MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 08e55223b0a8da57702711d7441d1bfda8517ec87aedecb0bc270da6f24ae5d9. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

SnakeKeylogger

Vendor detections: 12

Intelligence 12 IOCs YARA 11 File information Comments

SHA256 hash:	08e55223b0a8da57702711d7441d1bfda8517ec87aedecb0bc270da6f24ae5d9
SHA3-384 hash:	505783c5f6c594b32ec31ec91711321411384beec6253a790f2626ed42eacb15d71d40959ff9b942aaa1137ead1dd889
SHA1 hash:	1bbd5db361d9585e72f723479b991b04e714d870
MD5 hash:	08ce041697745a1b29727b09555918d1
humanhash:	arkansas-cup-mars-purple
File name:	B22T3HrDXsC7ZZE.exe
Download:	download sample
Signature	SnakeKeylogger Create hunting rule
File size:	498'688 bytes
First seen:	2021-10-05 12:29:22 UTC
Last seen:	2021-10-05 13:36:21 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'740 x AgentTesla, 19'602 x Formbook, 12'241 x SnakeKeylogger)
ssdeep	12288:yqIof1TdNZnoHEDEhAGprOESOZy9NDN8w:lIopkHEDEhfprOEhZip8w
Threatray	1'214 similar samples on MalwareBazaar
TLSH	T19FB4E03DC7630615CE7887F23828D2B047F9AC5892CAE7BC5EC4ACEB39637B5955440A
File icon (PE):
dhash icon	1806bc6de8f96990 (4 x Formbook, 3 x AgentTesla, 2 x SnakeKeylogger)
Reporter	abuse_ch
Tags:	exe SnakeKeylogger

Intelligence

File Origin

# of uploads :

# of downloads :

147

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

B22T3HrDXsC7ZZE.exe

Verdict:

Malicious activity

Analysis date:

2021-10-05 12:35:07 UTC

Tags:

evasion trojan snakekeylogger keylogger

Link:

https://app.any.run/tasks/00c7e883-54ec-474c-85bd-c9f1649e720f

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/195024/

Detection(s):

SecuriteInfo.com.Trojan.PackedNET.935-1.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

Launching a process

Creating a file in the %temp% directory

Delayed writing of the file

Verdict:

Suspicious

Threat level:

5/10

Confidence:

100%

Tags:

obfuscated packed

Link:

https://www.filescan.io/uploads/615c455998a6280f39325646/reports/4986977b-5a7d-4a07-98ba-4b7cfac16bd7/overview

Malware family:

Snake Keylogger

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/603b531b-9f52-4379-93bd-3a02bbed528e

Result

Threat name:

Snake Keylogger

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/864764

Signature

Found malware configuration

Injects a PE file into a foreign processes

Malicious sample detected (through community Yara rule)

May check the online IP address of the machine

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to steal Mail credentials (via file access)

Uses schtasks.exe or at.exe to add and modify task schedules

Yara detected AntiVM3

Yara detected Snake Keylogger

Yara detected Telegram RAT

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/08e55223b0a8da57702711d7441d1bfda8517ec87aedecb0bc270da6f24ae5d9/

Threat name:

ByteCode-MSIL.Trojan.AgentTesla

Status:

Malicious

First seen:

2021-10-05 01:52:34 UTC

AV detection:

16 of 27 (59.26%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=bdsvei5qvdnfo4bhchluihi37wufc7wiplw6zmf4e4g2n4sk4xmq._file

Verdict:

malicious

SnakeKeylogger

1901d32089e7426f08d27545c0666f0d08c52487cbda7c4dbe644578e79ce9dc

SnakeKeylogger

2331603d506c3775f2faf8fda993a1bba066632b92a5d0fbfb0ed20c680888d6

SnakeKeylogger

5c76aef388b4a8cdd706e882c0e441389c8730c36d17450d80e566d81095cac0

SnakeKeylogger

75b6cd16095479799e88f8b51cf417d8334a9745f6a7aa463750fec760bf2106

SnakeKeylogger

879c48b2c49f21c55026b8d1068328b3d1e5cc9c65e7a5aaa84563ba73ac4cad

SnakeKeylogger

b0cc2b05abaf593a784bb9d83cd0a61bf5b218605f61dba802df21c8ea54c7c6

SnakeKeylogger

dc5458e66a8c76f55a5f490f5c9d12ea6e92a67c6ed74dbe40ca066a149d1659

SnakeKeylogger

e86dd6f8d70cbc4581e91e9728fd91ec5b760347ea9abe5a0b51dec8ca373cbc

SnakeKeylogger

+ 1'204 additional samples on MalwareBazaar

Result

Malware family:

snakekeylogger

Score:

10/10

Tags:

family:snakekeylogger keylogger spyware stealer

Link:

https://tria.ge/reports/211005-pphyasaafp/

Behaviour

Creates scheduled task(s)

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Enumerates physical storage devices

Suspicious use of SetThreadContext

Looks up external IP address via web service

Reads data files stored by FTP clients

Reads user/profile data of local email clients

Reads user/profile data of web browsers

Snake Keylogger

Unpacked files

SH256 hash:

f5d8efc13ac7547373fb271d347b295abc9a6b6d5c68fb001c3240be1c556574

MD5 hash:

e9b11e6624d97520aa26ee60ab844068

SHA1 hash:

967c1f73183b3a258f78945db9623a7384085f0c

Link:

https://www.unpac.me/results/e4dd918d-3047-47f7-80cf-d383d4214a18/

SH256 hash:

fe8637d821a39a8b74abce7e043007d38cb9c5cfcb7098af9846cfd98185ac03

MD5 hash:

c380b6831f456ac5cac08c78c0e4dada

SHA1 hash:

3e241a0b9d96c1dfbadd7ee1a8c5ee6d74eba11c

Link:

https://www.unpac.me/results/e4dd918d-3047-47f7-80cf-d383d4214a18/

SH256 hash:

62cc6faadf4636bf7f545db00fdfb3f034d84c8abb9f794693d335d026109242

MD5 hash:

fe060e22e4c939b61965ea0680d00c83

SHA1 hash:

184ec8414ec9df093ddba0b25e38958fb986db59

Link:

https://www.unpac.me/results/e4dd918d-3047-47f7-80cf-d383d4214a18/

SH256 hash:

08e55223b0a8da57702711d7441d1bfda8517ec87aedecb0bc270da6f24ae5d9

MD5 hash:

08ce041697745a1b29727b09555918d1

SHA1 hash:

1bbd5db361d9585e72f723479b991b04e714d870

Link:

https://www.unpac.me/results/e4dd918d-3047-47f7-80cf-d383d4214a18/

Malware family:

Phoenix

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/08e55223b0a8/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/08e55223b0a8da57702711d7441d1bfda8517ec87aedecb0bc270da6f24ae5d9

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	INDICATOR_SUSPICIOUS_Binary_References_Browsers Create hunting rule
Author:	ditekSHen
Description:	Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers.

Rule name:	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook Create hunting rule
Author:	ditekSHen
Description:	Detects executables with potential process hoocking

Rule name:	INDICATOR_SUSPICIOUS_EXE_Referenfces_Messaging_Clients Create hunting rule
Author:	ditekSHen
Description:	Detects executables referencing many email and collaboration clients. Observed in information stealers

Rule name:	INDICATOR_SUSPICIOUS_EXE_TelegramChatBot Create hunting rule
Author:	ditekSHen
Description:	Detects executables using Telegram Chat Bot

Rule name:	MALWARE_Win_SnakeKeylogger Create hunting rule
Author:	ditekSHen
Description:	Detects Snake Keylogger

Rule name:	MAL_Envrial_Jan18_1 Create hunting rule
Author:	Florian Roth
Description:	Detects Encrial credential stealer malware
Reference:	https://twitter.com/malwrhunterteam/status/953313514629853184

Rule name:	MAL_Envrial_Jan18_1_RID2D8C Create hunting rule
Author:	Florian Roth
Description:	Detects Encrial credential stealer malware
Reference:	https://twitter.com/malwrhunterteam/status/953313514629853184

Rule name:	pe_imphash Create hunting rule

Rule name:	pe_imphash Create hunting rule

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

Rule name:	Telegram_Exfiltration_Via_Api Create hunting rule
Author:	lsepaolo

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/195024/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample