MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 12e9811c0f147a84152e2f39b93f0113ada404ba385277ca067ee028e7105c59. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


SnakeKeylogger


Vendor detections: 8


Intelligence 8 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 12e9811c0f147a84152e2f39b93f0113ada404ba385277ca067ee028e7105c59
SHA3-384 hash: 20bac5ee21fa9dbdfb2ba95752b2498ec1981eae825a0cc859e3ad50aabf30ab11cbac3e433b7523b8c94bbef68db549
SHA1 hash: edc4e4afd09f12d78d8555990ccc76652a04145b
MD5 hash: 68796e7c477abed051de013cc3835e4c
humanhash: march-river-hydrogen-fanta
File name:q3qhElKDnGNNjTi.exe
Download: download sample
Signature SnakeKeylogger
Create hunting rule
File size:782'848 bytes
First seen:2021-05-11 05:58:48 UTC
Last seen:2021-05-11 07:07:16 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'748 x AgentTesla, 19'642 x Formbook, 12'245 x SnakeKeylogger)
ssdeep 12288:SE4yiIQF+nIDG/AtfyWmj24iOp2/lpAeYXtN1qxGaIZygKeFS8VzZ6TeK:dbWmjxRpAceYXL4FIZEe48VieK
Threatray 11 similar samples on MalwareBazaar
TLSH 37F4230327D8EA25D1FD1BB5A4113A0043F4F61AC162E79A5F9562ED90A37CBCB827D3
Reporter cocaman
Tags:exe SnakeKeylogger SWIFT

Intelligence

File Origin
# of uploads :
2
# of downloads :
108
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
q3qhElKDnGNNjTi.exe
Verdict:
Malicious activity
Analysis date:
2021-05-11 07:47:40 UTC
Tags:
evasion trojan
Link:
https://app.any.run/tasks/56832d11-19c5-4fdd-ab5d-bfc3d8b5b90e

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Snake
Create hunting rule
Link:
https://www.capesandbox.com/analysis/154753/
Detection(s):
SecuriteInfo.com.Scr.Malcodegdn30.UNOFFICIAL
Create hunting rule

Result
Verdict:
Clean
Maliciousness:

Behaviour
Creating a window
Sending a custom TCP request
Connection attempt
Sending a UDP request
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
Snake Keylogger
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/779023
Signature
Found malware configuration
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
May check the online IP address of the machine
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Mail credentials (via file access)
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected AntiVM3
Yara detected Beds Obfuscator
Yara detected Snake Keylogger
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 411421 Sample: q3qhElKDnGNNjTi.exe Startdate: 11/05/2021 Architecture: WINDOWS Score: 100 36 Found malware configuration 2->36 38 Multi AV Scanner detection for dropped file 2->38 40 Multi AV Scanner detection for submitted file 2->40 42 6 other signatures 2->42 7 q3qhElKDnGNNjTi.exe 15 7 2->7         started        process3 dnsIp4 28 127.0.0.1 unknown unknown 7->28 20 C:\Users\user\AppData\Roaming\PlehaaeiV.exe, PE32 7->20 dropped 22 C:\Users\...\PlehaaeiV.exe:Zone.Identifier, ASCII 7->22 dropped 24 C:\Users\user\AppData\Local\...\tmp4EE4.tmp, XML 7->24 dropped 26 C:\Users\user\...\q3qhElKDnGNNjTi.exe.log, ASCII 7->26 dropped 44 May check the online IP address of the machine 7->44 46 Uses schtasks.exe or at.exe to add and modify task schedules 7->46 48 Injects a PE file into a foreign processes 7->48 12 q3qhElKDnGNNjTi.exe 2 7->12         started        16 schtasks.exe 1 7->16         started        file5 signatures6 process7 dnsIp8 30 checkip.dyndns.org 12->30 32 checkip.dyndns.com 131.186.113.70, 49720, 49721, 80 DYNDNSUS United States 12->32 34 freegeoip.app 104.21.19.200, 443, 49722 CLOUDFLARENETUS United States 12->34 50 Tries to steal Mail credentials (via file access) 12->50 52 Tries to harvest and steal ftp login credentials 12->52 54 Tries to harvest and steal browser information (history, passwords, etc) 12->54 18 conhost.exe 16->18         started        signatures9 process10
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/12e9811c0f147a84152e2f39b93f0113ada404ba385277ca067ee028e7105c59/
Threat name:
ByteCode-MSIL.Trojan.Taskun
Create hunting rule
Status:
Malicious
First seen:
2021-05-11 04:01:48 UTC
File Type:
PE (.Net Exe)
Extracted files:
8
AV detection:
8 of 47 (17.02%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=cluychapcr5iifjof443spybcow2ibf2hbjhpsqgp3qcrzyqlrmq._file
Verdict:
unknown
Similar samples:
1334afcecb05895ccedf182affa83c529e1416b3ceb296bd96c558a19bcc1e15
SnakeKeylogger
2bc34cf2725ceb0a4b515b050e12ac17fdc20e8605fcd602f766397a4ead7f47
SnakeKeylogger
4b5014a2cba68cc51108e7f393dd35c7e449c4644a33a9134203921f88015e84
SnakeKeylogger
8a116bfcbc1c440c1491513ee9efde46fe7f2e7f24fcdb3f43ee21d0917face7
SnakeKeylogger
8a4fc07c7377e29d097d88f0d2128233e2179f65638a9650f320e7601b205c6a
SnakeKeylogger
8deda51f5f68a5c442aef9c6538f94dc97f58f8e42fc42aa64c098b78bd70f6f
SnakeKeylogger
d6adc5fd4e50b6a75c1d1e2ad96c279c2ac31472eca3c0325ae6f83852440333
SnakeKeylogger
dd8cb0b0a45253ca00dff802d1505f6225b5bd54c742c12c0ab30aa5b3ee7c21
SnakeKeylogger
df03589933428f3850db7b91fc6cfccb3b0e57cc43af3079183c729ca9801b51
SnakeKeylogger
fd1dc434508928bc6ebdb5d29de7a1530f64b5d9eb8a9a577f97db741a62a644
SnakeKeylogger
+ 1 additional samples on MalwareBazaar
Result
Malware family:
snakekeylogger
Create hunting rule
Score:
  10/10
Tags:
family:snakekeylogger keylogger spyware stealer
Link:
https://tria.ge/reports/210511-evqzv1nev2/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Looks up external IP address via web service
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Snake Keylogger
Snake Keylogger Payload
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
AgentTesla
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/12e9811c0f147a84152e2f39b93f0113ada404ba385277ca067ee028e7105c59

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

SnakeKeylogger

zip 6c8ee04cb1de0d415f12d8ce178d6bd579bb563625b10c1697230d0f41d3930d

SnakeKeylogger

Executable exe 12e9811c0f147a84152e2f39b93f0113ada404ba385277ca067ee028e7105c59

(this sample)

  
Delivery method
Other
  
Dropped by
SHA256 6c8ee04cb1de0d415f12d8ce178d6bd579bb563625b10c1697230d0f41d3930d
Cape
Cape
https://www.capesandbox.com/analysis/154753/

Comments