MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 f8fc64a8c85d805e7f6314711dc42052000c831657472cd65a9becb50ad3263c. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

SnakeKeylogger

Vendor detections: 7

Intelligence 7 IOCs YARA 5 File information Comments

SHA256 hash:	f8fc64a8c85d805e7f6314711dc42052000c831657472cd65a9becb50ad3263c
SHA3-384 hash:	4ddc1783f85164e2e03ce6ec33c3b5316827b744ea494c8ddb7d4102eead90e209be0a5bed94e8c04e082a1fb0f99c04
SHA1 hash:	2e9870f0b5c87cf08bc71fdff1a080e1a5a1f7a7
MD5 hash:	0c2525c34d612a6e6592c019032850e1
humanhash:	march-spring-kitten-hawaii
File name:	Cjedeld.exe
Download:	download sample
Signature	SnakeKeylogger Create hunting rule
File size:	794'424 bytes
First seen:	2021-04-29 12:23:00 UTC
Last seen:	2021-04-29 13:15:41 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep	12288:p5Jfdfpz1U9TAjrarTo7skY2XqzB3jn/:pLRU9mJYk5qzB3j/
Threatray	59 similar samples on MalwareBazaar
TLSH	83F45905A3EC9626D1EE3B74B5702B0047F4FD06B176D74FA9C8B6AA98737814C40BA7
Reporter	James_inthe_box
Tags:	exe signed SnakeKeylogger

Code Signing Certificate

Organisation:	Discord Inc.
Issuer:	DigiCert EV Code Signing CA (SHA2)
Algorithm:	sha256WithRSAEncryption
Valid from:	2018-03-14T00:00:00Z
Valid to:	2021-02-18T12:00:00Z
Serial number:	04f131322cc31d92c849fca351d2f141
Intelligence:	17 malware samples on MalwareBazaar are signed with this code signing certificate
Thumbprint Algorithm:	SHA256
Thumbprint:	584035e0344227fc32c92a7f3fd4d88594a26c2e953360543d613329e99122dd
Source:	This information was brought to you by ReversingLabs A1000 Malware Analysis Platform

Intelligence

File Origin

# of uploads :

# of downloads :

Origin country :

n/a

Vendor Threat Intelligence

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/146671/

Detection(s):

SecuriteInfo.com.generic.ml.5910.10350.UNOFFICIAL

Result

Verdict:

Clean

Maliciousness:

Behaviour

Creating a window

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Result

Threat name:

Snake Keylogger

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/702219

Signature

.NET source code contains potential unpacker

Creates an undocumented autostart registry key

Found malware configuration

Machine Learning detection for dropped file

Machine Learning detection for sample

May check the online IP address of the machine

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to steal Mail credentials (via file access)

Yara detected Beds Obfuscator

Yara detected Snake Keylogger

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/f8fc64a8c85d805e7f6314711dc42052000c831657472cd65a9becb50ad3263c/

Threat name:

ByteCode-MSIL.Infostealer.Stelega

Status:

Malicious

First seen:

2021-04-29 12:22:57 UTC

File Type:

PE (.Net Exe)

Extracted files:

AV detection:

22 of 29 (75.86%)

Threat level:

5/5

Verdict:

malicious

SnakeKeylogger

55f1a2084fd1c1d5477519f06b02aa4fa4d917aaceffd116fc45820dc49a7795

SnakeKeylogger

68c3bc52831c9df86039c85e4e896413bb7ccba3a85827a3ac32909c68e582dd

SnakeKeylogger

69c0dfdb136e864341810ac7ac86ce413c9de466d775651e5bf6eeeeebb0e7c2

SnakeKeylogger

87763547e91a17c7070d90ab3619415a470e8bf4397a57ad38d0b3dd43fc45c7

SnakeKeylogger

b8f8eab3a49bec6b9306853e8e5e2da49ba66b5773b259a2d6edfba479d10e85

SnakeKeylogger

c582dac0f0f94c07579c35ab71f62b25bf499123d3bea89a33a6b8a80ee3325c

SnakeKeylogger

e93cf93e8ff851cd540fa165166665bbb0f5bfd1103166686230e9cb810caa05

SnakeKeylogger

f4c25b70ae9ea0c7f4a7f028011167b7154ded11a0b8e90b1c7570ba9af1f2f2

SnakeKeylogger

fe5893ebe83a275869f55b370b0cd5334dabc2ff55d6ec03e923d89ae662f2f3

SnakeKeylogger

+ 49 additional samples on MalwareBazaar

Result

Malware family:

snakekeylogger

Score:

10/10

Tags:

family:snakekeylogger keylogger spyware stealer

Link:

https://tria.ge/reports/210429-5r6yr39qf6/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Suspicious use of SetThreadContext

Looks up external IP address via web service

Reads data files stored by FTP clients

Reads user/profile data of local email clients

Reads user/profile data of web browsers

Snake Keylogger

Snake Keylogger Payload

Unpacked files

SH256 hash:

627313c62d851ad8948930eaf1b3e18f7a34f6131e3502a59c357bd39615f07f

MD5 hash:

48a8b4e53668bae5b7ac1c5660a2ef5e

SHA1 hash:

8b776e6fdd9ca11feeca248e11f56c0f69efa682

Link:

https://www.unpac.me/results/6f0a1475-b9b5-4d18-a09d-dba2d776579a/

SH256 hash:

3fc8c976459f8e7c48351cf5fd6c6d472bacca72a2eb8a48a2e3d80dfa36d151

MD5 hash:

b388c96f81a1f3e5565fb317eb8f3831

SHA1 hash:

312b6cc176bc114f8c1a99368f8882f3db2bd9ca

Link:

https://www.unpac.me/results/6f0a1475-b9b5-4d18-a09d-dba2d776579a/

SH256 hash:

52d2124a526a57fff631dfab771729274ce40dc513fde517ccea866231030dd0

MD5 hash:

2d2b7f0623bdad0884faef83d647094b

SHA1 hash:

123389258c2ecb30e27a734d90038fe0c7e60140

Link:

https://www.unpac.me/results/6f0a1475-b9b5-4d18-a09d-dba2d776579a/

SH256 hash:

f8fc64a8c85d805e7f6314711dc42052000c831657472cd65a9becb50ad3263c

MD5 hash:

0c2525c34d612a6e6592c019032850e1

SHA1 hash:

2e9870f0b5c87cf08bc71fdff1a080e1a5a1f7a7

Link:

https://www.unpac.me/results/6f0a1475-b9b5-4d18-a09d-dba2d776579a/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/f8fc64a8c85d805e7f6314711dc42052000c831657472cd65a9becb50ad3263c

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	dsc Create hunting rule
Author:	Aaron DeVera
Description:	Discord domains

Rule name:	INDICATOR_EXE_Packed_ConfuserExMod_BedsProtector Create hunting rule
Author:	ditekSHen
Description:	Detects executables packed with ConfuserEx Mod Beds Protector

Rule name:	INDICATOR_KB_CERT_04f131322cc31d92c849fca351d2f141 Create hunting rule
Author:	ditekSHen
Description:	Detects executables signed with stolen, revoked or invalid certificates

Rule name:	Keylog_bin_mem Create hunting rule
Author:	James_inthe_box
Description:	Contains Keylog

Rule name:	MALWARE_Win_SnakeKeylogger Create hunting rule
Author:	ditekSHen
Description:	Detects Snake Keylogger

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method

Other

URLhaus

https://urlhaus.abuse.ch/url/1182845/

Cape

https://www.capesandbox.com/analysis/146671/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample