MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 f60897df461030a6640c3877dd00d8dda07166f66ba3fcbff47f1a41d8dd8127. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

SnakeKeylogger

Vendor detections: 8

Intelligence 8 IOCs YARA 9 File information Comments

SHA256 hash:	f60897df461030a6640c3877dd00d8dda07166f66ba3fcbff47f1a41d8dd8127
SHA3-384 hash:	7653b156cad7118701494f199b301a7b58dc4d79b5e661bc233f322930f94cb6318e6759aba14e459c83c22b715715f9
SHA1 hash:	63da1660a3ba1e03b95262570f45f68af473573d
MD5 hash:	80adfdfc2141282ace1ab0241671d15a
humanhash:	lamp-zulu-skylark-kitten
File name:	00990900000000000000090.exe
Download:	download sample
Signature	SnakeKeylogger Create hunting rule
File size:	304'369 bytes
First seen:	2021-07-23 09:47:55 UTC
Last seen:	2021-07-23 11:11:05 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	b89f3af6e8726c625cba8a18b46cbaf3 (2 x AgentTesla, 2 x Formbook, 1 x OskiStealer)
ssdeep	6144:2CWdjfLq1XJQv8Mmj2dNWwpSJqiroEl+NxyMlsduahMU2:hJNj2PWOSJqAMNxfq4YMU2
Threatray	365 similar samples on MalwareBazaar
TLSH	T1DA54F18EBB0DEA46E4824E7CBC41C2BF15647771645F0877FBC11B1A6DE229C6A62C07
dhash icon	64f4d4d4ecf4d4d4 (82 x SnakeKeylogger, 34 x AgentTesla, 24 x Formbook)
Reporter	abuse_ch
Tags:	exe SnakeKeylogger

Intelligence

File Origin

# of uploads :

# of downloads :

130

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

00990900000000000000090.exe

Verdict:

Malicious activity

Analysis date:

2021-07-23 10:05:22 UTC

Tags:

evasion trojan

Link:

https://app.any.run/tasks/102cb8c8-c60e-4890-bd97-2c2f95861d4d

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/173584/

Detection(s):

SecuriteInfo.com.W32.AIDetect.malware2.2241.22863.UNOFFICIAL

Result

Verdict:

UNKNOWN

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Snake Keylogger

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/9d24b0f9-5049-4149-9063-0d0116e961a9

Result

Threat name:

Snake Keylogger

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/820671

Signature

.NET source code references suspicious native API functions

Contains functionality to capture screen (.Net source)

Found malware configuration

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Maps a DLL or memory area into another process

May check the online IP address of the machine

Multi AV Scanner detection for submitted file

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to steal Mail credentials (via file access)

Writes to foreign memory regions

Yara detected Snake Keylogger

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/f60897df461030a6640c3877dd00d8dda07166f66ba3fcbff47f1a41d8dd8127/

Threat name:

Win32.Infostealer.Generic

Status:

Suspicious

First seen:

2021-07-23 04:51:13 UTC

AV detection:

11 of 46 (23.91%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=6yejpx2gcaykmzamhb352agy3wqhczxwnor7zp7up4nedwg5qetq._file

Verdict:

malicious

SnakeKeylogger

12fd71647d0ddc3a5619975288f310047162f1258765d337efaee411c9f7e7f4

SnakeKeylogger

42e71a6e0d1db101fe1fb3f5d8f067aea2fda52b24050dbadea6d8ebdddc4a81

SnakeKeylogger

80409fb80c399c6e5b75f6cf96199a95b1f97b101c42b74143bd7edc5ef53a74

SnakeKeylogger

83fef9d67405ca7975e04fc8c66e7d298809f90260d1b287f709a3bae49f502e

SnakeKeylogger

ab3bd41484af4af797f93d64c2c420accfdb426c635bdcbad90bfef989b2f4db

SnakeKeylogger

c751f9d546d20216bdc996ecdcea6ee9f57771682879383621bff83a8229e384

SnakeKeylogger

e0da065f5de30c5ba0f494a5e042fadef310039fef35896a61756d49c6e21611

SnakeKeylogger

f65f899fc6cc494d6c59311f4a0519fa6ba0c9859c8ce13a5adc30aa9fd1817b

SnakeKeylogger

+ 355 additional samples on MalwareBazaar

Result

Malware family:

n/a

Score:

6/10

Tags:

n/a

Link:

https://tria.ge/reports/210723-bstrernc2a/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: MapViewOfSection

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Suspicious use of SetThreadContext

Looks up external IP address via web service

Unpacked files

SH256 hash:

44a794be84b452174915e4d461613b25d60a0959e59028d65f67c975282b0085

MD5 hash:

5fa95b6741cc6a759a0671ae6a78ca51

SHA1 hash:

addcd5570df63bd00f9ef53f26fbf02060846ed6

Link:

https://www.unpac.me/results/845ed077-ba94-445a-9a9b-724e9d663ad1/

SH256 hash:

f60897df461030a6640c3877dd00d8dda07166f66ba3fcbff47f1a41d8dd8127

MD5 hash:

80adfdfc2141282ace1ab0241671d15a

SHA1 hash:

63da1660a3ba1e03b95262570f45f68af473573d

Link:

https://www.unpac.me/results/845ed077-ba94-445a-9a9b-724e9d663ad1/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/f60897df461030a6640c3877dd00d8dda07166f66ba3fcbff47f1a41d8dd8127

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	INDICATOR_EXE_Packed_Fody Create hunting rule
Author:	ditekSHen
Description:	Detects executables manipulated with Fody

Rule name:	INDICATOR_SUSPICIOUS_Binary_References_Browsers Create hunting rule
Author:	ditekSHen
Description:	Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers.

Rule name:	INDICATOR_SUSPICIOUS_EXE_Referenfces_Messaging_Clients Create hunting rule
Author:	ditekSHen
Description:	Detects executables referencing many email and collaboration clients. Observed in information stealers

Rule name:	INDICATOR_SUSPICOIUS_EXE_DotNetProcHook Create hunting rule
Author:	ditekSHen
Description:	Detects executables with potential process hoocking

Rule name:	MALWARE_Win_SnakeKeylogger Create hunting rule
Author:	ditekSHen
Description:	Detects Snake Keylogger

Rule name:	MAL_Envrial_Jan18_1 Create hunting rule
Author:	Florian Roth
Description:	Detects Encrial credential stealer malware
Reference:	https://twitter.com/malwrhunterteam/status/953313514629853184

Rule name:	pe_imphash Create hunting rule

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

Rule name:	Telegram_Exfiltration_Via_Api Create hunting rule
Author:	lsepaolo

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/173584/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample