MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 07a1258c5ef18d86c00f843408aa21667c7817b8e7d1ead1a5411856d0d21ed7. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

SnakeKeylogger

Vendor detections: 13

Intelligence 13 IOCs YARA 11 File information Comments

SHA256 hash:	07a1258c5ef18d86c00f843408aa21667c7817b8e7d1ead1a5411856d0d21ed7
SHA3-384 hash:	89b9a9318e4c83a7556ee59957f7034a16cc038e9fdb08f5f1994c0a5326a6d4fc337b734c4b262032a2cd2a20d88749
SHA1 hash:	eb4db1db3a23102297fc38e96b3d8c29033c676e
MD5 hash:	d2509f72c1b2febebdaa8058b52f43a9
humanhash:	papa-nevada-oranges-idaho
File name:	Doc.exe
Download:	download sample
Signature	SnakeKeylogger Create hunting rule
File size:	664'064 bytes
First seen:	2023-02-01 14:30:25 UTC
Last seen:	2023-02-01 16:51:35 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'740 x AgentTesla, 19'599 x Formbook, 12'241 x SnakeKeylogger)
ssdeep	12288:s6puW68gG3AiuKKtzbhFZhh1EqjnvsYZ3sWeh3ih9HnAYcH/d:nmXG3EKKFEZ+sBYTA
Threatray	6'611 similar samples on MalwareBazaar
TLSH	T1D1E401BD935DDCAFC78C00FF91B45049AB75127AF591EB8D0ADFE1A9848B30119221EB
TrID	67.7% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13) 9.7% (.EXE) Win64 Executable (generic) (10523/12/4) 6.0% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 4.6% (.EXE) Win16 NE executable (generic) (5038/12/1) 4.1% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):
dhash icon	0000000000000000 (872 x AgentTesla, 496 x Formbook, 296 x RedLineStealer)
Reporter	abuse_ch
Tags:	exe SnakeKeylogger

Intelligence

File Origin

# of uploads :

# of downloads :

179

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

Doc.exe

Verdict:

Malicious activity

Analysis date:

2023-02-01 14:34:29 UTC

Tags:

evasion trojan snake keylogger

Link:

https://app.any.run/tasks/e0a7ea67-9404-4160-b0e3-b524016f01fe

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/359036/

Detection(s):

SecuriteInfo.com.Trojan.GenericKD.65256538.9312.889.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

Sending a custom TCP request

Launching a process

Creating a process with a hidden window

Verdict:

Unknown

Threat level:

0/10

Confidence:

67%

Link:

https://www.filescan.io/uploads/63da77a989bd67c10fdc0456/reports/3766a79d-88e1-4e0b-a685-00fcf6f6d0f3/overview

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Generic Malware

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/fcf8c86a-0b80-4e8c-afdc-f3b733af51bc

Result

Threat name:

Snake Keylogger

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1163850

Signature

Adds a directory exclusion to Windows Defender

Injects a PE file into a foreign processes

Machine Learning detection for dropped file

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

May check the online IP address of the machine

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Sigma detected: Scheduled temp file as task from temp location

Snort IDS alert for network traffic

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to steal Mail credentials (via file / registry access)

Uses schtasks.exe or at.exe to add and modify task schedules

Yara detected AntiVM3

Yara detected Generic Downloader

Yara detected Snake Keylogger

Yara detected Telegram RAT

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/07a1258c5ef18d86c00f843408aa21667c7817b8e7d1ead1a5411856d0d21ed7/

Threat name:

ByteCode-MSIL.Trojan.AgentTesla

Status:

Malicious

First seen:

2023-01-31 09:40:55 UTC

File Type:

PE (.Net Exe)

Extracted files:

AV detection:

21 of 26 (80.77%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=a6qsldc66ggynqapqq2arkrbmz6hqf5y47i6vunfiemfnugsd3lq._file

Verdict:

malicious

SnakeKeylogger

0d1b2fea0d5ddb060f0354f282e7fcce69fc48b55e94195f01b1ed374cf4329e

SnakeKeylogger

242e3afa42a4b6ecbe015e0d0a2786c42a24167e05a12f380f6e63af24d8c4e2

SnakeKeylogger

64b9c66d1790f7f9a62366c7bbcd694941f39fa86077994f0d752f70c90f56b6

SnakeKeylogger

6c7cbf4b4eb2e90a7093cc03786942ca42c88c0cdd30397b1530530c7ad40ae9

SnakeKeylogger

915c681cf24ce5aa5ac24cbe3d9fe1106966ff7467c16a3e7b002e80034da8c9

SnakeKeylogger

dcff2f1adb183112521e7b484dc2fff1bf98316fcc38f4c06eb0e39c416fa3dc

SnakeKeylogger

f9aa33269f7d56d6a16db1c91b5ce0df11fbe25c50d2c3f2222e07b83098d212

SnakeKeylogger

+ 6'601 additional samples on MalwareBazaar

Result

Malware family:

snakekeylogger

Score:

10/10

Tags:

family:snakekeylogger collection keylogger spyware stealer

Link:

https://tria.ge/reports/230201-rvqlfaaa76/

Behaviour

Creates scheduled task(s)

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

outlook_office_path

outlook_win_path

Enumerates physical storage devices

Suspicious use of SetThreadContext

Accesses Microsoft Outlook profiles

Looks up external IP address via web service

Checks computer location settings

Reads data files stored by FTP clients

Reads user/profile data of local email clients

Reads user/profile data of web browsers

Snake Keylogger

Snake Keylogger payload

Malware Config

C2 Extraction:

https://api.telegram.org/bot5875198898:AAHb7cYwGrkdJdBq0_UiL6kYLg7WcXhadcM/sendMessage?chat_id=5279616630

Unpacked files

SH256 hash:

178cc7474b323b0ae6b3095ff67127726530d9d44be5cb58ba7315ef3a1199ad

MD5 hash:

159af9cf7f94d64c8120c80268965306

SHA1 hash:

fb41ab37af2c83e96d97e9cd066f90e72d4887ea

Link:

https://www.unpac.me/results/6bd704bc-240d-47f8-9ba1-bfd0e42677ea/

SH256 hash:

54d781f0dee6692c47390edf1ada295fb17a7e80ed5ccd58ab14c6ddf80a0ad8

MD5 hash:

4f6caebd865502f7c8046fbae3284c61

SHA1 hash:

be357e832bf6f61454875b37a1759cf1c5fa5ca4

Link:

https://www.unpac.me/results/6bd704bc-240d-47f8-9ba1-bfd0e42677ea/

SH256 hash:

e14bae511555b562634d7a914df52dce93489279d67693ca13144ce6f3239d2a

MD5 hash:

9a1eaf4ed2216af182cb81454cf2dc72

SHA1 hash:

b1afe759badeaa2097ef5a62192195e8f64dc4f6

Link:

https://www.unpac.me/results/6bd704bc-240d-47f8-9ba1-bfd0e42677ea/

SH256 hash:

a36469c0036f41248cf13fee0a8fe9cae5f4c10ff354e2823749509fbd00edd9

MD5 hash:

12a8f3f466433145558351bba8ac259a

SHA1 hash:

9dfa3e180dfdbd94fbfbeeabe76c2f7c5217d4fc

Link:

https://www.unpac.me/results/6bd704bc-240d-47f8-9ba1-bfd0e42677ea/

SH256 hash:

dd249b190ff631741c13b51065403ddf79af635576ae426dfebff5eb198aee15

MD5 hash:

cc0a2e631f077cae7123a7e2f9c57206

SHA1 hash:

572c45d55c9ba9bcd54c552a103191bfa1bd6af9

Detections:

snake_keylogger

Link:

https://www.unpac.me/results/6bd704bc-240d-47f8-9ba1-bfd0e42677ea/

Parent samples :

cb563ff3fa9247f01f5095a96366375afb516c64763e292ed2762ea54089eb67
2cfac063ce372f51cebf3b117fc562ac998573168d81c004f013216a73f5da3c
6c1442a74b18905daf82a0a9dd5039b4b74f91812e43af2601e71a7b4621b09e
bfa71d8dce5ab5e1891ccf16cb8f4d909560f0da154e4900be6663a4313c3f07
54e42c5494814f1b4af016fe7aa0818c17b264b489ef763343aa9134fc9130f9
07a1258c5ef18d86c00f843408aa21667c7817b8e7d1ead1a5411856d0d21ed7
f7626ca5799f9bb0842eb33d0c870ab943abed8eb6882dd11b4e741fa6453f25
1896efa72cff54069401ed803a33765d3f6ca525aba0be3c5d7f27c9f9e02269
f95f56dd2dd17221a9f386e642e1755b20aa49349574e6cbf2b386f13bbe1e76
8e3c95bcf195b498bdd53c1ad2adb5329718601ed0abac5fb45ecdc9c8855916

SH256 hash:

07a1258c5ef18d86c00f843408aa21667c7817b8e7d1ead1a5411856d0d21ed7

MD5 hash:

d2509f72c1b2febebdaa8058b52f43a9

SHA1 hash:

eb4db1db3a23102297fc38e96b3d8c29033c676e

Link:

https://www.unpac.me/results/6bd704bc-240d-47f8-9ba1-bfd0e42677ea/

Malware family:

SnakeKeylogger

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/07a1258c5ef1/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/07a1258c5ef18d86c00f843408aa21667c7817b8e7d1ead1a5411856d0d21ed7

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	INDICATOR_SUSPICIOUS_Binary_References_Browsers Create hunting rule
Author:	ditekSHen
Description:	Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers.

Rule name:	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook Create hunting rule
Author:	ditekSHen
Description:	Detects executables with potential process hoocking

Rule name:	INDICATOR_SUSPICIOUS_EXE_References_Messaging_Clients Create hunting rule
Author:	ditekSHen
Description:	Detects executables referencing many email and collaboration clients. Observed in information stealers

Rule name:	INDICATOR_SUSPICIOUS_EXE_TelegramChatBot Create hunting rule
Author:	ditekSHen
Description:	Detects executables using Telegram Chat Bot

Rule name:	MALWARE_Win_SnakeKeylogger Create hunting rule
Author:	ditekSHen
Description:	Detects Snake Keylogger

Rule name:	MAL_Envrial_Jan18_1 Create hunting rule
Author:	Florian Roth
Description:	Detects Encrial credential stealer malware
Reference:	https://twitter.com/malwrhunterteam/status/953313514629853184

Rule name:	MAL_Envrial_Jan18_1_RID2D8C Create hunting rule
Author:	Florian Roth
Description:	Detects Encrial credential stealer malware
Reference:	https://twitter.com/malwrhunterteam/status/953313514629853184

Rule name:	pe_imphash Create hunting rule

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

Rule name:	Windows_Trojan_SnakeKeylogger_af3faa65 Create hunting rule
Author:	Elastic Security

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

SnakeKeylogger

exe 07a1258c5ef18d86c00f843408aa21667c7817b8e7d1ead1a5411856d0d21ed7

(this sample)

Delivery method

Distributed via e-mail attachment

Cape

https://www.capesandbox.com/analysis/359036/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample