MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 1a0ffc17583a6b31dead35d7afa49248b3fc970c77dba990367aa130f8ac4a3b. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

SHA256 hash:	1a0ffc17583a6b31dead35d7afa49248b3fc970c77dba990367aa130f8ac4a3b
SHA3-384 hash:	666702897a666096f10b186c54f3ace1277c51fb0a0776e3f36cac2eac1145824b7ce3d77297d107f4be11c721cf7143
SHA1 hash:	64662321642ba7ab2bc0e8536454e3e9e573786b
MD5 hash:	3786c6c27067ae1b21ebd0ad9569ee5d
humanhash:	single-equal-failed-wisconsin
File name:	Doc 45 AAB 979 - 45 AAB 850.exe
Download:	download sample
Signature	SnakeKeylogger Alert Create hunting rule
File size:	577'536 bytes
First seen:	2023-05-11 18:30:25 UTC
Last seen:	2023-05-12 10:42:20 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'740 x AgentTesla, 19'600 x Formbook, 12'241 x SnakeKeylogger)
ssdeep	12288:5qUgmEcfPefSHHAUkxmoISx5oYavvdAz7TqVVigwd5i:ZgmEcCSHuDfodvvmzKVVigwdM
Threatray	4'838 similar samples on MalwareBazaar
TLSH	T108C4CE85123BBFE2DA6417F0210534924B7DA11A35B8F0BC7D5BB4CAC8EAB115BD4B63
TrID	71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13) 10.2% (.EXE) Win64 Executable (generic) (10523/12/4) 6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 4.3% (.EXE) Win32 Executable (generic) (4505/5/1) 2.0% (.ICL) Windows Icons Library (generic) (2059/9)
Reporter	abuse_ch
Tags:	exe SnakeKeylogger

Intelligence

---

File Origin

# of uploads :

3

# of downloads :

256

Origin country :

NL

Vendor Threat Intelligence

ANY.RUN Malicious

Malware family:

n/a

ID:

1

File name:

Doc 45 AAB 979 - 45 AAB 850.exe

Verdict:

Malicious activity

Analysis date:

2023-05-11 18:41:33 UTC

Tags:

snake keylogger trojan evasion

Link:

https://app.any.run/tasks/99d74910-f2b9-4f1b-8be1-a033d68bdb88

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

CAPE Sandbox Snake

Detection:

Snake

Alert

Create hunting rule

Link:

https://www.capesandbox.com/analysis/388473/

ClamAV Detected

Detection(s):

Sanesecurity.Malware.28872.BadIN4.UNOFFICIAL

Alert

Create hunting rule

Dr. Web vxCube Malware

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

FileScan.IO Malicious

Verdict:

Malicious

Threat level:

  10/10

Confidence:

100%

Tags:

barys comodo lokibot packed

Link:

https://www.filescan.io/uploads/645d34708723e91f5525a297/reports/857ea273-f9df-4798-87b3-1dfd83076c49/overview

Hybrid Analysis Win/malicious_confidence_100%

Verdict:

Malicious

Labled as:

Win/malicious_confidence_100%

Link:

https://www.hybrid-analysis.com/sample/1a0ffc17583a6b31dead35d7afa49248b3fc970c77dba990367aa130f8ac4a3b

InQuest UNKNOWN

Result

Verdict:

UNKNOWN

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Intezer Snake Keylogger

Malware family:

Snake Keylogger

Alert

Create hunting rule

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/82b41897-bc38-4a1a-89d5-be5030afe0e4

Joe Sandbox Snake Keylogger

Result

Threat name:

Snake Keylogger

Alert

Create hunting rule

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1231180

Signature

.NET source code contains potential unpacker

Found malware configuration

Initial sample is a PE file and has a suspicious name

Injects a PE file into a foreign processes

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

May check the online IP address of the machine

Multi AV Scanner detection for submitted file

Snort IDS alert for network traffic

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to steal Mail credentials (via file / registry access)

Yara detected Generic Downloader

Yara detected Snake Keylogger

Yara detected Telegram RAT

Behaviour

Behavior Graph:

Download SVG

CERT.PL MWDB

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/1a0ffc17583a6b31dead35d7afa49248b3fc970c77dba990367aa130f8ac4a3b/

Spamhaus Hash Blocklist Suspicious file

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=dih7yf2yhjvtdxvngxl27jesjcz7zfymo7n2tebwpkqtb6fmji5q._file

Threatray malicious

Verdict:

malicious

Similar samples:

17f48160e5a9e6bd0ee34d7216346fc3165f5428421e9312a2d12382401bca49

SnakeKeylogger

4e67418ff70c2ce08a1a5aeb51eff88c987ea416ee626bf00b08b6377f941973

SnakeKeylogger

5bbeb09102c0876fc3d18a31c5aefdfc6f42a4354422611bfefedba2d51da208

SnakeKeylogger

6897412732ce8f38317aefff9c2bb19b15a91caccb0922c53fe29c36474de665

SnakeKeylogger

6c82b21664ffc3883933ae0a1610bd5b5126d1ace96e434bcdbbe40c78de6e40

SnakeKeylogger

6f0b53e03949038ea08eb5e798961c86237849fa4d403808fc43b4c783c032af

SnakeKeylogger

7f84e33755bb2df640edb35bd2f346135e80bdc5cd7a012596f3284e76e48c16

SnakeKeylogger

f7b5512ca0d67dbe16d59a5ccfc7bbd5f59021adcb6fac0b09dd5533aac6e820

SnakeKeylogger

fa6901852ed9fd26b1adf6140ea9f8fe498edcf73f6b2350f825c10d71783a15

SnakeKeylogger

+ 4'828 additional samples on MalwareBazaar

Hatching Triage snakekeylogger

Result

Malware family:

snakekeylogger

Alert

Create hunting rule

Score:

  10/10

Tags:

family:snakekeylogger collection keylogger spyware stealer

Link:

https://tria.ge/reports/230511-w52tnshb22/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

outlook_office_path

outlook_win_path

Suspicious use of SetThreadContext

Accesses Microsoft Outlook profiles

Looks up external IP address via web service

Reads user/profile data of local email clients

Reads user/profile data of web browsers

Reads data files stored by FTP clients

Snake Keylogger

Snake Keylogger payload

Malware Config

C2 Extraction:

https://api.telegram.org/bot5519372058:AAEQzlnVdrLo6pt_R7VJyv-Tbte5lUyTQBY/sendMessage?chat_id=5557063310

UnpacMe snake_keylogger

Unpacked files

SH256 hash:

14a309e31bbd0856aaf73b6b1e5cf0f6aea899e1cc4e95392a4aca0922d9cdcc

MD5 hash:

d93c730409e92c4940cfb1ed3444dc65

SHA1 hash:

d015637b7967a000f15bb229ebf64e084ce93bb2

Detections:

snake_keylogger

Alert

Create hunting rule

Link:

https://www.unpac.me/results/426cd19b-2784-46d1-b6ae-05bcb1b9298d/

Parent samples :

486beb1ea2f92f9f7b097cc37407b852ae3910bcd0d93e3f4a64ee0e9cb9ab2a
d1002023bc21124f3d49a6b6e3e957ec6679031525cce7b4e698af3db9c2d418
24e5e059f51fe20d5ba4655d4eb6530740eeaa0464710af26efc6f143294ba13
7f67d68e60053f36c54541fb5485491e3db0c418b615e6d5d738afa715a250fc
dafd3ed55d5c4319b8d0efc9f2c7c65ecbb042000438c56deadf40d33e580a05
cc485a2ac8fd59090c4bb77d2e66be5fe082922a6559a3fe3be7060722c8652e
6e21c799f14d0104ee3fc1f6142aab3b1cd8b00260c3a8100386a0f44405b967
bb8ef2fe7bd1363a875d17e6891abc46d5998ee6d886a1ac597ef873e667067a
3ae45c91266fe6bdd2d48f8b9d6ddc09e896239545256e00960fc792a41c061e
1a0ffc17583a6b31dead35d7afa49248b3fc970c77dba990367aa130f8ac4a3b

SH256 hash:

c1ae6a2befbe549d13683adc7cc7f573072774d65d38bd33299f48582bd99c13

MD5 hash:

332a91e5e9153e9b5edb976c7c616312

SHA1 hash:

65ffd4cebe9e1c468c7e0a147ede0ea0f6245b88

Link:

https://www.unpac.me/results/426cd19b-2784-46d1-b6ae-05bcb1b9298d/

SH256 hash:

d8fc5dfdf2800247eb610beb076fec4d2becf6d951e89445d43237fe97814218

MD5 hash:

e5d93dadd08b8bc727e4f4853c6881ba

SHA1 hash:

27e0e057d33f01586193b0cbf06561c2863951f4

Link:

https://www.unpac.me/results/426cd19b-2784-46d1-b6ae-05bcb1b9298d/

SH256 hash:

5640723e3ce36a7da4990c0345a233eee79bd040c668e3ef0482ef3830bc97d5

MD5 hash:

caa2fd4180b063525b2adcda16a2fd56

SHA1 hash:

24565eff9b0cd7c509514eabaa426b37144c436a

Link:

https://www.unpac.me/results/426cd19b-2784-46d1-b6ae-05bcb1b9298d/

SH256 hash:

591b2b43587bb489edde30775136f973df792a29c5fc617ce0f372f1758951c4

MD5 hash:

61d0eaf3248b7a7c940a3253902b2e1b

SHA1 hash:

01144a8e4c246231a73acc5bb7f6b9598779e675

Link:

https://www.unpac.me/results/426cd19b-2784-46d1-b6ae-05bcb1b9298d/

SH256 hash:

1a0ffc17583a6b31dead35d7afa49248b3fc970c77dba990367aa130f8ac4a3b

MD5 hash:

3786c6c27067ae1b21ebd0ad9569ee5d

SHA1 hash:

64662321642ba7ab2bc0e8536454e3e9e573786b

Link:

https://www.unpac.me/results/426cd19b-2784-46d1-b6ae-05bcb1b9298d/

VMRay SnakeKeylogger

Malware family:

SnakeKeylogger

Alert

Create hunting rule

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/1a0ffc17583a/report/overview.html

VirusTotal

Please note that we are no longer able to provide a coverage score for Virus Total.

YOROI YOMI Password Stealer

Threat name:

Password Stealer

Score:

0.90

Link:

https://yomi.yoroi.company/submissions/1a0ffc17583a6b31dead35d7afa49248b3fc970c77dba990367aa130f8ac4a3b

File information

---

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

SnakeKeylogger

exe 1a0ffc17583a6b31dead35d7afa49248b3fc970c77dba990367aa130f8ac4a3b

(this sample)

  

Delivery method

Distributed via e-mail attachment

Cape

https://www.capesandbox.com/analysis/388473/