MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 163794b39bdb816cadf7bd0c907b4760b613bccee38677b4d260835ff812a644. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


SnakeKeylogger


Vendor detections: 6


Intelligence 6 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 163794b39bdb816cadf7bd0c907b4760b613bccee38677b4d260835ff812a644
SHA3-384 hash: 590452e8050271c5bd4360be71c9a898df3b3cbe770b3bbc80f2945ab02631ff163c469c0703a0bba7a7cb1509188150
SHA1 hash: 5a816de3e22a4b4e0b080bcb207c66237e13f95d
MD5 hash: f5cfdd8373c311851b4625b22128e297
humanhash: papa-coffee-kilo-iowa
File name:PRODUCT_INQUIRY_PO_0009044_PDF.exe
Download: download sample
Signature SnakeKeylogger
Create hunting rule
File size:808'448 bytes
First seen:2021-04-08 08:48:56 UTC
Last seen:2021-04-08 10:21:15 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'655 x AgentTesla, 19'464 x Formbook, 12'205 x SnakeKeylogger)
ssdeep 12288:r43IIK2eES1KQCHBOjT2VpaKqgiaZSDXpQc3s8wgYkOiIKK5mH:r4YIV3QiciVIKHzZ4h3jOqIi
Threatray 429 similar samples on MalwareBazaar
TLSH 6905F5E17158FB7ACC0406F26C9334E7CBB36C1B901DC7AD24E6A5D52C985A28D3F266
Reporter abuse_ch
Tags:exe SnakeKeylogger


Avatar
abuse_ch
Malspam distributing SnakeKeylogger:

HELO: hosted-by.rootlayer.net
Sending IP: 185.222.57.244
From: t.efremova@lidkon.by
Subject: QUOTE REQUEST
Attachment: PRODUCT_INQUIRY_PO_0009044_PDF.rar (contains "PRODUCT_INQUIRY_PO_0009044_PDF.exe")

Intelligence

File Origin
# of uploads :
2
# of downloads :
146
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
PRODUCT_INQUIRY_PO_0009044_PDF.exe
Verdict:
Suspicious activity
Analysis date:
2021-04-08 08:56:06 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/a3a198b7-bc59-423d-8c22-29a47c55c401

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/133128/
Detection(s):
SecuriteInfo.com.ArtemisF5CFDD8373C3.27422.650.UNOFFICIAL
Create hunting rule

Result
Verdict:
Clean
Maliciousness:

Behaviour
Creating a window
Sending a custom TCP request
Sending a UDP request
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
Snake Keylogger
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/669949
Signature
Found malware configuration
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
May check the online IP address of the machine
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Scheduled temp file as task from temp location
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Mail credentials (via file access)
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected AntiVM3
Yara detected Beds Obfuscator
Yara detected Snake Keylogger
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 383923 Sample: PRODUCT_INQUIRY_PO_0009044_... Startdate: 08/04/2021 Architecture: WINDOWS Score: 100 33 Found malware configuration 2->33 35 Multi AV Scanner detection for dropped file 2->35 37 Sigma detected: Scheduled temp file as task from temp location 2->37 39 8 other signatures 2->39 7 PRODUCT_INQUIRY_PO_0009044_PDF.exe 7 2->7         started        process3 file4 19 C:\Users\user\AppData\...behaviorgraphsLRAGQCWowQ.exe, PE32 7->19 dropped 21 C:\Users\...behaviorgraphsLRAGQCWowQ.exe:Zone.Identifier, ASCII 7->21 dropped 23 C:\Users\user\AppData\Local\...\tmp9D48.tmp, XML 7->23 dropped 25 C:\...\PRODUCT_INQUIRY_PO_0009044_PDF.exe.log, ASCII 7->25 dropped 41 May check the online IP address of the machine 7->41 43 Uses schtasks.exe or at.exe to add and modify task schedules 7->43 45 Injects a PE file into a foreign processes 7->45 11 PRODUCT_INQUIRY_PO_0009044_PDF.exe 15 5 7->11         started        15 schtasks.exe 1 7->15         started        signatures5 process6 dnsIp7 27 mail.greentrading.com.pk 192.185.164.148, 26, 49715, 49717 UNIFIEDLAYER-AS-1US United States 11->27 29 checkip.dyndns.org 11->29 31 2 other IPs or domains 11->31 47 Tries to steal Mail credentials (via file access) 11->47 49 Tries to harvest and steal ftp login credentials 11->49 51 Tries to harvest and steal browser information (history, passwords, etc) 11->51 17 conhost.exe 15->17         started        signatures8 process9
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/163794b39bdb816cadf7bd0c907b4760b613bccee38677b4d260835ff812a644/
Threat name:
Win32.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2021-04-08 08:49:08 UTC
AV detection:
5 of 48 (10.42%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=cy3zjm433oawzlpxxugja62hmc3bhpgo4odhpngsmcbv76asuzca._file
Verdict:
suspicious
Similar samples:
07599c2094171db70e00c3f917808769d676b406b7c6842ed75cfbe2186e044b
SnakeKeylogger
0b55a1e1d624408e21aba91fc437c256dee64731ea9454700cc0f5448dd00f52
SnakeKeylogger
242045c07ffb6427b046939045d9312f3beaa954ef3ec60316247f7dfdfbca3e
SnakeKeylogger
91c38249ac49fe69a70d20e74b88c801c94fc63c1772f07e82e21fdcff268e8e
SnakeKeylogger
94e66604a68872685d623a036c3dff67af99bcd99ae88d8dc5a398470ba6cb0b
SnakeKeylogger
b8d0f5a88fd8d100cc6dc0f63e31c14c9fda07be97422b0ee2355cb73c14bd97
SnakeKeylogger
d04ab5688b6093908786418a2767df4c7b0c99324fad4fba37036df9b7673e01
SnakeKeylogger
e5d8c5c382b01a400205b1477e89b12f9eea14fdf10c5e4d31640954910661b6
SnakeKeylogger
e8857f3c129389648cc055df349d05083e58280f19941f4608d2f9b0251ed0f7
SnakeKeylogger
f64ecad45aae27f037e819a6adfaeebbdf0f769690a46a89a29d4f0da22b6cd4
SnakeKeylogger
+ 419 additional samples on MalwareBazaar
Result
Malware family:
snakekeylogger
Create hunting rule
Score:
  10/10
Tags:
family:snakekeylogger keylogger spyware stealer
Link:
https://tria.ge/reports/210408-d4re4m948e/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Looks up external IP address via web service
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Snake Keylogger
Snake Keylogger Payload
Unpacked files
SH256 hash:
c5519ef771321d62260735c62622297b284e823d97b29eed0dae704d89bb4c5f
MD5 hash:
0158502a4a1ee47ae2abfe604f2fd748
SHA1 hash:
3dec24548c89d943f3fe9a4dd0b8663cbdcf6e0d
Link:
https://www.unpac.me/results/2f890ac5-08de-4639-a381-0b2e88746d94/
SH256 hash:
163794b39bdb816cadf7bd0c907b4760b613bccee38677b4d260835ff812a644
MD5 hash:
f5cfdd8373c311851b4625b22128e297
SHA1 hash:
5a816de3e22a4b4e0b080bcb207c66237e13f95d
Link:
https://www.unpac.me/results/2f890ac5-08de-4639-a381-0b2e88746d94/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.35
Link:
https://yomi.yoroi.company/submissions/163794b39bdb816cadf7bd0c907b4760b613bccee38677b4d260835ff812a644

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

SnakeKeylogger

rar 5e5b30bd0c14d47be60777b5abae640193b3adb1a1a3310c81c91aab2fac4b74

SnakeKeylogger

Executable exe 163794b39bdb816cadf7bd0c907b4760b613bccee38677b4d260835ff812a644

(this sample)

  
Dropped by
MD5 de953dc61a6284efc33416822d675f02
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/133128/
  
Dropped by
SHA256 5e5b30bd0c14d47be60777b5abae640193b3adb1a1a3310c81c91aab2fac4b74

Comments