description:Detects Encrial credential stealer malware
Reference:https://twitter.com/malwrhunterteam/status/953313514629853184
Rule name:MAL_Envrial_Jan18_1_RID2D8C
Create hunting rule
Author:Florian Roth
Description:Detects Encrial credential stealer malware
Reference:https://twitter.com/malwrhunterteam/status/953313514629853184
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash
Rule name:Windows_Trojan_SnakeKeylogger_af3faa65
Create hunting rule
Author:Elastic Security
Rule name:XWorm_Hunter
Create hunting rule
Author:Potato

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

SnakeKeylogger

Executable exe dcc357f405281d1550c0cb13a0a1358c9df3da64389c3e8f008073c5c2ad6005

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/381495/

Comments