MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 0e29669b57713393df41674e76baa95d05515070f13eb65bfb83671c111050da. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


SnakeKeylogger


Vendor detections: 13


Intelligence 13 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 0e29669b57713393df41674e76baa95d05515070f13eb65bfb83671c111050da
SHA3-384 hash: c38a54076bcf3616665f8c7a14663917d443358fa4a51ad0f9bf1969139fd38de6d8ff2ea5b4b512b93b9ac8046211ed
SHA1 hash: 375baeae1bbd20df9e0ca671675d2963c68e4b83
MD5 hash: a048dfb723d59467c3e4c7578f63caa9
humanhash: helium-mobile-green-mexico
File name:NEW INQUIRY 20222405.exe
Download: download sample
Signature SnakeKeylogger
Create hunting rule
File size:603'648 bytes
First seen:2022-05-24 12:53:06 UTC
Last seen:2022-05-24 13:48:41 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 12288:m5Ck3AfxmWf13YGUVwBV4fkEe+dk48xiUIucalLKTvi:m5COAfxRf1YGJX4fkEe+a4IbIucwLKji
Threatray 1'110 similar samples on MalwareBazaar
TLSH T19FD4128033F98F47E8BD9FFC58916A4047B1E2656E91EB040EEAB0FE5D71B214186B47
TrID 72.5% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.4% (.EXE) Win64 Executable (generic) (10523/12/4)
6.5% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.4% (.EXE) Win32 Executable (generic) (4505/5/1)
2.0% (.EXE) OS/2 Executable (generic) (2029/13)
File icon (PE):PE icon
dhash icon d2961d3133038ee8 (24 x AgentTesla, 18 x FormBook, 8 x Loki)
Reporter abuse_ch
Tags:exe SnakeKeylogger

Intelligence

File Origin
# of uploads :
2
# of downloads :
282
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
NEW INQUIRY 20222405.exe
Verdict:
Malicious activity
Analysis date:
2022-05-25 03:03:11 UTC
Tags:
evasion trojan snake keylogger
Link:
https://app.any.run/tasks/17875679-4729-4bea-9802-fe87bf911237

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Snake
Create hunting rule
Link:
https://www.capesandbox.com/analysis/274091/
Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Creating a window
Enabling the 'hidden' option for analyzed file
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
obfuscated packed replace.exe
Link:
https://www.filescan.io/uploads/628cd574054dcf0ecae7abf1/reports/d676982d-1790-4e4a-bc97-c949c1b58db6/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Snake Keylogger
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/d3a8398e-424b-4a87-8a06-b0789959ebea
Result
Threat name:
Snake Keylogger
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1000641
Signature
.NET source code contains potential unpacker
.NET source code references suspicious native API functions
Found malware configuration
Injects a PE file into a foreign processes
Malicious sample detected (through community Yara rule)
May check the online IP address of the machine
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Mail credentials (via file / registry access)
Yara detected AntiVM3
Yara detected Generic Downloader
Yara detected Snake Keylogger
Yara detected Telegram RAT
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/0e29669b57713393df41674e76baa95d05515070f13eb65bfb83671c111050da/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2022-05-24 03:03:17 UTC
File Type:
PE (.Net Exe)
Extracted files:
20
AV detection:
19 of 26 (73.08%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=byuwng2xoezzhx2bm5hhnovjlucvcudq6e7lmw73qntryeiqkdna._file
Verdict:
malicious
Similar samples:
4136cbd135de0a67aecbb84e9eb39357299777d4eaca08ce9055233f62ec6996
SnakeKeylogger
49144b7e90a73187512a8847add84f34826dd5bfa6113fe0dd013c4a2db51dcd
SnakeKeylogger
4fe060579e231bdeaaa2093bb47c0049b1665a221b3ba953eeefbd36e36c51bb
SnakeKeylogger
5bf9f321e795da8caa68cef487b457a673fc98aca56cbbcf70fdf7f180d32ec9
SnakeKeylogger
71881316918836c22fd8dd6f6e7d8759cd49943ec5f467f6be628f223b37d122
SnakeKeylogger
a0024c792833532f6d5f0e391971e41c7efb27d30c062478ccca706b9eb4ffa4
SnakeKeylogger
b3587ff41c4ab5cfd37aa464d4f32ec71e86860b9089da3ea4df459a3d44b446
SnakeKeylogger
f77eec40f010868f37b6aa50bee3bd651dba380d888fcc36339945357dad2620
SnakeKeylogger
fb6c380b910cba16a60426c3671d3b19e5a90fa1061769178edc7a0821c8224f
SnakeKeylogger
+ 1'100 additional samples on MalwareBazaar
Result
Malware family:
snakekeylogger
Create hunting rule
Score:
  10/10
Tags:
family:snakekeylogger collection keylogger spyware stealer
Link:
https://tria.ge/reports/220524-p47j7sbbd9/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Looks up external IP address via web service
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Snake Keylogger
Snake Keylogger Payload
Unpacked files
SH256 hash:
e8b5a24d5eb9fe062fc883ad0cc96b89ecbd0784e600a18d69595b08de405777
MD5 hash:
c74df7927f3d1e801e00e5109f545c49
SHA1 hash:
cefd0f54ea6f82ebb5302a85847412799017853c
Link:
https://www.unpac.me/results/df2da51a-8e96-4fd3-9fc4-9b03ff0f8ce6/
SH256 hash:
4f32ada6189517f0d3c13db55ae0ac819cdd00ed129400bd92d57dd4b1c9135b
MD5 hash:
31bf29f7540f6539bf87def18f37ca91
SHA1 hash:
609dd26856029fec93e8c5f4bbb3b17575dd45cb
Link:
https://www.unpac.me/results/df2da51a-8e96-4fd3-9fc4-9b03ff0f8ce6/
SH256 hash:
8a4d506c4e49e6a6a8ce8cb0e44961d804abdbec272857f6959f4065d587df6f
MD5 hash:
38fcb77aa5e36ab11277ecd94aeb12ba
SHA1 hash:
1de93082ad78407367db434abb954bd0e872667e
Link:
https://www.unpac.me/results/df2da51a-8e96-4fd3-9fc4-9b03ff0f8ce6/
SH256 hash:
72c91fdad59e06742ab11408962929f766b4fbe34e6b4e730dfb02707c08a430
MD5 hash:
06b823e64681bae033de886e22f0c8b6
SHA1 hash:
0791fc63e09cf5b5e77ebebf46271b7e66a39c7c
Link:
https://www.unpac.me/results/df2da51a-8e96-4fd3-9fc4-9b03ff0f8ce6/
SH256 hash:
0e29669b57713393df41674e76baa95d05515070f13eb65bfb83671c111050da
MD5 hash:
a048dfb723d59467c3e4c7578f63caa9
SHA1 hash:
375baeae1bbd20df9e0ca671675d2963c68e4b83
Link:
https://www.unpac.me/results/df2da51a-8e96-4fd3-9fc4-9b03ff0f8ce6/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.65
Link:
https://yomi.yoroi.company/submissions/0e29669b57713393df41674e76baa95d05515070f13eb65bfb83671c111050da

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/274091/

Comments