MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 2259a3953f2af44474abc16d87d444b1776487e5a51dc11f7f49c1e04df68c23. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

SnakeKeylogger

Vendor detections: 14

Intelligence 14 IOCs YARA 4 File information Comments

SHA256 hash:	2259a3953f2af44474abc16d87d444b1776487e5a51dc11f7f49c1e04df68c23
SHA3-384 hash:	d9e785e1392afaaa60c32b8505813434dfbdef10ab4821c83ca8ff63821ca7f5230d1301c3f3bbd90efbaad20e9f5576
SHA1 hash:	f1833907ce38f01d3090a44fba6a98a1eaa67961
MD5 hash:	2c260000648353220da2b3c5d82ac53e
humanhash:	uranus-stream-blossom-alaska
File name:	Notificación-AEAT.exe
Download:	download sample
Signature	SnakeKeylogger Create hunting rule
File size:	562'176 bytes
First seen:	2023-10-03 06:14:32 UTC
Last seen:	2023-10-03 13:49:53 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'740 x AgentTesla, 19'602 x Formbook, 12'241 x SnakeKeylogger)
ssdeep	12288:bneFQNumB0rIbFwaaiqlaITf4DmgDhQSGpJZrTwojI6:afy6IbNITHgDab1jI
Threatray	5'643 similar samples on MalwareBazaar
TLSH	T1A1C4010132AD2B2BEA76A7F81935002007F8BA2E2472F3585DC674EF5962F118F55F67
TrID	69.7% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13) 10.0% (.EXE) Win64 Executable (generic) (10523/12/4) 6.2% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 4.2% (.EXE) Win32 Executable (generic) (4505/5/1) 1.9% (.EXE) Win16/32 Executable Delphi generic (2072/23)
Reporter	abuse_ch
Tags:	exe SnakeKeylogger

Intelligence

File Origin

# of uploads :

# of downloads :

298

Origin country :

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

Notificación-AEAT.rar

Verdict:

Malicious activity

Analysis date:

2023-10-03 10:06:29 UTC

Tags:

evasion snake

Link:

https://app.any.run/tasks/df30dc9c-863f-4b59-93f6-ec00e48b42f4

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection(s):

Porcupine.Malware.58887.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Searching for the window

Creating a window

Sending a custom TCP request

Сreating synchronization primitives

Creating a process with a hidden window

Creating a process from a recently created file

Creating a file

Unauthorized injection to a recently created process

Unauthorized injection to a recently created process by context flags manipulation

Adding an exclusion to Microsoft Defender

Verdict:

Likely Malicious

Threat level:

7.5/10

Confidence:

100%

Link:

https://www.filescan.io/uploads/651bb16ca71d9f843c2bbfff/reports/ecc101e5-e828-49ab-96ae-701f06ed2c33/overview

Verdict:

Malicious

Labled as:

Trojan.Generic

Link:

https://www.hybrid-analysis.com/sample/2259a3953f2af44474abc16d87d444b1776487e5a51dc11f7f49c1e04df68c23

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Verdict:

Unknown

Link:

https://analyze.intezer.com/analyses/10bdae64-fffb-4f9d-abae-8b063fe3c9ec

Result

Threat name:

Snake Keylogger

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1318471

Signature

.NET source code contains method to dynamically call methods (often used by packers)

.NET source code contains potential unpacker

Adds a directory exclusion to Windows Defender

Found malware configuration

Injects a PE file into a foreign processes

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

May check the online IP address of the machine

Multi AV Scanner detection for submitted file

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Mail credentials (via file / registry access)

Yara detected Generic Downloader

Yara detected Snake Keylogger

Yara detected Telegram RAT

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/2259a3953f2af44474abc16d87d444b1776487e5a51dc11f7f49c1e04df68c23/

Threat name:

ByteCode-MSIL.Trojan.LokiBot

Status:

Malicious

First seen:

2023-10-02 16:44:33 UTC

File Type:

PE (.Net Exe)

Extracted files:

AV detection:

27 of 38 (71.05%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=ejm2hfj7fl2ei5flyfwypvcewf3wjb7fuuo4ch37jha6atpwrqrq._file

Verdict:

malicious

Label(s):

agenttesla

SnakeKeylogger

68cd899c048a9b097d438260f9a92513b6cc42fc203c8126df2bb35b86c50671

SnakeKeylogger

9c999d23bb8110f85cc977e9a697c7eb3387dbe27ae0dba92c141986893946d3

SnakeKeylogger

a33eafbcec3736e5d47d6c951a6824ed67a0e124131425f04e2e03864edf8502

SnakeKeylogger

b574d17071016f07f3485f62a3ada8e8557eaa3b21a32fe52e6e52be8cc7b2c1

SnakeKeylogger

b82242cf60b9f23d227f5dda48fd1e959dbc0a0bd06bccb279ff3531783873ec

SnakeKeylogger

d9eefd6741e692541008b7d71cde7d92662a6088247791f8a48e41b953324196

SnakeKeylogger

df8944cca7e607a5fe6765794fbd8c009de24cc170a99cd0cb7055b177b6a217

SnakeKeylogger

e47b7ff50e6e7dd47087235ad782bdc84255e2642e80744d34ae027a2db13aec

SnakeKeylogger

+ 5'633 additional samples on MalwareBazaar

Result

Malware family:

snakekeylogger

Score:

10/10

Tags:

family:snakekeylogger collection keylogger spyware stealer

Link:

https://tria.ge/reports/231003-gzxkfaae54/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

outlook_office_path

outlook_win_path

Enumerates physical storage devices

Suspicious use of SetThreadContext

Accesses Microsoft Outlook profiles

Looks up external IP address via web service

Checks computer location settings

Reads user/profile data of local email clients

Reads user/profile data of web browsers

Snake Keylogger

Snake Keylogger payload

Unpacked files

SH256 hash:

d60dec072f893a5f398ba30e3a15cb61570cb724c19751afeb2c4c659b59622a

MD5 hash:

8c865d459cbe885b9611d339deb8d457

SHA1 hash:

de13418769a5c9a2cc0050abebc928dfa7b789f1

Link:

https://www.unpac.me/results/79471072-38ab-4023-86e3-1beb0bb4a3ea/

SH256 hash:

319cf0e3a531e80939594347c8c8ea04194486e71a3f9df0e22588e3f16e01f3

MD5 hash:

c584db359c2fdaecdc9e16f337eadd73

SHA1 hash:

bd51fccdcd7a37b2e4aa1cf2e995f6d4241611d8

Link:

https://www.unpac.me/results/79471072-38ab-4023-86e3-1beb0bb4a3ea/

SH256 hash:

df4ae14aba1386482151a3b8cc58ef081c58306da7f4cc0c35e0718242cf043c

MD5 hash:

8383b9306b9b5929b0aed1f24991d929

SHA1 hash:

6acebb9f139a62de981a3ec15ce35f61f5c3132e

Link:

https://www.unpac.me/results/79471072-38ab-4023-86e3-1beb0bb4a3ea/

SH256 hash:

3fd0bedc0411d2ef09bb38f50a70888b9db436aa3f1a3f6340b3957a8bf1cef3

MD5 hash:

f7e3ee72e28761ebde68a3d0e2aeea6f

SHA1 hash:

102da2e7659210602f3ccfbb7768d8478428a565

Link:

https://www.unpac.me/results/79471072-38ab-4023-86e3-1beb0bb4a3ea/

SH256 hash:

5960863cb09fa2652ffb8451527dd133838010a8311de52be9eb65b3c34fd24c

MD5 hash:

198cbaa708d8dc49b7a847d5dabf3e09

SHA1 hash:

0c624b94428589e8106e874d28698c3bf67f6157

Detections:

snake_keylogger

Link:

https://www.unpac.me/results/79471072-38ab-4023-86e3-1beb0bb4a3ea/

SH256 hash:

2259a3953f2af44474abc16d87d444b1776487e5a51dc11f7f49c1e04df68c23

MD5 hash:

2c260000648353220da2b3c5d82ac53e

SHA1 hash:

f1833907ce38f01d3090a44fba6a98a1eaa67961

Link:

https://www.unpac.me/results/79471072-38ab-4023-86e3-1beb0bb4a3ea/

Malware family:

SnakeKeylogger

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/2259a3953f2a/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/2259a3953f2af44474abc16d87d444b1776487e5a51dc11f7f49c1e04df68c23

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	AgentTesla_DIFF_Common_Strings_01 Create hunting rule
Author:	schmidtsz
Description:	Identify partial Agent Tesla strings

Rule name:	NET Create hunting rule
Author:	malware-lu

Rule name:	pe_imphash Create hunting rule

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

SnakeKeylogger

exe 2259a3953f2af44474abc16d87d444b1776487e5a51dc11f7f49c1e04df68c23

(this sample)

Delivery method

Distributed via e-mail attachment

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample