MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 1d16237ed75b507f03609ede9722fff429f9a7386c4c4408a9f47623d7a28b50. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

SHA256 hash:	1d16237ed75b507f03609ede9722fff429f9a7386c4c4408a9f47623d7a28b50
SHA3-384 hash:	5b804c668bb83a5872e24feaa2b10a933b7bb995622d5119d21747161ba9f25dddc90aea7f52364cf688b1bdf7fb402b
SHA1 hash:	8771d111792d957cbf775c7eecd743be4b49d0a7
MD5 hash:	fcbb18ac3efebbcbe42999b718ba2995
humanhash:	william-nitrogen-cat-oranges
File name:	payment-534.pdf.exe
Download:	download sample
Signature	SnakeKeylogger Alert Create hunting rule
File size:	1'202'688 bytes
First seen:	2023-12-19 15:09:26 UTC
Last seen:	2023-12-19 16:16:17 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'650 x AgentTesla, 19'462 x Formbook, 12'203 x SnakeKeylogger)
ssdeep	24576:mYrGdfC41+CruFtTRXispYjwLf1JxuAnHWsKjIo1zMh:FZ41+CraTRXikxJsAnHWsKso1zMh
TLSH	T12045493C99BD222BA4B5EAA2DBD58833F110996B311D6D7598E3C355730AE4334C363E
TrID	71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13) 10.2% (.EXE) Win64 Executable (generic) (10523/12/4) 6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 4.3% (.EXE) Win32 Executable (generic) (4505/5/1) 2.0% (.ICL) Windows Icons Library (generic) (2059/9)
Reporter	abuse_ch
Tags:	exe SnakeKeylogger

Intelligence

---

File Origin

# of uploads :

2

# of downloads :

318

Origin country :

NL

Vendor Threat Intelligence

CAPE Sandbox Snake

Detection:

Snake

Alert

Create hunting rule

Link:

https://www.capesandbox.com/analysis/468511/

ClamAV Detected

Detection(s):

Porcupine.Malware.58887.UNOFFICIAL

Alert

Create hunting rule

Dr. Web vxCube Malware

Result

Verdict:

Malware

Maliciousness:

Behaviour

Searching for the window

Creating a window

Sending a custom TCP request

Unauthorized injection to a recently created process

Restart of the analyzed sample

Creating a file

Сreating synchronization primitives

DNS request

Sending an HTTP GET request

Reading critical registry keys

FileScan.IO Malicious

Verdict:

Malicious

Threat level:

  10/10

Confidence:

100%

Tags:

masquerade packed

Link:

https://www.filescan.io/uploads/6581b253314dbc3b9b591dbc/reports/37b25001-aedd-4917-b37e-30e95cb6dd6f/overview

Hybrid Analysis Win/malicious_confidence_100%

Verdict:

Malicious

Labled as:

Win/malicious_confidence_100%

Link:

https://www.hybrid-analysis.com/sample/1d16237ed75b507f03609ede9722fff429f9a7386c4c4408a9f47623d7a28b50

InQuest MALICIOUS

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Intezer Snake Keylogger

Malware family:

Snake Keylogger

Alert

Create hunting rule

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/45b31caf-d635-4663-b939-106c4e591a0a

Joe Sandbox Snake Keylogger

Result

Threat name:

Snake Keylogger

Alert

Create hunting rule

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1364598

Signature

.NET source code contains potential unpacker

.NET source code contains very large strings

Found malware configuration

Initial sample is a PE file and has a suspicious name

Injects a PE file into a foreign processes

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to steal Mail credentials (via file / registry access)

Uses an obfuscated file name to hide its real file extension (double extension)

Yara detected AntiVM3

Yara detected BrowserPasswordDump

Yara detected Generic Downloader

Yara detected Snake Keylogger

Yara detected Telegram RAT

Behaviour

Behavior Graph:

Download SVG

Nucleon Malprob Malware

Score:

100%

Verdict:

Malware

File Type:

PE

Link:

https://malprob.io/report/1d16237ed75b507f03609ede9722fff429f9a7386c4c4408a9f47623d7a28b50

CERT.PL MWDB

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/1d16237ed75b507f03609ede9722fff429f9a7386c4c4408a9f47623d7a28b50/

ReversingLabs TitaniumCloud ByteCode-MSIL.Trojan.AgentTesla

Threat name:

ByteCode-MSIL.Trojan.AgentTesla

Alert

Create hunting rule

Status:

Malicious

First seen:

2023-12-19 15:10:08 UTC

File Type:

PE (.Net Exe)

Extracted files:

12

AV detection:

18 of 23 (78.26%)

Threat level:

  5/5

Spamhaus Hash Blocklist Suspicious file

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=dulcg7wxlnih6a3at3pjoix76qu7tjzynrgeicfj6r3chv5crnia._file

Threatray malicious

Verdict:

malicious

Hatching Triage snakekeylogger

Result

Malware family:

snakekeylogger

Alert

Create hunting rule

Score:

  10/10

Tags:

family:snakekeylogger collection keylogger spyware stealer

Link:

https://tria.ge/reports/231219-sj14gabdem/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

outlook_office_path

outlook_win_path

Suspicious use of SetThreadContext

Accesses Microsoft Outlook profiles

Looks up external IP address via web service

Reads data files stored by FTP clients

Reads user/profile data of local email clients

Reads user/profile data of web browsers

Snake Keylogger

Snake Keylogger payload

UnpacMe HKTL_NET_GUID_BrowserPass snake_keylogger INDICATOR_SUSPICIOUS_EXE_TelegramChatBot MAL_Envrial_Jan18_1 MALWARE_Win_SnakeKeylogger INDICATOR_SUSPICIOUS_Binary_References_Browsers INDICATOR_SUSPICIOUS_EXE_DotNetProcHook INDICATOR_SUSPICIOUS_EXE_References_Messaging_Clients

Unpacked files

SH256 hash:

e22e7f09d743e524d134f4b4bbf5f1eb5308a3edb954a40b8aa5e68c7b8cffd4

MD5 hash:

07e1f7163b7d8b6d80d83d1c819436ef

SHA1 hash:

ed7724c52e18b9810939327b803ca03837915836

Detections:

HKTL_NET_GUID_BrowserPass

Alert

Create hunting rule

Link:

https://www.unpac.me/results/1814a48f-7bfd-4b82-a29c-07cf83e1482b/

Parent samples :

1d16237ed75b507f03609ede9722fff429f9a7386c4c4408a9f47623d7a28b50
7154910c217ddc6b6d3726e066d688288efbcd8682a4ad90556fed2ce9009c69
c5dd4dced21baff9499dac6505a77527ac91dc0b0f187c20e9b960b46b3636b9
90dd02313886725b3ad19eaa0780f7189d49e8d1a334e51e5432027e2326c14f

SH256 hash:

7ae158c50a727dd5be100b0ba2246550a9a033d03894f02bfd7f1050b7910308

MD5 hash:

0244dffd89b343f0e1e2a2e656c62458

SHA1 hash:

3a7f1950b5ba7f71eb7ee464f8ba01f7198f65fb

Link:

https://www.unpac.me/results/1814a48f-7bfd-4b82-a29c-07cf83e1482b/

SH256 hash:

5cf95ab8199f6a41af03f1d16328d59f106cc4b391a9ecf43b9b4e7d9a1de91c

MD5 hash:

a92ccbae7afeac37a66d2c72dfdcb6ad

SHA1 hash:

edb18dd3acb691981eefbaae413f81f510e50452

Link:

https://www.unpac.me/results/1814a48f-7bfd-4b82-a29c-07cf83e1482b/

SH256 hash:

1a88bc1d616a372f2966d96ac5b6062f9787958f6f70166151c8aa74babd77ee

MD5 hash:

5816d099db67c7382bef21894365e601

SHA1 hash:

de0630a39c3c584b4e8875806cf8076199ca2565

Detections:

snake_keylogger

Alert

Create hunting rule

INDICATOR_SUSPICIOUS_EXE_TelegramChatBot

Alert

Create hunting rule

MAL_Envrial_Jan18_1

Alert

Create hunting rule

MALWARE_Win_SnakeKeylogger

Alert

Create hunting rule

INDICATOR_SUSPICIOUS_Binary_References_Browsers

Alert

Create hunting rule

INDICATOR_SUSPICIOUS_EXE_DotNetProcHook

Alert

Create hunting rule

INDICATOR_SUSPICIOUS_EXE_References_Messaging_Clients

Alert

Create hunting rule

Link:

https://www.unpac.me/results/1814a48f-7bfd-4b82-a29c-07cf83e1482b/

SH256 hash:

d01f3dea3851602ba5a0586c60430d286adf6fcc7e17aab080601a66630606e5

MD5 hash:

579197d4f760148a9482d1ebde113259

SHA1 hash:

cf6924eb360c7e5a117323bebcb6ee02d2aec86d

Link:

https://www.unpac.me/results/1814a48f-7bfd-4b82-a29c-07cf83e1482b/

SH256 hash:

c5328f7af843244b56d6a208c322a9315daea139d1b255cda993b243e4394ecf

MD5 hash:

160f4669c06c6496d79a92ea9d33e89b

SHA1 hash:

baae226fdb2a9739f118db781bdc74f2efc6a585

Link:

https://www.unpac.me/results/1814a48f-7bfd-4b82-a29c-07cf83e1482b/

SH256 hash:

1d16237ed75b507f03609ede9722fff429f9a7386c4c4408a9f47623d7a28b50

MD5 hash:

fcbb18ac3efebbcbe42999b718ba2995

SHA1 hash:

8771d111792d957cbf775c7eecd743be4b49d0a7

Link:

https://www.unpac.me/results/1814a48f-7bfd-4b82-a29c-07cf83e1482b/

VMRay SnakeKeylogger

Malware family:

SnakeKeylogger

Alert

Create hunting rule

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/1d16237ed75b/report/overview.html

VirusTotal

Please note that we are no longer able to provide a coverage score for Virus Total.

YOROI YOMI Malicious File

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/1d16237ed75b507f03609ede9722fff429f9a7386c4c4408a9f47623d7a28b50

File information

---

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

SnakeKeylogger

exe 1d16237ed75b507f03609ede9722fff429f9a7386c4c4408a9f47623d7a28b50

(this sample)

  

Delivery method

Distributed via e-mail attachment

Cape

https://www.capesandbox.com/analysis/468511/