MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 145b8aff160e3a50b8b5b9e6fd3b68106c1f3c0766bf76fa88faea0787d07bf5. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

SnakeKeylogger

Vendor detections: 16

Intelligence 16 IOCs YARA 3 File information Comments

SHA256 hash:	145b8aff160e3a50b8b5b9e6fd3b68106c1f3c0766bf76fa88faea0787d07bf5
SHA3-384 hash:	7b03f6d0abbba7a1b0c1ca1c00a871ddba8f28dad1f6f24fe032d2bc133713f47b465e94b078050744a8b9540f3feece
SHA1 hash:	4d210bdcf53d555c7cf01d1dd71f9dd8c957b7ca
MD5 hash:	c2053c760811eab7cfa755ccfa53d963
humanhash:	fix-vermont-butter-fish
File name:	145b8aff160e3a50b8b5b9e6fd3b68106c1f3c0766bf76fa88faea0787d07bf5
Download:	download sample
Signature	SnakeKeylogger Create hunting rule
File size:	768'000 bytes
First seen:	2023-04-04 12:56:09 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'744 x AgentTesla, 19'614 x Formbook, 12'242 x SnakeKeylogger)
ssdeep	12288:WGdKdJVZz5dxKi8AvCpkF3AP7laYUlNrUgqk6u/J:WFVZ9TKgJFQI7lNrfqkr/
Threatray	232 similar samples on MalwareBazaar
TLSH	T148F41259EA606221E76A47B854E14D41D37C70E34723EB4ADD4CB0D36DF8B900A6FB8B
TrID	63.0% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13) 11.2% (.SCR) Windows screen saver (13097/50/3) 9.0% (.EXE) Win64 Executable (generic) (10523/12/4) 5.6% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 3.8% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):
dhash icon	0000000000000000 (872 x AgentTesla, 496 x Formbook, 296 x RedLineStealer)
Reporter	adrian__luca
Tags:	exe SnakeKeylogger

Intelligence

File Origin

# of uploads :

# of downloads :

242

Origin country :

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

145b8aff160e3a50b8b5b9e6fd3b68106c1f3c0766bf76fa88faea0787d07bf5

Verdict:

Malicious activity

Analysis date:

2023-04-04 12:56:30 UTC

Tags:

snake keylogger trojan evasion

Link:

https://app.any.run/tasks/b355ee0a-e275-4f94-9943-c92f2585e0bb

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

Snake

Link:

https://www.capesandbox.com/analysis/380022/

Detection(s):

Sanesecurity.Malware.28872.BadIN4.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

Sending a custom TCP request

Launching a process

Creating a process with a hidden window

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

comodo formbook packed remcos snake

Link:

https://www.filescan.io/uploads/642c1e9fcda03520c8a59c73/reports/6d568b8d-556b-4401-9fef-84a58ee89ec6/overview

Verdict:

Malicious

Labled as:

Win/malicious_confidence_100%

Link:

https://www.hybrid-analysis.com/sample/145b8aff160e3a50b8b5b9e6fd3b68106c1f3c0766bf76fa88faea0787d07bf5

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Snake Keylogger

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/55b4d60c-47c4-4462-b887-a728e50210dc

Result

Threat name:

Snake Keylogger

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1208155

Signature

.NET source code contains potential unpacker

Adds a directory exclusion to Windows Defender

Injects a PE file into a foreign processes

Machine Learning detection for dropped file

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

May check the online IP address of the machine

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Sigma detected: Scheduled temp file as task from temp location

Snort IDS alert for network traffic

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to steal Mail credentials (via file / registry access)

Uses schtasks.exe or at.exe to add and modify task schedules

Yara detected Generic Downloader

Yara detected Snake Keylogger

Yara detected Telegram RAT

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/145b8aff160e3a50b8b5b9e6fd3b68106c1f3c0766bf76fa88faea0787d07bf5/

Threat name:

ByteCode-MSIL.Trojan.RemLoader

Status:

Malicious

First seen:

2023-03-28 06:23:25 UTC

File Type:

PE (.Net Exe)

Extracted files:

AV detection:

17 of 24 (70.83%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=crnyv7ywby5fbofvxhtp2o3icbwb6pahm27xn6ui7lvapb6qpp2q._file

Verdict:

malicious

SnakeKeylogger

1897da9314bfab3a6feaae55d4e82fa4f764c04593c9aedfc4fde0f7e7f7a2dd

SnakeKeylogger

abbc3fed4f82fe9afe22de485ec621e13bb0890d633e9c57ba5ebb2fe66b7159

SnakeKeylogger

c4e5c1a9894b81e3b415adacea8105f3d84f73c10cf3bb759e4afc481fbd4d8b

SnakeKeylogger

c5881aae0402696993a36546d2fa1e44d6fb53c0b8528ea23cbb1c12e0e7c9b1

SnakeKeylogger

d2a9785bb59a18b2615a8bc600698418ffec3af79192b74cf2f0c1dd9efcadb6

SnakeKeylogger

f3e4dd541766cd7a3af91ef964b91ded632f13ebe69bd4fb5eadd563c0207059

SnakeKeylogger

f5fa7b886b1a16ab02b7edf918ece0bc04daca0a9e933b3bf63330f69d8db6c2

SnakeKeylogger

+ 222 additional samples on MalwareBazaar

Result

Malware family:

snakekeylogger

Score:

10/10

Tags:

family:snakekeylogger collection keylogger spyware stealer

Link:

https://tria.ge/reports/230404-p6xg1sfa53/

Behaviour

Creates scheduled task(s)

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

outlook_office_path

outlook_win_path

Enumerates physical storage devices

Suspicious use of SetThreadContext

Accesses Microsoft Outlook profiles

Looks up external IP address via web service

Checks computer location settings

Reads data files stored by FTP clients

Reads user/profile data of local email clients

Reads user/profile data of web browsers

Snake Keylogger

Snake Keylogger payload

Unpacked files

SH256 hash:

42a1b13fcfeac3b9171c33a5f5d5cd202e022653fd40a3d77ec0ecffbdb25805

MD5 hash:

aca804d5d77bd73228eaa44a95402330

SHA1 hash:

fab4900d6af18796b65e1ab8f5ca4da5c933185b

Detections:

snake_keylogger

Link:

https://www.unpac.me/results/485403bf-3a49-4aea-9e04-519dc808ac0e/

Parent samples :

854b59aa584237418101867e86018d0e0c3e8a588010d8cc8f8850e66b5221b9
003c6607c3deee0f0c458c18220403e1eb2ae5469814756e551faf5bf3fc9f5a
e6c74fa34990259423123de4dca4a6b1924929ac74b4e0078c702ca2ec05782b
e7549401654dedc2a2064ccaaf8301c753c76b0f71f208c0d819f2a56ab8949f
ca598fdf9fb15e2c04dbb11f4c4ba49c397029ed14fe2eedbc5c320eea4a00a6
145b8aff160e3a50b8b5b9e6fd3b68106c1f3c0766bf76fa88faea0787d07bf5
8f90611a7d29f7e832d55fe1587107d30c53c2f580c45ea09c4f0cf45fe7cc7d
42a1b13fcfeac3b9171c33a5f5d5cd202e022653fd40a3d77ec0ecffbdb25805
3ace1af5dc3cf09c40ae8d4c0c4f499fbe1996c7c041ee07e30fb24283b4343f

SH256 hash:

b4b190818a658f0b64f5aa6d39e901e9d731bf1f58fa072b4c73120a96489bdb

MD5 hash:

3c6f8b2e78f5ebf58c4f170b30c04607

SHA1 hash:

c0ee09a1a9d1c673ad7eadabab7de44ebe0ff765

Link:

https://www.unpac.me/results/485403bf-3a49-4aea-9e04-519dc808ac0e/

SH256 hash:

d06df7395d561e198f9b7c5481567116ff2e4c2e84437c018d2a2c8ea6c4ca37

MD5 hash:

0fb6061f7d37424fb9e6d0e76b019c19

SHA1 hash:

98a64bf7b459f032d6ec5793003bf61b5ae1dd74

Link:

https://www.unpac.me/results/485403bf-3a49-4aea-9e04-519dc808ac0e/

Parent samples :

495607b1aef01bf7dfb64b5cb16a8fc0f161c2923627d71c69de97328f8eca3f
2434aa78b46a3afc98fa6e888c3eb56278ba52b0ff800e7e875af9c2e7f9011a

SH256 hash:

768f6f7b3d6c86ded59aa4092f320b68902a16913339152300c1436af4a1dc8f

MD5 hash:

c48055b2b78a9e5c19ff7743df88e990

SHA1 hash:

5d251b45bb7d6d9d9115a2922de78e5de175e6cf

Link:

https://www.unpac.me/results/485403bf-3a49-4aea-9e04-519dc808ac0e/

SH256 hash:

10ac362cd935f8caf32607d86d35db46ecb1a4f48028a4f961b65b8fcb742145

MD5 hash:

0a43268162b04a00e4c24423c844d17f

SHA1 hash:

0fc9f463edc37cd4b81d59da2dd6d461f16915c9

Link:

https://www.unpac.me/results/485403bf-3a49-4aea-9e04-519dc808ac0e/

SH256 hash:

145b8aff160e3a50b8b5b9e6fd3b68106c1f3c0766bf76fa88faea0787d07bf5

MD5 hash:

c2053c760811eab7cfa755ccfa53d963

SHA1 hash:

4d210bdcf53d555c7cf01d1dd71f9dd8c957b7ca

Link:

https://www.unpac.me/results/485403bf-3a49-4aea-9e04-519dc808ac0e/

Malware family:

SnakeKeylogger

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/145b8aff160e/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/145b8aff160e3a50b8b5b9e6fd3b68106c1f3c0766bf76fa88faea0787d07bf5

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	pe_imphash Create hunting rule

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

Rule name:	Suspicious_Macro_Presence Create hunting rule
Author:	Mehmet Ali Kerimoglu (CYB3RMX)
Description:	This rule detects common malicious/suspicious implementations.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/380022/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample