MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 193adb1c4bba45e5a5daffd25a1ef5c830b6e6ae34d8aec80482619afd862a35. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


SnakeKeylogger


Vendor detections: 4


Intelligence 4 IOCs YARA 4 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 193adb1c4bba45e5a5daffd25a1ef5c830b6e6ae34d8aec80482619afd862a35
SHA3-384 hash: df9dc91529a2bddc76abb138dd79090f0793a2c1e85bca1f6c14a71105b56b69433cdf1713a6343e074de33222705afe
SHA1 hash: f25c7830b55f6aaa8ded25c2972b337639014380
MD5 hash: 52757942734a95026f4499e2747f8007
humanhash: quebec-comet-fillet-bluebird
File name:52757942734a95026f4499e2747f8007.exe
Download: download sample
Signature SnakeKeylogger
Create hunting rule
File size:275'952 bytes
First seen:2021-06-07 15:13:59 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'205 x SnakeKeylogger)
ssdeep 3072:LpQOp3dv6xBHHv9FxaDytPh/ajCzJHTYNUM89UvVHy2YPtQkeX2lMJzMp25tD3yr:LpQKi/vhFIWdqEWvcTe2YU1
Threatray 152 similar samples on MalwareBazaar
TLSH 0944AEA20309C9DDF25A0B78482CDB6309663E560CD55CCD9A9DBEB43CB26DE518F07E
Reporter abuse_ch
Tags:exe signed SnakeKeylogger

Code Signing Certificate

Organisation:Telegram FZ-LLC
Issuer:COMODO RSA Extended Validation Code Signing CA
Algorithm:sha256WithRSAEncryption
Valid from:2019-10-07T00:00:00Z
Valid to:2022-10-06T23:59:59Z
Serial number: 1f3216f428f850be2c66caa056f6d821
Intelligence: 7 malware samples on MalwareBazaar are signed with this code signing certificate
Thumbprint Algorithm:SHA256
Thumbprint: e31f1b9c3ddd0edefdf96f85b8ffd1db976573bb262cc6e1154ad8fdc4d55449
Source:This information was brought to you by ReversingLabs A1000 Malware Analysis Platform

Intelligence

File Origin
# of uploads :
1
# of downloads :
282
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
52757942734a95026f4499e2747f8007.exe
Verdict:
No threats detected
Analysis date:
2021-06-07 15:28:50 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/72339cfe-9fd3-4e12-8dc8-ffc23150aa84

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/165066/
Detection(s):
SecuriteInfo.com.W32.MSIL_Agent.BCR.genEldorado.6386.20595.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Sending a UDP request
Creating a window
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
Snake Keylogger
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/798223
Signature
.NET source code contains potential unpacker
.NET source code references suspicious native API functions
Creates an undocumented autostart registry key
Found malware configuration
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
May check the online IP address of the machine
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Mail credentials (via file access)
Yara detected Snake Keylogger
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/193adb1c4bba45e5a5daffd25a1ef5c830b6e6ae34d8aec80482619afd862a35/
Threat name:
ByteCode-MSIL.Downloader.Seraph
Create hunting rule
Status:
Malicious
First seen:
2021-06-07 10:20:38 UTC
File Type:
PE (.Net Exe)
Extracted files:
12
AV detection:
18 of 29 (62.07%)
Threat level:
  3/5
Verdict:
unknown
Similar samples:
022027a63efa586c0c5d7db241dd679418d270ef4393245fbf3a3aeb2a299e13
SnakeKeylogger
0718648927fe37ba115ab36d5f869bcefb6b274cce2a79e6715961a0bd136237
SnakeKeylogger
48d5d5bc835c9bfa24c2f7fb0e3149190639d1d53eb99fac9b6a97df0f6d2908
SnakeKeylogger
501ae3563c8ea293fa41ae9d7aa2b4d6271cbf32404bb3544996e94d126dd6d3
SnakeKeylogger
69e411368f9407c3c25b453792bd383fed96eb6bb6a7e9d0cf06d980add295c6
SnakeKeylogger
7511c244b32ec5bc59ff7173ee5aa83a764ea6607522b79cc99c5537907e50e7
SnakeKeylogger
78baec19444d923fde30977dacb85fada9247b9e3ae150f32a1137e7fc0b8dfb
SnakeKeylogger
b87b28a8f83442cb616dd3da7e520617a8b57280ca0098fb3721d6142978cc5f
SnakeKeylogger
c3bf2dd2d53f2ac2dcf5e59aa8d234efdf24fb7f5eca9e2a9cb1a4536979bed4
SnakeKeylogger
e9573722d616d444c71e82f1ac6973921f3c942af4403760e0292b3ebf9159b0
SnakeKeylogger
+ 142 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  7/10
Tags:
spyware stealer
Link:
https://tria.ge/reports/210607-4ggr3w1g92/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Looks up external IP address via web service
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Unpacked files
SH256 hash:
d09b8799d0e584d6ce5eb584cac4b0a6b2f43af6a77314e4274e7bc25f6de278
MD5 hash:
5259a6b16e9c52eaf92565fb1944db58
SHA1 hash:
7a81c7f1031076d826f4faf122bf2205cadf1e70
Link:
https://www.unpac.me/results/dab7c3a6-ab61-437e-b6f5-1692cfed6b62/
SH256 hash:
cdc2fb592eb9f3f52fbd6a7cea6e93895a92016e2139a386ec90ce4c234e445c
MD5 hash:
ff29e71527ff06c1de382a640c0cae95
SHA1 hash:
e633997f636a3e91a2f2cbf95d7f8f4d524cddcd
Link:
https://www.unpac.me/results/dab7c3a6-ab61-437e-b6f5-1692cfed6b62/
SH256 hash:
26d33fb55efdd7763ead17793011a248e98a09df2197a4a97caa866700947643
MD5 hash:
c5e02b40eabe31c4980c6b573dd5d301
SHA1 hash:
fc81755e5cb3fe5fa7c1748c82996d461a7e714c
Link:
https://www.unpac.me/results/dab7c3a6-ab61-437e-b6f5-1692cfed6b62/
SH256 hash:
193adb1c4bba45e5a5daffd25a1ef5c830b6e6ae34d8aec80482619afd862a35
MD5 hash:
52757942734a95026f4499e2747f8007
SHA1 hash:
f25c7830b55f6aaa8ded25c2972b337639014380
Link:
https://www.unpac.me/results/dab7c3a6-ab61-437e-b6f5-1692cfed6b62/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.35
Link:
https://yomi.yoroi.company/submissions/193adb1c4bba45e5a5daffd25a1ef5c830b6e6ae34d8aec80482619afd862a35

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_KB_CERT_1f3216f428f850be2c66caa056f6d821
Create hunting rule
Author:ditekSHen
Description:Detects executables signed with stolen, revoked or invalid certificates
Rule name:INDICATOR_SUSPICIOUS_Stomped_PECompilation_Timestamp_InTheFu
Create hunting rule
Author:ditekSHen
Description:Detect executables with stomped PE compilation timestamp that is greater than local current time
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

SnakeKeylogger

Executable exe 193adb1c4bba45e5a5daffd25a1ef5c830b6e6ae34d8aec80482619afd862a35

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/1335657/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/165066/

Comments