MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 11ad5f11a03d59292b8bcd30036dd66d77830edea7c369bb7158b62bbfc08cf2. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


SnakeKeylogger


Vendor detections: 13


Intelligence 13 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 11ad5f11a03d59292b8bcd30036dd66d77830edea7c369bb7158b62bbfc08cf2
SHA3-384 hash: 7f7b8baa9f8a97882fa9dcd6d1d321660289594b0857f9af59149f4fda675183c0966ba84f5df3fb1ccfcecb5aba35dc
SHA1 hash: fefeeb5af4c33fb895f9611bafbbec23abbd5b0c
MD5 hash: 86f82e281d672ca3bbc7e8977569e982
humanhash: carbon-mexico-montana-quebec
File name:PROFORMA INVOICE.PDF.exe
Download: download sample
Signature SnakeKeylogger
Create hunting rule
File size:784'384 bytes
First seen:2022-10-17 12:37:24 UTC
Last seen:2022-10-17 14:26:53 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'666 x AgentTesla, 19'479 x Formbook, 12'209 x SnakeKeylogger)
ssdeep 12288:8IL+nZ2oP5FDlxTT+zmLJ+xzNvCKmvKys/:dLzoRFZpT8mLJENvyK
Threatray 6'023 similar samples on MalwareBazaar
TLSH T13CF4497612D65617E4293275C8C7D2F32AFBAD206061D1C79AE76F6FBC440BB9203386
TrID 72.5% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.4% (.EXE) Win64 Executable (generic) (10523/12/4)
6.5% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.4% (.EXE) Win32 Executable (generic) (4505/5/1)
2.0% (.EXE) OS/2 Executable (generic) (2029/13)
Reporter abuse_ch
Tags:exe SnakeKeylogger

Intelligence

File Origin
# of uploads :
2
# of downloads :
247
Origin country :
n/a
Vendor Threat Intelligence
Detection:
Snake
Create hunting rule
Link:
https://www.capesandbox.com/analysis/320979/
Detection(s):
SecuriteInfo.com.Trojan.PackedNET.1625.16910.10873.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Creating a window
Сreating synchronization primitives
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
packed
Link:
https://www.filescan.io/uploads/634d4cacb5f60e72b8c702a4/reports/7a625472-a5d6-447f-9188-695c1ffb65b4/overview
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Snake Keylogger
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/0c72063d-8f77-40a9-87cd-e2516d799a33
Result
Threat name:
Snake Keylogger
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1091871
Signature
.NET source code contains potential unpacker
.NET source code references suspicious native API functions
Initial sample is a PE file and has a suspicious name
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
May check the online IP address of the machine
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Mail credentials (via file / registry access)
Uses an obfuscated file name to hide its real file extension (double extension)
Uses the Telegram API (likely for C&C communication)
Yara detected AntiVM3
Yara detected Generic Downloader
Yara detected Snake Keylogger
Yara detected Telegram RAT
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/11ad5f11a03d59292b8bcd30036dd66d77830edea7c369bb7158b62bbfc08cf2/
Threat name:
ByteCode-MSIL.Spyware.Noon
Create hunting rule
Status:
Malicious
First seen:
2022-10-17 12:38:09 UTC
File Type:
PE (.Net Exe)
Extracted files:
11
AV detection:
15 of 26 (57.69%)
Threat level:
  2/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=cgwv6enahvmssk4lzuyag3ownv3ygdw6u7bwto3rlc3cxp6artza._file
Verdict:
malicious
Similar samples:
0c7339cf54785cd76320a0d84bf76019eb1fd5b18dfebf1d9ca7f5ee6e8e958f
SnakeKeylogger
0f1b9c97ca2d11237543964ee3fd39734c0e9cc2371aed7dd49deb4409c839d2
SnakeKeylogger
2262bf3bc3250b4bcefab73d88c2fd44b2d2fe02e4350f42e1f9bcfcab98a867
SnakeKeylogger
321798f8fa71a630a9afbb80a2cc78bc5448b9f127dd01c9d7ffd7a750153ef6
SnakeKeylogger
3fd707dbbf7a289a8cc02b0e3ae49cda05d20836991d0fc19723ecb42d4bcf76
SnakeKeylogger
79626acc1a4ebd2993c5f10522687e95bff00496a54d7ce8377be9d1cf92e901
SnakeKeylogger
9079a00cf539b8f9adfa046a9cf1f7c1c80fb370fb89d0a27f0fac1b0646c4c3
SnakeKeylogger
a0baf98ce28c1245d78159191bd0fafaf80c8c6b76b5e80b43bea8874af910a9
SnakeKeylogger
a55d4c3a6ff031ca6502aef0e7c59374721f9ffed5856124e583b3e433fdfb16
SnakeKeylogger
de0b6160f294319b2882dbeea5e4b7e9e1ebee17c14d8af1c964b8bfc09db1ae
SnakeKeylogger
+ 6'013 additional samples on MalwareBazaar
Result
Malware family:
snakekeylogger
Create hunting rule
Score:
  10/10
Tags:
family:snakekeylogger collection keylogger spyware stealer
Link:
https://tria.ge/reports/221017-pt27qscabm/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Looks up external IP address via web service
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Snake Keylogger
Snake Keylogger payload
Malware Config
C2 Extraction:
https://api.telegram.org/bot5633581612:AAEbgoliingzrZhNwiVV1Ke-e-BfNBIzx3I/sendMessage?chat_id=5754175656
Unpacked files
SH256 hash:
18b4104c100f6b59977cbd9114eb29afd5ae36f82bbc534330efb03e5c12c9d6
MD5 hash:
1d203598bbfd286dbf46f4e5675af9fe
SHA1 hash:
f85378e0bd2a845090b4a184c4f70413fa6b0119
Link:
https://www.unpac.me/results/79e4c766-fedf-46f9-ae0c-8c1d750b6508/
SH256 hash:
45e94aa327dd24b91627ed818783db6188e586b2ba688483e48261bfec92d22a
MD5 hash:
fa1dfa95c2e3922fabd4fcd1ab61d8d5
SHA1 hash:
dc33bbbea0ba04d4846dab114b70e0774f5c0fed
Detections:
snake_keylogger
Create hunting rule
Link:
https://www.unpac.me/results/79e4c766-fedf-46f9-ae0c-8c1d750b6508/
Parent samples :
466ee7c5d671a44e47d35136b5b4f419408d9ca875ba19c00deab004c9c219da
11ad5f11a03d59292b8bcd30036dd66d77830edea7c369bb7158b62bbfc08cf2
4058b407562c232f56c58d6592d9004e2395f545cffd0a249d0fa1b66a0e8247
ee6a61f1176307566990e3ac0eacef9a696929e2f1246abf9706300294cdde61
SH256 hash:
af7ac1171b44c9a949ad80bfaf05095048d0b74cfb527f66479e22f47d340110
MD5 hash:
f696dc0e00cb8f70799ac3fcaa5f9f6a
SHA1 hash:
cde2283de5b89639ea52f6388feef8f77efc63ce
Link:
https://www.unpac.me/results/79e4c766-fedf-46f9-ae0c-8c1d750b6508/
SH256 hash:
149a8e502d8706d12ccf9ed69aa87b42752b1ad64e4789395834109d69e2c75b
MD5 hash:
5afe5a9fc7d318feb191c6f8aa523acd
SHA1 hash:
10ce38ad8a08ce36c9f652de5d677eba536bccea
Link:
https://www.unpac.me/results/79e4c766-fedf-46f9-ae0c-8c1d750b6508/
SH256 hash:
e20ec8f3c957bcb6a194ef688bae8af2015cfffb20e7baf8b2114d7b70ade4ee
MD5 hash:
35cb29046968faca7f3f3b4463449b6c
SHA1 hash:
088c8c30ec1bece0a4b5bbfe3982b073f8b95598
Link:
https://www.unpac.me/results/79e4c766-fedf-46f9-ae0c-8c1d750b6508/
SH256 hash:
11ad5f11a03d59292b8bcd30036dd66d77830edea7c369bb7158b62bbfc08cf2
MD5 hash:
86f82e281d672ca3bbc7e8977569e982
SHA1 hash:
fefeeb5af4c33fb895f9611bafbbec23abbd5b0c
Link:
https://www.unpac.me/results/79e4c766-fedf-46f9-ae0c-8c1d750b6508/
Malware family:
SnakeKeylogger
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/11ad5f11a03d/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
0.81
Link:
https://yomi.yoroi.company/submissions/11ad5f11a03d59292b8bcd30036dd66d77830edea7c369bb7158b62bbfc08cf2

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

SnakeKeylogger

Executable exe 11ad5f11a03d59292b8bcd30036dd66d77830edea7c369bb7158b62bbfc08cf2

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/320979/

Comments