MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 03d111de04e5af8d0a126034372cc928d8e3ac78ff8e81a0972a35c5eeddce34. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

SnakeKeylogger

Vendor detections: 14

SHA256 hash: 03d111de04e5af8d0a126034372cc928d8e3ac78ff8e81a0972a35c5eeddce34
SHA3-384 hash: 8b082a2bc863891824376669e56898ec9e31b4795262dc9e2a0966b7f5a32d8221a8d56c0638b335fd8b55b8d29c7e61
SHA1 hash: eb3436fd076e2854b1d5d6957ed32d907bd03d9c
MD5 hash: 8c0c9c9ce087cdab90db2db5cd29a194
humanhash: thirteen-queen-salami-mars
File name: 12220173387_20220825_13363111_Hesap0zeti.exe
Signature: SnakeKeylogger
File size: 1'198'592 bytes
First seen: 2022-09-21 05:33:38 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep: 12288:Ce2L7HCkEYKfg9MTmmshNN5uhJ6+JQIUbr22TBEFlptV5FU778Z:D2fHCNc9g7sDNa6+JQIEr0tV5O3
Threatray: 4'227 similar samples on MalwareBazaar
TLSH: T1FF454AA172A48E9AF87B0BF15C65E43013A2BD5D94A4C10D1ECA7EDF75B3301609AF1B
TrID: 72.5% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
      10.4% (.EXE) Win64 Executable (generic) (10523/12/4)
      6.5% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
      4.4% (.EXE) Win32 Executable (generic) (4505/5/1)
      2.0% (.EXE) OS/2 Executable (generic) (2029/13)
dhash icon: eeacac8cb6e2ba86 (561 x SnakeKeylogger, 142 x AgentTesla, 40 x Formbook)
Reporter: abuse_ch
Tags: exe geo SnakeKeylogger TUR

Intelligence

File Origin
# of uploads: 1
# of downloads: 218
Origin country: n/a

Vendor Threat Intelligence
Malware family: n/a
ID: 1
File name: 12220173387_20220825_13363111_Hesap0zeti.exe
Verdict: Malicious activity
Analysis date: 2022-09-21 05:37:40 UTC
Tags: evasion trojan snake

Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Result
Verdict: Malware
Maliciousness:

Behaviour
Creating a window

Verdict: Likely Malicious
Threat level: 7.5/10
Confidence: 100%
Tags: anti-vm packed

Result
Verdict: UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family: Snake Keylogger
Verdict: Malicious

Result
Threat name: Snake Keylogger
Detection: malicious
Classification: troj.spyw.evad
Score: 100 / 100
Signature
.NET source code contains potential unpacker
.NET source code references suspicious native API functions
Injects a PE file into a foreign processes
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
May check the online IP address of the machine
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Mail credentials (via file / registry access)
Yara detected AntiVM3
Yara detected Generic Downloader
Yara detected Snake Keylogger
Yara detected Telegram RAT
Behaviour
Behavior Graph: (graph image not reproduced)
Threat name: ByteCode-MSIL.Trojan.AgentTesla
Status: Malicious
First seen: 2022-09-21 05:34:10 UTC
File Type: PE (.Net Exe)
Extracted files: 43
AV detection: 20 of 26 (76.92%)
Threat level: 5/5

Result
Malware family: snakekeylogger
Score: 10/10
Tags: family:snakekeylogger collection keylogger spyware stealer
Behaviour
outlook_win_path
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
outlook_office_path
Program crash
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Looks up external IP address via web service
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Snake Keylogger
Snake Keylogger payload
Malware Config
C2 Extraction: https://api.telegram.org/bot5310184099:AAGxqu0IL8tjOF6Eq6x2u0gfcHhvuxRwfLU/sendMessage?chat_id=5350445922

Verdict: Suspicious
Tags: n/a
YARA: n/a

Unpacked files
SHA256 hash: cf63e9457af81a1c98f48956554e07e748f37f9e7acd88f5a38c48aaa1d925dc
MD5 hash: a6a682bb0652b09f21e8bf9ed40352e7
SHA1 hash: fa6ebb960886bf7b4f21067d019d609770433fb0
Detections: snake_keylogger
Parent samples:
Malware family: SnakeKeylogger
Verdict: Malicious
Please note that we are no longer able to provide a coverage score for Virus Total.

File information
The table below shows additional information about this malware sample such as delivery method and external references.

Malspam
SnakeKeylogger
Executable exe 03d111de04e5af8d0a126034372cc928d8e3ac78ff8e81a0972a35c5eeddce34 (this sample)

Delivery method: Distributed via e-mail attachment