MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 030c7e34855a509df98be71d4b4d265b708520caa51ff467a3dee905f6225184. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

SnakeKeylogger

Vendor detections: 12

Intelligence 12 IOCs YARA 2 File information Comments

SHA256 hash:	030c7e34855a509df98be71d4b4d265b708520caa51ff467a3dee905f6225184
SHA3-384 hash:	b678756306d044cd8bd3751c40099d025bb8730c9f74e1d507891c33bd7cedba01db33a6eed729040cccef14b93590fa
SHA1 hash:	7cf1d16d57acd91a1a111f7b984822f8f1a08c98
MD5 hash:	7e08dd8c272898e16ad2a20295926b00
humanhash:	grey-whiskey-early-mockingbird
File name:	SATIN ALMA EMRİ.exe
Download:	download sample
Signature	SnakeKeylogger Create hunting rule
File size:	861'696 bytes
First seen:	2022-07-22 20:12:47 UTC
Last seen:	2022-07-22 21:19:26 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'658 x AgentTesla, 19'469 x Formbook, 12'208 x SnakeKeylogger)
ssdeep	12288:PgKPgg31hqx8Vu/PV84G9PLtqYmzGuhkIWaQv:oK9qxf/PDMHmKuhkV
Threatray	3'965 similar samples on MalwareBazaar
TLSH	T166054CD1F190C89AD96B05F2AC6BA53024E3BE5C54A4C10D559EBB1B66F3382209FF1F
TrID	72.5% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13) 10.4% (.EXE) Win64 Executable (generic) (10523/12/4) 6.5% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 4.4% (.EXE) Win32 Executable (generic) (4505/5/1) 2.0% (.EXE) OS/2 Executable (generic) (2029/13)
File icon (PE):
dhash icon	eeacac8cb6e2ba86 (561 x SnakeKeylogger, 142 x AgentTesla, 40 x Formbook)
Reporter	abuse_ch
Tags:	exe geo SnakeKeylogger TUR

Intelligence

File Origin

# of uploads :

# of downloads :

329

Origin country :

n/a

Vendor Threat Intelligence

Detection:

Snake

Link:

https://www.capesandbox.com/analysis/293477/

Detection(s):

SecuriteInfo.com.Trojan.Packed2.44349.11880.14868-222265.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Searching for the window

Creating a window

Sending a custom TCP request

Launching the default Windows debugger (dwwin.exe)

Verdict:

Suspicious

Threat level:

5/10

Confidence:

100%

Tags:

packed

Link:

https://www.filescan.io/uploads/62db051745a9cc40879048c6/reports/98c62f09-3353-4134-8f7a-469db265659c/overview

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Snake Keylogger

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/8d923ea2-9fbd-4bf2-a18c-595f5b3f6302

Result

Threat name:

Snake Keylogger

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1039447

Signature

.NET source code references suspicious native API functions

Injects a PE file into a foreign processes

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

May check the online IP address of the machine

Multi AV Scanner detection for submitted file

Snort IDS alert for network traffic

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to steal Mail credentials (via file / registry access)

Yara detected AntiVM3

Yara detected Generic Downloader

Yara detected Snake Keylogger

Yara detected Telegram RAT

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/030c7e34855a509df98be71d4b4d265b708520caa51ff467a3dee905f6225184/

Threat name:

ByteCode-MSIL.Trojan.AgentTesla

Status:

Malicious

First seen:

2022-07-22 05:08:15 UTC

File Type:

PE (.Net Exe)

Extracted files:

AV detection:

20 of 26 (76.92%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=amgh4nefljij36ml44ouwtjglnyikigkuup7iz5d33uql5rckgca._file

Verdict:

malicious

SnakeKeylogger

1abbde2370c16b13df70225a0c251790f64f3ba70067a30e959360da730eccae

SnakeKeylogger

48b02faab7ec612b14ad80e24b2c67bfca1c1f7474cfb64066261eb6aa0ed952

SnakeKeylogger

87f1846fd0df28e661944879a85756f80cc8b52de2dae5bd4a358ea62d59cd42

SnakeKeylogger

b3f7646d9cab31ed0eba819fbce5f17ec63460f168b6f8f330161a9fc6ff0644

SnakeKeylogger

b48c018d252b5974a13a65c6b67856d4f2059a90499f65037a63324e4a42001c

SnakeKeylogger

bfc2cfdeb6732fd82c5013684c3760c545b2e0a90aca8c36b3bb9049424d8f73

SnakeKeylogger

c043c4084860560666818264f233a8f6cc739d2e44abfcf36f5232f096dcae51

SnakeKeylogger

e7bce95f8d0c0afe68c7073eb88a60271388885c07bd9a5abfcace139eec9e9f

SnakeKeylogger

f92f663f8f3a0eb9aa71214253b157153bc4c9b386e4189c00017ec85e9d6913

SnakeKeylogger

+ 3'955 additional samples on MalwareBazaar

Result

Malware family:

n/a

Score:

3/10

Tags:

n/a

Link:

https://tria.ge/reports/220722-yzdwrshec8/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Program crash

Unpacked files

SH256 hash:

e7d1e53be3efc1357156b11cbecceab02a30ae86389a0aaad95962d6b88ae0b4

MD5 hash:

82a2ec534b4751ed34db950f213fb9ba

SHA1 hash:

8bcde72cb8ab5e24f1c400ce55c1d7eb2f23d396

Link:

https://www.unpac.me/results/d71495dc-d765-4d66-926a-3fa6fe9a4eb5/

SH256 hash:

40de6e05441d672c52053009234730f0758d3b0583270b77b0addd403ffcd612

MD5 hash:

349c0e8ef6cd420a151af60ff4c6a448

SHA1 hash:

84477bdca150356cae4750a932223d9e5fc841a0

Link:

https://www.unpac.me/results/d71495dc-d765-4d66-926a-3fa6fe9a4eb5/

SH256 hash:

2ec17f09572da1390a191643cad703da63af6d7412f7c1095e5e35b5aa7e1226

MD5 hash:

f3e9c837d80bf36c62be1340c0494d37

SHA1 hash:

f13957a5d5096a3f1bea036eb824cdd41851cc71

Link:

https://www.unpac.me/results/d71495dc-d765-4d66-926a-3fa6fe9a4eb5/

SH256 hash:

39c2d879c57f07305ce60412dc8a88f02e51f1a14a06cc605768d1d7f5313807

MD5 hash:

db51fe170a9e5d6ec5429a2fbd9d0353

SHA1 hash:

e30a58125fc41322db6cf2ccb6a6d414ed379016

Link:

https://www.unpac.me/results/d71495dc-d765-4d66-926a-3fa6fe9a4eb5/

SH256 hash:

e1e83fa841be4d83d0bfc4ed5eb5ae2972653b772a19a5b991a2782387dc318f

MD5 hash:

2c46c0a4797b3960e5902ec0d4ae3aff

SHA1 hash:

e039e8b72e22600418a1c42ee6965f508cff5de5

Link:

https://www.unpac.me/results/d71495dc-d765-4d66-926a-3fa6fe9a4eb5/

SH256 hash:

030c7e34855a509df98be71d4b4d265b708520caa51ff467a3dee905f6225184

MD5 hash:

7e08dd8c272898e16ad2a20295926b00

SHA1 hash:

7cf1d16d57acd91a1a111f7b984822f8f1a08c98

Link:

https://www.unpac.me/results/d71495dc-d765-4d66-926a-3fa6fe9a4eb5/

Malware family:

SnakeKeylogger

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/030c7e34855a/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Suspicious File

Score:

0.65

Link:

https://yomi.yoroi.company/submissions/030c7e34855a509df98be71d4b4d265b708520caa51ff467a3dee905f6225184

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	pe_imphash Create hunting rule

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/293477/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample