MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 210a46fa055399a9fe0b153724c4c6480c622e68fdf70c67fc3626d16619d68a. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


SnakeKeylogger


Vendor detections: 10


Intelligence 10 IOCs YARA 4 File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 210a46fa055399a9fe0b153724c4c6480c622e68fdf70c67fc3626d16619d68a
SHA3-384 hash: 858d704b4a7e0dc32f1f3b0781190dd2a0c36e4082806b34ff6a73bcb1965151921e692291d667255accfe8a55e5017e
SHA1 hash: 4ee1dd0380b0e585217863133ea32a5dd48d444e
MD5 hash: 9e0f0affb0ceabd35d88978d4bd22a79
humanhash: washington-river-floor-california
File name:9e0f0affb0ceabd35d88978d4bd22a79
Download: download sample
Signature SnakeKeylogger
Create hunting rule
File size:296'960 bytes
First seen:2021-07-07 18:53:01 UTC
Last seen:2021-07-07 19:44:46 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'744 x AgentTesla, 19'608 x Formbook, 12'242 x SnakeKeylogger)
ssdeep 6144:vse3qV+D2dBUrNGeuRPywajDBjnWXnsAebddl8qz:04R2UpNuRcvNrAebjl3
Threatray 217 similar samples on MalwareBazaar
TLSH T17F5412916EB48762C46E437B60C691F20BA6DDF25443E78FAB407FC9827F3448BC1A46
Reporter zbetcheckin
Tags:32 exe SnakeKeylogger

Intelligence

File Origin
# of uploads :
2
# of downloads :
138
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
9e0f0affb0ceabd35d88978d4bd22a79
Verdict:
Suspicious activity
Analysis date:
2021-07-07 18:57:29 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/14838249-7719-4666-a284-2824d4838a9e

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Snake
Create hunting rule
Link:
https://www.capesandbox.com/analysis/170297/
Detection(s):
SecuriteInfo.com.Trojan00577e181.12908.32272.UNOFFICIAL
Create hunting rule

Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
NanoCoreRAT
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/ed7a727a-6790-450e-ac89-a92e4a2fac7c
Result
Threat name:
Snake Keylogger
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/813111
Signature
.NET source code references suspicious native API functions
Found malware configuration
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
May check the online IP address of the machine
Multi AV Scanner detection for submitted file
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Mail credentials (via file access)
Writes to foreign memory regions
Yara detected Snake Keylogger
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 445522 Sample: 46ixp53YOX Startdate: 07/07/2021 Architecture: WINDOWS Score: 100 50 Found malware configuration 2->50 52 Multi AV Scanner detection for submitted file 2->52 54 Yara detected Snake Keylogger 2->54 56 4 other signatures 2->56 6 46ixp53YOX.exe 1 7 2->6         started        10 office.exe 5 2->10         started        12 office.exe 2 2->12         started        process3 file4 24 C:\Users\user\AppData\Roaming\...\office.exe, PE32 6->24 dropped 26 C:\Users\user\AppData\...\46ixp53YOX.exe, PE32 6->26 dropped 28 C:\Users\user\...\office.exe:Zone.Identifier, ASCII 6->28 dropped 34 2 other malicious files 6->34 dropped 58 Writes to foreign memory regions 6->58 60 Injects a PE file into a foreign processes 6->60 14 46ixp53YOX.exe 6->14         started        17 46ixp53YOX.exe 15 2 6->17         started        30 C:\Users\user\AppData\Local\Temp\office.exe, PE32 10->30 dropped 32 C:\Users\user\...\office.exe:Zone.Identifier, ASCII 10->32 dropped 20 office.exe 2 10->20         started        22 office.exe 12->22         started        signatures5 process6 dnsIp7 36 checkip.dyndns.org 17->36 38 smtp.yandex.ru 77.88.21.158, 49777, 49778, 49779 YANDEXRU Russian Federation 17->38 48 2 other IPs or domains 17->48 40 checkip.dyndns.org 20->40 42 192.168.2.1 unknown unknown 20->42 62 May check the online IP address of the machine 20->62 64 Tries to steal Mail credentials (via file access) 20->64 66 Machine Learning detection for dropped file 20->66 68 2 other signatures 20->68 44 checkip.dyndns.org 22->44 46 172.67.188.154, 443, 49832 CLOUDFLARENETUS United States 22->46 signatures8
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/210a46fa055399a9fe0b153724c4c6480c622e68fdf70c67fc3626d16619d68a/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2021-07-07 18:53:05 UTC
AV detection:
15 of 28 (53.57%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=eefen6qfkom2t7qlcu3sjrggjaggelti7x3qyz74gytnczqz22fa._file
Verdict:
malicious
Similar samples:
043c91c0f8bd07fdce3af1ccadf2afec896527684eacee91d78e7afe32173d51
SnakeKeylogger
3390c123938c77d21a6ae1dc750265427ea0fb5f5dd3571a9f2dcb069ee66812
SnakeKeylogger
3914a1dd5bbef9edeceffa718d5006dce7347b1a3019b452ce754605c0e32e2e
SnakeKeylogger
4c840cf8b8e6ffbd8fd1140e323f898e220a405714353834ce98a1070cbe4a4c
SnakeKeylogger
4f6d56d20e25b1bbe5395a63e58d46bccdbb08ffeb756dba18b9d30811dd2b29
SnakeKeylogger
4ff2f77293b6804df81124399a416b304d7e778e5c6157bf1bd90f6e011f06d2
SnakeKeylogger
500e5287dba2679bde2df8551de4a7066bf8fe9575d3bbd7d8051cec76c12501
SnakeKeylogger
6e0bef23794d4e93ef917868ab89ce22bd27e35361e4e7d2f60ad3f82455e75e
SnakeKeylogger
9cf85e58b7cb62b39376e36ebc8fadf0c40f21ce98f36fa9016521a8158b4881
SnakeKeylogger
a3ca7c4385206990d3927c273f08e4daea47887567774da579337e0966593ae4
SnakeKeylogger
+ 207 additional samples on MalwareBazaar
Result
Malware family:
snakekeylogger
Create hunting rule
Score:
  10/10
Tags:
family:snakekeylogger keylogger persistence spyware stealer
Link:
https://tria.ge/reports/210707-9esakgalla/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Adds Run key to start application
Looks up external IP address via web service
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Snake Keylogger
Unpacked files
SH256 hash:
b09e62277441726957149a877d207770542914077d6894f9352fd8a627ed243b
MD5 hash:
57d2ab2392b84a8aefd0829069f23613
SHA1 hash:
04501951381175b6710bbf20de347d5cf662d0fa
Link:
https://www.unpac.me/results/d2bd75af-426a-42ba-8777-4265441c74a0/
SH256 hash:
cc933fba93579ed15e0a8330a563fe02faba3fa799ac93b5c2c35b57cd290465
MD5 hash:
a188a8644b5654648330a26243c6d1fd
SHA1 hash:
55fcdfdd9ccff63afe825026517e88f6578c19b5
Link:
https://www.unpac.me/results/d2bd75af-426a-42ba-8777-4265441c74a0/
SH256 hash:
6faa53e1029710b668d6d5743ccd848556cf0a5bafd764a6a96b691cff1092bf
MD5 hash:
380341d6c0ae814136a507a41b70cddc
SHA1 hash:
cf608d65ce7e29f669b66a199721289a5114b8ed
Link:
https://www.unpac.me/results/d2bd75af-426a-42ba-8777-4265441c74a0/
SH256 hash:
210a46fa055399a9fe0b153724c4c6480c622e68fdf70c67fc3626d16619d68a
MD5 hash:
9e0f0affb0ceabd35d88978d4bd22a79
SHA1 hash:
4ee1dd0380b0e585217863133ea32a5dd48d444e
Link:
https://www.unpac.me/results/d2bd75af-426a-42ba-8777-4265441c74a0/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/210a46fa055399a9fe0b153724c4c6480c622e68fdf70c67fc3626d16619d68a

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_SUSPICIOUS_Stomped_PECompilation_Timestamp_InTheFuture
Create hunting rule
Author:ditekSHen
Description:Detect executables with stomped PE compilation timestamp that is greater than local current time
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

SnakeKeylogger

Executable exe 210a46fa055399a9fe0b153724c4c6480c622e68fdf70c67fc3626d16619d68a

(this sample)

  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/1434051/
Cape
Cape
https://www.capesandbox.com/analysis/170297/

Comments


Avatar
zbet commented on 2021-07-07 18:53:02 UTC

url : hxxp://lifestyledrinks.hu/wp-includes/cs2/6011102781032.exe