MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 e2f51241300d7e6249e13dd4c3dc9fc544f99bc6ad56a0c9dbce6e322142e2a1. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

SnakeKeylogger

Vendor detections: 14

Intelligence 14 IOCs YARA 10 File information Comments

SHA256 hash:	e2f51241300d7e6249e13dd4c3dc9fc544f99bc6ad56a0c9dbce6e322142e2a1
SHA3-384 hash:	f69ed32f4fca1af509846e5c151e206542d1f6551cc811db11c303f6bcef8a23f71881c3e55b9816bd54e2732d7503e0
SHA1 hash:	1cb87144408e46d0ac83a7bf8ba91536e63d0263
MD5 hash:	5a9f1ab0a8c2ec155873908a9b74d8a3
humanhash:	ink-alpha-king-jersey
File name:	proforma.exe
Download:	download sample
Signature	SnakeKeylogger Create hunting rule
File size:	511'356 bytes
First seen:	2022-03-29 06:40:49 UTC
Last seen:	2022-03-29 08:13:46 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	56a78d55f3f7af51443e58e0ce2fb5f6 (728 x GuLoader, 452 x Formbook, 295 x Loki)
ssdeep	6144:ubE/HUFfvyJqtYNkM8jX59xdlh70yPacxBNhFSVmEpZIJRuMZHjPZZ9a6Xe4gtWK:ubJfasyGMuX59xdlhIHcPsV0buk1a6o
Threatray	2'877 similar samples on MalwareBazaar
TLSH	T1CAB48AA06F41CCD9CDD407340566991AA2327E3ABF788D4E0ECEF95A7F733C29849925
File icon (PE):
dhash icon	71cce8cc6db2d469 (1 x SnakeKeylogger)
Reporter	abuse_ch
Tags:	exe SnakeKeylogger

Intelligence

File Origin

# of uploads :

# of downloads :

208

Origin country :

n/a

Vendor Threat Intelligence

Detection:

Snake

Link:

https://www.capesandbox.com/analysis/258937/

Detection(s):

SecuriteInfo.com.Trojan.NSISX.Spy.Gen.2.906.20951.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

Creating a file in the %temp% directory

Creating a process from a recently created file

Creating a file in the %AppData% subdirectories

Сreating synchronization primitives

DNS request

Sending an HTTP GET request

Sending a custom TCP request

Reading critical registry keys

Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch

Unauthorized injection to a recently created process

Unauthorized injection to a recently created process by context flags manipulation

Forced shutdown of a browser

Result

Malware family:

n/a

Score:

5/10

Tags:

n/a

Link:

https://dragonfly.certego.net/analysis/11923/overview

Behaviour

MalwareBazaar

Verdict:

Suspicious

Threat level:

5/10

Confidence:

100%

Link:

https://www.filescan.io/uploads/6242aa021f2042394848a329/reports/336e8a4d-3b12-4301-af0a-70fddb7c0b78/overview

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Snake Keylogger

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/f52da6f2-5491-4b2e-a152-e3ff993ceaf1

Result

Threat name:

Snake Keylogger

Detection:

malicious

Classification:

troj.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/966496

Signature

.NET source code references suspicious native API functions

Antivirus / Scanner detection for submitted sample

Detected unpacking (creates a PE file in dynamic memory)

Found evasive API chain (may stop execution after reading information in the PEB, e.g. number of processors)

Found malware configuration

Injects a PE file into a foreign processes

Malicious sample detected (through community Yara rule)

May check the online IP address of the machine

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Yara detected Snake Keylogger

Yara detected Telegram RAT

Behaviour

Behavior Graph:

Download SVG

Detection:

snakekeylogger

Link:

https://mwdb.cert.pl/sample/e2f51241300d7e6249e13dd4c3dc9fc544f99bc6ad56a0c9dbce6e322142e2a1/

Threat name:

Win32.Trojan.SnakeKeylogger

Status:

Malicious

First seen:

2022-03-29 06:41:10 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

21 of 42 (50.00%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=4l2reqjqbv7gespbhxkmhxe7yvcptg6gvvlkbso3zzxdeikc4kqq._file

Verdict:

malicious

SnakeKeylogger

3e22ce49e987a1d097778730877bd196bca1182772dbce70d75e109e1ed64702

SnakeKeylogger

41920913663df199683fb9f2970f4da7d73048ee8d639cc79939a20930b49910

SnakeKeylogger

7a35121d4cd8c78978b81eeb043aabf6c7c8246c4eef93322c029903a0677775

SnakeKeylogger

83a5ba65b562afb66309deae1567c919f0e08de04e2c00bb85c55102fe023b0b

SnakeKeylogger

a07cbbd2eb1a433275f36b62b5f850aebe498091e1926c59a02c54d5bf0b4863

SnakeKeylogger

d9c3080d262ce878565455b1d34ab1ed0c45e470cb6651de7e168150807c7d1c

SnakeKeylogger

+ 2'867 additional samples on MalwareBazaar

Result

Malware family:

snakekeylogger

Score:

10/10

Tags:

family:snakekeylogger collection keylogger persistence spyware stealer

Link:

https://tria.ge/reports/220329-hfrqhsgchk/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

outlook_office_path

outlook_win_path

Enumerates physical storage devices

Suspicious use of SetThreadContext

Accesses Microsoft Outlook profiles

Adds Run key to start application

Looks up external IP address via web service

Loads dropped DLL

Reads data files stored by FTP clients

Reads user/profile data of local email clients

Reads user/profile data of web browsers

Executes dropped EXE

Snake Keylogger

Snake Keylogger Payload

Unpacked files

SH256 hash:

1df4c47c3df5edbd64ffc44ebba76ac81dd375dfe80d619e3c3cb50368fe475e

MD5 hash:

016301b14173a8e193578c1890c2e777

SHA1 hash:

76e13a36e3100f0db46a2aff59b49d98ba2d0264

Link:

https://www.unpac.me/results/c22e11c4-cb06-4027-a444-2b6528c7a199/

SH256 hash:

fd8c759976a398d5e4502c528899564e4caa01c1b1e0a7df23a8c571d15d8375

MD5 hash:

46d2ca181c7099c4e8dacf31c74bdd1b

SHA1 hash:

135f338992cdd3670b2995d908abeb9f05c28eef

Link:

https://www.unpac.me/results/c22e11c4-cb06-4027-a444-2b6528c7a199/

SH256 hash:

63ec8f9143d5dbf4c1b8635017fdd03a283c238e7ca9e3d5826cbca93c9e734f

MD5 hash:

a56e7f39f25683cc018fe24074abbb3d

SHA1 hash:

edeca5a831ece09a24118175882adda92e8eab9a

Link:

https://www.unpac.me/results/c22e11c4-cb06-4027-a444-2b6528c7a199/

SH256 hash:

073bd4b12b85caa4c01ea9ab763e8cb3aac9c37e6fdb6aa197e1830e2538fd77

MD5 hash:

e8f1ec2bfb301fc2570ee19923e0fc1d

SHA1 hash:

88d8ee17669c8e25ea5296283069df99c39b9517

Link:

https://www.unpac.me/results/c22e11c4-cb06-4027-a444-2b6528c7a199/

SH256 hash:

e2f51241300d7e6249e13dd4c3dc9fc544f99bc6ad56a0c9dbce6e322142e2a1

MD5 hash:

5a9f1ab0a8c2ec155873908a9b74d8a3

SHA1 hash:

1cb87144408e46d0ac83a7bf8ba91536e63d0263

Link:

https://www.unpac.me/results/c22e11c4-cb06-4027-a444-2b6528c7a199/

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/e2f51241300d/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Password Stealer

Score:

0.90

Link:

https://yomi.yoroi.company/submissions/e2f51241300d7e6249e13dd4c3dc9fc544f99bc6ad56a0c9dbce6e322142e2a1

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	INDICATOR_SUSPICIOUS_Binary_References_Browsers Create hunting rule
Author:	ditekSHen
Description:	Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers.

Rule name:	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook Create hunting rule
Author:	ditekSHen
Description:	Detects executables with potential process hoocking

Rule name:	INDICATOR_SUSPICIOUS_EXE_References_Messaging_Clients Create hunting rule
Author:	ditekSHen
Description:	Detects executables referencing many email and collaboration clients. Observed in information stealers

Rule name:	INDICATOR_SUSPICIOUS_EXE_TelegramChatBot Create hunting rule
Author:	ditekSHen
Description:	Detects executables using Telegram Chat Bot

Rule name:	MALWARE_Win_SnakeKeylogger Create hunting rule
Author:	ditekSHen
Description:	Detects Snake Keylogger

Rule name:	MAL_Envrial_Jan18_1 Create hunting rule
Author:	Florian Roth
Description:	Detects Encrial credential stealer malware
Reference:	https://twitter.com/malwrhunterteam/status/953313514629853184

Rule name:	MAL_Envrial_Jan18_1_RID2D8C Create hunting rule
Author:	Florian Roth
Description:	Detects Encrial credential stealer malware
Reference:	https://twitter.com/malwrhunterteam/status/953313514629853184

Rule name:	MAL_Lokibot_Stealer Create hunting rule
Description:	Detects Lokibot Stealer Variants

Rule name:	pe_imphash Create hunting rule

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/258937/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample