MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 161655d05f38148b9f01c784fe463251a73cc61565af139afca09254cb74e7de. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

SnakeKeylogger

Vendor detections: 16

Intelligence 16 IOCs YARA 2 File information Comments

SHA256 hash:	161655d05f38148b9f01c784fe463251a73cc61565af139afca09254cb74e7de
SHA3-384 hash:	74eb64b58c7f2eeaa03465932a7beb79ca658d93c0b805f38e5a5923fb03612e5d90372d99ca7164940e9a271b4df02c
SHA1 hash:	78cb239846c72ee097b85076452123eebefcadaa
MD5 hash:	750f4c0c83565723ebd18c326a0c5bc8
humanhash:	louisiana-apart-asparagus-burger
File name:	TT Balance USD 288,770_pdf.exe
Download:	download sample
Signature	SnakeKeylogger Create hunting rule
File size:	715'776 bytes
First seen:	2023-01-04 12:12:48 UTC
Last seen:	2023-01-04 13:39:58 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'740 x AgentTesla, 19'597 x Formbook, 12'241 x SnakeKeylogger)
ssdeep	12288:aXGAR9DhMRpo82Ke7pJGc+s4OuzLUK56a5pQ2LGBDExgKLNZ1y0Nz4u:ZAbeCnzgs4OdqQ2LHxggl4u
Threatray	10'464 similar samples on MalwareBazaar
TLSH	T1C4E412DF5D76C665EC3E0972D09A5FD5E622C134A082DEEC68A274148A81FCD0B2C9E7
TrID	71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13) 10.2% (.EXE) Win64 Executable (generic) (10523/12/4) 6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 4.3% (.EXE) Win32 Executable (generic) (4505/5/1) 2.0% (.ICL) Windows Icons Library (generic) (2059/9)
File icon (PE):
dhash icon	d1d0d4d4d4f0f0d4 (5 x Formbook, 1 x SnakeKeylogger, 1 x AgentTesla)
Reporter	abuse_ch
Tags:	exe SnakeKeylogger

Intelligence

File Origin

# of uploads :

# of downloads :

193

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

TT Balance USD 288,770_pdf.exe

Verdict:

Malicious activity

Analysis date:

2023-01-04 12:14:29 UTC

Tags:

evasion trojan

Link:

https://app.any.run/tasks/c0d5aaa7-5839-43aa-8c30-076d96154f2d

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

Snake

Link:

https://www.capesandbox.com/analysis/349383/

Detection(s):

SecuriteInfo.com.Trojan.GenericKD.64741178.28440.9793.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Searching for the window

Creating a window

Sending a custom TCP request

Сreating synchronization primitives

Launching a process

Creating a process with a hidden window

Unauthorized injection to a recently created process

Creating a file

DNS request

Sending an HTTP GET request

Launching the default Windows debugger (dwwin.exe)

Verdict:

No Threat

Threat level:

2/10

Confidence:

100%

Tags:

packed

Link:

https://www.filescan.io/uploads/63b56d4fb9b1c17375206089/reports/abfcc15e-7c7d-485b-b243-91ec4a2069bb/overview

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Snake Keylogger

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/3bed69f1-692b-4b5a-a2dd-73b13d8b0158

Result

Threat name:

Snake Keylogger

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1145036

Signature

.NET source code contains potential unpacker

.NET source code references suspicious native API functions

Adds a directory exclusion to Windows Defender

Initial sample is a PE file and has a suspicious name

Injects a PE file into a foreign processes

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

May check the online IP address of the machine

Snort IDS alert for network traffic

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to steal Mail credentials (via file / registry access)

Yara detected AntiVM3

Yara detected Generic Downloader

Yara detected Snake Keylogger

Yara detected Telegram RAT

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/161655d05f38148b9f01c784fe463251a73cc61565af139afca09254cb74e7de/

Threat name:

ByteCode-MSIL.Spyware.SnakeLogger

Status:

Malicious

First seen:

2023-01-04 12:13:08 UTC

File Type:

PE (.Net Exe)

Extracted files:

AV detection:

17 of 39 (43.59%)

Threat level:

2/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=cylfluc7hakixhyby6cp4rrskgttzrqvmwxrhgx4ucjfjs3u47pa._file

Verdict:

malicious

SnakeKeylogger

540f95521963827363fc5781d0f0dc9d8323c6c18e5d4e8deb26a4b26c49aca1

SnakeKeylogger

7db45a54b5f18064cdb02e35b051b9f1daf43c10dce1f95fdd16cba8ecd15bfd

SnakeKeylogger

81173912b2f23cadd86187b55028a628bf2731e3c4e7645f84cd8e04dd213a88

SnakeKeylogger

87e1e3d0de7af9833d3747fc07c0395759c01c157e07999965b2a90d5cf055f2

SnakeKeylogger

887a72c6d2185c86606b4b80560d5f22fd8c87b261c392bf460c39df861e07b7

SnakeKeylogger

951a1a7ce315e65a05cdbdd7f104e1e38b0f0195fc811d6771588532db45a7c4

SnakeKeylogger

bdc23c4c2ebd2e221f94c6a17ffe084493dbf86f206f55fe55641cb133b337ed

SnakeKeylogger

c53982a042ba3b6bcdb766a0b174e92ac62ae9578ec4a25209c7bfea42a06880

SnakeKeylogger

+ 10'454 additional samples on MalwareBazaar

Result

Malware family:

snakekeylogger

Score:

10/10

Tags:

family:snakekeylogger collection keylogger spyware stealer

Link:

https://tria.ge/reports/230104-pdqtrsaf71/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

outlook_office_path

outlook_win_path

Enumerates physical storage devices

Suspicious use of SetThreadContext

Accesses Microsoft Outlook profiles

Looks up external IP address via web service

Checks computer location settings

Reads data files stored by FTP clients

Reads user/profile data of local email clients

Reads user/profile data of web browsers

Snake Keylogger

Snake Keylogger payload

Verdict:

Suspicious

Tags:

n/a

YARA:

n/a

Link:

https://app.threat.zone/submission/3eae040c-8792-4204-bcf8-8edaa8ed4b86

Unpacked files

SH256 hash:

85e5fcf946851a8d7ffbd1e718b87b8d0f638478a7da8b43fe0c14e4da9bc81b

MD5 hash:

0f48ca7e7bf5e3000210bbdc4ec2a979

SHA1 hash:

d1082699697156404bd1b0db76ffb7236c56eb04

Link:

https://www.unpac.me/results/d87e6ff4-c98b-4bab-b043-46e558d2e72e/

SH256 hash:

8a613691f0f03429d881c8d4fdd805026f562b9146e57711ab9a1375a04bd3f4

MD5 hash:

b187ff132911a180b53823dbf077b877

SHA1 hash:

b4fec822bc2397ded05612166c1c36594af34de1

Link:

https://www.unpac.me/results/d87e6ff4-c98b-4bab-b043-46e558d2e72e/

SH256 hash:

67f290dc8b19ab7a9985c40f7f5a3bdfc17b1f2f65d63a311b22afa4fc80095c

MD5 hash:

7e76b90ee79c23b5d0fed05f03caf0d6

SHA1 hash:

3857042a703ca82fb9caf41397c08a89b5ae9d07

Link:

https://www.unpac.me/results/d87e6ff4-c98b-4bab-b043-46e558d2e72e/

SH256 hash:

691e1fbbdfeda55fcb9843868ede4d4d382f90d399a25204431d2eaf0ef17b70

MD5 hash:

fa272760ff5f1f2fe5c314c5c6b0f5ea

SHA1 hash:

30e8db0b4439c06f840dee145563e4b26c56b5dc

Detections:

snake_keylogger

Link:

https://www.unpac.me/results/d87e6ff4-c98b-4bab-b043-46e558d2e72e/

Parent samples :

e9faa5274584e032c139a819383b077635114e8d4fbf786e61fb0205698bfd94
bdc23c4c2ebd2e221f94c6a17ffe084493dbf86f206f55fe55641cb133b337ed
161655d05f38148b9f01c784fe463251a73cc61565af139afca09254cb74e7de

SH256 hash:

ff1b42ea7d56a37eae801adbddb7116f52a4664c0b41302736f522852edc2747

MD5 hash:

89ac57478044c57c7195943116a521e0

SHA1 hash:

1ff2bafeed795423e3538d810bda8e1e3fcdcfa5

Link:

https://www.unpac.me/results/d87e6ff4-c98b-4bab-b043-46e558d2e72e/

SH256 hash:

161655d05f38148b9f01c784fe463251a73cc61565af139afca09254cb74e7de

MD5 hash:

750f4c0c83565723ebd18c326a0c5bc8

SHA1 hash:

78cb239846c72ee097b85076452123eebefcadaa

Link:

https://www.unpac.me/results/d87e6ff4-c98b-4bab-b043-46e558d2e72e/

Malware family:

SnakeKeylogger

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/161655d05f38/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

0.87

Link:

https://yomi.yoroi.company/submissions/161655d05f38148b9f01c784fe463251a73cc61565af139afca09254cb74e7de

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	pe_imphash Create hunting rule

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/349383/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample