MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 108fe65a7d577684e24b5cfc1f31a99fdc2582077047a9ae7ee7edc9915125c8. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


SnakeKeylogger


Vendor detections: 9


Intelligence 9 IOCs YARA 9 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 108fe65a7d577684e24b5cfc1f31a99fdc2582077047a9ae7ee7edc9915125c8
SHA3-384 hash: d7a4b0b14f73661ac0409b3d980c5e0b82e2f8d6e92d41721f515e3171d6a3e4635372756e2c0a21eb1934970ec5acf2
SHA1 hash: 68e4c8322a77098b508b9d8031190626a04d07a0
MD5 hash: c9cfbd1c9147f53f778a2fbfb3c3fc78
humanhash: xray-bakerloo-four-mockingbird
File name:INVOICE - Q0002255 - LKJIN001 (29-07-21)-pdf.exe
Download: download sample
Signature SnakeKeylogger
Create hunting rule
File size:836'608 bytes
First seen:2021-07-29 17:27:56 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'666 x AgentTesla, 19'479 x Formbook, 12'209 x SnakeKeylogger)
ssdeep 12288:7lnB2RMII1cq7iS/d348b134vEZfw9A8nqX7SizQxXEAlCjMXrfNShyZn:5BSMIIy1S/d3Xen9vqXWq0EAUkrfNVZ
Threatray 414 similar samples on MalwareBazaar
TLSH T15C05AE2085C8DB5ED8BD0375175802B46FF0A852E2F1EF283F9585B4AC91B91F9BE316
Reporter cocaman
Tags:exe INVOICE SnakeKeylogger

Intelligence

File Origin
# of uploads :
1
# of downloads :
161
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
INVOICE - Q0002255 - LKJIN001 (29-07-21)-pdf.exe
Verdict:
Malicious activity
Analysis date:
2021-07-29 17:30:48 UTC
Tags:
evasion trojan
Link:
https://app.any.run/tasks/41fc261e-dae6-4f95-b499-945d41c30e8c

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/175121/
Detection(s):
SecuriteInfo.com.Trojan.PackedNET.967-1.UNOFFICIAL
Create hunting rule

Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Snake Keylogger
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/f232f251-2eab-45a9-9bf5-7c8eb2194ff6
Result
Threat name:
Snake Keylogger
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/824049
Signature
.NET source code references suspicious native API functions
Found malware configuration
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Malicious sample detected (through community Yara rule)
May check the online IP address of the machine
Multi AV Scanner detection for submitted file
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Mail credentials (via file access)
Yara detected Snake Keylogger
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/108fe65a7d577684e24b5cfc1f31a99fdc2582077047a9ae7ee7edc9915125c8/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2021-07-29 17:28:04 UTC
File Type:
PE (.Net Exe)
Extracted files:
6
AV detection:
16 of 28 (57.14%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=cch6mwt5k53ijysllt6b6mnjt7oclaqhobd2tlt647w4tekrexea._file
Verdict:
malicious
Similar samples:
06727ec8f5dc2c12fbfde5df6299c715c3143a7b3c3a8ad5e19ffa317ceb059a
SnakeKeylogger
14b33650cf6497ab5a9f973f61ca8b43ad33a0b1a85f378345f51855567f4d2a
SnakeKeylogger
565befadf7619a22f5877dd965a76b7c24dab58a0be973afa11cad66b978a501
SnakeKeylogger
578aa3607cb34fde024d099b916e61c0a767d952312a2e8c9276f3167a65ad14
SnakeKeylogger
b0cc2b05abaf593a784bb9d83cd0a61bf5b218605f61dba802df21c8ea54c7c6
SnakeKeylogger
b5e1daebfb2aa234328dc9776a1ecc77dd2726a7709c353c0265d8b1f4803f1c
SnakeKeylogger
b9acd58a25a9493713c0b5a3be62db4338de550aad1b23054d4be3de0c1b0c46
SnakeKeylogger
bfa0c6d6a166011476ffd4f4fa1c2c1669c273fa945f729267fa537ce7689b44
SnakeKeylogger
c2d1f5494d37cd229d820b263c934eba39bab86570c54e207730d1c84de98393
SnakeKeylogger
dc5458e66a8c76f55a5f490f5c9d12ea6e92a67c6ed74dbe40ca066a149d1659
SnakeKeylogger
+ 404 additional samples on MalwareBazaar
Result
Malware family:
snakekeylogger
Create hunting rule
Score:
  10/10
Tags:
family:snakekeylogger keylogger spyware stealer
Link:
https://tria.ge/reports/210729-f527hfnxa6/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Program crash
Suspicious use of SetThreadContext
Looks up external IP address via web service
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
CustAttr .NET packer
Snake Keylogger
Unpacked files
SH256 hash:
924c5a385f715adf18b99fa15eb82a89b648bb360c220f988d264ccbfa4ec31d
MD5 hash:
e0264198acd0ee03b69478754e904e16
SHA1 hash:
c60d5d94764f3cc7909502fad2c8b49975c149fe
Link:
https://www.unpac.me/results/af827663-b87b-4dc7-95dc-0e4d158490c7/
SH256 hash:
473f58c7b0f631d81fe52b73c611c2d956a8bf270eeb8336d2ef0eb9aaee8653
MD5 hash:
c70a620fcff3c02d787ed20bacc2813a
SHA1 hash:
489b13019abb61f782ab1a5d23f4fe048fc30157
Link:
https://www.unpac.me/results/af827663-b87b-4dc7-95dc-0e4d158490c7/
SH256 hash:
97d2fa1d01b2f9a2199896e05e0cf60c14a9f41ef2d72e15fbb862b7afa08438
MD5 hash:
68463851c0e6fe7a254c99fae763d454
SHA1 hash:
4587a5371d88c296a0184fe47ee0c5245b187127
Link:
https://www.unpac.me/results/af827663-b87b-4dc7-95dc-0e4d158490c7/
SH256 hash:
108fe65a7d577684e24b5cfc1f31a99fdc2582077047a9ae7ee7edc9915125c8
MD5 hash:
c9cfbd1c9147f53f778a2fbfb3c3fc78
SHA1 hash:
68e4c8322a77098b508b9d8031190626a04d07a0
Link:
https://www.unpac.me/results/af827663-b87b-4dc7-95dc-0e4d158490c7/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
0.81
Link:
https://yomi.yoroi.company/submissions/108fe65a7d577684e24b5cfc1f31a99fdc2582077047a9ae7ee7edc9915125c8

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_SUSPICIOUS_Binary_References_Browsers
Create hunting rule
Author:ditekSHen
Description:Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers.
Rule name:INDICATOR_SUSPICIOUS_EXE_Referenfces_Messaging_Clients
Create hunting rule
Author:ditekSHen
Description:Detects executables referencing many email and collaboration clients. Observed in information stealers
Rule name:INDICATOR_SUSPICIOUS_Stomped_PECompilation_Timestamp_InTheFuture
Create hunting rule
Author:ditekSHen
Description:Detect executables with stomped PE compilation timestamp that is greater than local current time
Rule name:INDICATOR_SUSPICOIUS_EXE_DotNetProcHook
Create hunting rule
Author:ditekSHen
Description:Detects executables with potential process hoocking
Rule name:MALWARE_Win_SnakeKeylogger
Create hunting rule
Author:ditekSHen
Description:Detects Snake Keylogger
Rule name:MAL_Envrial_Jan18_1
Create hunting rule
Author:Florian Roth
Description:Detects Encrial credential stealer malware
Reference:https://twitter.com/malwrhunterteam/status/953313514629853184
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash
Rule name:Telegram_Exfiltration_Via_Api
Create hunting rule
Author:lsepaolo

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

SnakeKeylogger

gz c48a9d272329003f8efbf51aadef055cb30c807d30b5e3d1aedbbf725e6bf9e7

SnakeKeylogger

Executable exe 108fe65a7d577684e24b5cfc1f31a99fdc2582077047a9ae7ee7edc9915125c8

(this sample)

  
Delivery method
Other
  
Dropped by
SHA256 c48a9d272329003f8efbf51aadef055cb30c807d30b5e3d1aedbbf725e6bf9e7
Cape
Cape
https://www.capesandbox.com/analysis/175121/

Comments