MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 1de694a30e2faf51fcbd5a7e7054022b883bc644bc0f1df7e9723b2c879b587c. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


SnakeKeylogger


Vendor detections: 10


Intelligence 10 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 1de694a30e2faf51fcbd5a7e7054022b883bc644bc0f1df7e9723b2c879b587c
SHA3-384 hash: f9f83f1f48275070649d5c3a7fd2b4d87b9100547c863bc4bdcd17df6a09d4fb67606d2a03d1ab3648ae1f1cf717e4c1
SHA1 hash: f935dc442a130c3fb78e8688629a828258330982
MD5 hash: 51c9980a1880525cba9c3e1093da9298
humanhash: beer-item-item-purple
File name:Avviso di pagamento.exe
Download: download sample
Signature SnakeKeylogger
Create hunting rule
File size:520'704 bytes
First seen:2022-05-23 13:19:04 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 12288:K+I2VDgbeFxe9oUnThuJiuIwxxwF0yXbwVHsE:LfVMbooxwxxwF0yrc
Threatray 3'390 similar samples on MalwareBazaar
TLSH T1A3B412E5EF6405ADF8A687B434371E1A16633E3AB835E9CE985EB0B96F333524003517
TrID 72.5% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.4% (.EXE) Win64 Executable (generic) (10523/12/4)
6.5% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.4% (.EXE) Win32 Executable (generic) (4505/5/1)
2.0% (.EXE) OS/2 Executable (generic) (2029/13)
File icon (PE):PE icon
dhash icon 3311353371511900 (1 x SnakeKeylogger)
Reporter abuse_ch
Tags:exe SnakeKeylogger

Intelligence

File Origin
# of uploads :
1
# of downloads :
247
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
Avviso di pagamento.exe
Verdict:
Malicious activity
Analysis date:
2022-05-24 00:50:33 UTC
Tags:
evasion trojan snake
Link:
https://app.any.run/tasks/0db9d91d-fd68-438a-be2d-7da8f0e65a62

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/273697/
Result
Verdict:
Clean
Maliciousness:

Behaviour
Creating a window
Launching a process
Creating a process with a hidden window
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
obfuscated packed
Link:
https://www.filescan.io/uploads/628b8a0c945ebb7eb1773181/reports/4cd7dede-aee1-47a5-87ad-e6ff74c9feb1/overview
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Snake Keylogger
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/2bc213c8-51a6-4fb4-a29c-ad33bcd2c22a
Result
Threat name:
Snake Keylogger
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1000006
Signature
.NET source code contains potential unpacker
.NET source code references suspicious native API functions
Adds a directory exclusion to Windows Defender
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Found malware configuration
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
May check the online IP address of the machine
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Mail credentials (via file / registry access)
Uses schtasks.exe or at.exe to add and modify task schedules
Uses the Telegram API (likely for C&C communication)
Yara detected AntiVM3
Yara detected Generic Downloader
Yara detected Snake Keylogger
Yara detected Telegram RAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 632524 Sample: Avviso di pagamento.exe Startdate: 23/05/2022 Architecture: WINDOWS Score: 100 37 Snort IDS alert for network traffic 2->37 39 Found malware configuration 2->39 41 Malicious sample detected (through community Yara rule) 2->41 43 17 other signatures 2->43 7 Avviso di pagamento.exe 7 2->7         started        process3 file4 23 C:\Users\user\AppData\...\cHvPkVmsHC.exe, PE32 7->23 dropped 25 C:\Users\...\cHvPkVmsHC.exe:Zone.Identifier, ASCII 7->25 dropped 27 C:\Users\user\AppData\Local\...\tmp2EF0.tmp, XML 7->27 dropped 29 C:\Users\user\...\Avviso di pagamento.exe.log, ASCII 7->29 dropped 45 Adds a directory exclusion to Windows Defender 7->45 47 Injects a PE file into a foreign processes 7->47 11 Avviso di pagamento.exe 15 2 7->11         started        15 powershell.exe 25 7->15         started        17 schtasks.exe 1 7->17         started        signatures5 process6 dnsIp7 31 checkip.dyndns.com 132.226.8.169, 49760, 80 UTMEMUS United States 11->31 33 checkip.dyndns.org 11->33 35 api.telegram.org 149.154.167.220, 443, 49763 TELEGRAMRU United Kingdom 11->35 49 Tries to steal Mail credentials (via file / registry access) 11->49 51 Tries to harvest and steal ftp login credentials 11->51 53 Tries to harvest and steal browser information (history, passwords, etc) 11->53 19 conhost.exe 15->19         started        21 conhost.exe 17->21         started        signatures8 process9
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/1de694a30e2faf51fcbd5a7e7054022b883bc644bc0f1df7e9723b2c879b587c/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2022-05-23 13:00:37 UTC
File Type:
PE (.Net Exe)
Extracted files:
11
AV detection:
18 of 26 (69.23%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=dxtjjiyof6xvd7f5lj7havacfoedxrsexqhr357joi5szb43lb6a._file
Verdict:
malicious
Similar samples:
1deca3ca80c75f513d42c2d02e4193cdd03f1313d7d5ea3aa6751192989a6e84
SnakeKeylogger
23ec2dfcb68af1ff78e6a2c9f60f01f89e3ddbf119c2ca9a20df319fb89afd12
SnakeKeylogger
2a16d4a858c9be5c82df16d69f7490088b3071fb6f2b66b65f3ceddcf29d1590
SnakeKeylogger
581cd8671e414c5a4aad5d5874713e6ddbbb0c342e73493e28e59c86ed713ff8
SnakeKeylogger
7133536be647a4809ef0e92fc1c0ca8a49db7ed0c79aad39874ae7731bc849b5
SnakeKeylogger
b11e4827173f942813d0efac847c3446f57c77607d18d3d0933f888839400445
SnakeKeylogger
bcf37cdec10976971f5c6523814fc48cdab566fac024ce7adb58a165932ec80c
SnakeKeylogger
db8077047dd69f232e9318ca7b5c6fdbbd012390453f0be9aaf2bffe4981bb94
SnakeKeylogger
dee9479a27f8281c61fa8e25f006e01087e5dabad181cdb262bd8e9f4696e851
SnakeKeylogger
e40d04897171c6b9b64d69ef3eb428445b6621afb24a9a58efd3e6cf1867f8da
SnakeKeylogger
+ 3'380 additional samples on MalwareBazaar
Result
Malware family:
snakekeylogger
Create hunting rule
Score:
  10/10
Tags:
family:snakekeylogger collection keylogger spyware stealer
Link:
https://tria.ge/reports/220523-qk3ycadfa2/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Enumerates physical storage devices
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Looks up external IP address via web service
Checks computer location settings
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Snake Keylogger
Snake Keylogger Payload
Malware Config
C2 Extraction:
https://api.telegram.org/bot5254575276:AAFWaXU-iUq7XUY5iCKZ19_bcweDLz5oZhE/sendMessage?chat_id=1285569317
Unpacked files
SH256 hash:
8eba89c696de02a706b609060c13b77666c90c9db858703cce44fd8ffb37a2b5
MD5 hash:
934bb0b3a6502e4965eef14d972ad371
SHA1 hash:
f112ed9c427514a3615bf320c678f4c837729d2e
Link:
https://www.unpac.me/results/828dafac-aa51-4f92-b345-2665fd94ac81/
SH256 hash:
0c6974bca2bfc9800ac7fe44921d992d944eaa5dec57d161fc8e60265a741957
MD5 hash:
8a1f735f4de6d0a28f13d67d6a3a08b8
SHA1 hash:
ef0ddfb44d0b176d863c18657a3bc106ac9e8686
Link:
https://www.unpac.me/results/828dafac-aa51-4f92-b345-2665fd94ac81/
SH256 hash:
260b5fd8c93db7bf86e36b587079483233020e755074798ddbc40821a4afe0eb
MD5 hash:
13346af03b105b0b8f593724d6dc0c1d
SHA1 hash:
85c3722ba3a0cbe36b4a8997a9476bc498b7b3e7
Link:
https://www.unpac.me/results/828dafac-aa51-4f92-b345-2665fd94ac81/
SH256 hash:
fdd10fb67e6276b3d848c92d4686f56b2ecbea1d629795a241ca6306a2f62d55
MD5 hash:
f20fd214bbda1a459a3eb415eec86017
SHA1 hash:
c658f61e4f308a69a4509649439814166c655e84
Link:
https://www.unpac.me/results/828dafac-aa51-4f92-b345-2665fd94ac81/
SH256 hash:
8de9e509da9f506ba0ee7d511e352c4018cc44014c82fcde4fb2b5f4f86487b0
MD5 hash:
774059b66aece3e82f1734ba8eca64c1
SHA1 hash:
6c6ac3a6471969147d6bb0e56c45ffe828f02b51
Link:
https://www.unpac.me/results/828dafac-aa51-4f92-b345-2665fd94ac81/
SH256 hash:
1de694a30e2faf51fcbd5a7e7054022b883bc644bc0f1df7e9723b2c879b587c
MD5 hash:
51c9980a1880525cba9c3e1093da9298
SHA1 hash:
f935dc442a130c3fb78e8688629a828258330982
Link:
https://www.unpac.me/results/828dafac-aa51-4f92-b345-2665fd94ac81/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/1de694a30e2faf51fcbd5a7e7054022b883bc644bc0f1df7e9723b2c879b587c

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/273697/

Comments