MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 1e45e4cb7d2e0ecd7ca9cf8c4470526d31dd78367c7e05d2b0f49c85e5aeafbe. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

SnakeKeylogger

Vendor detections: 13

Intelligence 13 IOCs YARA 2 File information Comments

SHA256 hash:	1e45e4cb7d2e0ecd7ca9cf8c4470526d31dd78367c7e05d2b0f49c85e5aeafbe
SHA3-384 hash:	b14a96f23a0fa330016fe4bd148196869ae219f459b0e66dd28eeb6db2cdcca664f75dddcfc02aee9abf25b1a1abda39
SHA1 hash:	fc27dd2be85f382c7688e3c8d4bb284f00010ae4
MD5 hash:	e669ef7db0760731cf0b683554cc9e6d
humanhash:	two-nitrogen-lemon-april
File name:	PO-7323_pdf.exe
Download:	download sample
Signature	SnakeKeylogger Create hunting rule
File size:	983'552 bytes
First seen:	2023-03-07 12:25:24 UTC
Last seen:	2023-03-07 13:46:10 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'742 x AgentTesla, 19'606 x Formbook, 12'242 x SnakeKeylogger)
ssdeep	12288:1GX3cBVmNUfqBe4c6Qak/jr0/wk2T+hifC/m3J3sX+KQU8SKWkRNp:y6YNUfqBpc6BOYIZdZ+vLXkRP
Threatray	4'547 similar samples on MalwareBazaar
TLSH	T11C259DA56F19A257E7C5A1B31804E7B6EFACBD4C5427C0882EE23D8FB0B9D2C1015E5D
TrID	71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13) 10.2% (.EXE) Win64 Executable (generic) (10523/12/4) 6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 4.3% (.EXE) Win32 Executable (generic) (4505/5/1) 2.0% (.ICL) Windows Icons Library (generic) (2059/9)
Reporter	abuse_ch
Tags:	exe SnakeKeylogger

Intelligence

File Origin

# of uploads :

# of downloads :

200

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

PO-7323_pdf.exe

Verdict:

Malicious activity

Analysis date:

2023-03-07 12:30:21 UTC

Tags:

snake keylogger trojan evasion

Link:

https://app.any.run/tasks/0229bdd2-3b67-4eea-9644-c4a6db673df6

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/372204/

Detection(s):

Sanesecurity.Malware.28872.BadIN4.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

Sending a custom TCP request

Unauthorized injection to a recently created process

Creating a file

Сreating synchronization primitives

DNS request

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

packed

Link:

https://www.filescan.io/uploads/64072d5c7f18ce9b018060d0/reports/65f33f9a-af1f-4658-9ab8-4a356f5db4c9/overview

Verdict:

Malicious

Labled as:

Win/malicious_confidence_100%

Link:

https://www.hybrid-analysis.com/sample/1e45e4cb7d2e0ecd7ca9cf8c4470526d31dd78367c7e05d2b0f49c85e5aeafbe

Result

Verdict:

UNKNOWN

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Generic Malware

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/af726da5-aaf8-4b0c-9673-41dabbbac2b0

Result

Threat name:

Snake Keylogger

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1188522

Signature

Initial sample is a PE file and has a suspicious name

Injects a PE file into a foreign processes

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

May check the online IP address of the machine

Multi AV Scanner detection for submitted file

Snort IDS alert for network traffic

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to steal Mail credentials (via file / registry access)

Yara detected Generic Downloader

Yara detected Snake Keylogger

Yara detected Telegram RAT

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/1e45e4cb7d2e0ecd7ca9cf8c4470526d31dd78367c7e05d2b0f49c85e5aeafbe/

Threat name:

ByteCode-MSIL.Spyware.SnakeLogger

Status:

Malicious

First seen:

2023-03-07 11:58:23 UTC

File Type:

PE (.Net Exe)

Extracted files:

AV detection:

19 of 25 (76.00%)

Threat level:

2/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=dzc6js35fyhm27fjz6gei4csnuy526bwpr7aluvq6soilznov67a._file

Verdict:

malicious

SnakeKeylogger

097be91c4c13ed0f50682d1ea4506bea2d1c748606be4a42ba2b221eb32fbfe9

SnakeKeylogger

3ad0abf36d88941f6ed14a2d1b54532a619d23db9cad1831920643d41f925b7c

SnakeKeylogger

4204afba15557ddd3a55db25af90f65073c7948ad2619b2a298c40a85c892681

SnakeKeylogger

5a74ab32430162909d85d60b449e81d61e891d3be7a69404d4c2d644d773ddce

SnakeKeylogger

69e0ff8d0af4ba0a6a027aea1fa32d52d321ad1b9a4f1da70d7f9b40422c4a0e

SnakeKeylogger

81d94c6c2ef79e622d1ef007c3c0be9b218a2b418833d958c20a52ae8906dabf

SnakeKeylogger

cdae83f80ffac59a1a8422966f1971bac3fde8be2418bc1350f913ba8d322ff5

SnakeKeylogger

e45af7f5388dd4a3dedc03eb45e0323604259960647e68d2c3865d0d57e04163

SnakeKeylogger

faad2c66c89bdb9f36653c0068f3fe34c03e88b7ea0cdadbc5f14005612e409b

SnakeKeylogger

+ 4'537 additional samples on MalwareBazaar

Result

Malware family:

snakekeylogger

Score:

10/10

Tags:

family:snakekeylogger collection keylogger spyware stealer

Link:

https://tria.ge/reports/230307-pl66qahc8s/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

outlook_office_path

outlook_win_path

Suspicious use of SetThreadContext

Accesses Microsoft Outlook profiles

Looks up external IP address via web service

Reads data files stored by FTP clients

Reads user/profile data of local email clients

Reads user/profile data of web browsers

Snake Keylogger

Snake Keylogger payload

Malware Config

C2 Extraction:

https://api.telegram.org/bot5321688653:AAEI2yqGrOA_-sRZ3xaqutrexraSgFa0AnA/sendMessage?chat_id=5048077662

Unpacked files

SH256 hash:

498c0460da26cfc2c4ec95b9b394bbd3db719ba08ccbd5964a533bc9006dcf8f

MD5 hash:

f4e7e91d4fdda2d3feb401b5b1d53abf

SHA1 hash:

cf9e76e6418850ac853bd9c6ce82a0be7920fc1d

Link:

https://www.unpac.me/results/062a0764-781f-44de-a226-c6a5c05e47f1/

SH256 hash:

3e440bc7c23ebdf4920b18e2ab1f66f0550eba65f3e2db4c7c4f99028c409b34

MD5 hash:

c983a52f02ec1bbcd5363a5e17c3375d

SHA1 hash:

ca8bd1e1cc6dea7815196dc36301c23a3002493a

Link:

https://www.unpac.me/results/062a0764-781f-44de-a226-c6a5c05e47f1/

SH256 hash:

f2797254e72dd2af966d80372a52beae8c554b435b969d05600e81b26409fe3f

MD5 hash:

cbfa6db4d7d8f6e711e14d5f65c4f513

SHA1 hash:

9a45c7f0aca50bd278e7e0716cd6b76df947e024

Link:

https://www.unpac.me/results/062a0764-781f-44de-a226-c6a5c05e47f1/

SH256 hash:

ce51ae838119e2704448e19567162df82e3b3e656c9199e4794a41e66ead0afd

MD5 hash:

a12eab9899164983bce97337e225181d

SHA1 hash:

8b18643ad648f642975429436360226ca4f9b9da

Detections:

snake_keylogger

Link:

https://www.unpac.me/results/062a0764-781f-44de-a226-c6a5c05e47f1/

Parent samples :

2e286d753e67d6f541fb4c115342e9dfd688b79a61aa82acf8e0d17757e3b582
1e45e4cb7d2e0ecd7ca9cf8c4470526d31dd78367c7e05d2b0f49c85e5aeafbe

SH256 hash:

8617cea503c2a3961120a9c503d853bc21d38d1fca7143d6b1ef4f388bc5cec7

MD5 hash:

7f225c69df031bf0560aed3847a1221a

SHA1 hash:

4d5f3ccdb2c6015d2b2a73326c0f32b173af2819

Link:

https://www.unpac.me/results/062a0764-781f-44de-a226-c6a5c05e47f1/

SH256 hash:

1e45e4cb7d2e0ecd7ca9cf8c4470526d31dd78367c7e05d2b0f49c85e5aeafbe

MD5 hash:

e669ef7db0760731cf0b683554cc9e6d

SHA1 hash:

fc27dd2be85f382c7688e3c8d4bb284f00010ae4

Link:

https://www.unpac.me/results/062a0764-781f-44de-a226-c6a5c05e47f1/

Malware family:

SnakeKeylogger

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/1e45e4cb7d2e/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Suspicious File

Score:

0.45

Link:

https://yomi.yoroi.company/submissions/1e45e4cb7d2e0ecd7ca9cf8c4470526d31dd78367c7e05d2b0f49c85e5aeafbe

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	pe_imphash Create hunting rule

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/372204/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample