MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 1f7cd0cb15550fd5bf1a49353ae74845965cb3d313f5b8e66f4bd2835661917f. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


SnakeKeylogger


Vendor detections: 12


Intelligence 12 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 1f7cd0cb15550fd5bf1a49353ae74845965cb3d313f5b8e66f4bd2835661917f
SHA3-384 hash: 903041c9d1c3b0efc3dc9935f38987e341ec413699e9f00591f388ba754eedaafab34537201eaa38df4778962370fa69
SHA1 hash: 24585c7a4a5c1cd1d7cf8bb6aac3910458709b61
MD5 hash: 6219b374945e8918b16eeb12c09deba2
humanhash: twelve-arkansas-batman-paris
File name:TT copy.exe
Download: download sample
Signature SnakeKeylogger
Create hunting rule
File size:380'416 bytes
First seen:2022-05-17 10:41:19 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'661 x AgentTesla, 19'474 x Formbook, 12'208 x SnakeKeylogger)
ssdeep 6144:83fN6P0I2W5kbcAG3uY0mVHHcX8JrVCWrAAxyihflz5Gcy3g/B4KxDAFHvtnEqJn:I6P0lbRGzLF1VNVt1B4k855
Threatray 3'638 similar samples on MalwareBazaar
TLSH T17684CF113B5C3D02CAAFD6B95160C2015275809F7D63F32AAFA34CFEA945B8597D0E3A
TrID 64.2% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
11.5% (.SCR) Windows screen saver (13101/52/3)
9.2% (.EXE) Win64 Executable (generic) (10523/12/4)
5.7% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
3.9% (.EXE) Win32 Executable (generic) (4505/5/1)
Reporter abuse_ch
Tags:exe SnakeKeylogger

Intelligence

File Origin
# of uploads :
1
# of downloads :
190
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
TT copy.exe
Verdict:
Malicious activity
Analysis date:
2022-05-18 04:49:02 UTC
Tags:
evasion trojan snake keylogger
Link:
https://app.any.run/tasks/171af4ba-c8c4-4765-967f-80d33d059b9f

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Snake
Create hunting rule
Link:
https://www.capesandbox.com/analysis/271503/
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Сreating synchronization primitives
Creating a file in the %AppData% directory
Creating a file in the %temp% directory
Launching a process
Creating a process with a hidden window
Unauthorized injection to a recently created process
Creating a file
DNS request
Sending an HTTP GET request
Reading critical registry keys
Enabling autorun by creating a file
Forced shutdown of a browser
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
control.exe obfuscated packed replace.exe shell32.dll
Link:
https://www.filescan.io/uploads/62837be1fd71ca8b2eeab386/reports/e41b081d-b777-48f2-be09-8f18b76b3e9c/overview
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Snake Keylogger
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/240db382-0efa-404a-9cc5-3431ab690cea
Result
Threat name:
Snake Keylogger
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/996281
Signature
.NET source code references suspicious native API functions
Found malware configuration
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
May check the online IP address of the machine
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Mail credentials (via file / registry access)
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected AntiVM3
Yara detected Generic Downloader
Yara detected Snake Keylogger
Yara detected Telegram RAT
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/1f7cd0cb15550fd5bf1a49353ae74845965cb3d313f5b8e66f4bd2835661917f/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2022-05-17 07:03:10 UTC
File Type:
PE (.Net Exe)
Extracted files:
5
AV detection:
28 of 41 (68.29%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=d56nbsyvkuh5lpy2je2tvz2iiwlfzm6tcp23rztpjpjigvtbsf7q._file
Verdict:
malicious
Similar samples:
14fcb8a4565e90550de5237fccbf8b283c970055ba9b11e206fdf7329c3ad51d
SnakeKeylogger
2d2d52ba1a0550416131412156d24dcf1e556ecd94feb13f770af0466cafa32a
SnakeKeylogger
4f13b3bb65c3c0b9a52cce7f5ad403907f39d6540623d8f0259ca05ebe240454
SnakeKeylogger
89126ab29977ea93c47b855e29d58d35034972c896b8717cec0c03fdc08ee4b3
SnakeKeylogger
b8c5637959b9cfac40d936a24f591db4492babd891f76274e15e81de8d65e219
SnakeKeylogger
ed052e3c7b1c95b65533b5547921f84331d2b77e5bb55f238f7c08623ec3ebf0
SnakeKeylogger
fe84e1a62e57213249801372834a30d3d218f122889258bdd83e5f016ed4f209
SnakeKeylogger
+ 3'628 additional samples on MalwareBazaar
Result
Malware family:
snakekeylogger
Create hunting rule
Score:
  10/10
Tags:
family:snakekeylogger collection keylogger spyware stealer
Link:
https://tria.ge/reports/220517-mrnv8aafd8/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Enumerates physical storage devices
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Looks up external IP address via web service
Checks computer location settings
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Snake Keylogger
Snake Keylogger Payload
Unpacked files
SH256 hash:
733563834afe539c19be892575f768a308188bde86b7ee9b9aaed10dcc75fd6f
MD5 hash:
ab6dd3758fe66e41911beaa098b80eee
SHA1 hash:
c565f96147743d6dcf32d17a8b6cb7bd7ddbcb87
Link:
https://www.unpac.me/results/03d01f54-53db-4332-ad02-912a4a2753e0/
SH256 hash:
79823e47436e129def4fba8ee225347a05b7bb27477fb1cc8be6dc9e9ce75696
MD5 hash:
39f524c1ab0eb76dfd79b2852e5e8c39
SHA1 hash:
428018e1701006744e34480b0029982a76d8a57d
Link:
https://www.unpac.me/results/03d01f54-53db-4332-ad02-912a4a2753e0/
SH256 hash:
d71d2b6986fbd69c3598995048c70fa600cd6001fb1434b4afeda6a616aad958
MD5 hash:
0ae6c3dbf6ab586230669e8948ffc5c9
SHA1 hash:
105cf7e8e41d4d230a6b972ea947592d48276cb7
Link:
https://www.unpac.me/results/03d01f54-53db-4332-ad02-912a4a2753e0/
SH256 hash:
1f7cd0cb15550fd5bf1a49353ae74845965cb3d313f5b8e66f4bd2835661917f
MD5 hash:
6219b374945e8918b16eeb12c09deba2
SHA1 hash:
24585c7a4a5c1cd1d7cf8bb6aac3910458709b61
Link:
https://www.unpac.me/results/03d01f54-53db-4332-ad02-912a4a2753e0/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/1f7cd0cb15550fd5bf1a49353ae74845965cb3d313f5b8e66f4bd2835661917f

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

SnakeKeylogger

Executable exe 1f7cd0cb15550fd5bf1a49353ae74845965cb3d313f5b8e66f4bd2835661917f

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/271503/

Comments