MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 15e607b94fb0b5d7cd1b5380d2f7f91634d5772218fdbadefb41e5b20ccead5d. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

SnakeKeylogger

Vendor detections: 16

Intelligence 16 IOCs YARA 11 File information Comments

SHA256 hash:	15e607b94fb0b5d7cd1b5380d2f7f91634d5772218fdbadefb41e5b20ccead5d
SHA3-384 hash:	b441403ed8a88f0475514adba671c8adc92be783267055a9f04186808d21f9285f8402551d42380285a7cfe51b93ed9d
SHA1 hash:	e15ca6ee43322b2b92f6fd4561475a93da8253ea
MD5 hash:	03aa087c3631c938a4016d594f2bcf6a
humanhash:	spaghetti-south-double-three
File name:	PO#001260930.exe
Download:	download sample
Signature	SnakeKeylogger Create hunting rule
File size:	275'280 bytes
First seen:	2022-10-28 18:02:39 UTC
Last seen:	2022-10-29 03:57:25 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	29b61e5a552b3a9bc00953de1c93be41 (174 x Formbook, 82 x AgentTesla, 81 x Loki)
ssdeep	6144:MweEbWBcFKAOnnuJvWpIN/cS9Rj89NvpOVHvBq:vWBc6nnuJW89RIbvpOVHvQ
Threatray	5'737 similar samples on MalwareBazaar
TLSH	T1CF448A11E89A445DFA336172C4174D21A45FABCA13AF8BCB0B54D7A148B37DE4A373CA
TrID	48.8% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13) 16.4% (.EXE) Win64 Executable (generic) (10523/12/4) 10.2% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 7.8% (.EXE) Win16 NE executable (generic) (5038/12/1) 7.0% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):
dhash icon	72e6c2cadaaae6d6 (8 x AgentTesla, 5 x Loki, 2 x SnakeKeylogger)
Reporter	abuse_ch
Tags:	exe SnakeKeylogger

Intelligence

File Origin

# of uploads :

# of downloads :

300

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

PO#001260930.exe

Verdict:

Malicious activity

Analysis date:

2022-10-28 18:05:08 UTC

Tags:

evasion trojan snake keylogger

Link:

https://app.any.run/tasks/5224e972-46fb-441e-8d6e-3093f70eeebe

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

Snake

Link:

https://www.capesandbox.com/analysis/325599/

Detection(s):

SecuriteInfo.com.Trojan.DownLoader45.27672.2453.14565.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a file in the %temp% directory

Creating a process from a recently created file

Сreating synchronization primitives

DNS request

Sending an HTTP GET request

Reading critical registry keys

Creating a window

Sending a custom TCP request

Unauthorized injection to a recently created process

Unauthorized injection to a recently created process by context flags manipulation

Result

Malware family:

n/a

Score:

5/10

Tags:

n/a

Link:

https://dragonfly.certego.net/analysis/46407/overview

Behaviour

MalwareBazaar

Verdict:

Suspicious

Threat level:

5/10

Confidence:

100%

Tags:

overlay packed shell32.dll

Link:

https://www.filescan.io/uploads/635c1958791bb7e48afdbf50/reports/ab9712c3-e2dc-4017-8658-c3ebda4169f7/overview

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Snake Keylogger

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/c41e23e5-5377-4979-86ab-76ad1be520cb

Result

Threat name:

Snake Keylogger

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1100541

Signature

.NET source code references suspicious native API functions

Antivirus detection for dropped file

Detected unpacking (creates a PE file in dynamic memory)

Initial sample is a PE file and has a suspicious name

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Maps a DLL or memory area into another process

May check the online IP address of the machine

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Snort IDS alert for network traffic

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to steal Mail credentials (via file / registry access)

Yara detected Generic Downloader

Yara detected Snake Keylogger

Yara detected Telegram RAT

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/15e607b94fb0b5d7cd1b5380d2f7f91634d5772218fdbadefb41e5b20ccead5d/

Threat name:

Win32.Spyware.SnakeLogger

Status:

Malicious

First seen:

2022-10-28 12:58:32 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

19 of 26 (73.08%)

Threat level:

2/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=cxtapokpwc25pti3koanf57zcy2nk5zcdd63vxx3ihs3edgovvoq._file

Verdict:

malicious

SnakeKeylogger

2a9cd913906e0f913fbf49f3eb0539baa49e83a46e578750b1da290e1662a21c

SnakeKeylogger

339539d03ce22693c391b3141e6c20b2403da4efe6e25247c87c81a2e2fe1530

SnakeKeylogger

8cf4f8f8d9a0fdebeb5a2f71057c1850aab2dce815fdd8b5e9213bc1419abee5

SnakeKeylogger

a0bafce415317d58c1a59d6a176b23a07213e080dedd628611fdd423bf825096

SnakeKeylogger

cf9f695196f7ad8e7f9e76c66cf9fec31c5eae6653feecb4c7293553aa2ba916

SnakeKeylogger

ffa7baa613ab7b993937add4e8a149776613acf884e275b51084b286d86f3045

SnakeKeylogger

+ 5'727 additional samples on MalwareBazaar

Result

Malware family:

snakekeylogger

Score:

10/10

Tags:

family:snakekeylogger collection keylogger spyware stealer

Link:

https://tria.ge/reports/221028-wm1hwshde7/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: MapViewOfSection

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

outlook_office_path

outlook_win_path

Enumerates physical storage devices

Suspicious use of SetThreadContext

Accesses Microsoft Outlook profiles

Looks up external IP address via web service

Loads dropped DLL

Reads data files stored by FTP clients

Reads user/profile data of local email clients

Reads user/profile data of web browsers

Executes dropped EXE

Snake Keylogger

Snake Keylogger payload

Verdict:

Suspicious

Tags:

n/a

YARA:

n/a

Link:

https://app.threat.zone/submission/e1b73f10-f2d7-4e67-a666-40515263c4ef

Unpacked files

SH256 hash:

a4dea87c44153bb33ce223c0193582b6ef2e73f17d632ecb4392fcb2830fa7ec

MD5 hash:

d19ef48d7f6d470b405e3577b65131b4

SHA1 hash:

f53b620e189662da1daf92a874c5510e64a5f0f3

Detections:

snake_keylogger

Link:

https://www.unpac.me/results/a4a8317c-3e0f-4288-b9a8-d5f932e7bf12/

Parent samples :

a7f5873d043294de859736362df3aa0fb6c50ece6b9325c9b48cde35d9cddf8a
86b69e37fb4f94c2b24904bbb004474b8f57abecc6332ff595c1eacc7ab59bf6
460924c55f59314a09c710e31d9c215fdb471eafbb5d6bd348972fee078a316e
2e873b3c9f0817c1d492ee2b05319fdd277a4535c1623592c2c097f811ac45fc
cce8ba621c797e9782cc2c56058cbb25555b367673a5f70aff660dd0bd509390
15e607b94fb0b5d7cd1b5380d2f7f91634d5772218fdbadefb41e5b20ccead5d
bb6240ace6a64b0d45a7180d0b0f482597f69e270de56f7cfb47049d096b720d
15e5350ed0a3c724d2d904f87e87adadb2f658a71584b486409302c8a5b99c85
622c2192e22e7e407ee6f870dcd26689a2998571c725ac4d7f2682ec72de0fdd
30204f8d475b5d9da3ab0f5282468414fb3680aea9e171f2be3677c3531c34e7
9f8bd35c99417ab86d20781c7f4737a247ab64354e73ffbc52d5c5e35f8cdc14
2b3bc8ae8908f619944ca14696ecec764b92d6ff891838d1a7fe951580b8edea
d742297ca5cc509b66ce7090284d5a996b4bf3fb284797442402fff10ae47e74
62807c3f8896bab3bad4537ffc327dc1775e250c0f0d8822f2df585e843e3f47
454529ef92f2ff17bdfb7f8ec8df852fd1f7c7919a021adf1b6b1d41b4519ef6
a888f1a58c8c2ab3a2ae32743d0362fe01f145e76b4196c21b9c2bafc978e7fb
76cec159d26635e1caf4cd67b798904fac19e37ec5f85ca63f7a0b3d66de91e0
04a99d8b230a027d26f94dbb34a80129744482e7bf4ef5d4c94de770da6f4d84
42b6acf48bac461e6e74d778b14ff37c892369020eda38a64ff1e33ed9453206
689bab60fc1b21763f58b0b716ec90c9e28dc56988ff1b3520c5dad7a979606c
8f5a23cb25c7cb7ec6ea3a53261ed6c7983751eabaccae62dd964b8dee5259ee
0ca6f42f7efb21a5b4a93bbe6c2c4f69e9f9381f2a858872dd82df7e01332f7a
b13ea396ab71dd043b9df28dd8c484d432382228c03c8bcf57c01040d5a39ca6
33f56d6b8fadc1fb40a9485acd63a7cf42d81c5a494799513f4adddb523f84c9
b971a16851e90b9ba431ec5c3c739204f16d361b57ac22ab43a05feee0f39ed1
2b290eb25ebac77c8286c8bee0ca6b59898f1aac63c7aed531ce031864c29a73

SH256 hash:

70dc6dd4591985fe2850625f765c19b606073a5eee9c910c3461782412eba61f

MD5 hash:

f02ede9a737ec05f114a2d8a5b3c34da

SHA1 hash:

c6aa93ca84bd2c511a2e55c843b346bf5dd13b7b

Detections:

snake_keylogger

Link:

https://www.unpac.me/results/a4a8317c-3e0f-4288-b9a8-d5f932e7bf12/

SH256 hash:

9dc3574fe482576a7672b0a2bc9c550b0630c02b7dbe067f8ef3806aacd5f8a0

MD5 hash:

5dcf2716440c8c257141665105c49893

SHA1 hash:

495cd8032baad5d8ef3c7f8c19b2e98cdecb2931

Link:

https://www.unpac.me/results/a4a8317c-3e0f-4288-b9a8-d5f932e7bf12/

SH256 hash:

9f50aa354c32b0599c25cfd489f88f4d075772e9b98195719155475dff4f04a5

MD5 hash:

045c800d231b22ec396744a39c666e4a

SHA1 hash:

cd4897db5886ce812156d2de7db3681fa655019a

Link:

https://www.unpac.me/results/a4a8317c-3e0f-4288-b9a8-d5f932e7bf12/

SH256 hash:

15e607b94fb0b5d7cd1b5380d2f7f91634d5772218fdbadefb41e5b20ccead5d

MD5 hash:

03aa087c3631c938a4016d594f2bcf6a

SHA1 hash:

e15ca6ee43322b2b92f6fd4561475a93da8253ea

Link:

https://www.unpac.me/results/a4a8317c-3e0f-4288-b9a8-d5f932e7bf12/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Suspicious File

Score:

0.68

Link:

https://yomi.yoroi.company/submissions/15e607b94fb0b5d7cd1b5380d2f7f91634d5772218fdbadefb41e5b20ccead5d

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	cobalt_strike_tmp01925d3f Create hunting rule
Author:	The DFIR Report
Description:	files - file ~tmp01925d3f.exe
Reference:	https://thedfirreport.com

Rule name:	INDICATOR_SUSPICIOUS_Binary_References_Browsers Create hunting rule
Author:	ditekSHen
Description:	Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers.

Rule name:	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook Create hunting rule
Author:	ditekSHen
Description:	Detects executables with potential process hoocking

Rule name:	INDICATOR_SUSPICIOUS_EXE_References_Messaging_Clients Create hunting rule
Author:	ditekSHen
Description:	Detects executables referencing many email and collaboration clients. Observed in information stealers

Rule name:	INDICATOR_SUSPICIOUS_EXE_TelegramChatBot Create hunting rule
Author:	ditekSHen
Description:	Detects executables using Telegram Chat Bot

Rule name:	MALWARE_Win_SnakeKeylogger Create hunting rule
Author:	ditekSHen
Description:	Detects Snake Keylogger

Rule name:	MAL_Envrial_Jan18_1 Create hunting rule
Author:	Florian Roth
Description:	Detects Encrial credential stealer malware
Reference:	https://twitter.com/malwrhunterteam/status/953313514629853184

Rule name:	MAL_Envrial_Jan18_1_RID2D8C Create hunting rule
Author:	Florian Roth
Description:	Detects Encrial credential stealer malware
Reference:	https://twitter.com/malwrhunterteam/status/953313514629853184

Rule name:	pe_imphash Create hunting rule

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

Rule name:	Windows_Trojan_SnakeKeylogger_af3faa65 Create hunting rule
Author:	Elastic Security

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/325599/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample