MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 0ab9a4a743b66d515dc9b83579a2a1a00252bc5acf727c46279fc0f09e2b2ca1. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

SnakeKeylogger

Vendor detections: 12

Intelligence 12 IOCs YARA 10 File information Comments

SHA256 hash:	0ab9a4a743b66d515dc9b83579a2a1a00252bc5acf727c46279fc0f09e2b2ca1
SHA3-384 hash:	84e30682edb8a28032c7da45bebf564dbee8a6c2da37a268d92d2b42a4abb4075f304ab1515b81d5f42ee543f88473dd
SHA1 hash:	a71c63df5dfe5f13c9b62e594734b1440ba648e4
MD5 hash:	742a0dc73cf933445b47d94874517d45
humanhash:	lima-seventeen-delaware-pizza
File name:	Local Order.exe
Download:	download sample
Signature	SnakeKeylogger Create hunting rule
File size:	996'864 bytes
First seen:	2022-11-18 22:32:28 UTC
Last seen:	2022-11-19 00:51:23 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'740 x AgentTesla, 19'600 x Formbook, 12'241 x SnakeKeylogger)
ssdeep	24576:4Pbb2eavj2Qep3SV501OElgbiEu9Xy6V8UWTk0xTxl8BP:4zb2eQ2Qep3Ss1blLb9Xy6V8USkUTx6P
Threatray	12'634 similar samples on MalwareBazaar
TLSH	T1252523B55A986562DEAD2CB4157D2C0192732F6B3E1DF184AF1EF9A201B37C188F1E43
TrID	61.5% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13) 11.0% (.SCR) Windows screen saver (13097/50/3) 8.8% (.EXE) Win64 Executable (generic) (10523/12/4) 5.5% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 4.2% (.EXE) Win16 NE executable (generic) (5038/12/1)
File icon (PE):
dhash icon	880f434949430f88 (1 x SnakeKeylogger)
Reporter	abuse_ch
Tags:	exe SnakeKeylogger

Intelligence

File Origin

# of uploads :

# of downloads :

240

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

Local Order.exe

Verdict:

Malicious activity

Analysis date:

2022-11-18 22:33:07 UTC

Tags:

n/a

Link:

https://app.any.run/tasks/3d7e9940-7c67-4c28-92c3-d63965a1cdea

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/335870/

Detection(s):

SecuriteInfo.com.Trojan.DownLoader45.32324.5109.4752.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Searching for the window

Unauthorized injection to a recently created process

Creating a file

Сreating synchronization primitives

DNS request

Sending an HTTP GET request

Reading critical registry keys

Creating a window

Verdict:

Suspicious

Threat level:

5/10

Confidence:

100%

Tags:

cmd.exe packed

Link:

https://www.filescan.io/uploads/637808206fda73cab64e6b53/reports/a6726d73-862b-4475-bc7a-020e1c103253/overview

Result

Verdict:

UNKNOWN

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Snake Keylogger

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/6411ac8b-1fc1-4c16-bb9d-9b5ca6e7800e

Result

Threat name:

Snake Keylogger

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1116821

Signature

.NET source code contains potential unpacker

.NET source code references suspicious native API functions

Initial sample is a PE file and has a suspicious name

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

May check the online IP address of the machine

Snort IDS alert for network traffic

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to steal Mail credentials (via file / registry access)

Yara detected Generic Downloader

Yara detected Snake Keylogger

Yara detected Telegram RAT

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/0ab9a4a743b66d515dc9b83579a2a1a00252bc5acf727c46279fc0f09e2b2ca1/

Threat name:

ByteCode-MSIL.Trojan.AgentTesla

Status:

Malicious

First seen:

2022-11-18 22:33:13 UTC

File Type:

PE (.Net Exe)

Extracted files:

AV detection:

19 of 26 (73.08%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=bk42jj2dwzwvcxojxa2xtivbuabffpc2z5zhyrrht7apbhrlfsqq._file

Verdict:

malicious

SnakeKeylogger

2f6e6357881973427aa992355125e2a7be58586613136a7fa4a84a49dd28dc93

SnakeKeylogger

3bd6eaf7910876056f5f594c6b15fd7a8b75c6eef0c0a76690ed49e72ea97366

SnakeKeylogger

3d239896c2fec074b4bc1867a197eb04511e376ee3175a8bd8edb307b7e886c0

SnakeKeylogger

44ef6929139229baffe966a8f2facca112903f143106b56b6afae3e0ae94276b

SnakeKeylogger

4a2077c64b24049a2dfcfb0d2788d4160f1b21bdea9fa588ac69ed8fcd1ecd6e

SnakeKeylogger

92bc2e1ae372c340fdc2e37a2224135e6e1f416e544f5a3e1462bb884eb7db21

SnakeKeylogger

c498b83c2623ae4b95259430d63e9ef264941ffa0bfb7a7005f3db8244a69707

SnakeKeylogger

cc83749270a1efd6c7ebeb1e3c077a426ec98f3b25e14e268dc18b17409abba9

SnakeKeylogger

cd004920d1ca92cbfa11e014394a37dac188f65a0c6baf476601d462999126fa

SnakeKeylogger

+ 12'624 additional samples on MalwareBazaar

Result

Malware family:

snakekeylogger

Score:

10/10

Tags:

family:snakekeylogger collection keylogger spyware stealer

Link:

https://tria.ge/reports/221118-2ghc1sbb65/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

outlook_office_path

outlook_win_path

Suspicious use of SetThreadContext

Accesses Microsoft Outlook profiles

Looks up external IP address via web service

Reads data files stored by FTP clients

Reads user/profile data of local email clients

Reads user/profile data of web browsers

Snake Keylogger

Snake Keylogger payload

Verdict:

Suspicious

Tags:

n/a

YARA:

n/a

Link:

https://app.threat.zone/submission/992926de-7684-463b-a866-9c0b8ec4516d

Unpacked files

SH256 hash:

97024f17003dd3d31dab64c4d1b8251e50d428644eb59ed3692ad79ce42019cf

MD5 hash:

8cd28be4bd9a1404c6d3600db32b3ed1

SHA1 hash:

fb90b0ca51118e771390d58b19d0a404ee14cfbc

Link:

https://www.unpac.me/results/f9a61fef-af4e-4ae9-a083-ea25bc269e33/

SH256 hash:

131d3acc0af3089a73055f5c74a8d56c2b1e1b8cd27e482d694cb953cf0f6def

MD5 hash:

3e8a661f111df8a995a5d30b2daa9b41

SHA1 hash:

75132903bbd17c00cbf33620ae7d414e5bbc6e78

Link:

https://www.unpac.me/results/f9a61fef-af4e-4ae9-a083-ea25bc269e33/

SH256 hash:

0ab9a4a743b66d515dc9b83579a2a1a00252bc5acf727c46279fc0f09e2b2ca1

MD5 hash:

742a0dc73cf933445b47d94874517d45

SHA1 hash:

a71c63df5dfe5f13c9b62e594734b1440ba648e4

Link:

https://www.unpac.me/results/f9a61fef-af4e-4ae9-a083-ea25bc269e33/

Malware family:

SnakeKeylogger

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/0ab9a4a743b6/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	INDICATOR_SUSPICIOUS_Binary_References_Browsers Create hunting rule
Author:	ditekSHen
Description:	Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers.

Rule name:	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook Create hunting rule
Author:	ditekSHen
Description:	Detects executables with potential process hoocking

Rule name:	INDICATOR_SUSPICIOUS_EXE_References_Messaging_Clients Create hunting rule
Author:	ditekSHen
Description:	Detects executables referencing many email and collaboration clients. Observed in information stealers

Rule name:	INDICATOR_SUSPICIOUS_EXE_TelegramChatBot Create hunting rule
Author:	ditekSHen
Description:	Detects executables using Telegram Chat Bot

Rule name:	MALWARE_Win_SnakeKeylogger Create hunting rule
Author:	ditekSHen
Description:	Detects Snake Keylogger

Rule name:	MAL_Envrial_Jan18_1 Create hunting rule
Author:	Florian Roth
Description:	Detects Encrial credential stealer malware
Reference:	https://twitter.com/malwrhunterteam/status/953313514629853184

Rule name:	MAL_Envrial_Jan18_1_RID2D8C Create hunting rule
Author:	Florian Roth
Description:	Detects Encrial credential stealer malware
Reference:	https://twitter.com/malwrhunterteam/status/953313514629853184

Rule name:	pe_imphash Create hunting rule

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

Rule name:	Windows_Trojan_SnakeKeylogger_af3faa65 Create hunting rule
Author:	Elastic Security

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/335870/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample