MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 f9c212cb52c220cb7ec19f77cfbe4b80c4cf2536507be9c6f86830d34901345b. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

SnakeKeylogger

Vendor detections: 14

Intelligence 14 IOCs YARA 11 File information Comments

SHA256 hash:	f9c212cb52c220cb7ec19f77cfbe4b80c4cf2536507be9c6f86830d34901345b
SHA3-384 hash:	274c459d8bf5d331a543477be6e5f57cc25855fcd9cb33dc835ad284704842859288a5238d8f7129c21dcfe6c9497cd9
SHA1 hash:	ba1ffcf1c8993656d787c1a1be070be46af7f980
MD5 hash:	3012ead88bb446b410086c5240e44d5d
humanhash:	network-victor-burger-glucose
File name:	02602301.exe
Download:	download sample
Signature	SnakeKeylogger Create hunting rule
File size:	808'448 bytes
First seen:	2023-01-26 07:44:21 UTC
Last seen:	2023-01-30 09:03:29 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'666 x AgentTesla, 19'479 x Formbook, 12'209 x SnakeKeylogger)
ssdeep	24576:vT8irmdjXHNOrAe/IuBihmBDCzwrqhTPVcaT5uxzHZL232Nn:ihODewrCPVcEUrdn
Threatray	8'287 similar samples on MalwareBazaar
TLSH	T1C205172C1D7697F2E174F93583D4A0A0BB9F488273A7C9A9D9D62BC05F123826DCE11D
TrID	63.0% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13) 11.2% (.SCR) Windows screen saver (13097/50/3) 9.0% (.EXE) Win64 Executable (generic) (10523/12/4) 5.6% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 3.8% (.EXE) Win32 Executable (generic) (4505/5/1)
Reporter	abuse_ch
Tags:	exe SnakeKeylogger

Intelligence

File Origin

# of uploads :

# of downloads :

189

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

02602301.exe

Verdict:

Malicious activity

Analysis date:

2023-01-26 07:47:57 UTC

Tags:

evasion trojan

Link:

https://app.any.run/tasks/80651a58-d493-4f48-be67-97737a7a08aa

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

Snake

Link:

https://www.capesandbox.com/analysis/357006/

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

Unauthorized injection to a recently created process

Creating a file

Сreating synchronization primitives

DNS request

Sending an HTTP GET request

Reading critical registry keys

Moving of the original file

Forced shutdown of a browser

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

packed

Link:

https://www.filescan.io/uploads/63d22f83416d38777a7a1fdb/reports/266f9d4c-1d88-4d7c-9f75-204b89e7f3a1/overview

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Generic Malware

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/570f2483-04a4-46b4-bfa7-2bc0b8125460

Result

Threat name:

Snake Keylogger

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1159343

Signature

.NET source code contains very large strings

.NET source code references suspicious native API functions

Injects a PE file into a foreign processes

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

May check the online IP address of the machine

Moves itself to temp directory

Multi AV Scanner detection for submitted file

Snort IDS alert for network traffic

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to steal Mail credentials (via file / registry access)

Yara detected AntiVM3

Yara detected Generic Downloader

Yara detected Snake Keylogger

Yara detected Telegram RAT

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/f9c212cb52c220cb7ec19f77cfbe4b80c4cf2536507be9c6f86830d34901345b/

Threat name:

ByteCode-MSIL.Trojan.Pwsx

Status:

Malicious

First seen:

2023-01-26 07:45:08 UTC

File Type:

PE (.Net Exe)

Extracted files:

AV detection:

16 of 39 (41.03%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=7hbbfs2syiqmw7wbt5347pslqdcm6jjwkb56trxynayngsibgrnq._file

Verdict:

malicious

SnakeKeylogger

0bbc61629171137fcf90a07950ef649620c67a2dacf3a473b8b39fe0fe3c3945

SnakeKeylogger

18824045ac4b14baa21003dfc20b607d2b2a7fedd09bae62382bf66cd20df0d0

SnakeKeylogger

2ca9e2712098e5b6a7e425f1d99c1df463922aa5b67fe587ee0406c8b4b38d43

SnakeKeylogger

35d105be1afee51e261bf3f9f0391335c6ac2143dde3dfa452e9d40e61468185

SnakeKeylogger

d428f60cab13bb3180aebc0001d3be88758b370e142ac3cf14a1e5951051bc19

SnakeKeylogger

d9fd70e09b6277658de42ea772d2124d653706ab3f48afd15e1212d71415583b

SnakeKeylogger

de2e0c532da36b42ce3d7798e97fbf1c8a9bedc9ce181ded5cd62e3ca428a0a5

SnakeKeylogger

+ 8'277 additional samples on MalwareBazaar

Result

Malware family:

snakekeylogger

Score:

10/10

Tags:

family:snakekeylogger collection keylogger spyware stealer

Link:

https://tria.ge/reports/230126-jld72sda29/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: RenamesItself

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

outlook_office_path

outlook_win_path

Suspicious use of SetThreadContext

Accesses Microsoft Outlook profiles

Looks up external IP address via web service

Reads data files stored by FTP clients

Reads user/profile data of local email clients

Reads user/profile data of web browsers

Snake Keylogger

Snake Keylogger payload

Unpacked files

SH256 hash:

a2da16e6ff14a074308cef64af77c445c98c175cfcbe0ad56d5ec6fada291474

MD5 hash:

55f912d43a2e1f9581a71de2bf4dcd26

SHA1 hash:

fa09d9f3bcd89dd6abf9dcd666a098ee332cc34a

Detections:

snake_keylogger

Link:

https://www.unpac.me/results/bc726c07-8c3b-4c53-a273-7528660e696b/

Parent samples :

05aa0bfb38f56b8c9d55a2e1ee9e678ae1bd6973bed9d4c1620ddb9cc18e7ef1
6c0f4b396f3c424a4f98906a0782857c992039b5604a7288d10547e27e4e4ab5
f9c212cb52c220cb7ec19f77cfbe4b80c4cf2536507be9c6f86830d34901345b

SH256 hash:

2984705bb4c021bb6f508c85fef3b7b0c3104a91e2d735e009a8af7352406c30

MD5 hash:

2afae3fafe0e79c8f8fa7338a7e803f1

SHA1 hash:

898e907290216b38aba0b130e0c7ae4881b9cc6c

Link:

https://www.unpac.me/results/bc726c07-8c3b-4c53-a273-7528660e696b/

SH256 hash:

94c2ba257a21a0eb4527346753abdedc7bb2fe3aa72d20642546994626602129

MD5 hash:

874dcc6be499121b1425bfdff1f8ad46

SHA1 hash:

66f83bedc73876b77e152c604b8214bde86d965e

Link:

https://www.unpac.me/results/bc726c07-8c3b-4c53-a273-7528660e696b/

SH256 hash:

f9c212cb52c220cb7ec19f77cfbe4b80c4cf2536507be9c6f86830d34901345b

MD5 hash:

3012ead88bb446b410086c5240e44d5d

SHA1 hash:

ba1ffcf1c8993656d787c1a1be070be46af7f980

Link:

https://www.unpac.me/results/bc726c07-8c3b-4c53-a273-7528660e696b/

Malware family:

SnakeKeylogger

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/f9c212cb52c2/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Suspicious File

Score:

0.35

Link:

https://yomi.yoroi.company/submissions/f9c212cb52c220cb7ec19f77cfbe4b80c4cf2536507be9c6f86830d34901345b

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	INDICATOR_SUSPICIOUS_Binary_References_Browsers Create hunting rule
Author:	ditekSHen
Description:	Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers.

Rule name:	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook Create hunting rule
Author:	ditekSHen
Description:	Detects executables with potential process hoocking

Rule name:	INDICATOR_SUSPICIOUS_EXE_References_Messaging_Clients Create hunting rule
Author:	ditekSHen
Description:	Detects executables referencing many email and collaboration clients. Observed in information stealers

Rule name:	INDICATOR_SUSPICIOUS_EXE_TelegramChatBot Create hunting rule
Author:	ditekSHen
Description:	Detects executables using Telegram Chat Bot

Rule name:	MALWARE_Win_SnakeKeylogger Create hunting rule
Author:	ditekSHen
Description:	Detects Snake Keylogger

Rule name:	MAL_Envrial_Jan18_1 Create hunting rule
Author:	Florian Roth
Description:	Detects Encrial credential stealer malware
Reference:	https://twitter.com/malwrhunterteam/status/953313514629853184

Rule name:	MAL_Envrial_Jan18_1_RID2D8C Create hunting rule
Author:	Florian Roth
Description:	Detects Encrial credential stealer malware
Reference:	https://twitter.com/malwrhunterteam/status/953313514629853184

Rule name:	pe_imphash Create hunting rule

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

Rule name:	Windows_Trojan_SnakeKeylogger_af3faa65 Create hunting rule
Author:	Elastic Security

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/357006/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample