MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 0e803cb90548d53886ab681f62ac7bcd45f9e33c3d2d9f6afce921a680916c67. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

SnakeKeylogger

Vendor detections: 13

Intelligence 13 IOCs YARA 2 File information Comments

SHA256 hash:	0e803cb90548d53886ab681f62ac7bcd45f9e33c3d2d9f6afce921a680916c67
SHA3-384 hash:	672bb595823bb1474b0ad30322a9f00dd20623b42be673eb84b53073ca26510f8949fd71e1376865a7b753de2c27f7db
SHA1 hash:	60bc4126a255843f27e78c21aaa335c86575fd7b
MD5 hash:	91a0567ba2a550ef7542889d781c5b49
humanhash:	papa-carpet-massachusetts-mexico
File name:	Offer 203894Q03849.exe
Download:	download sample
Signature	SnakeKeylogger Create hunting rule
File size:	815'104 bytes
First seen:	2023-01-03 16:31:34 UTC
Last seen:	2023-01-03 18:30:00 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'740 x AgentTesla, 19'600 x Formbook, 12'241 x SnakeKeylogger)
ssdeep	12288:fzXVzrdRQ3c6nL9O5EdtkGTRFVQvdX+RVQwUTiLdw/6WHvYM16ffrifPqPt:ZzQ3DtZFMdqVTUTyvWX1Qf+c
Threatray	7'020 similar samples on MalwareBazaar
TLSH	T1E305F14F27D4F221FAF427B49B1069940B732742A9F2E94C9C922CEF38217D46E5925F
TrID	63.0% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13) 11.2% (.SCR) Windows screen saver (13097/50/3) 9.0% (.EXE) Win64 Executable (generic) (10523/12/4) 5.6% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 3.8% (.EXE) Win32 Executable (generic) (4505/5/1)
Reporter	abuse_ch
Tags:	exe SnakeKeylogger

Intelligence

File Origin

# of uploads :

# of downloads :

197

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

Offer 203894Q03849.exe

Verdict:

Malicious activity

Analysis date:

2023-01-03 16:32:28 UTC

Tags:

evasion trojan

Link:

https://app.any.run/tasks/b4e75204-5332-4126-b160-216293c2747d

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection(s):

SecuriteInfo.com.Win32.PWSX-gen.19962.16413.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Searching for the window

Creating a window

Sending a custom TCP request

Сreating synchronization primitives

Launching a process

Creating a process with a hidden window

Creating a file in the %AppData% directory

Enabling the 'hidden' option for recently created files

Adding an access-denied ACE

Creating a process from a recently created file

Verdict:

No Threat

Threat level:

2/10

Confidence:

100%

Tags:

packed

Link:

https://www.filescan.io/uploads/63b4588483a5ae8cb4a7b199/reports/c0d3797b-7969-4c94-bfde-088a75ce51c0/overview

Result

Verdict:

UNKNOWN

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Generic Malware

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/3b7fa1ad-b6e8-402d-b3e5-055889da648b

Result

Threat name:

Snake Keylogger

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1144662

Signature

.NET source code contains potential unpacker

.NET source code references suspicious native API functions

Adds a directory exclusion to Windows Defender

Injects a PE file into a foreign processes

Malicious sample detected (through community Yara rule)

May check the online IP address of the machine

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Sigma detected: Scheduled temp file as task from temp location

Snort IDS alert for network traffic

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to steal Mail credentials (via file / registry access)

Uses schtasks.exe or at.exe to add and modify task schedules

Yara detected AntiVM3

Yara detected Generic Downloader

Yara detected Snake Keylogger

Yara detected Telegram RAT

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/0e803cb90548d53886ab681f62ac7bcd45f9e33c3d2d9f6afce921a680916c67/

Threat name:

Win32.Trojan.AgentTesla

Status:

Malicious

First seen:

2023-01-03 10:21:31 UTC

File Type:

PE (.Net Exe)

Extracted files:

AV detection:

17 of 26 (65.38%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=b2adzoifjdktrbvlnapwfld3zvc7tyz4huwz62x45eq2naernrtq._file

Verdict:

malicious

SnakeKeylogger

5ea5baa76e56e7f96fc470ff3b0a6d9b3ba0d0460b2228ab334e0048de21fe90

SnakeKeylogger

86bbdfb30d760c948d6493941fc293ac073da4e622e3385575621a5823159b64

SnakeKeylogger

8f6910c2c42d4d5aef3cd7ffa5bb4a70e15c2b32e35d465be19a68ffd872b60b

SnakeKeylogger

a5c5fff9f5fb5557c0be28962dd29a09b3691eeab05cb2970718d877b2559b97

SnakeKeylogger

b1a095ae8f5562162a591f8871ba8aecc46d43e875a19f2cd56d7b9c03b56cb2

SnakeKeylogger

b675693b9b4cb58c64df75a0968f1ac36c8d5489d3c9ef49a3d5442f2e1f34ce

SnakeKeylogger

db90ad061799c2b7003b488f10fc08c278775012c58aba4bbf25edd90908e211

SnakeKeylogger

f51ac312a42b7ea58a385ce561b36ecb9cc5ccc5bbdc9bbf5aaadf7576b2c159

SnakeKeylogger

+ 7'010 additional samples on MalwareBazaar

Result

Malware family:

snakekeylogger

Score:

10/10

Tags:

family:snakekeylogger collection keylogger spyware stealer

Link:

https://tria.ge/reports/230103-t1yv4sca57/

Behaviour

Creates scheduled task(s)

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

outlook_office_path

outlook_win_path

Enumerates physical storage devices

Program crash

Suspicious use of SetThreadContext

Accesses Microsoft Outlook profiles

Looks up external IP address via web service

Checks computer location settings

Reads data files stored by FTP clients

Reads user/profile data of local email clients

Reads user/profile data of web browsers

Snake Keylogger

Snake Keylogger payload

Malware Config

C2 Extraction:

https://api.telegram.org/bot5814180506:AAFpVfxl9CBszzsUeg8FTylBwiTKUc4g3lA/sendMessage?chat_id=5056270248

Unpacked files

SH256 hash:

8a6efa41d0ec15c4dffa9364fc8617c39383def886ae8e16c8b0f3cf1a5a2124

MD5 hash:

5543adca852a1a7deb90a3dc1d63308d

SHA1 hash:

d84c327bccca0c2089297b229333499b13d7a29b

Detections:

snake_keylogger

Link:

https://www.unpac.me/results/055cbb98-0f9d-4c37-988f-7355473590b8/

Parent samples :

59903dbe12d0e5cd2961b4ff5bd3301d7467fdb4c95ef23036bf0b1e7c42f8be
86bbdfb30d760c948d6493941fc293ac073da4e622e3385575621a5823159b64
0e803cb90548d53886ab681f62ac7bcd45f9e33c3d2d9f6afce921a680916c67
16c70890f10e57d8fc644114f168b302a49bca04865b7af24f8e10f81d0e0e1e
412345db793d224f02d6529cde113d57fbc0673cfb1be4a40cc75342d6607cae
53ea6b76054fdccbe2b129aa71ffadfd5a24bc8dcea34b05e5a7aadf39966a41
916677af442bb08e425f3e31f614e2afca12ca7d2ab51976b409bd97013b0714
e3ff193a4d796ef753bc68ac96f45f6acdc728bf43080c6c2d2e0e32c99366ac
b3becceee731f92a558739ae11d931f571ab038a09b09661f0519eb5256e6303
56f63b02b2937f3a3cddae702465c1fb1f8f926a09a7ec6fe00a43ce447cb24b
b6ba9b1f0724dee6813ee67780cc5a130e5565d616b6acf53a7ef417ab580dfc
2c0040dfc6eef6371e00934559c481012e35a651d9d1e816f103b98a7af05749
c0abc071c31039697cb8f13d2769118e4068e78ad5d40fcc900462f709ab62ac
cc446f15fd527dd3d3dec1013dca6e1083d81c7499a0288a0ac71ad6832b4cd3
40c0aeecd4e2a74e596321dc0ad63cd62ce9e3c0cc1a2d095844e20bef5fec40
2cee131ab571c6866a10be794fb02583f30c577d93ee9742845331294923c1e7

SH256 hash:

c540ee591b86046d35bd8c6d10081c0a11ca9292c1665b772ea48a0b54ce200e

MD5 hash:

640dae8ea290a5b59948adf98a5a48ac

SHA1 hash:

6fc6c71f5820a59d87306d05076030ca8109380f

Link:

https://www.unpac.me/results/055cbb98-0f9d-4c37-988f-7355473590b8/

SH256 hash:

35b77d2f85552a16beded8417c02bc2d0438f55f767ff484cbc5073942e9b69b

MD5 hash:

851f4902d8c85b1eebb3a072b0621736

SHA1 hash:

26fe4051b81d3da25cd4a3a21efa47c401ea7d22

Link:

https://www.unpac.me/results/055cbb98-0f9d-4c37-988f-7355473590b8/

SH256 hash:

7b62b2ec5ec1f664b91669e62f8064b43c20a094dc86a45c5422fd991a4f8c9c

MD5 hash:

a9e50fd82223064b0ed99b89dbf604b2

SHA1 hash:

261b9b900fb235c34cfb8f15fddffd905401251e

Link:

https://www.unpac.me/results/055cbb98-0f9d-4c37-988f-7355473590b8/

SH256 hash:

ff1b42ea7d56a37eae801adbddb7116f52a4664c0b41302736f522852edc2747

MD5 hash:

89ac57478044c57c7195943116a521e0

SHA1 hash:

1ff2bafeed795423e3538d810bda8e1e3fcdcfa5

Link:

https://www.unpac.me/results/055cbb98-0f9d-4c37-988f-7355473590b8/

SH256 hash:

0e803cb90548d53886ab681f62ac7bcd45f9e33c3d2d9f6afce921a680916c67

MD5 hash:

91a0567ba2a550ef7542889d781c5b49

SHA1 hash:

60bc4126a255843f27e78c21aaa335c86575fd7b

Link:

https://www.unpac.me/results/055cbb98-0f9d-4c37-988f-7355473590b8/

Malware family:

SnakeKeylogger

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/0e803cb90548/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

0.90

Link:

https://yomi.yoroi.company/submissions/0e803cb90548d53886ab681f62ac7bcd45f9e33c3d2d9f6afce921a680916c67

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	pe_imphash Create hunting rule

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

No further information available

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample