MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 1a552b5db668c321e7f584e0f2d379afc41c00707e4fecad232823445bbcf8be. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


SnakeKeylogger


Vendor detections: 14


Intelligence 14 IOCs YARA 4 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 1a552b5db668c321e7f584e0f2d379afc41c00707e4fecad232823445bbcf8be
SHA3-384 hash: 9711a68519b8303da91f802ff4920753ac8509f90f9aecdf87430255ca232af1bf33ab5260a2460f6e9483250eb17419
SHA1 hash: 385ba1dad2877c6a712cda30dbb4cd47007d93ce
MD5 hash: 8e841cfc7f7abab974f8adbc4e260346
humanhash: angel-maine-table-sodium
File name:Payment copy_Usd 163,500.exe
Download: download sample
Signature SnakeKeylogger
Create hunting rule
File size:953'856 bytes
First seen:2023-09-29 08:50:06 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 24576:IwMf2oD5HOhpMmKHeErwqFSVSd+i92MScNXVbzQn:IBzODMmAeswqIHMtNX2
Threatray 380 similar samples on MalwareBazaar
TLSH T11D156B9C311175DFC95BCC7ACA982C68FA60647A470BC21391270AFD9A1DAABDF141F3
TrID 67.7% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
9.7% (.EXE) Win64 Executable (generic) (10523/12/4)
6.0% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
4.1% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):PE icon
dhash icon 71e8f0e0e2b2dc71 (10 x AgentTesla, 2 x IcedID, 1 x NanoCore)
Reporter abuse_ch
Tags:exe SnakeKeylogger

Intelligence

File Origin
# of uploads :
1
# of downloads :
284
Origin country :
NL NL
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
Payment copy_Usd 163,500.exe
Verdict:
Malicious activity
Analysis date:
2023-09-29 08:59:57 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/749dd57f-5a21-4a57-9410-98b1a15245ff

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection(s):
Porcupine.Malware.58887.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a custom TCP request
Сreating synchronization primitives
Creating a process with a hidden window
Launching a process
Adding an exclusion to Microsoft Defender
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
masquerade packed
Link:
https://www.filescan.io/uploads/65168ff833582f234e06b7a2/reports/1456aee9-d514-469a-82f0-2c8bc2c9b9c8/overview
Verdict:
Malicious
Labled as:
Ransom.Loki.Generic
Link:
https://www.hybrid-analysis.com/sample/1a552b5db668c321e7f584e0f2d379afc41c00707e4fecad232823445bbcf8be
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/dc2e3f15-9b79-4ca8-8220-848fe6380781
Result
Threat name:
Snake Keylogger
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1316287
Signature
.NET source code contains potential unpacker
Adds a directory exclusion to Windows Defender
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Found malware configuration
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
May check the online IP address of the machine
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Scheduled temp file as task from temp location
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected AntiVM3
Yara detected Generic Downloader
Yara detected Snake Keylogger
Yara detected Telegram RAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1316287 Sample: Payment_copy_Usd_163,500.exe Startdate: 29/09/2023 Architecture: WINDOWS Score: 100 40 checkip.dyndns.org 2->40 42 checkip.dyndns.com 2->42 46 Found malware configuration 2->46 48 Malicious sample detected (through community Yara rule) 2->48 50 Sigma detected: Scheduled temp file as task from temp location 2->50 52 9 other signatures 2->52 8 Payment_copy_Usd_163,500.exe 7 2->8         started        12 IpqdQJORbvHjRe.exe 5 2->12         started        signatures3 process4 file5 36 C:\Users\user\AppData\...\IpqdQJORbvHjRe.exe, PE32 8->36 dropped 38 C:\Users\user\AppData\Local\...\tmp343F.tmp, XML 8->38 dropped 54 Detected unpacking (changes PE section rights) 8->54 56 Detected unpacking (overwrites its own PE header) 8->56 58 Uses schtasks.exe or at.exe to add and modify task schedules 8->58 60 Adds a directory exclusion to Windows Defender 8->60 14 Payment_copy_Usd_163,500.exe 15 2 8->14         started        18 powershell.exe 23 8->18         started        20 powershell.exe 23 8->20         started        26 2 other processes 8->26 62 Multi AV Scanner detection for dropped file 12->62 64 Machine Learning detection for dropped file 12->64 66 Injects a PE file into a foreign processes 12->66 22 IpqdQJORbvHjRe.exe 12->22         started        24 schtasks.exe 12->24         started        signatures6 process7 dnsIp8 44 checkip.dyndns.com 193.122.130.0, 49760, 49761, 80 ORACLE-BMC-31898US United States 14->44 28 conhost.exe 18->28         started        30 conhost.exe 20->30         started        68 Tries to steal Mail credentials (via file / registry access) 22->68 70 Tries to harvest and steal browser information (history, passwords, etc) 22->70 32 conhost.exe 24->32         started        34 conhost.exe 26->34         started        signatures9 process10
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/1a552b5db668c321e7f584e0f2d379afc41c00707e4fecad232823445bbcf8be/
Threat name:
Win32.Trojan.Leonem
Create hunting rule
Status:
Malicious
First seen:
2023-09-25 08:52:10 UTC
File Type:
PE (.Net Exe)
Extracted files:
34
AV detection:
14 of 38 (36.84%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=djkswxnwndbsdz7vqtqpfu3zv7cbyadqpzh6zljdfaruiw547c7a._file
Verdict:
malicious
Similar samples:
0f25306693110deb7fd3d0f27a8bc3c2160247b3e05620d8a09550226cd6c09f
SnakeKeylogger
32ab70a0b9837a3a959859ae34b2b8d5c195298fce995370f8df8ce0094279d1
SnakeKeylogger
4ff54bc771dc97403996794c50ded1a97b000c3f6eeff64afe3d049735e6bcdc
SnakeKeylogger
59a8979d512482bc6a656efb0445fbd1ad97b6c07e6b4353204c6992daca3e35
SnakeKeylogger
61f4eee705342f7e875adc36c259693ec40a7682db74ab040b79dd189fffdf5a
SnakeKeylogger
9c091fdb1a1329094aa1902a066869bf18541c3fbaec9ee69153c790dc568e89
SnakeKeylogger
d37b94cc6dbda1ab0be4125b9399716800149a27665acc13b62f62d9a5d29334
SnakeKeylogger
d8c49ba8b26cbf93164e1051bd1322d0e855b4b15357fcad7a05edbb40564078
SnakeKeylogger
ee40e7f0beeae7021f622dc30baec78d41b7759b0c2bd2c2ca331162973c9d07
SnakeKeylogger
+ 370 additional samples on MalwareBazaar
Result
Malware family:
snakekeylogger
Create hunting rule
Score:
  10/10
Tags:
family:snakekeylogger collection keylogger spyware stealer
Link:
https://tria.ge/reports/230929-krmbaagh5x/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Enumerates physical storage devices
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Looks up external IP address via web service
Checks computer location settings
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Snake Keylogger
Snake Keylogger payload
Unpacked files
SH256 hash:
6ca78f43d3e480c44dfcd8e0a42be6ec98230bd3bbf046b7bcf6c13a6f38e74a
MD5 hash:
bbe3b62f1224b9a3244864fe27230152
SHA1 hash:
a9022919a8a5a181dcf00533a84c442bc4ef7c3d
Link:
https://www.unpac.me/results/8e3131ba-8927-4b5b-bfd6-aa7a5208b990/
SH256 hash:
513d832b6414ca92f71ea7abb910113140519f343c8fee079825d19bec37cae6
MD5 hash:
128feef2cd97a2ee0d369655ab39f214
SHA1 hash:
90d82fff31ca1510bdc670c400faa2893c918341
Link:
https://www.unpac.me/results/8e3131ba-8927-4b5b-bfd6-aa7a5208b990/
SH256 hash:
abed99881ce1e05907653d1697ae232575d0cf067fd5cc646e2e5ee9f7337c82
MD5 hash:
491a7170bd8a7ed81d03a64ff2598bdf
SHA1 hash:
8325a5bccba80878a14032c06b78b34db808b910
Link:
https://www.unpac.me/results/8e3131ba-8927-4b5b-bfd6-aa7a5208b990/
SH256 hash:
301671f7789068fbf11b7d0139acc99081af36a3cfee64dc92dc23d416170d91
MD5 hash:
ce383dd0ed8ed4f14fbbfc034036bf7b
SHA1 hash:
656f6d651741399bc8bf30a059d96e3bc345e4c6
Detections:
snake_keylogger
Create hunting rule
Link:
https://www.unpac.me/results/8e3131ba-8927-4b5b-bfd6-aa7a5208b990/
Parent samples :
7bfacddb1871cc1aab46c0274e8e8f2cfc2cbb4b7caef9df24b6933a1ff75124
1a552b5db668c321e7f584e0f2d379afc41c00707e4fecad232823445bbcf8be
SH256 hash:
1a552b5db668c321e7f584e0f2d379afc41c00707e4fecad232823445bbcf8be
MD5 hash:
8e841cfc7f7abab974f8adbc4e260346
SHA1 hash:
385ba1dad2877c6a712cda30dbb4cd47007d93ce
Link:
https://www.unpac.me/results/8e3131ba-8927-4b5b-bfd6-aa7a5208b990/
Malware family:
SnakeKeylogger
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/1a552b5db668/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/1a552b5db668c321e7f584e0f2d379afc41c00707e4fecad232823445bbcf8be

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:NETexecutableMicrosoft
Create hunting rule
Author:malware-lu
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

SnakeKeylogger

Executable exe 1a552b5db668c321e7f584e0f2d379afc41c00707e4fecad232823445bbcf8be

(this sample)

  
Delivery method
Distributed via e-mail attachment

Comments