MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 f399604bc076733669dcfda48e00a914bb4ba757132d3d632b4c213f383ff542. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


SnakeKeylogger


Vendor detections: 10


Intelligence 10 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: f399604bc076733669dcfda48e00a914bb4ba757132d3d632b4c213f383ff542
SHA3-384 hash: 80e0f5833d0230bf18a96b171b5dc8dc6384892acfbcc93cc7c3baf4be638ca7d83204d3b33ff053765d0a5bf6d9fdc9
SHA1 hash: 57c1143bac6cf094a54d153924250279662122b0
MD5 hash: 0a052df628f6d5a4a16bc02f09a382e0
humanhash: potato-three-hydrogen-sixteen
File name:IMG62790-KGY.exe
Download: download sample
Signature SnakeKeylogger
Create hunting rule
File size:478'720 bytes
First seen:2021-02-09 06:35:13 UTC
Last seen:2021-02-09 13:56:22 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'666 x AgentTesla, 19'479 x Formbook, 12'209 x SnakeKeylogger)
ssdeep 12288:OUI2DwVx5fGbYsN1htAq4M2KsEDZ18+E/+B1jgBztd+R:R2OPtABec+E/+HjoM
Threatray 1'076 similar samples on MalwareBazaar
TLSH 3FA4ADDD722072EFC867D472DAA82CA8AB5174BB431B4603D42715EDDA4D98BCF244F2
Reporter abuse_ch
Tags:exe SnakeKeylogger


Avatar
abuse_ch
Malspam distributing SnakeKeylogger:

HELO: alfayrouzherbs.com
Sending IP: 103.99.1.142
From: alfayrouzherbs>atef@alfayrouzherbs.com
Subject: Re:Quotation Request For Replacement Order IMG62790-KGY
Attachment: IMG62790-KGY.rar (contains "IMG62790-KGY.exe")

Intelligence

File Origin
# of uploads :
3
# of downloads :
101
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
IMG62790-KGY.exe
Verdict:
Malicious activity
Analysis date:
2021-02-09 06:45:06 UTC
Tags:
evasion trojan
Link:
https://app.any.run/tasks/9e722f6c-2fb8-4e33-9ffd-ba245d7723b8

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Snake
Create hunting rule
Link:
https://www.capesandbox.com/analysis/116116/
Detection(s):
SecuriteInfo.com.Trojan.GenericKD.45702518.28227.2693.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a UDP request
Creating a file in the %AppData% directory
Creating a file in the %temp% directory
Launching a process
Creating a process with a hidden window
Deleting a recently created file
Unauthorized injection to a recently created process
Creating a file
DNS request
Sending an HTTP GET request
Sending a custom TCP request
Reading critical registry keys
Enabling autorun by creating a file
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
Snake Keylogger
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/602579
Signature
.NET source code contains potential unpacker
Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
May check the online IP address of the machine
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
PE file contains section with special chars
PE file has nameless sections
Sigma detected: Scheduled temp file as task from temp location
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file access)
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected Snake Keylogger
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/f399604bc076733669dcfda48e00a914bb4ba757132d3d632b4c213f383ff542/
Threat name:
ByteCode-MSIL.Spyware.Snakelogger
Create hunting rule
Status:
Malicious
First seen:
2021-02-09 01:08:42 UTC
File Type:
PE (.Net Exe)
Extracted files:
7
AV detection:
23 of 29 (79.31%)
Threat level:
  2/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=6omwas6aozztm2o47wsi4afjcs5uxj2xcmwt2yzljqqt6ob76vba._file
Verdict:
suspicious
Similar samples:
3e0a5536a96d3ea0b97b034c193bcb933f2dd8dfc8e159915951ab3842630b20
SnakeKeylogger
5b906f526f79a607ad3677bd9873c6a209a9952d93700629a4dd5b7b43ae347b
SnakeKeylogger
5ed34087532263b2a7797a258fadc6d243e1eaedc7bcd2860fbb7ee2e1e6306c
SnakeKeylogger
7248d0601627171f4663a14d2e7ca4d80dc8060cd8e126ff18b53d9139b5e423
SnakeKeylogger
924d2110a668acae185a205cc51772d088304b941e306ae369b7f62f788d3632
SnakeKeylogger
ae2820f20d20e5dc262e7e018e027646b4e5e4fcbc58cc6663dd077890b27e64
SnakeKeylogger
b3a68a5f2b68c4d0bb8d440144a968a680c954976bfeec54ae8074f616c0aded
SnakeKeylogger
c57e0fc02e939ef6d9f2e1d92cd74d6ed7df502a1c2ded6e8ae68f6bc5ff3aec
SnakeKeylogger
fe68726b96a9e7b3ac69958244d7e3d978b76f6844884fcd35515429dfa0f605
SnakeKeylogger
ffaecfe0e94157f82c2c6b162c2e97c081d2d6c7d64bab85cea7ec9684dde8c5
SnakeKeylogger
+ 1'066 additional samples on MalwareBazaar
Result
Malware family:
snakekeylogger
Create hunting rule
Score:
  10/10
Tags:
family:snakekeylogger keylogger ransomware spyware stealer
Link:
https://tria.ge/reports/210209-yq9dt73tca/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Looks up external IP address via web service
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Snake Keylogger
Snake Keylogger Payload
Unpacked files
SH256 hash:
c23144f6b7df04dcbbef3c8e4f92a7a1bcbcc4bd9c3fe2253a4a2c3f8cab2e43
MD5 hash:
5981143f306b660c4d39ee7bdd464a0d
SHA1 hash:
fff833536d084413042cfcf290f1ce901bb0ff0e
Link:
https://www.unpac.me/results/21f88094-af8e-4836-9239-934298848815/
SH256 hash:
a9c49247e373c85438f0f1b28bf57448e8ddbb6d358cee95f3b4c14b5af609e4
MD5 hash:
65bd19d77dc99fe1dd7987c27a577efb
SHA1 hash:
d66580095a05c323fca0bff55330f3eae75e5f03
Link:
https://www.unpac.me/results/21f88094-af8e-4836-9239-934298848815/
SH256 hash:
2ec41720b412f91f91daaefea38007449491b2c016238aa8f23b6866c89bc788
MD5 hash:
987ce346069cf47535e5ac57265c7228
SHA1 hash:
d0085325ed78fcac6d1f605753237abd1c40db22
Link:
https://www.unpac.me/results/21f88094-af8e-4836-9239-934298848815/
SH256 hash:
f399604bc076733669dcfda48e00a914bb4ba757132d3d632b4c213f383ff542
MD5 hash:
0a052df628f6d5a4a16bc02f09a382e0
SHA1 hash:
57c1143bac6cf094a54d153924250279662122b0
Link:
https://www.unpac.me/results/21f88094-af8e-4836-9239-934298848815/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Trojan
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/f399604bc076733669dcfda48e00a914bb4ba757132d3d632b4c213f383ff542

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_EXE_Packed_ConfuserExMod_BedsProtector
Create hunting rule
Author:ditekSHen
Description:Detects executables packed with ConfuserEx Mod Beds Protector
Rule name:Keylog_bin_mem
Create hunting rule
Author:James_inthe_box
Description:Contains Keylog
Rule name:MALWARE_Win_SnakeKeylogger
Create hunting rule
Author:ditekSHen
Description:Detects Snake Keylogger

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

SnakeKeylogger

rar b391ca0e2a82b81bf4ab029dd110812ac6ac6b6d89da22ca9de6e1d929335006

SnakeKeylogger

Executable exe f399604bc076733669dcfda48e00a914bb4ba757132d3d632b4c213f383ff542

(this sample)

  
Dropped by
MD5 8a15949bcb6970cad77244fb6af43f7b
  
Delivery method
Distributed via e-mail attachment
  
Dropped by
SHA256 b391ca0e2a82b81bf4ab029dd110812ac6ac6b6d89da22ca9de6e1d929335006
Cape
Cape
https://www.capesandbox.com/analysis/116116/

Comments