MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 fd34c505f68158cc8090e0e0ea5d3ece3df792c6ec3a7648ec484a5cafee5600. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

SnakeKeylogger

Vendor detections: 16

Intelligence 16 IOCs YARA 10 File information Comments

SHA256 hash:	fd34c505f68158cc8090e0e0ea5d3ece3df792c6ec3a7648ec484a5cafee5600
SHA3-384 hash:	19c1718efbf03e4e8952029ab0ee06d2217decfc405561fbd61e7b03d29e11ce05a3cb64273793d143759aa989853517
SHA1 hash:	c045280247b1bc9def35292e886eb293a8dd313c
MD5 hash:	8a85449fb1c6b204febe5ba71ad70758
humanhash:	vegan-grey-lamp-orange
File name:	8a85449fb1c6b204febe5ba71ad70758.exe
Download:	download sample
Signature	SnakeKeylogger Create hunting rule
File size:	84'992 bytes
First seen:	2022-09-28 16:09:12 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	d655cdd353e3fe347bc4da07dcebce9e (2 x SnakeKeylogger)
ssdeep	1536:ihxFLm2oH/uv5xupoVHxmhd/ChZ1Nyj4OJTQZujKij+LM4AZjGJ0DDFHCy7Z:iBvv5xuGVxod6H1pMTQ69ZKJ03Fx
Threatray	4'295 similar samples on MalwareBazaar
TLSH	T1928302B58230DD83FA429FB65D0CBB3B12C89F6ACB49992321E1F84547B13467346C93
TrID	35.7% (.EXE) UPX compressed Win32 Executable (27066/9/6) 35.0% (.EXE) Win32 EXE Yoda's Crypter (26569/9/4) 8.6% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 6.6% (.EXE) Win16 NE executable (generic) (5038/12/1) 5.9% (.EXE) Win32 Executable (generic) (4505/5/1)
Reporter	abuse_ch
Tags:	exe SnakeKeylogger

Intelligence

File Origin

# of uploads :

# of downloads :

283

Origin country :

n/a

Vendor Threat Intelligence

Detection:

Snake

Link:

https://www.capesandbox.com/analysis/314409/

Detection(s):

PUA.Win.Packer.Upx-4

Win.Malware.Snake-9953539-0

Win.Packed.Msilperseus-9956591-0

Result

Verdict:

Malware

Maliciousness:

Behaviour

Searching for the window

Сreating synchronization primitives

DNS request

Sending an HTTP GET request

Reading critical registry keys

Creating a window

Sending a custom TCP request

Result

Malware family:

n/a

Score:

6/10

Tags:

n/a

Link:

https://dragonfly.certego.net/analysis/39776/overview

Behaviour

MalwareBazaar

MeasuringTime

EvasionQueryPerformanceCounter

CheckCmdLine

Verdict:

Likely Malicious

Threat level:

7.5/10

Confidence:

100%

Tags:

anti-vm cmd.exe evasive greyware hacktool packed shell32.dll stealer stealer

Link:

https://www.filescan.io/uploads/633471ded089a0c15dd29829/reports/5c1fad9c-99c0-485b-8cf6-1b7885245e04/overview

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Snake Keylogger

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/fecddf5d-e60d-4b8b-ac59-5be3e4b0e7a7

Result

Threat name:

Snake Keylogger

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1079382

Signature

.NET source code references suspicious native API functions

Antivirus / Scanner detection for submitted sample

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

May check the online IP address of the machine

Multi AV Scanner detection for submitted file

Snort IDS alert for network traffic

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to steal Mail credentials (via file / registry access)

Yara detected Generic Downloader

Yara detected Snake Keylogger

Yara detected Telegram RAT

Behaviour

Behavior Graph:

Download SVG

Detection:

404keylogger

Link:

https://mwdb.cert.pl/sample/fd34c505f68158cc8090e0e0ea5d3ece3df792c6ec3a7648ec484a5cafee5600/

Threat name:

ByteCode-MSIL.Trojan.SnakeKeylogger

Status:

Malicious

First seen:

2022-09-27 14:53:37 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

22 of 26 (84.62%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=7u2mkbpwqfmmzaeq4dqouxj6zy67pewg5q5hmshmjbffzl7okyaa._file

Verdict:

malicious

SnakeKeylogger

339539d03ce22693c391b3141e6c20b2403da4efe6e25247c87c81a2e2fe1530

SnakeKeylogger

62ae48d339e52a1b5be82e703025f2be10d6025f97fd784d40f2781d6ee886ec

SnakeKeylogger

a2bb808321745ce0239b5a84c78a801644d903ce8a6ab87193337aaf2d01fc31

SnakeKeylogger

f6f9f7b0dda34e762db1c1d5362ad44638246bc1ff5832789177869d0e393203

SnakeKeylogger

fec53b388671f2f82fd8c743a3695f432037caffe5f2e04ea77c206809efd048

SnakeKeylogger

+ 4'285 additional samples on MalwareBazaar

Result

Malware family:

snakekeylogger

Score:

10/10

Tags:

family:snakekeylogger collection keylogger spyware stealer upx

Link:

https://tria.ge/reports/220928-tmdb9ahegq/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

outlook_office_path

outlook_win_path

Accesses Microsoft Outlook profiles

Looks up external IP address via web service

Reads data files stored by FTP clients

Reads user/profile data of local email clients

Reads user/profile data of web browsers

UPX packed file

Snake Keylogger

Snake Keylogger payload

Malware Config

C2 Extraction:

https://api.telegram.org/bot5476629412:AAGbkcFsGq72YxKoGZjVmRBskss9nHikjMc/sendMessage?chat_id=5594190904

Verdict:

Suspicious

Tags:

n/a

YARA:

n/a

Link:

https://app.threat.zone/submission/4556c8c3-a736-445d-8f2b-782cd6c43b08

Unpacked files

SH256 hash:

6ffc9b4e7897bf9b477355154d800091c8e225ab5928fd0935f31b83e367b530

MD5 hash:

d69438dcad59bfa694a0faf1d11cd0c9

SHA1 hash:

c1d3bf05ad948f9a2667b6fa08e0cae0e4220c9b

Detections:

snake_keylogger

Link:

https://www.unpac.me/results/fa22fb14-15ce-4d5e-9da3-537a30fe5d43/

Parent samples :

339539d03ce22693c391b3141e6c20b2403da4efe6e25247c87c81a2e2fe1530
fd34c505f68158cc8090e0e0ea5d3ece3df792c6ec3a7648ec484a5cafee5600
26f7e04c866b93d54f94ceb8dae437a6a2fa39c271574cfb9c6a2578fa263fa6
d54ebc19e986fb1fbdb6ae33eff1ec6f65f9b9a6bb83d1e03954526379217cd1

SH256 hash:

4ce6a4869baaf7fd3293ad0a99648aee85cf2f64de5e71820ad49ddd2d08eca4

MD5 hash:

a2948f515aa2e3e021ecc7d795d3e903

SHA1 hash:

4200d66e18a8581de65334a1c68f5d7191296beb

Detections:

snake_keylogger

Link:

https://www.unpac.me/results/fa22fb14-15ce-4d5e-9da3-537a30fe5d43/

Parent samples :

fd34c505f68158cc8090e0e0ea5d3ece3df792c6ec3a7648ec484a5cafee5600
4ce6a4869baaf7fd3293ad0a99648aee85cf2f64de5e71820ad49ddd2d08eca4

SH256 hash:

fd34c505f68158cc8090e0e0ea5d3ece3df792c6ec3a7648ec484a5cafee5600

MD5 hash:

8a85449fb1c6b204febe5ba71ad70758

SHA1 hash:

c045280247b1bc9def35292e886eb293a8dd313c

Link:

https://www.unpac.me/results/fa22fb14-15ce-4d5e-9da3-537a30fe5d43/

Malware family:

SnakeKeylogger

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/fd34c505f681/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Suspicious File

Score:

0.35

Link:

https://yomi.yoroi.company/submissions/fd34c505f68158cc8090e0e0ea5d3ece3df792c6ec3a7648ec484a5cafee5600

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	cobalt_strike_tmp01925d3f Create hunting rule
Author:	The DFIR Report
Description:	files - file ~tmp01925d3f.exe
Reference:	https://thedfirreport.com

Rule name:	INDICATOR_SUSPICIOUS_Binary_References_Browsers Create hunting rule
Author:	ditekSHen
Description:	Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers.

Rule name:	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook Create hunting rule
Author:	ditekSHen
Description:	Detects executables with potential process hoocking

Rule name:	INDICATOR_SUSPICIOUS_EXE_References_Messaging_Clients Create hunting rule
Author:	ditekSHen
Description:	Detects executables referencing many email and collaboration clients. Observed in information stealers

Rule name:	INDICATOR_SUSPICIOUS_EXE_TelegramChatBot Create hunting rule
Author:	ditekSHen
Description:	Detects executables using Telegram Chat Bot

Rule name:	MALWARE_Win_SnakeKeylogger Create hunting rule
Author:	ditekSHen
Description:	Detects Snake Keylogger

Rule name:	MAL_Envrial_Jan18_1 Create hunting rule
Author:	Florian Roth
Description:	Detects Encrial credential stealer malware
Reference:	https://twitter.com/malwrhunterteam/status/953313514629853184

Rule name:	MAL_Envrial_Jan18_1_RID2D8C Create hunting rule
Author:	Florian Roth
Description:	Detects Encrial credential stealer malware
Reference:	https://twitter.com/malwrhunterteam/status/953313514629853184

Rule name:	pe_imphash Create hunting rule

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/314409/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample