Edit tour

Windows Analysis Report
file.exe

Overview

General Information

Sample Name:	file.exe
Analysis ID:	756297
MD5:	cfc1c66cba07daef1e8ac13d5e042e7a
SHA1:	10451947894a7af9a06adc619179e00e933fb20a
SHA256:	addc1564d69b115e0cb5ff2264614c98dc51107f042e3ea0d93b99e49cf2e94b
Tags:	NETexeMSILSnakeKeylogger
Infos:

Detection

Snake Keylogger

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Multi AV Scanner detection for submitted file

Yara detected Snake Keylogger

Malicious sample detected (through community Yara rule)

Yara detected Telegram RAT

Yara detected AntiVM3

Antivirus / Scanner detection for submitted sample

Snort IDS alert for network traffic

Tries to steal Mail credentials (via file / registry access)

Tries to harvest and steal ftp login credentials

.NET source code references suspicious native API functions

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Machine Learning detection for sample

May check the online IP address of the machine

.NET source code contains potential unpacker

Injects a PE file into a foreign processes

Yara detected Generic Downloader

Tries to harvest and steal browser information (history, passwords, etc)

Uses 32bit PE files

Queries the volume information (name, serial number etc) of a device

Yara signature match

Antivirus or Machine Learning detection for unpacked file

May sleep (evasive loops) to hinder dynamic analysis

Uses code obfuscation techniques (call, push, ret)

Internet Provider seen in connection with other malware

Detected potential crypto function

Yara detected Credential Stealer

IP address seen in connection with other malware

Contains long sleeps (>= 3 min)

Enables debug privileges

Found inlined nop instructions (likely shell or obfuscated code)

Sample file is different than original file name gathered from version info

Uses a known web browser user agent for HTTP communication

Binary contains a suspicious time stamp

Creates a process in suspended mode (likely to inject code)

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Classification

Process Tree

System is w10x64

file.exe (PID: 1128 cmdline: C:\Users\user\Desktop\file.exe MD5: CFC1C66CBA07DAEF1E8AC13D5E042E7A)

file.exe (PID: 5916 cmdline: C:\Users\user\Desktop\file.exe MD5: CFC1C66CBA07DAEF1E8AC13D5E042E7A)

file.exe (PID: 4844 cmdline: C:\Users\user\Desktop\file.exe MD5: CFC1C66CBA07DAEF1E8AC13D5E042E7A)

file.exe (PID: 5260 cmdline: C:\Users\user\Desktop\file.exe MD5: CFC1C66CBA07DAEF1E8AC13D5E042E7A)

audiodg.exe (PID: 4844 cmdline: C:\Windows\system32\AUDIODG.EXE 0x364 MD5: 0B245353F92DF527AA7613BA2C0DA023)

cleanup

Malware Configuration

Threatname: Snake Keylogger

{"Exfil Mode": "SMTP", "Username": "arinzelog@saonline.xyz", "Password": "7213575aceACE@#$", "Host": "cp5ua.hyperhost.ua", "Port": "587"}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
00000000.00000002.365680487.0000000003439000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
00000000.00000002.367556703.0000000004135000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
00000000.00000002.367556703.0000000004135000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
00000000.00000002.367556703.0000000004135000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000000.00000002.367556703.0000000004135000.00000004.00000800.00020000.00000000.sdmp	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0x522dc:$x1: $%SMTPDV$ 0x522f2:$x2: $#TheHashHere%& 0x537f3:$x3: %FTPDV$ 0x538b7:$x4: $%TelegramDv$ 0x4fb75:$x5: KeyLoggerEventArgs 0x4ff0b:$x5: KeyLoggerEventArgs 0x53817:$m2: Clipboard Logs ID 0x53a1d:$m2: Screenshot Logs ID 0x53b2d:$m2: keystroke Logs ID 0x53d11:$m3: SnakePW 0x539f5:$m4: \SnakeKeylogger\
00000000.00000002.367556703.0000000004135000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x4e9a0:$a1: get_encryptedPassword 0x4ec8c:$a2: get_encryptedUsername 0x4e7ac:$a3: get_timePasswordChanged 0x4e8a7:$a4: get_passwordField 0x4e9b6:$a5: set_encryptedPassword 0x4ffa8:$a7: get_logins 0x4ff0b:$a10: KeyLoggerEventArgs 0x4fb75:$a11: KeyLoggerEventArgsEventHandler
00000003.00000000.356501796.0000000000402000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
00000003.00000000.356501796.0000000000402000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
00000003.00000000.356501796.0000000000402000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000003.00000000.356501796.0000000000402000.00000040.00000400.00020000.00000000.sdmp	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0x176cc:$x1: $%SMTPDV$ 0x176e2:$x2: $#TheHashHere%& 0x18be3:$x3: %FTPDV$ 0x18ca7:$x4: $%TelegramDv$ 0x14f65:$x5: KeyLoggerEventArgs 0x152fb:$x5: KeyLoggerEventArgs 0x18c07:$m2: Clipboard Logs ID 0x18e0d:$m2: Screenshot Logs ID 0x18f1d:$m2: keystroke Logs ID 0x19101:$m3: SnakePW 0x18de5:$m4: \SnakeKeylogger\
00000003.00000000.356501796.0000000000402000.00000040.00000400.00020000.00000000.sdmp	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x13d90:$a1: get_encryptedPassword 0x1407c:$a2: get_encryptedUsername 0x13b9c:$a3: get_timePasswordChanged 0x13c97:$a4: get_passwordField 0x13da6:$a5: set_encryptedPassword 0x15398:$a7: get_logins 0x152fb:$a10: KeyLoggerEventArgs 0x14f65:$a11: KeyLoggerEventArgsEventHandler
00000000.00000002.370182647.000000000445D000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
00000000.00000002.370182647.000000000445D000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
00000000.00000002.370182647.000000000445D000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000000.00000002.370182647.000000000445D000.00000004.00000800.00020000.00000000.sdmp	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0x18474:$x1: $%SMTPDV$ 0x61094:$x1: $%SMTPDV$ 0x1848a:$x2: $#TheHashHere%& 0x610aa:$x2: $#TheHashHere%& 0x1998b:$x3: %FTPDV$ 0x625ab:$x3: %FTPDV$ 0x19a4f:$x4: $%TelegramDv$ 0x6266f:$x4: $%TelegramDv$ 0x15d0d:$x5: KeyLoggerEventArgs 0x160a3:$x5: KeyLoggerEventArgs 0x5e92d:$x5: KeyLoggerEventArgs 0x5ecc3:$x5: KeyLoggerEventArgs 0x199af:$m2: Clipboard Logs ID 0x19bb5:$m2: Screenshot Logs ID 0x19cc5:$m2: keystroke Logs ID 0x625cf:$m2: Clipboard Logs ID 0x627d5:$m2: Screenshot Logs ID 0x628e5:$m2: keystroke Logs ID 0x19ea9:$m3: SnakePW 0x62ac9:$m3: SnakePW 0x19b8d:$m4: \SnakeKeylogger\
00000000.00000002.370182647.000000000445D000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x14b38:$a1: get_encryptedPassword 0x5d758:$a1: get_encryptedPassword 0x14e24:$a2: get_encryptedUsername 0x5da44:$a2: get_encryptedUsername 0x14944:$a3: get_timePasswordChanged 0x5d564:$a3: get_timePasswordChanged 0x14a3f:$a4: get_passwordField 0x5d65f:$a4: get_passwordField 0x14b4e:$a5: set_encryptedPassword 0x5d76e:$a5: set_encryptedPassword 0x16140:$a7: get_logins 0x5ed60:$a7: get_logins 0x160a3:$a10: KeyLoggerEventArgs 0x5ecc3:$a10: KeyLoggerEventArgs 0x15d0d:$a11: KeyLoggerEventArgsEventHandler 0x5e92d:$a11: KeyLoggerEventArgsEventHandler
Process Memory Space: file.exe PID: 1128	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: file.exe PID: 1128	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
Process Memory Space: file.exe PID: 1128	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
Process Memory Space: file.exe PID: 1128	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: file.exe PID: 1128	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0x6d9a4:$x5: KeyLoggerEventArgs 0x6dd3a:$x5: KeyLoggerEventArgs 0x6e860:$x5: KeyLoggerEventArgs 0x6ebc1:$x5: KeyLoggerEventArgs 0x234bc6:$x5: KeyLoggerEventArgs 0x234f5c:$x5: KeyLoggerEventArgs 0x235a82:$x5: KeyLoggerEventArgs 0x235de3:$x5: KeyLoggerEventArgs 0x70142:$m2: Clipboard Logs ID 0x7022c:$m2: Screenshot Logs ID 0x70282:$m2: keystroke Logs ID 0x237364:$m2: Clipboard Logs ID 0x23744e:$m2: Screenshot Logs ID 0x2374a4:$m2: keystroke Logs ID 0x7033c:$m3: SnakePW 0x23755e:$m3: SnakePW 0x70218:$m4: \SnakeKeylogger\ 0x23743a:$m4: \SnakeKeylogger\
Process Memory Space: file.exe PID: 1128	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x6bba5:$a1: get_encryptedPassword 0x232dc7:$a1: get_encryptedPassword 0x6be87:$a2: get_encryptedUsername 0x2330a9:$a2: get_encryptedUsername 0x6b9bb:$a3: get_timePasswordChanged 0x232bdd:$a3: get_timePasswordChanged 0x6bab6:$a4: get_passwordField 0x232cd8:$a4: get_passwordField 0x6bbbb:$a5: set_encryptedPassword 0x232ddd:$a5: set_encryptedPassword 0x6ddd7:$a7: get_logins 0x234ff9:$a7: get_logins 0x6dd3a:$a10: KeyLoggerEventArgs 0x234f5c:$a10: KeyLoggerEventArgs 0x6d9a4:$a11: KeyLoggerEventArgsEventHandler 0x234bc6:$a11: KeyLoggerEventArgsEventHandler
Process Memory Space: file.exe PID: 5260	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
Process Memory Space: file.exe PID: 5260	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
Process Memory Space: file.exe PID: 5260	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: file.exe PID: 5260	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0x24087:$x5: KeyLoggerEventArgs 0x2441d:$x5: KeyLoggerEventArgs 0x24f43:$x5: KeyLoggerEventArgs 0x252a4:$x5: KeyLoggerEventArgs 0x26825:$m2: Clipboard Logs ID 0x2690f:$m2: Screenshot Logs ID 0x26965:$m2: keystroke Logs ID 0x26a1f:$m3: SnakePW 0x268fb:$m4: \SnakeKeylogger\
Process Memory Space: file.exe PID: 5260	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x22288:$a1: get_encryptedPassword 0x2256a:$a2: get_encryptedUsername 0x2209e:$a3: get_timePasswordChanged 0x22199:$a4: get_passwordField 0x2229e:$a5: set_encryptedPassword 0x244ba:$a7: get_logins 0x2441d:$a10: KeyLoggerEventArgs 0x24087:$a11: KeyLoggerEventArgsEventHandler
Click to see the 22 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
0.2.file.exe.416fa10.6.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x198d3:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x18b05:$a3: \Google\Chrome\User Data\Default\Login Data 0x18f38:$a4: \Orbitum\User Data\Default\Login Data 0x1a05f:$a5: \Kometa\User Data\Default\Login Data
0.2.file.exe.416fa10.6.unpack	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
0.2.file.exe.416fa10.6.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
0.2.file.exe.416fa10.6.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.file.exe.416fa10.6.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x12d07:$s1: UnHook 0x12d0e:$s2: SetHook 0x12d16:$s3: CallNextHook 0x12d23:$s4: _hook
0.2.file.exe.416fa10.6.unpack	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0x15acc:$x1: $%SMTPDV$ 0x15ae2:$x2: $#TheHashHere%& 0x16fe3:$x3: %FTPDV$ 0x170a7:$x4: $%TelegramDv$ 0x13365:$x5: KeyLoggerEventArgs 0x136fb:$x5: KeyLoggerEventArgs 0x17007:$m2: Clipboard Logs ID 0x1720d:$m2: Screenshot Logs ID 0x1731d:$m2: keystroke Logs ID 0x17501:$m3: SnakePW 0x171e5:$m4: \SnakeKeylogger\
0.2.file.exe.416fa10.6.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x12190:$a1: get_encryptedPassword 0x1247c:$a2: get_encryptedUsername 0x11f9c:$a3: get_timePasswordChanged 0x12097:$a4: get_passwordField 0x121a6:$a5: set_encryptedPassword 0x13798:$a7: get_logins 0x136fb:$a10: KeyLoggerEventArgs 0x13365:$a11: KeyLoggerEventArgsEventHandler
0.2.file.exe.44a67c8.10.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x198d3:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x18b05:$a3: \Google\Chrome\User Data\Default\Login Data 0x18f38:$a4: \Orbitum\User Data\Default\Login Data 0x1a05f:$a5: \Kometa\User Data\Default\Login Data
0.2.file.exe.44a67c8.10.unpack	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
0.2.file.exe.44a67c8.10.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
0.2.file.exe.44a67c8.10.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.file.exe.44a67c8.10.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x12d07:$s1: UnHook 0x12d0e:$s2: SetHook 0x12d16:$s3: CallNextHook 0x12d23:$s4: _hook
0.2.file.exe.44a67c8.10.unpack	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0x15acc:$x1: $%SMTPDV$ 0x15ae2:$x2: $#TheHashHere%& 0x16fe3:$x3: %FTPDV$ 0x170a7:$x4: $%TelegramDv$ 0x13365:$x5: KeyLoggerEventArgs 0x136fb:$x5: KeyLoggerEventArgs 0x17007:$m2: Clipboard Logs ID 0x1720d:$m2: Screenshot Logs ID 0x1731d:$m2: keystroke Logs ID 0x17501:$m3: SnakePW 0x171e5:$m4: \SnakeKeylogger\
0.2.file.exe.44a67c8.10.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x12190:$a1: get_encryptedPassword 0x1247c:$a2: get_encryptedUsername 0x11f9c:$a3: get_timePasswordChanged 0x12097:$a4: get_passwordField 0x121a6:$a5: set_encryptedPassword 0x13798:$a7: get_logins 0x136fb:$a10: KeyLoggerEventArgs 0x13365:$a11: KeyLoggerEventArgsEventHandler
0.2.file.exe.44a67c8.10.raw.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x1b6d3:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x1a905:$a3: \Google\Chrome\User Data\Default\Login Data 0x1ad38:$a4: \Orbitum\User Data\Default\Login Data 0x1be5f:$a5: \Kometa\User Data\Default\Login Data
0.2.file.exe.44a67c8.10.raw.unpack	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
0.2.file.exe.44a67c8.10.raw.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
0.2.file.exe.44a67c8.10.raw.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
0.2.file.exe.44a67c8.10.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.file.exe.44a67c8.10.raw.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x14b07:$s1: UnHook 0x14b0e:$s2: SetHook 0x14b16:$s3: CallNextHook 0x14b23:$s4: _hook
0.2.file.exe.44a67c8.10.raw.unpack	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0x178cc:$x1: $%SMTPDV$ 0x178e2:$x2: $#TheHashHere%& 0x18de3:$x3: %FTPDV$ 0x18ea7:$x4: $%TelegramDv$ 0x15165:$x5: KeyLoggerEventArgs 0x154fb:$x5: KeyLoggerEventArgs 0x18e07:$m2: Clipboard Logs ID 0x1900d:$m2: Screenshot Logs ID 0x1911d:$m2: keystroke Logs ID 0x19301:$m3: SnakePW 0x18fe5:$m4: \SnakeKeylogger\
0.2.file.exe.44a67c8.10.raw.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x13f90:$a1: get_encryptedPassword 0x1427c:$a2: get_encryptedUsername 0x13d9c:$a3: get_timePasswordChanged 0x13e97:$a4: get_passwordField 0x13fa6:$a5: set_encryptedPassword 0x15598:$a7: get_logins 0x154fb:$a10: KeyLoggerEventArgs 0x15165:$a11: KeyLoggerEventArgsEventHandler
3.0.file.exe.400000.0.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x1b6d3:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x1a905:$a3: \Google\Chrome\User Data\Default\Login Data 0x1ad38:$a4: \Orbitum\User Data\Default\Login Data 0x1be5f:$a5: \Kometa\User Data\Default\Login Data
3.0.file.exe.400000.0.unpack	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
3.0.file.exe.400000.0.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
3.0.file.exe.400000.0.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
3.0.file.exe.400000.0.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
3.0.file.exe.400000.0.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x14b07:$s1: UnHook 0x14b0e:$s2: SetHook 0x14b16:$s3: CallNextHook 0x14b23:$s4: _hook
3.0.file.exe.400000.0.unpack	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0x178cc:$x1: $%SMTPDV$ 0x178e2:$x2: $#TheHashHere%& 0x18de3:$x3: %FTPDV$ 0x18ea7:$x4: $%TelegramDv$ 0x15165:$x5: KeyLoggerEventArgs 0x154fb:$x5: KeyLoggerEventArgs 0x18e07:$m2: Clipboard Logs ID 0x1900d:$m2: Screenshot Logs ID 0x1911d:$m2: keystroke Logs ID 0x19301:$m3: SnakePW 0x18fe5:$m4: \SnakeKeylogger\
3.0.file.exe.400000.0.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x13f90:$a1: get_encryptedPassword 0x1427c:$a2: get_encryptedUsername 0x13d9c:$a3: get_timePasswordChanged 0x13e97:$a4: get_passwordField 0x13fa6:$a5: set_encryptedPassword 0x15598:$a7: get_logins 0x154fb:$a10: KeyLoggerEventArgs 0x15165:$a11: KeyLoggerEventArgsEventHandler
0.2.file.exe.416fa10.6.raw.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x1b6d3:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x1a905:$a3: \Google\Chrome\User Data\Default\Login Data 0x1ad38:$a4: \Orbitum\User Data\Default\Login Data 0x1be5f:$a5: \Kometa\User Data\Default\Login Data
0.2.file.exe.416fa10.6.raw.unpack	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
0.2.file.exe.416fa10.6.raw.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
0.2.file.exe.416fa10.6.raw.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
0.2.file.exe.416fa10.6.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.file.exe.416fa10.6.raw.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x14b07:$s1: UnHook 0x14b0e:$s2: SetHook 0x14b16:$s3: CallNextHook 0x14b23:$s4: _hook
0.2.file.exe.416fa10.6.raw.unpack	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0x178cc:$x1: $%SMTPDV$ 0x178e2:$x2: $#TheHashHere%& 0x18de3:$x3: %FTPDV$ 0x18ea7:$x4: $%TelegramDv$ 0x15165:$x5: KeyLoggerEventArgs 0x154fb:$x5: KeyLoggerEventArgs 0x18e07:$m2: Clipboard Logs ID 0x1900d:$m2: Screenshot Logs ID 0x1911d:$m2: keystroke Logs ID 0x19301:$m3: SnakePW 0x18fe5:$m4: \SnakeKeylogger\
0.2.file.exe.416fa10.6.raw.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x13f90:$a1: get_encryptedPassword 0x1427c:$a2: get_encryptedUsername 0x13d9c:$a3: get_timePasswordChanged 0x13e97:$a4: get_passwordField 0x13fa6:$a5: set_encryptedPassword 0x15598:$a7: get_logins 0x154fb:$a10: KeyLoggerEventArgs 0x15165:$a11: KeyLoggerEventArgsEventHandler
Click to see the 33 entries

Sigma Signatures

⊘No Sigma rule has matched

Snort Signatures

ET TROJAN 404/Snake/Matiex Keylogger Style External IP Check - Source IP: 192.168.2.4 - Destination IP: 193.122.130.0

Timestamp:	192.168.2.4193.122.130.049696802039190 11/30/22-00:11:36.516564
SID:	2039190
Source Port:	49696
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report
file.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Threatname: Snake Keylogger

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

Snort Signatures

Joe Sandbox Signatures

AV Detection

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report file.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Threatname: Snake Keylogger

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

Snort Signatures

Joe Sandbox Signatures

AV Detection

Windows Analysis Report
file.exe