MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 1d7cbed41fbf3a7948b941f7a633d8f05a263828e1f38104186a764292638133. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

SnakeKeylogger

Vendor detections: 11

Intelligence 11 IOCs YARA 3 File information Comments

SHA256 hash:	1d7cbed41fbf3a7948b941f7a633d8f05a263828e1f38104186a764292638133
SHA3-384 hash:	9195167864d720cd20b2500b962694335d03602b052346b4c6b9449e52a30c65af3da245de8e55832744c93947885331
SHA1 hash:	1e920e16be0cca301799a3e91df593ceff6e704b
MD5 hash:	6bd6470f1d4307fc7d76d98f2d7e0aac
humanhash:	uranus-wyoming-xray-angel
File name:	Purchase Order No. GN-205603-004.exe
Download:	download sample
Signature	SnakeKeylogger Create hunting rule
File size:	553'472 bytes
First seen:	2021-10-05 06:50:37 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'741 x AgentTesla, 19'605 x Formbook, 12'242 x SnakeKeylogger)
ssdeep	12288:2pvLxlTt+YAudElYXX88s6I7miEnt5jItqo0J7:0vLvTyK8ehB
Threatray	1'195 similar samples on MalwareBazaar
TLSH	T1E9C429AC321371FECDD7C1B58A586D60AB14646F530B82135037DDA9B93FAA6CF5C0A2
File icon (PE):
dhash icon	cc963355553396cc (4 x AgentTesla, 1 x SnakeKeylogger, 1 x Loki)
Reporter	abuse_ch
Tags:	exe SnakeKeylogger

Intelligence

File Origin

# of uploads :

# of downloads :

171

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

Purchase Order No. GN-205603-004.exe

Verdict:

Suspicious activity

Analysis date:

2021-10-05 06:52:09 UTC

Tags:

n/a

Link:

https://app.any.run/tasks/521a3f63-e8ec-4225-bd18-f261cf0cc27e

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/194891/

Detection(s):

SecuriteInfo.com.Trojan.PackedNET.935-1.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

Creating a file

Verdict:

Likely Malicious

Threat level:

7.5/10

Confidence:

100%

Tags:

obfuscated packed

Link:

https://www.filescan.io/uploads/615c067fe3d213d202b76e22/reports/24b9023c-d7e4-41be-905c-3218c8176d9f/overview

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/515229cb-2fdc-446a-ae31-280ef4ad210f

Result

Threat name:

Snake Keylogger

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/864569

Signature

.NET source code references suspicious native API functions

Found malware configuration

Initial sample is a PE file and has a suspicious name

Injects a PE file into a foreign processes

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

May check the online IP address of the machine

Multi AV Scanner detection for submitted file

Sigma detected: Bad Opsec Defaults Sacrificial Processes With Improper Arguments

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to steal Mail credentials (via file access)

Writes to foreign memory regions

Yara detected AntiVM3

Yara detected Snake Keylogger

Yara detected Telegram RAT

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/1d7cbed41fbf3a7948b941f7a633d8f05a263828e1f38104186a764292638133/

Threat name:

Win32.Trojan.AgentTesla

Status:

Malicious

First seen:

2021-10-05 01:40:47 UTC

AV detection:

16 of 45 (35.56%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=dv6l5va7x45hssfzih32mm6y6bncmobi4hzycbaynj3efetdqezq._file

Verdict:

malicious

SnakeKeylogger

2757283204541417f05f64637d4313b9580b47a867ca14bc0728665ef043fff8

SnakeKeylogger

28d365d0bf668ea41521237a106c5ad34b280ec1cbfc2b6a5d39ec82b72e3d2f

SnakeKeylogger

3c2d13bed08fb1f1161870188f6e3bd192ff27f6d7d4ec51e81ba984cbab90e8

SnakeKeylogger

470f6539b8ee00569951c0d37d02afe1b7dab5c57e3a9279ea3a18d399e47e82

SnakeKeylogger

558c85e2b7da5f09f5207380878f37bec4b3437b8717fd3215f1d37a9894d8d6

SnakeKeylogger

629e9ec1106e34b10209da91c1394d15c7c0ed2a5f71553c7d00a4836bd91c03

SnakeKeylogger

7a9c56075abcdbf871f11581ec725fb7794fefc3cb7087bacf1d48a3aabb035a

SnakeKeylogger

8613eb4859c1db523505c3814aa707ec65928adef641985045eb68e479c4dfeb

SnakeKeylogger

f260c80e685986ac80122c63fcc494891baf4d688668da8f7fa11e38d7f8d1b8

SnakeKeylogger

+ 1'185 additional samples on MalwareBazaar

Result

Malware family:

snakekeylogger

Score:

10/10

Tags:

family:snakekeylogger keylogger stealer

Link:

https://tria.ge/reports/211005-hmjy9ahfdp/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Suspicious use of SetThreadContext

Looks up external IP address via web service

Snake Keylogger

Unpacked files

SH256 hash:

0ff32ba3f973718271491390cb7010856d2c038d85fd2912d48e0ed2edd7cdb3

MD5 hash:

774d63a481fe718aa2df7848da73810d

SHA1 hash:

7f5641d82c541bf131be812e15b154e3d901fca1

Link:

https://www.unpac.me/results/7b6aaff8-9249-40b0-92ae-997efe3958e5/

SH256 hash:

fe8637d821a39a8b74abce7e043007d38cb9c5cfcb7098af9846cfd98185ac03

MD5 hash:

c380b6831f456ac5cac08c78c0e4dada

SHA1 hash:

3e241a0b9d96c1dfbadd7ee1a8c5ee6d74eba11c

Link:

https://www.unpac.me/results/7b6aaff8-9249-40b0-92ae-997efe3958e5/

SH256 hash:

f9cdc94440766f0afca53d08732725e5eb5be0414337f930abba67ac0a2fd207

MD5 hash:

68274d19e239b6a653c4fb43b0ef7887

SHA1 hash:

00684f7690b39c87792ec0ecc0230351e74e59ec

Link:

https://www.unpac.me/results/7b6aaff8-9249-40b0-92ae-997efe3958e5/

SH256 hash:

1d7cbed41fbf3a7948b941f7a633d8f05a263828e1f38104186a764292638133

MD5 hash:

6bd6470f1d4307fc7d76d98f2d7e0aac

SHA1 hash:

1e920e16be0cca301799a3e91df593ceff6e704b

Link:

https://www.unpac.me/results/7b6aaff8-9249-40b0-92ae-997efe3958e5/

Malware family:

Phoenix

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/1d7cbed41fbf/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

0.81

Link:

https://yomi.yoroi.company/submissions/1d7cbed41fbf3a7948b941f7a633d8f05a263828e1f38104186a764292638133

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	pe_imphash Create hunting rule

Rule name:	pe_imphash Create hunting rule

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/194891/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample