MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 0ea47499aa08a0ed53a42fd19259cb677b4f87446f7fa7609b650f18d327de72. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


SnakeKeylogger


Vendor detections: 11


Intelligence 11 IOCs YARA 8 File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 0ea47499aa08a0ed53a42fd19259cb677b4f87446f7fa7609b650f18d327de72
SHA3-384 hash: 082146ac2210f35f0245f2e22ba1307c3428be770146cdb73b6f79eb76104830b2f49fd524332efea6e0eda76f83ff0d
SHA1 hash: 3966263baa4e4e511fe383910555ef5ceaa40914
MD5 hash: 660e3fcc23c3a833e6e8af22b13ebd81
humanhash: oscar-jupiter-cardinal-pluto
File name:660e3fcc23c3a833e6e8af22b13ebd81
Download: download sample
Signature SnakeKeylogger
Create hunting rule
File size:176'128 bytes
First seen:2023-02-01 04:11:02 UTC
Last seen:2023-02-01 06:35:47 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'744 x AgentTesla, 19'614 x Formbook, 12'242 x SnakeKeylogger)
ssdeep 3072:P44CG54MEA4qmNCNqiSnVm6BY1T2gg/HvV0qZ1+ipTraV8u1VcGLT9XM:Aveu/TMsiaeA/H/P+Ck
Threatray 9'013 similar samples on MalwareBazaar
TLSH T17D04BEC563DCDF19D1A9457E80B226B7D329CD2D5F47E32E209031BD9E2238E8612E27
TrID 71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.2% (.EXE) Win64 Executable (generic) (10523/12/4)
6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.3% (.EXE) Win32 Executable (generic) (4505/5/1)
2.0% (.ICL) Windows Icons Library (generic) (2059/9)
File icon (PE):PE icon
dhash icon e0962b292933b2e8 (4 x RedLineStealer, 2 x AgentTesla, 2 x RecordBreaker)
Reporter zbetcheckin
Tags:32 exe SnakeKeylogger

Intelligence

File Origin
# of uploads :
2
# of downloads :
196
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
660e3fcc23c3a833e6e8af22b13ebd81
Verdict:
Malicious activity
Analysis date:
2023-02-01 04:12:33 UTC
Tags:
evasion trojan snake keylogger
Link:
https://app.any.run/tasks/8b704d9e-a6ff-49c6-a14a-449f5ba64bb0

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/358838/
Detection(s):
SecuriteInfo.com.Trojan.GenericKD.65251845.29097.7289.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Launching a process
Creating a file
Reading critical registry keys
Creating a window
Unauthorized injection to a system process
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
anti-vm obfuscated packed
Link:
https://www.filescan.io/uploads/63d9e65c1c9cbf7d625509b4/reports/60613d0b-97fe-47d2-a0a5-218ed0423661/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Generic Malware
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/440a4734-2151-4650-a867-e93cda221063
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1162874
Signature
.NET source code references suspicious native API functions
Allocates memory in foreign processes
Injects a PE file into a foreign processes
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Mail credentials (via file / registry access)
Writes to foreign memory regions
Yara detected AgentTesla
Yara detected Generic Downloader
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/0ea47499aa08a0ed53a42fd19259cb677b4f87446f7fa7609b650f18d327de72/
Threat name:
Win32.Trojan.SnakeStealer
Create hunting rule
Status:
Malicious
First seen:
2023-01-30 18:52:00 UTC
File Type:
PE (.Net Exe)
Extracted files:
10
AV detection:
18 of 39 (46.15%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=b2shjgnkbcqo2u5ef7izewolm55u7b2en572oye3muhrruzh3zza._file
Verdict:
malicious
Similar samples:
03381e78e8dfffea1168eda8f21c09a499efba59bdccec61388345b01040706b
SnakeKeylogger
1d2f2d684eb25205c07a58d9268d0c69a6c506f9eb14e1473a39306aff9f5a1a
SnakeKeylogger
38d4917ca5acd022a5d0ac06a01bae2b9bdd7f7dcdf6c38e02f6d574c08ebe18
SnakeKeylogger
857a42515928a58c55da34ff697bc0b19f4dc5f64791490bfd64edcc020ea23e
SnakeKeylogger
8dadd5b92192e3d2c6496f82eaac50967f738738b40ff9214c6d7d9fda8d9228
SnakeKeylogger
a30ca77ad86272e9b5f83aaa8a0f62baa2234fb29f63da58b580423cd00655c9
SnakeKeylogger
+ 9'003 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  7/10
Tags:
collection spyware stealer
Link:
https://tria.ge/reports/230201-erznqabg64/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Unpacked files
SH256 hash:
bac403b77a2f6a9eceeb3e2b284737a97dbe89e54849ad307a97b4c550a28047
MD5 hash:
e124dccca54cebef5d6b70695cf5254d
SHA1 hash:
ed5d519fd824fcaa1e6716888b173d4d2b186fbd
Link:
https://www.unpac.me/results/e8b18ed1-ce63-4fc5-b55c-2262697454b7/
SH256 hash:
0ea47499aa08a0ed53a42fd19259cb677b4f87446f7fa7609b650f18d327de72
MD5 hash:
660e3fcc23c3a833e6e8af22b13ebd81
SHA1 hash:
3966263baa4e4e511fe383910555ef5ceaa40914
Link:
https://www.unpac.me/results/e8b18ed1-ce63-4fc5-b55c-2262697454b7/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/0ea47499aa08/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
iSpy Keylogger
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/0ea47499aa08a0ed53a42fd19259cb677b4f87446f7fa7609b650f18d327de72

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_EXE_Packed_SmartAssembly
Create hunting rule
Author:ditekSHen
Description:Detects executables packed with SmartAssembly
Rule name:INDICATOR_SUSPICIOUS_Binary_References_Browsers
Create hunting rule
Author:ditekSHen
Description:Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers.
Rule name:INDICATOR_SUSPICIOUS_EXE_DotNetProcHook
Create hunting rule
Author:ditekSHen
Description:Detects executables with potential process hoocking
Rule name:INDICATOR_SUSPICIOUS_EXE_TelegramChatBot
Create hunting rule
Author:ditekSHen
Description:Detects executables using Telegram Chat Bot
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash
Rule name:Windows_Trojan_SnakeKeylogger_af3faa65
Create hunting rule
Author:Elastic Security

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

SnakeKeylogger

Executable exe 0ea47499aa08a0ed53a42fd19259cb677b4f87446f7fa7609b650f18d327de72

(this sample)

  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/2524751/
Cape
Cape
https://www.capesandbox.com/analysis/358838/

Comments


Avatar
zbet commented on 2023-02-01 04:11:31 UTC

url : hxxp://23.146.242.108/44/vbc.exe