MalwareBazaar Database
You are currently viewing the MalwareBazaar entry for SHA256 2432646637216c713e7605247b59cd65ac829360a29151a4551bbf50ae089e29. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.
Database Entry
SnakeKeylogger
Vendor detections: 14
| SHA256 hash: | 2432646637216c713e7605247b59cd65ac829360a29151a4551bbf50ae089e29 |
|---|---|
| SHA3-384 hash: | fe8df7883fff2c94c5e748d48adcfd53bc124b2c3fa7cd5d3ffdb25e7c0dc4934fa307caae2e7f07a41efbd0cefd582c |
| SHA1 hash: | 7e322b198234173d2d9a1ff78634b1547e424a2a |
| MD5 hash: | f6c5c013f5c16a4e97d9f63f650e5f23 |
| humanhash: | carbon-twenty-bulldog-pizza |
| File name: | Swift.exe |
| Signature | SnakeKeylogger |
| File size: | 968'192 bytes |
| First seen: | 2022-09-22 06:10:12 UTC |
| Last seen: | 2022-09-23 06:22:10 UTC |
| MIME type: | application/x-dosexec |
| imphash | f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'462 x Formbook, 12'204 x SnakeKeylogger) |
| ssdeep | 12288:rcTTMbQf/AyNXU7nfEEHpGkhmMgTILXqjJ5n2ghf6IC62ADQ2lhQgzna9sf7Lhh5:rwMsfxXU7cE5hwoajr2ghf |
| Threatray | 4'325 similar samples on MalwareBazaar |
| TLSH | T1E525E76831E6329EF467CAB18FD87CF5DE56F972131B91B710A312498B2ED46CE900B1 |
| TrID | 64.2% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13) 11.5% (.SCR) Windows screen saver (13101/52/3) 9.2% (.EXE) Win64 Executable (generic) (10523/12/4) 5.7% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 3.9% (.EXE) Win32 Executable (generic) (4505/5/1) |
| Tags: | exe SnakeKeylogger |
Intelligence
File Origin
# of uploads :
2
# of downloads :
270
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
Swift.exe
Verdict:
Malicious activity
Analysis date:
2022-09-22 06:13:44 UTC
Tags:
snake
Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Result
Verdict:
Malware
Maliciousness:
Behaviour
Creating a window
Creating synchronization primitives
Creating a file in the %AppData% directory
Creating a file in the %temp% directory
Launching a process
Creating a process with a hidden window
Unauthorized injection to a recently created process
Creating a file
DNS request
Sending an HTTP GET request
Reading critical registry keys
Blocking the Windows Defender launch
Enabling autorun by creating a file
Forced shutdown of a browser
Verdict:
Suspicious
Threat level:
5/10
Confidence:
100%
Tags:
packed
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Snake Keylogger
Verdict:
Malicious
Result
Threat name:
Snake Keylogger
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Signature
.NET source code references suspicious native API functions
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
May check the online IP address of the machine
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Scheduled temp file as task from temp location
Snort IDS alert for network traffic
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Mail credentials (via file / registry access)
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected AntiVM3
Yara detected Generic Downloader
Yara detected Snake Keylogger
Yara detected Telegram RAT
Behaviour
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Status:
Malicious
First seen:
2022-09-22 03:00:55 UTC
File Type:
PE (.Net Exe)
Extracted files:
13
AV detection:
24 of 39 (61.54%)
Threat level:
5/5
Detection(s):
Malicious file
Verdict:
malicious
Similar samples:
+ 4'315 additional samples on MalwareBazaar
Result
Malware family:
snakekeylogger
Score:
10/10
Tags:
family:snakekeylogger collection keylogger spyware stealer
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Enumerates physical storage devices
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Looks up external IP address via web service
Checks computer location settings
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Snake Keylogger
Snake Keylogger payload
Malware Config
C2 Extraction:
https://api.telegram.org/bot1644755040:AAGRTnph6BdO8-t1bJaOyVu9aeuJErmisqs/sendMessage?chat_id=1637651323
Verdict:
Suspicious
Tags:
n/a
YARA:
n/a
Unpacked files
SHA256 hash:
76b2b28271ff9b457efa35987bf21523286ea1e442cedb6a0e3a27cd2777277c
MD5 hash:
eab163051bf2617f1aaf5fd86b99763b
SHA1 hash:
9481d10c076f50367c45dc2fc0e9b9c06a362543
SHA256 hash:
adf5132844797507cbb4e1ee8bbb22d9b4ec6db0712be4883223787db7a48022
MD5 hash:
86282acd13ba09bb961607f49b7ab868
SHA1 hash:
7fa70b4b2df403c5c00f25d4bc1e212123639739
Detections:
snake_keylogger
Parent samples :
SHA256 hash:
4f80ddfe49b270f801ab44aa899153bbe2a0fb93abed0f9fc992f74ff6ab4fde
MD5 hash:
f4ba8570299eabf8fe2d02cc1dc0606a
SHA1 hash:
5d7add32313074f5a1e9b4ab379298dee8b6217e
SHA256 hash:
2432646637216c713e7605247b59cd65ac829360a29151a4551bbf50ae089e29
MD5 hash:
f6c5c013f5c16a4e97d9f63f650e5f23
SHA1 hash:
7e322b198234173d2d9a1ff78634b1547e424a2a
Malware family:
SnakeKeylogger
Verdict:
Malicious
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
File information
The table below shows additional information about this malware sample such as delivery method and external references.
| Malspam | |
|---|---|
| Delivery method | Distributed via e-mail attachment |