MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 22b3c8355218fd0218d45ac51ac53e1322b54674e19bb8d428d8937e246dbb2a. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

SnakeKeylogger

Vendor detections: 13

Intelligence 13 IOCs YARA 11 File information Comments

SHA256 hash:	22b3c8355218fd0218d45ac51ac53e1322b54674e19bb8d428d8937e246dbb2a
SHA3-384 hash:	1f15c2b7dbe57507a71116424ce3e2a4b713b23b78012105285ce431485b5a9d6caf662f352924fcc8f153ca19fae4e8
SHA1 hash:	6d95773939219455665e6f9b49f4d0628f29791a
MD5 hash:	2dd2ecb8470da41499622db0c5ecc953
humanhash:	tango-october-princess-sierra
File name:	2dd2ecb8470da41499622db0c5ecc953.exe
Download:	download sample
Signature	SnakeKeylogger Create hunting rule
File size:	1'145'856 bytes
First seen:	2023-03-23 06:08:30 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'462 x Formbook, 12'204 x SnakeKeylogger)
ssdeep	24576:tqGnNNycpUAELKV5UkvvWWJFVUkXO/8BOcpEujGRDyoM1iNT8Hs:UcpFE6WWJgkBMDyoWiQs
Threatray	4'740 similar samples on MalwareBazaar
TLSH	T1DB359D0678D41AEAF77EDBF4C1E115EC03F16283940DEB2DCDC0A4DA1A247C36A569A7
TrID	63.0% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13) 11.2% (.SCR) Windows screen saver (13097/50/3) 9.0% (.EXE) Win64 Executable (generic) (10523/12/4) 5.6% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 3.8% (.EXE) Win32 Executable (generic) (4505/5/1)
Reporter	abuse_ch
Tags:	exe SnakeKeylogger

Intelligence

File Origin

# of uploads :

# of downloads :

238

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

2dd2ecb8470da41499622db0c5ecc953.exe

Verdict:

Malicious activity

Analysis date:

2023-03-23 06:11:40 UTC

Tags:

snake keylogger trojan evasion

Link:

https://app.any.run/tasks/10209e27-1dd3-42b2-99ea-9126489b5626

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/376768/

Detection(s):

Sanesecurity.Malware.28872.BadIN4.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

Verdict:

Malicious

Threat level:

10/10

Confidence:

86%

Tags:

packed virus

Link:

https://www.filescan.io/uploads/641bed053b01ade53e70b209/reports/a4d09274-a1e0-48e6-afab-a9846e819506/overview

Verdict:

Malicious

Labled as:

Win/malicious_confidence_100%

Link:

https://www.hybrid-analysis.com/sample/22b3c8355218fd0218d45ac51ac53e1322b54674e19bb8d428d8937e246dbb2a

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/d0eb0b48-44c3-401f-bb02-0f74f30cae2c

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/22b3c8355218fd0218d45ac51ac53e1322b54674e19bb8d428d8937e246dbb2a/

Threat name:

Win32.Trojan.Leonem

Status:

Malicious

First seen:

2023-03-20 11:19:32 UTC

File Type:

PE (.Net Exe)

Extracted files:

AV detection:

24 of 37 (64.86%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=ekz4qnksdd6qeggullcrvrj6cmrlkrtu4gn3rvbi3cjx4jdnxmva._file

Verdict:

malicious

SnakeKeylogger

08e04faa04ed269f7378476ccf3296ef3ed403817ca6ec26277a4d4fe82bce3e

SnakeKeylogger

1896efa72cff54069401ed803a33765d3f6ca525aba0be3c5d7f27c9f9e02269

SnakeKeylogger

36de80967b905a8119ff8a5f0871dc21086ff79c04ce3955662548c3e372de52

SnakeKeylogger

37060f2c77a3ef9365f60835a9a3c2e7f524095952a18bb805c6acbbd6388cd6

SnakeKeylogger

606157eb85fa1f90ad5b6def0cbddc1445298156aecb9da21bcc925e6cd7638c

SnakeKeylogger

77d6ae2c1312c08d5498931b983dc91a60721f86170ace8d47f9e3e33cc6bae6

SnakeKeylogger

b33a98ce498846037fd68b2055d835464a1350c9c067e250689a2be1f17dc987

SnakeKeylogger

d3277817e3f5dd9265d3797ceb8db5316f75c7f708f9ba2186d8380c7a6530c1

SnakeKeylogger

f2919d54bbf74198eb4bf4c43f7cbd394acff9af2e57f7b7ba9e59fd6a57f79c

SnakeKeylogger

+ 4'730 additional samples on MalwareBazaar

Result

Malware family:

snakekeylogger

Score:

10/10

Tags:

family:snakekeylogger collection keylogger spyware stealer

Link:

https://tria.ge/reports/230323-gwjjeafh5z/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

outlook_office_path

outlook_win_path

Suspicious use of SetThreadContext

Accesses Microsoft Outlook profiles

Looks up external IP address via web service

Reads data files stored by FTP clients

Reads user/profile data of local email clients

Reads user/profile data of web browsers

Snake Keylogger

Snake Keylogger payload

Malware Config

C2 Extraction:

https://api.telegram.org/bot5850516910:AAGFrVyywXI7npTHbZn_GIq2nguuXg2t7Lc/sendMessage?chat_id=5716598986

Unpacked files

SH256 hash:

d06df7395d561e198f9b7c5481567116ff2e4c2e84437c018d2a2c8ea6c4ca37

MD5 hash:

0fb6061f7d37424fb9e6d0e76b019c19

SHA1 hash:

98a64bf7b459f032d6ec5793003bf61b5ae1dd74

Link:

https://www.unpac.me/results/326fcc76-01d1-40f1-978a-93d1c2bb0157/

Parent samples :

495607b1aef01bf7dfb64b5cb16a8fc0f161c2923627d71c69de97328f8eca3f
2434aa78b46a3afc98fa6e888c3eb56278ba52b0ff800e7e875af9c2e7f9011a

SH256 hash:

3612166ecfd5b24152b2735127f8e2905239a598041f6b7ada5c72da26bdb022

MD5 hash:

ab54266462f5393c48c6a1117bc736b4

SHA1 hash:

8d1bf04b9472d81e03f0789a55d03bbd77c6d2bf

Link:

https://www.unpac.me/results/326fcc76-01d1-40f1-978a-93d1c2bb0157/

SH256 hash:

f16f432ec9ace1671617ecc7e065e5799a6ff3144c15f395b3010e714c380c18

MD5 hash:

a4d3ba235532cb71f793eaccc4811b4e

SHA1 hash:

896a4f7f7bb263ca909cee371ac7d1d11e235e89

Detections:

snake_keylogger

Link:

https://www.unpac.me/results/326fcc76-01d1-40f1-978a-93d1c2bb0157/

Parent samples :

d6ddfb183079fd5ea960c75022874f71bd25f9586c748ab9cec41e39e437e725
22b3c8355218fd0218d45ac51ac53e1322b54674e19bb8d428d8937e246dbb2a
6ad28bfd77cf1575d9eb0da15c7ab9fa54f509a4733f9f05677a224243c6ddac
b3ef6a767f98d2e81a8761a794096f44942de8897d4f4565cb23da396140f0a0
9d9bfc4da819b3ea290f62b6c1d104a4bd61503d2a7f6951389e5b8047dc08b9
e2c40dfbb54a5fe183a97cb7be58ee20969e9f0f7744df829f2b02619fc529e2
1cdc9031e10db3f5dc4f931fac2c91e3ff73f75a4182888ef445f280f91c1dff
871c9c0e18ace8f981b24671bb9da121bc7bfea7704c4a0f9d672021a0567ed5
15696d741a180dacb5b3bb87cad566b4f2ffca1df0a6673d03f9b40c71ea4def
ea138d2457b49cccaf16cef8ff2a7479ed5e5207081c5d7ced0a2a3049dcdc16
b97c6335f3e28fb25346720785352929884243a545e2a4ec10abd2f6448ad176
fd6a88c61e8b5b68f3f70d8aab48dabdfc21d96d81f823647d310ccbe1fd968a
4e1584f1e68d554e1b17baaffffa392e3a5fc6e68ebb2a3325e54cd77fa96e17
964e54faf21fc7ab2cfcac2cd859efc48acfe17cbfc22bf2ca6fcec8741a0402

SH256 hash:

eb148f2022d1c965af0c9903c86dcced74be255ba38859372e5a40dfa3d8e873

MD5 hash:

fd024c19cba7023fb23063d0fafd8d60

SHA1 hash:

414b0ed7e6923fe792754a5668a29aa1d63d6f3b

Link:

https://www.unpac.me/results/326fcc76-01d1-40f1-978a-93d1c2bb0157/

SH256 hash:

a368c1fa0262c9173dbbd68cffbd818e1812ddfa6bd8e7281ef73a16181fd317

MD5 hash:

101ab5fdaf5bbc691436d4e917b1937f

SHA1 hash:

3017f3aa22ecc518dcf3e8c4cec8fd391da48750

Link:

https://www.unpac.me/results/326fcc76-01d1-40f1-978a-93d1c2bb0157/

SH256 hash:

22b3c8355218fd0218d45ac51ac53e1322b54674e19bb8d428d8937e246dbb2a

MD5 hash:

2dd2ecb8470da41499622db0c5ecc953

SHA1 hash:

6d95773939219455665e6f9b49f4d0628f29791a

Link:

https://www.unpac.me/results/326fcc76-01d1-40f1-978a-93d1c2bb0157/

Malware family:

SnakeKeylogger

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/22b3c8355218/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	INDICATOR_SUSPICIOUS_Binary_References_Browsers Create hunting rule
Author:	ditekSHen
Description:	Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers.

Rule name:	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook Create hunting rule
Author:	ditekSHen
Description:	Detects executables with potential process hoocking

Rule name:	INDICATOR_SUSPICIOUS_EXE_References_Messaging_Clients Create hunting rule
Author:	ditekSHen
Description:	Detects executables referencing many email and collaboration clients. Observed in information stealers

Rule name:	INDICATOR_SUSPICIOUS_EXE_TelegramChatBot Create hunting rule
Author:	ditekSHen
Description:	Detects executables using Telegram Chat Bot

Rule name:	MALWARE_Win_SnakeKeylogger Create hunting rule
Author:	ditekSHen
Description:	Detects Snake Keylogger

Rule name:	MAL_Envrial_Jan18_1 Create hunting rule
Author:	Florian Roth (Nextron Systems)
Description:	Detects Encrial credential stealer malware
Reference:	https://twitter.com/malwrhunterteam/status/953313514629853184

Rule name:	MAL_Envrial_Jan18_1_RID2D8C Create hunting rule
Author:	Florian Roth
Description:	Detects Encrial credential stealer malware
Reference:	https://twitter.com/malwrhunterteam/status/953313514629853184

Rule name:	pe_imphash Create hunting rule

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

Rule name:	Windows_Trojan_SnakeKeylogger_af3faa65 Create hunting rule
Author:	Elastic Security

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/376768/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample