MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 1224acc15643267fe1c2f4585b3439037e65c819ca2cfc306b1dac95b2479b5f. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

SnakeKeylogger

Vendor detections: 13

Intelligence 13 IOCs YARA 2 File information Comments

SHA256 hash:	1224acc15643267fe1c2f4585b3439037e65c819ca2cfc306b1dac95b2479b5f
SHA3-384 hash:	f53ba892ad3976875f63b76bd122f1cc145edcf017c012b378151d1f86cb0bef4fa93c1013a5d243a06b49cbf313aa75
SHA1 hash:	014a2d9bd6e8f62f35b455e1d7e607066fa48a44
MD5 hash:	ec1fc428f9c0635a34dee7fa42a63703
humanhash:	blossom-ten-timing-low
File name:	Puchase Order.exe
Download:	download sample
Signature	SnakeKeylogger Create hunting rule
File size:	847'360 bytes
First seen:	2022-04-08 08:40:18 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'205 x SnakeKeylogger)
ssdeep	12288:XCR66E0ZQZ4Yr+AIAFDCzkIzf5ak0UM31U4BhrLMfLRYlMaKfpxQhdXrIqJex:Xe66ET4YrEz35E3DBhrwflI2IhdXM
Threatray	2'808 similar samples on MalwareBazaar
TLSH	T1620512187EB6CA15CBA60F33D2D59A141772DE5852A3EB0D6A8D73E90D327C704C3B92
File icon (PE):
dhash icon	2f3e0e0c03130a07 (28 x SnakeKeylogger, 2 x Loki, 2 x NanoCore)
Reporter	abuse_ch
Tags:	exe SnakeKeylogger

Intelligence

File Origin

# of uploads :

# of downloads :

198

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

Puchase Order.exe

Verdict:

Malicious activity

Analysis date:

2022-04-08 23:26:24 UTC

Tags:

evasion trojan snake

Link:

https://app.any.run/tasks/b2808d39-ced2-4041-bc34-85e7c40b143a

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

Snake

Link:

https://www.capesandbox.com/analysis/261965/

Detection(s):

SecuriteInfo.com.Trojan.PWS.Stealer.23680.UNOFFICIAL

Result

Verdict:

Clean

Maliciousness:

Behaviour

Searching for the window

Creating a window

Launching a process

Creating a process with a hidden window

Verdict:

Suspicious

Threat level:

5/10

Confidence:

100%

Tags:

control.exe obfuscated packed

Link:

https://www.filescan.io/uploads/624ff4fdd53a7479dad9410c/reports/1cd32121-ff99-4bb0-b06d-f6fc67e9f2a9/overview

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Snake Keylogger

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/ee9ef0fd-92bb-4f63-8ad4-bb87faf4f8a0

Result

Threat name:

Snake Keylogger

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/973479

Signature

.NET source code contains potential unpacker

.NET source code references suspicious native API functions

Adds a directory exclusion to Windows Defender

Found malware configuration

Initial sample is a PE file and has a suspicious name

Machine Learning detection for dropped file

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

May check the online IP address of the machine

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Sigma detected: Suspicious Add Scheduled Task From User AppData Temp

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to steal Mail credentials (via file / registry access)

Uses schtasks.exe or at.exe to add and modify task schedules

Yara detected AntiVM3

Yara detected Snake Keylogger

Yara detected Telegram RAT

Behaviour

Behavior Graph:

Download SVG

Detection:

snakekeylogger

Link:

https://mwdb.cert.pl/sample/1224acc15643267fe1c2f4585b3439037e65c819ca2cfc306b1dac95b2479b5f/

Threat name:

ByteCode-MSIL.Trojan.AgentTesla

Status:

Malicious

First seen:

2022-04-08 08:41:08 UTC

File Type:

PE (.Net Exe)

Extracted files:

AV detection:

18 of 42 (42.86%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=ciskzqkwimth7yoc6rmfwnbzan7glsazziwpymdldwwjlmshtnpq._file

Verdict:

malicious

SnakeKeylogger

0a67ff35add751a754db8f7d55515b0dbac034b87274cfd1cc351f7679a98b2f

SnakeKeylogger

3ae224c94e8887513a9d90b432825eb35718a013107685e181d274cc5fdaf82b

SnakeKeylogger

be67149051cd685b5aa56bdbee718412157f65ff953ae7261dfa9fedfdd3e08c

SnakeKeylogger

be93f1181fd377c66d3178b695dbb69dfbda5ef9e03edbee7696d257cb970832

SnakeKeylogger

e0d8a6f6cf1ae2a22795dee543f0ae51855e9ca21bf614df1e294976a3f1efa9

SnakeKeylogger

eecb2904ac3b26aa730dc310741832f18a241754357cbd222b0497e414088a8f

SnakeKeylogger

f8b59f465b80ecd38fb2662d92011216ff99c89f7467c728a1d317735a655ec2

SnakeKeylogger

+ 2'798 additional samples on MalwareBazaar

Result

Malware family:

snakekeylogger

Score:

10/10

Tags:

family:snakekeylogger collection keylogger spyware stealer

Link:

https://tria.ge/reports/220408-klfljsahc4/

Behaviour

Creates scheduled task(s)

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

outlook_office_path

outlook_win_path

Enumerates physical storage devices

Program crash

Suspicious use of SetThreadContext

Accesses Microsoft Outlook profiles

Looks up external IP address via web service

Checks computer location settings

Reads data files stored by FTP clients

Reads user/profile data of local email clients

Reads user/profile data of web browsers

Snake Keylogger

Snake Keylogger Payload

Malware Config

C2 Extraction:

https://api.telegram.org/bot1946015608:AAFeRb266kuzpU623CGRUfV1cvLL7eUGrJw/sendMessage?chat_id=632358613

Unpacked files

SH256 hash:

b6926a79b550cea4c899787748e8c2506c8e3cb004902b2d0d679318ac2d91b4

MD5 hash:

97ec013e62f5b5f09616001b3784bad3

SHA1 hash:

8b5f47daa190effec2d0433282f8870592023d03

Link:

https://www.unpac.me/results/2d424550-0651-4e74-bbe6-2bbee6317026/

SH256 hash:

e11871df824c3130e35f2c94d672404e18ebefddf3172d166f2e640ad3686c73

MD5 hash:

4379771ccd9b927712ef2505214161df

SHA1 hash:

6636b7b80e279de67c60b52277f566463afebf8e

Link:

https://www.unpac.me/results/2d424550-0651-4e74-bbe6-2bbee6317026/

SH256 hash:

ab7e400cf2d46035c27f6539c649311a65302e413a5f7d1d7ae7c88081950263

MD5 hash:

dc308040db2ba83327dfea96fdcc632d

SHA1 hash:

57d72b164d38bdcd80c553b77a64741049ba3c0e

Link:

https://www.unpac.me/results/2d424550-0651-4e74-bbe6-2bbee6317026/

SH256 hash:

e0d60216c491cc94784ff30e19b1704438fff8c9fa289e15df22b49d1cd27ac4

MD5 hash:

775b57788df5f5a9d6e37f3d99f12f5a

SHA1 hash:

01b3e8b7058ccd679fd80bec559b1cf42c793714

Link:

https://www.unpac.me/results/2d424550-0651-4e74-bbe6-2bbee6317026/

SH256 hash:

1224acc15643267fe1c2f4585b3439037e65c819ca2cfc306b1dac95b2479b5f

MD5 hash:

ec1fc428f9c0635a34dee7fa42a63703

SHA1 hash:

014a2d9bd6e8f62f35b455e1d7e607066fa48a44

Link:

https://www.unpac.me/results/2d424550-0651-4e74-bbe6-2bbee6317026/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/1224acc15643267fe1c2f4585b3439037e65c819ca2cfc306b1dac95b2479b5f

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	pe_imphash Create hunting rule

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/261965/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample