MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 f21588a5a2118f8b06488d6ee22be10c90016e672c40e20ea92572fd955edde3. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



SnakeKeylogger


Vendor detections: 11



SHA256 hash: f21588a5a2118f8b06488d6ee22be10c90016e672c40e20ea92572fd955edde3
SHA3-384 hash: 3d4df7596df44ce0b9351c77b7fa3a1f2ea7b88135ab9b8102ee14b7a51a2249dbfebbd78058fe6098306885aff5c94b
SHA1 hash: f8372831247316dad9651f0f7dc8c94adfcc26bd
MD5 hash: 432dafd9a9d895a6be98225d93533bc9
humanhash: louisiana-michigan-blue-winner
File name:Specifications_Details_20337_FLQ.exe
Signature SnakeKeylogger
File size:515'072 bytes
First seen:2021-07-22 11:31:42 UTC
Last seen:2021-07-22 12:46:40 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'744 x AgentTesla, 19'609 x Formbook, 12'242 x SnakeKeylogger). This is the imphash shared by practically every .NET executable, whose native import table holds a single entry (mscoree.dll!_CorExeMain); it tells you only that the sample is a managed binary and carries no family-specific signal. The family counts reflect how common .NET stealers are on MalwareBazaar, not similarity between them.
ssdeep 12288:uSQ/Nqlqn3cbReqAora+i9er+ji0TjD2yrkMxz:UNBn3cFSUlSjBkM
Threatray 329 similar samples on MalwareBazaar
TLSH T17FB40131A810AC71C75B65B269A7E9000FB1DD53DB41E28967883EBF34767F182CA93D
dhash icon 0730d8d4d0d83087 (2 x SnakeKeylogger)
Reporter lowmal3
Tags:exe SnakeKeylogger
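The imphash listed above is computed from the PE import table alone, and a managed executable imports nothing but the CLR bootstrap. The following Python is an added example, not MalwareBazaar or pefile code: it reproduces the usual imphash recipe (lowercased dll.function pairs in import-table order, comma-joined, MD5, with the dll/ocx/sys extension stripped; pefile's resolution of well-known ordinals is omitted) and checks that the value on this entry is exactly the imphash of a .NET import table. The native import list is constructed for contrast.

```python
"""Import hash (imphash) from an import table, and why the value on this
entry carries no family signal.

Added example, not MalwareBazaar or pefile code. It follows the common
imphash recipe; resolution of well-known ordinals (ws2_32, oleaut32) is
left out. NATIVE_IMPORTS is a constructed import table used for contrast.
"""
import hashlib

# Library-name extensions the recipe strips before hashing.
_STRIP_EXTS = ("dll", "ocx", "sys")


def imphash(imports):
    """imports: iterable of (dll_name, function_name_or_ordinal) in the
    order they appear in the import table. Returns the hex MD5."""
    parts = []
    for dll, func in imports:
        lib = dll.lower()
        base, dot, ext = lib.rpartition(".")
        if dot and ext in _STRIP_EXTS:
            lib = base
        # Imports by ordinal are written as ord<number>.
        name = f"ord{func}" if isinstance(func, int) else func.lower()
        parts.append(f"{lib}.{name}")
    return hashlib.md5(",".join(parts).encode()).hexdigest()


# The entire native import table of a managed (.NET) EXE: the CLR bootstrap.
DOTNET_IMPORTS = [("mscoree.dll", "_CorExeMain")]

# Constructed native import table, nothing to do with this sample.
NATIVE_IMPORTS = [
    ("KERNEL32.dll", "VirtualAllocEx"),
    ("KERNEL32.dll", "WriteProcessMemory"),
    ("ADVAPI32.dll", "RegSetValueExW"),
]

# The value shown on this entry.
ENTRY_IMPHASH = "f34d5f2d4577ed6d9ceec516c1f5a744"


def is_generic_dotnet_imphash(value):
    """True when value is the imphash every mscoree-hosted .NET EXE shares,
    i.e. when it identifies the runtime rather than the malware."""
    return value.lower() == imphash(DOTNET_IMPORTS)


if __name__ == "__main__":
    print("dotnet :", imphash(DOTNET_IMPORTS), is_generic_dotnet_imphash(ENTRY_IMPHASH))
    print("native :", imphash(NATIVE_IMPORTS))
```

Pivoting on this imphash in a hunt returns every .NET binary in the corpus; for managed samples use ssdeep, TLSH, the dhash of the icon, or the unpacked-payload hashes further down instead.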

Intelligence


File Origin
# of uploads :
2
# of downloads :
118
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
Specifications_Details_20337_FLQ.exe
Verdict:
Suspicious activity
Analysis date:
2021-07-22 11:32:39 UTC
Tags:
n/a

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
Snake Keylogger
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Signature
.NET source code references suspicious native API functions
Found malware configuration
Injects a PE file into a foreign processes
Injects files into Windows application
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
May check the online IP address of the machine
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
System process connects to network (likely due to code injection or exploit)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Mail credentials (via file access)
Writes to foreign memory regions
Yara detected Snake Keylogger
Behaviour
Behavior Graph (ID 452480; sample Specifications_Details_2033...; start date 22/07/2021; architecture WINDOWS; score 100)

Root (submitted sample)
  Signatures: Found malware configuration; Malicious sample detected (through community Yara rule); Multi AV Scanner detection for dropped file; 6 other signatures
  Started: notepad.exe (process 6); Specifications_Details_20337_FLQ.exe (process 10); notepad.exe (process 12)

Process 6: notepad.exe
  Dropped: C:\Users\user\AppData\Local\...\notepad.exe (PE32); C:\Users\user\...\notepad.exe:Zone.Identifier (ASCII)
  Signatures: Writes to foreign memory regions; Injects a PE file into a foreign processes; Injects files into Windows application
  Started: notepad.exe (process 14)

Process 10: Specifications_Details_20337_FLQ.exe
  Dropped: C:\Users\user\AppData\Roaming\...\notepad.exe (PE32); C:\...\Specifications_Details_20337_FLQ.exe (PE32); C:\Users\user\...\notepad.exe:Zone.Identifier (ASCII); 2 other malicious files
  Started: Specifications_Details_20337_FLQ.exe (process 18)

Process 12: notepad.exe
  Started: notepad.exe (process 20)

Process 14: notepad.exe
  Network: 172.67.188.154:443 (CLOUDFLARENETUS, United States; local port 49760); checkip.dyndns.org
  Signatures: System process connects to network (likely due to code injection or exploit); Multi AV Scanner detection for dropped file; May check the online IP address of the machine; Injects files into Windows application

Process 18: Specifications_Details_20337_FLQ.exe
  Network: checkip.dyndns.com 216.146.43.70 (DYNDNSUS, United States; local ports 49729, 49730, 49733); freegeoip.app 104.21.19.200:443 (CLOUDFLARENETUS, United States; local ports 49731, 49785); 2 other IPs or domains
  Signatures: Machine Learning detection for dropped file

Process 20: notepad.exe
  Network: checkip.dyndns.org
  Signatures: Tries to steal Mail credentials (via file access); Tries to harvest and steal ftp login credentials; Tries to harvest and steal browser information (history, passwords, etc)
Threat name:
ByteCode-MSIL.Downloader.Seraph
Status:
Malicious
First seen:
2021-07-22 09:28:30 UTC
AV detection:
19 of 28 (67.86%)
Threat level:
  3/5
Result
Malware family:
snakekeylogger
Score:
  10/10
Tags:
family:snakekeylogger keylogger persistence spyware stealer
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Adds Run key to start application
Looks up external IP address via web service
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Snake Keylogger
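The two reports above describe one chain: the dropper writes a copy of itself named notepad.exe into the user's profile (with a Zone.Identifier stream), adds a Run key, starts the copy, which injects into a real notepad.exe, asks checkip.dyndns.org / freegeoip.app for the machine's public IP and reads browser, FTP-client and mail-client credential stores. The following Python is an added example of hunting for that chain in process, file, registry and DNS telemetry; it is not code from MalwareBazaar or from either sandbox. The event records are constructed Sysmon-style dicts: their field names, the "Updates" drop directory and the DDNS updater path are assumptions made for the example, since the reports elide the real drop paths.

```python
"""Hunt for the behaviours reported on this entry in endpoint telemetry.

Added example, not code from MalwareBazaar or from either sandbox. EVENTS
are constructed Sysmon-style records; field names, the "Updates" drop
directory and the DynDNS updater path are assumptions for the example.
"""
import ntpath

# Domains the sample queried for its public IP, and addresses it contacted,
# as listed in the reports above. All are shared infrastructure (DynDNS,
# Cloudflare), so on their own they are weak indicators and score low.
IP_CHECK_DOMAINS = {"checkip.dyndns.org", "checkip.dyndns.com", "freegeoip.app"}
CONTACTED_IPS = {"216.146.43.70", "104.21.19.200", "172.67.188.154"}

SEVERITY = {"low": 1, "medium": 3, "high": 5}


def _under(path, prefix):
    return path.lower().startswith(prefix.lower())


def check_event(ev):
    """Return [(rule_name, severity), ...] for a single event."""
    hits = []
    kind = ev["event"]
    image = ev.get("image", "")
    target = ev.get("target", "")

    # The real notepad.exe lives under C:\Windows; the sample runs its own
    # copy from the user profile (the "Injects files into Windows
    # application" signature above is the copy injecting into notepad).
    if (kind == "ProcessCreate"
            and ntpath.basename(image).lower() == "notepad.exe"
            and not _under(image, "C:\\Windows\\")):
        hits.append(("notepad_outside_windows_dir", "high"))

    # Zone.Identifier written onto a PE in AppData: mark-of-the-web on a
    # dropped executable rather than on a browser download.
    if (kind == "FileCreateStreamHash"
            and target.lower().endswith(".exe:zone.identifier")
            and "\\appdata\\" in target.lower()):
        hits.append(("motw_on_pe_in_appdata", "medium"))

    # "Adds Run key to start application"
    if kind == "RegistryValueSet" and "\\currentversion\\run\\" in target.lower():
        hits.append(("run_key_persistence", "medium"))

    # "Looks up external IP address via web service": weight it by who asks.
    if kind == "DnsQuery" and ev.get("query", "").lower() in IP_CHECK_DOMAINS:
        sev = "medium" if "\\users\\" in image.lower() else "low"
        hits.append(("external_ip_lookup", sev))

    if kind == "NetworkConnect" and ev.get("dst") in CONTACTED_IPS:
        hits.append(("contacts_ip_from_report", "low"))
    return hits


def score_processes(events):
    """Aggregate hits per pid -> {pid: (score, sorted rule names)}."""
    scores = {}
    for ev in events:
        for rule, sev in check_event(ev):
            entry = scores.setdefault(ev["pid"], [0, set()])
            entry[0] += SEVERITY[sev]
            entry[1].add(rule)
    return {pid: (score, sorted(rules)) for pid, (score, rules) in scores.items()}


# Constructed telemetry replaying the reported chain ("Updates" is assumed).
DROPPER = r"C:\Users\user\Downloads\Specifications_Details_20337_FLQ.exe"
DROPPED = r"C:\Users\user\AppData\Roaming\Updates\notepad.exe"
EVENTS = [
    {"event": "ProcessCreate", "pid": 1188, "image": DROPPER, "parent": r"C:\Windows\explorer.exe"},
    {"event": "FileCreateStreamHash", "pid": 1188, "target": DROPPED + ":Zone.Identifier"},
    {"event": "RegistryValueSet", "pid": 1188,
     "target": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\notepad"},
    {"event": "ProcessCreate", "pid": 4412, "image": DROPPED, "parent": DROPPER},
    {"event": "DnsQuery", "pid": 4412, "image": DROPPED, "query": "checkip.dyndns.org"},
    {"event": "NetworkConnect", "pid": 4412, "image": DROPPED, "dst": "216.146.43.70", "port": 80},
    # Benign controls: the real notepad, and a DDNS updater that legitimately
    # asks for its public IP (constructed path).
    {"event": "ProcessCreate", "pid": 5000, "image": r"C:\Windows\System32\notepad.exe",
     "parent": r"C:\Windows\explorer.exe"},
    {"event": "DnsQuery", "pid": 6001, "image": r"C:\Program Files\DynDNS\updater.exe",
     "query": "checkip.dyndns.org"},
]

if __name__ == "__main__":
    for pid, (score, rules) in sorted(score_processes(EVENTS).items()):
        print(pid, score, ", ".join(rules))
```

The scoring is deliberately per process rather than per event: the IP-check domains and the Cloudflare and DynDNS addresses appear in plenty of benign traffic, so they only matter once the same process is also a notepad.exe running out of AppData or has just written a Run key.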
Unpacked files
SHA256 hash:
4f2b221420d635dcbc6e33b8d613671cc2948b488c47018ed6f39a2ed52d10ac
MD5 hash:
7bd8f0def037dbbe9ba63d6f44b83c9a
SHA1 hash:
e925a9f39d3be231bc7e6f4da43cbe292cf92db1
SHA256 hash:
6d18f25edd8c3a673102a5e38c7b503fdc7d5933897aa312761dfc6a31d361bd
MD5 hash:
44de0f3af019f087cadcda2f40774db4
SHA1 hash:
c3d527e9ee22b06a4ad7e21d0de710eeb50e863d
SHA256 hash:
0ab57a04302fc3292f2786125c5fcee26dfd5b1987d4c7e60c48b1ae52675301
MD5 hash:
8e70928a7672abc6718365241fcab827
SHA1 hash:
759349b6ca5c7c01e3af138e8f3c691293afa330
SHA256 hash:
f21588a5a2118f8b06488d6ee22be10c90016e672c40e20ea92572fd955edde3
MD5 hash:
432dafd9a9d895a6be98225d93533bc9
SHA1 hash:
f8372831247316dad9651f0f7dc8c94adfcc26bd
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_SUSPICIOUS_EXE_Embedded_Gzip_B64Encoded_File
Author:ditekSHen
Description:Detects executables containing base64 encoded gzip files
Rule name:pe_imphash
Rule name:Skystars_Malware_Imphash
Author:Skystars LightDefender
Description:imphash

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

SnakeKeylogger

Executable exe f21588a5a2118f8b06488d6ee22be10c90016e672c40e20ea92572fd955edde3

(this sample)

  
Delivery method
Distributed via e-mail attachment

Comments