MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 f6615944bcd14eb2cc0169ddcc82da15b04f9f20f7e4f646118550c9d6d49b90. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

SnakeKeylogger

Vendor detections: 13

Intelligence 13 IOCs YARA 12 File information Comments

SHA256 hash:	f6615944bcd14eb2cc0169ddcc82da15b04f9f20f7e4f646118550c9d6d49b90
SHA3-384 hash:	dfbe78c2dd2f4b9817caf08082e39e2f63e8ffcae7c071b4506a37648b9337a00f9b3a4a5786f95caa2790d62cbfb859
SHA1 hash:	e2a997c5e591719aac831f3e04424958588b1d8f
MD5 hash:	36c2fa1ca1990fdd7d05cf420d964b0b
humanhash:	bulldog-wisconsin-twenty-alpha
File name:	bank in slip.exe
Download:	download sample
Signature	SnakeKeylogger Create hunting rule
File size:	326'656 bytes
First seen:	2021-11-16 13:37:15 UTC
Last seen:	2021-11-16 15:32:18 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'742 x AgentTesla, 19'607 x Formbook, 12'242 x SnakeKeylogger)
ssdeep	6144:Pkc4v6sV0FVoTewHXYDzC2e+JVydGKomLeGfuJRIdOuEBA0qzC:c3SsSfZwHX0rPOdGKgfbqO
Threatray	1'666 similar samples on MalwareBazaar
TLSH	T13A64CF1976EC4B0BC4AB6BF9ABA285588772F1781237E31D1E8070C729E5B124F413B7
Reporter	abuse_ch
Tags:	exe SnakeKeylogger

Intelligence

File Origin

# of uploads :

# of downloads :

128

Origin country :

n/a

Vendor Threat Intelligence

Detection:

Snake

Link:

https://www.capesandbox.com/analysis/206460/

Detection(s):

SecuriteInfo.com.Trojan.PackedNET.1102.32472.22201.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

DNS request

Sending a UDP request

Unauthorized injection to a recently created process

Creating a file

Connection attempt

Sending an HTTP GET request

Sending a custom TCP request

Reading critical registry keys

Forced shutdown of a browser

Verdict:

Suspicious

Threat level:

5/10

Confidence:

100%

Tags:

obfuscated packed

Link:

https://www.filescan.io/uploads/6193b43e43e8f62b669560e4/reports/ffe822fd-fc3b-4b30-aa57-ec45e239cc8c/overview

Result

Verdict:

UNKNOWN

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Snake Keylogger

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/9336c732-9b9b-4395-98b5-6616a3beba67

Result

Threat name:

Snake Keylogger

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/890388

Signature

.NET source code contains potential unpacker

.NET source code references suspicious native API functions

Found malware configuration

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

May check the online IP address of the machine

Multi AV Scanner detection for domain / URL

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to steal Mail credentials (via file / registry access)

Yara detected AntiVM3

Yara detected Snake Keylogger

Yara detected Telegram RAT

Behaviour

Behavior Graph:

Download SVG

Detection:

snakekeylogger

Link:

https://mwdb.cert.pl/sample/f6615944bcd14eb2cc0169ddcc82da15b04f9f20f7e4f646118550c9d6d49b90/

Threat name:

ByteCode-MSIL.Trojan.Snakekeylogger

Status:

Malicious

First seen:

2021-11-16 13:38:07 UTC

AV detection:

20 of 28 (71.43%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=6zqvsrf42fhlftabnho4zaw2cwye7hza67spmrqrqvimtvwutoia._file

Verdict:

malicious

SnakeKeylogger

252225cfd4ec7a7b61e5138d1587a4a212909f596004b8a157fe9f0ed4c6496b

SnakeKeylogger

3776aaf0ca18645e4e245513a4aa3279cb6240221dac7f2401b63e8fba00ffbf

SnakeKeylogger

66031e4ff03fc8ec6928197fd807124ae2128324865b792ae1be3297a01d7fbd

SnakeKeylogger

726e779529f34143e4d094f0252f3c6e04547d062970d26c0cb553c57c98b1ed

SnakeKeylogger

9ff44ba44707bbdda0a858a2d0c11725b146fb4671ed91295ce2e0a3ac8b175c

SnakeKeylogger

c69aa221ec1df4acc67aac0fd7a1e7dcefa181f496b21839576343fd7fa8fb8d

SnakeKeylogger

d33dac65118a88b15580c028deba8f4ecc95ff7d0a316259612264a0b6e06d11

SnakeKeylogger

d57a5e8835ba746d89d2c4ecc9f904793b485c6affc1b9901486c84eb88f4e1e

SnakeKeylogger

d5a760147bf03d771e76984af79221d7a8f6e0b9ddd8d542b39d782c1abf9d3c

SnakeKeylogger

+ 1'656 additional samples on MalwareBazaar

Result

Malware family:

snakekeylogger

Score:

10/10

Tags:

family:snakekeylogger collection keylogger spyware stealer

Link:

https://tria.ge/reports/211116-qxd5rababj/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

outlook_office_path

outlook_win_path

Suspicious use of SetThreadContext

Accesses Microsoft Outlook profiles

Looks up external IP address via web service

Reads data files stored by FTP clients

Reads user/profile data of local email clients

Reads user/profile data of web browsers

Snake Keylogger

Unpacked files

SH256 hash:

29f7d6ea06b162f3958d90e90f4dca764d61c4a59345014cc82580e6dece68ad

MD5 hash:

22db181b3bb1a0b3ad0fc8226d0482ab

SHA1 hash:

ffa90d1b4a472a3421385ac34b8cda3e71163c49

Link:

https://www.unpac.me/results/ddc66d83-ae85-4de5-be2f-ab116381a818/

SH256 hash:

86fe170cc6dd3a576807c1192a06ead68bf210f9ccd14f1a81d4f44c2dbcc25f

MD5 hash:

bf5c170790a9378101dbc312303925e3

SHA1 hash:

bddaf21c02ba5cec7c4dfd1b1f289e23714a8ba8

Link:

https://www.unpac.me/results/ddc66d83-ae85-4de5-be2f-ab116381a818/

SH256 hash:

6f9bb94c487403bebdc42a62d64e4a5fc5961468cb9afe77a944cddc7f3612cb

MD5 hash:

4acd77bbb1bc13d9fd405d9bc7369ce7

SHA1 hash:

6c57f834093aa0ebd31a2e7f728117f881402433

Link:

https://www.unpac.me/results/ddc66d83-ae85-4de5-be2f-ab116381a818/

SH256 hash:

f6615944bcd14eb2cc0169ddcc82da15b04f9f20f7e4f646118550c9d6d49b90

MD5 hash:

36c2fa1ca1990fdd7d05cf420d964b0b

SHA1 hash:

e2a997c5e591719aac831f3e04424958588b1d8f

Link:

https://www.unpac.me/results/ddc66d83-ae85-4de5-be2f-ab116381a818/

Malware family:

Phoenix

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/f6615944bcd1/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Suspicious File

Score:

0.65

Link:

https://yomi.yoroi.company/submissions/f6615944bcd14eb2cc0169ddcc82da15b04f9f20f7e4f646118550c9d6d49b90

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	INDICATOR_KB_ID_Infostealer Create hunting rule
Author:	ditekshen
Description:	Detects exfiltration email addresses correlated from various infostealers. The same email may be observed in multiple families.
Reference:	https://github.com/ditekshen/is-wos

Rule name:	INDICATOR_SUSPICIOUS_Binary_References_Browsers Create hunting rule
Author:	ditekSHen
Description:	Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers.

Rule name:	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook Create hunting rule
Author:	ditekSHen
Description:	Detects executables with potential process hoocking

Rule name:	INDICATOR_SUSPICIOUS_EXE_Referenfces_Messaging_Clients Create hunting rule
Author:	ditekSHen
Description:	Detects executables referencing many email and collaboration clients. Observed in information stealers

Rule name:	INDICATOR_SUSPICIOUS_EXE_TelegramChatBot Create hunting rule
Author:	ditekSHen
Description:	Detects executables using Telegram Chat Bot

Rule name:	MALWARE_Win_SnakeKeylogger Create hunting rule
Author:	ditekSHen
Description:	Detects Snake Keylogger

Rule name:	MAL_Envrial_Jan18_1 Create hunting rule
Author:	Florian Roth
Description:	Detects Encrial credential stealer malware
Reference:	https://twitter.com/malwrhunterteam/status/953313514629853184

Rule name:	MAL_Envrial_Jan18_1_RID2D8C Create hunting rule
Author:	Florian Roth
Description:	Detects Encrial credential stealer malware
Reference:	https://twitter.com/malwrhunterteam/status/953313514629853184

Rule name:	pe_imphash Create hunting rule

Rule name:	pe_imphash Create hunting rule

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

Rule name:	Telegram_Exfiltration_Via_Api Create hunting rule
Author:	lsepaolo

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/206460/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample