MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 ee81c7498b4343a8c9353957777a74cf2f615b3b0d8a09846eb06fcde700de63. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

SnakeKeylogger

Vendor detections: 11

Intelligence 11 IOCs YARA 1 File information Comments

SHA256 hash:	ee81c7498b4343a8c9353957777a74cf2f615b3b0d8a09846eb06fcde700de63
SHA3-384 hash:	9b81aae0e16c05daf0782fb61756d37cf9b7bcf08f858af72b2c90ac0f5a2e55e4bd187dd006b5e9d511e303d67552ce
SHA1 hash:	7c7a87429e9533c14497c799c085825ca68f5b4a
MD5 hash:	54827a45e0eec3ecb462066523d63e6c
humanhash:	seven-ceiling-ceiling-chicken
File name:	Payment 05-08-22.exe
Download:	download sample
Signature	SnakeKeylogger Create hunting rule
File size:	349'184 bytes
First seen:	2022-08-06 07:04:57 UTC
Last seen:	2022-08-06 08:01:59 UTC
File type:	exe
MIME type:	application/x-dosexec
ssdeep	6144:Ix59upXOxIEkA2kOGiUrFo2jCrAAAAAAAtA1AAtwAlaAKAWDhwLSLgw3SHNpYj/h:7p+1kA1DrFTjC+wLSLUYjrqPGAJpa
Threatray	3'827 similar samples on MalwareBazaar
TLSH	T1B4749D491B8C4CC9C8514834D2A1C56F412AFC314E2B9693FD9B3EDEEAFE58D61C9A07
TrID	63.5% (.EXE) Win64 Executable (generic) (10523/12/4) 12.2% (.EXE) OS/2 Executable (generic) (2029/13) 12.0% (.EXE) Generic Win/DOS Executable (2002/3) 12.0% (.EXE) DOS Executable Generic (2000/1)
File icon (PE):
dhash icon	f0f0f0f8b2e8fce6 (1 x SnakeKeylogger)
Reporter	abuse_ch
Tags:	exe SnakeKeylogger

Intelligence

File Origin

# of uploads :

# of downloads :

299

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

Payment 05-08-22.exe

Verdict:

No threats detected

Analysis date:

2022-08-06 07:07:45 UTC

Tags:

n/a

Link:

https://app.any.run/tasks/585e6cf1-2cf1-45f2-9b1d-b0daf6d539c2

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/296807/

Detection(s):

SecuriteInfo.com.IL.Trojan.MSILZilla.6758.22613.9363.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a file in the %temp% directory

Сreating synchronization primitives

Creating a process from a recently created file

Creating a file

DNS request

Sending an HTTP GET request

Reading critical registry keys

Creating a window

Unauthorized injection to a recently created process

Verdict:

Suspicious

Threat level:

5/10

Confidence:

100%

Tags:

obfuscated packed

Link:

https://www.filescan.io/uploads/62ee12f56336465f2a1886ca/reports/71dd9039-8005-43f2-8b7d-565b2b9dd94b/overview

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/027f3a7c-fcfc-43f9-a14b-f23723c693c0

Result

Threat name:

Snake Keylogger

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1047170

Signature

.NET source code references suspicious native API functions

Antivirus / Scanner detection for submitted sample

Antivirus detection for dropped file

Executable has a suspicious name (potential lure to open the executable)

Initial sample is a PE file and has a suspicious name

Machine Learning detection for dropped file

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

May check the online IP address of the machine

Multi AV Scanner detection for dropped file

Snort IDS alert for network traffic

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to steal Mail credentials (via file / registry access)

Yara detected Generic Downloader

Yara detected Snake Keylogger

Yara detected Telegram RAT

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/ee81c7498b4343a8c9353957777a74cf2f615b3b0d8a09846eb06fcde700de63/

Threat name:

ByteCode-MSIL.Spyware.SnakeLogger

Status:

Malicious

First seen:

2022-08-06 07:05:20 UTC

File Type:

PE+ (.Net Exe)

Extracted files:

AV detection:

21 of 26 (80.77%)

Threat level:

2/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=52a4osmlinb2rsjvhflxo6tuz4xwcwz3bwfatbdowbx43zya3zrq._file

Verdict:

malicious

SnakeKeylogger

449238734fa329e17dfa46fc52b056f4871acbb4594c55a5eff63a7bccfc34f3

SnakeKeylogger

4e4937d04ce933221fad993e7db49a096f11cefbe11c593da9041d5e375d6119

SnakeKeylogger

654a2eb34978a26d0460717b1455bcc81d0009ef8f0bb2f40b0492ae1cb8a969

SnakeKeylogger

905d818616f511420c41ece2186350b7bb82c452665728b85c0d3aac2f4f9eae

SnakeKeylogger

9d95821bb4404a72889a0dffdd949e174204e8d61fc1b4a9671013d7b265ea09

SnakeKeylogger

ee8ca295b5207447c2f6d92d2a964399b5d4f58d2787e2a7e0bdeb3282f55472

SnakeKeylogger

f23701b52c994665bb4f95c48306728400a78fa164a8adf2d66eaf5ffccce185

SnakeKeylogger

+ 3'817 additional samples on MalwareBazaar

Result

Malware family:

snakekeylogger

Score:

10/10

Tags:

family:snakekeylogger collection keylogger spyware stealer

Link:

https://tria.ge/reports/220806-hwh4baech2/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

outlook_office_path

outlook_win_path

Enumerates physical storage devices

Accesses Microsoft Outlook profiles

Looks up external IP address via web service

Checks computer location settings

Reads data files stored by FTP clients

Reads user/profile data of local email clients

Reads user/profile data of web browsers

Executes dropped EXE

Snake Keylogger

Snake Keylogger payload

Malware Config

C2 Extraction:

https://api.telegram.org/bot5410455012:AAE1SHAu8VAoPkLETxqziCFDZfyqp8DD7SA/sendMessage?chat_id=2008035906

Unpacked files

SH256 hash:

ee81c7498b4343a8c9353957777a74cf2f615b3b0d8a09846eb06fcde700de63

MD5 hash:

54827a45e0eec3ecb462066523d63e6c

SHA1 hash:

7c7a87429e9533c14497c799c085825ca68f5b4a

Link:

https://www.unpac.me/results/b17c6dae-f7e6-4101-8804-582877897a57/

Malware family:

SnakeKeylogger

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/ee81c7498b43/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Suspicious File

Score:

0.55

Link:

https://yomi.yoroi.company/submissions/ee81c7498b4343a8c9353957777a74cf2f615b3b0d8a09846eb06fcde700de63

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	INDICATOR_EXE_Packed_SmartAssembly Create hunting rule
Author:	ditekSHen
Description:	Detects executables packed with SmartAssembly

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/296807/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample