MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 153d7d4dc8a4fe27256b5b320469d9bd41272cb698e600b041a23e58180f0618. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


SnakeKeylogger


Vendor detections: 15


Intelligence 15 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 153d7d4dc8a4fe27256b5b320469d9bd41272cb698e600b041a23e58180f0618
SHA3-384 hash: fc6543cf4207978bd428ff535de9af9fd7d8d6f747b8fc13fd3fc32e3cae778917f1bea766f357c59b2eb4b402d3c6f9
SHA1 hash: 0a8a2adc4187e1a8210194167f259543c06a8ac1
MD5 hash: 14ee0c9e2ab6e6418cb312b1d7e34db4
humanhash: pasta-cup-delta-mirror
File name:4520007393 FOR TRADE.exe
Download: download sample
Signature SnakeKeylogger
Create hunting rule
File size:1'222'656 bytes
First seen:2023-06-19 07:28:31 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'740 x AgentTesla, 19'600 x Formbook, 12'241 x SnakeKeylogger)
ssdeep 24576:xEZZl/OW/Id6lcv9VAo4iyI7qKwWA706DnxED:rW/Id6avYo43KwWA706bxED
Threatray 23 similar samples on MalwareBazaar
TLSH T187457D123A45C912C15D36F6D297603053778D82277AE309A9FA33A61E337EFDC1968E
TrID 63.0% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
11.2% (.SCR) Windows screen saver (13097/50/3)
9.0% (.EXE) Win64 Executable (generic) (10523/12/4)
5.6% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
3.8% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):PE icon
dhash icon 9d9e3969696b0746 (2 x SnakeKeylogger, 2 x AgentTesla, 2 x Loki)
Reporter abuse_ch
Tags:exe SnakeKeylogger

Intelligence

File Origin
# of uploads :
1
# of downloads :
287
Origin country :
NL NL
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
4520007393 FOR TRADE.exe
Verdict:
Malicious activity
Analysis date:
2023-06-19 07:31:30 UTC
Tags:
evasion snake keylogger trojan blackguard
Link:
https://app.any.run/tasks/2dfc0d88-814d-4ea1-8751-f4fd010c4518

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Snake
Create hunting rule
Link:
https://www.capesandbox.com/analysis/400317/
Detection(s):
SecuriteInfo.com.Trojan.GenericKD.67593354.21580.23990.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Creating a window
Sending a custom TCP request
Сreating synchronization primitives
Creating a file in the %AppData% directory
Enabling the 'hidden' option for recently created files
Adding an access-denied ACE
Creating a process with a hidden window
Launching a process
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
gorgon lolbin
Link:
https://www.filescan.io/uploads/649003c1691d8876d649e33f/reports/767d100a-a8bb-4fb1-8566-346a549036c4/overview
Verdict:
Malicious
Labled as:
MSIL/Kryptik_AGeneric.AXO trojan
Link:
https://www.hybrid-analysis.com/sample/153d7d4dc8a4fe27256b5b320469d9bd41272cb698e600b041a23e58180f0618
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/f1fa3c74-583f-463a-a0e7-a4e6d16bb57d
Result
Threat name:
Snake Keylogger
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1257131
Signature
.NET source code contains potential unpacker
Adds a directory exclusion to Windows Defender
Found malware configuration
Injects a PE file into a foreign processes
Malicious sample detected (through community Yara rule)
May check the online IP address of the machine
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Scheduled temp file as task from temp location
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected Generic Downloader
Yara detected Snake Keylogger
Yara detected Telegram RAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 890154 Sample: 4520007393_FOR_TRADE.exe Startdate: 19/06/2023 Architecture: WINDOWS Score: 100 49 Found malware configuration 2->49 51 Malicious sample detected (through community Yara rule) 2->51 53 Sigma detected: Scheduled temp file as task from temp location 2->53 55 5 other signatures 2->55 7 4520007393_FOR_TRADE.exe 7 2->7         started        11 eazBlYAXJUkKb.exe 5 2->11         started        process3 file4 33 C:\Users\user\AppData\...\eazBlYAXJUkKb.exe, PE32 7->33 dropped 35 C:\...\eazBlYAXJUkKb.exe:Zone.Identifier, ASCII 7->35 dropped 37 C:\Users\user\AppData\Local\...\tmp1B03.tmp, XML 7->37 dropped 39 C:\Users\...\4520007393_FOR_TRADE.exe.log, ASCII 7->39 dropped 57 May check the online IP address of the machine 7->57 59 Uses schtasks.exe or at.exe to add and modify task schedules 7->59 61 Adds a directory exclusion to Windows Defender 7->61 13 4520007393_FOR_TRADE.exe 15 2 7->13         started        17 powershell.exe 21 7->17         started        19 schtasks.exe 1 7->19         started        21 conhost.exe 7->21         started        63 Multi AV Scanner detection for dropped file 11->63 65 Injects a PE file into a foreign processes 11->65 23 eazBlYAXJUkKb.exe 2 11->23         started        25 schtasks.exe 1 11->25         started        signatures5 process6 dnsIp7 41 tehrannotary.com 136.243.52.10, 25, 49702, 49704 HETZNER-ASDE Germany 13->41 43 checkip.dyndns.org 13->43 45 checkip.dyndns.com 193.122.130.0, 49701, 49703, 80 ORACLE-BMC-31898US United States 13->45 27 conhost.exe 17->27         started        29 conhost.exe 19->29         started        47 checkip.dyndns.org 23->47 67 Tries to steal Mail credentials (via file / registry access) 23->67 69 Tries to harvest and steal browser information (history, passwords, etc) 23->69 31 conhost.exe 25->31         started        signatures8 process9
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/153d7d4dc8a4fe27256b5b320469d9bd41272cb698e600b041a23e58180f0618/
Threat name:
Win32.Trojan.Leonem
Create hunting rule
Status:
Malicious
First seen:
2023-06-18 08:49:39 UTC
File Type:
PE (.Net Exe)
Extracted files:
27
AV detection:
15 of 24 (62.50%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=cu6x2toiut7cojlllmzai2ozxvasolfwtdtabmcbui7fqgapayma._file
Verdict:
malicious
Similar samples:
11e254d19638d13b5ca7387839d1b9e81b6722ff046f26d73388352d129b6322
SnakeKeylogger
13a5b3d41f084cd25b4142b948e31e80a917c91fff12aa8b156ac9f23c18b0f1
SnakeKeylogger
217deeacbfd0b0a0b448fd35c2dc00797077e43f7fc2383b6e1fb86029eccc52
SnakeKeylogger
49307d98509c8c1c1dd733bf8c19cace00412eca43bde30607cc2a156accba1b
SnakeKeylogger
64d66ac60714c0fde68722e28c101fbc7f3b7237b04f2f2942f4b5f28e72c008
SnakeKeylogger
654385028b87dbf8e7387cd76dc69099cdcc344f97dc735647d429d11f7fe95f
SnakeKeylogger
792d13b4f3887733a5ca23c9cb7f8f10186a796fb05891b4ff978cb526832ca0
SnakeKeylogger
82e5621ef317c7895d35697136aba7ac7f91d39ad89570da1946c06df5308c59
SnakeKeylogger
d4eb0b351ba85b39db243f72e6aa72111e9db00683f66dde74a5f7b845c89f02
SnakeKeylogger
+ 13 additional samples on MalwareBazaar
Result
Malware family:
snakekeylogger
Create hunting rule
Score:
  10/10
Tags:
family:snakekeylogger collection keylogger spyware stealer
Link:
https://tria.ge/reports/230619-ja882scd55/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Enumerates physical storage devices
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Looks up external IP address via web service
Checks computer location settings
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Snake Keylogger
Snake Keylogger payload
Unpacked files
SH256 hash:
d5936aa9752a04ddf6bb9e2a88952c4e988605eba78cdd6640173ceb3989be80
MD5 hash:
91ca089c0b91bbc34f09d3f27c3704a3
SHA1 hash:
f82f479bb95a55ca6602ac0b3ccfd87e027ee809
Link:
https://www.unpac.me/results/fd7b6245-1637-48f2-863a-d1a0e120e029/
SH256 hash:
52f358d201e81d3a0391cedd3042e2f957555b77aa49559f7fb810bbb7673ba1
MD5 hash:
c785ddc46141af772c75101d17c46a41
SHA1 hash:
e248723b6f60cc7607980d07172b64c33b2b2f15
Link:
https://www.unpac.me/results/fd7b6245-1637-48f2-863a-d1a0e120e029/
SH256 hash:
0c01ea7472c4e61d3f7a22aa1ef493700c5bd282c9b39b5dbc8485e8fa620519
MD5 hash:
b54c633df79be2b66dd008b060f64df3
SHA1 hash:
dd36b35500c7b78a855c3cbb1e01704dca321f69
Detections:
snake_keylogger
Create hunting rule
Link:
https://www.unpac.me/results/fd7b6245-1637-48f2-863a-d1a0e120e029/
Parent samples :
7c4d8756750ac99128b6467b57d9bf5f09fa790f239ae298ecb5e4764f90075a
49307d98509c8c1c1dd733bf8c19cace00412eca43bde30607cc2a156accba1b
11e254d19638d13b5ca7387839d1b9e81b6722ff046f26d73388352d129b6322
654385028b87dbf8e7387cd76dc69099cdcc344f97dc735647d429d11f7fe95f
153d7d4dc8a4fe27256b5b320469d9bd41272cb698e600b041a23e58180f0618
SH256 hash:
23a1319a5af999de8e9bed81b8c3af52acd94977cde1dfd9ecd962883d056032
MD5 hash:
0b331a8c2c09050a93a0399754dbce32
SHA1 hash:
54d507334f43ba047ac27db23417b18c31b553a9
Link:
https://www.unpac.me/results/fd7b6245-1637-48f2-863a-d1a0e120e029/
SH256 hash:
d424e869f67de63b5961054def65c1d79edce9279fdc970c0357d3f59d0f49ec
MD5 hash:
f4bc1e8c3a0544c19b8feb612b3193e5
SHA1 hash:
1946198996f8440daacdddff9b772a4479340e88
Link:
https://www.unpac.me/results/fd7b6245-1637-48f2-863a-d1a0e120e029/
SH256 hash:
153d7d4dc8a4fe27256b5b320469d9bd41272cb698e600b041a23e58180f0618
MD5 hash:
14ee0c9e2ab6e6418cb312b1d7e34db4
SHA1 hash:
0a8a2adc4187e1a8210194167f259543c06a8ac1
Link:
https://www.unpac.me/results/fd7b6245-1637-48f2-863a-d1a0e120e029/
Malware family:
SnakeKeylogger
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/153d7d4dc8a4/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/153d7d4dc8a4fe27256b5b320469d9bd41272cb698e600b041a23e58180f0618

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/400317/

Comments