MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 259003dd09af10934997d24fb92c517aa1e1881b006a71f4646ae85f6a6c6ae5. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

SnakeKeylogger

Vendor detections: 15

Intelligence 15 IOCs YARA 3 File information Comments

SHA256 hash:	259003dd09af10934997d24fb92c517aa1e1881b006a71f4646ae85f6a6c6ae5
SHA3-384 hash:	6efcb6acccb76aff3812464150a2cd1d6fd8ccd8528766515585520594c0bb23d64d759c692ae35cb20d376be9e59071
SHA1 hash:	b42fad473a9f232553550f1f9625008ab419260b
MD5 hash:	561cb8f4159c9020f2606ef501a2b8a3
humanhash:	foxtrot-yellow-eighteen-december
File name:	SecuriteInfo.com.Variant.Strictor.113361.10266.24713
Download:	download sample
Signature	SnakeKeylogger Create hunting rule
File size:	1'196'544 bytes
First seen:	2023-03-22 05:37:50 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'462 x Formbook, 12'204 x SnakeKeylogger)
ssdeep	24576:7Iu8/kcrUF4bWfFJkCojwYlbTFQDl06MFkI6:7389WfFCCmDlmDlL8kI6
Threatray	589 similar samples on MalwareBazaar
TLSH	T14545F57CB580AE8DF4C68AF1877838B0A5615991FB37E14B2C323C9785DB6C64A34B53
TrID	67.7% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13) 9.7% (.EXE) Win64 Executable (generic) (10523/12/4) 6.0% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 4.6% (.EXE) Win16 NE executable (generic) (5038/12/1) 4.1% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):
dhash icon	e4e4d4042438248c (1 x AveMariaRAT, 1 x Formbook, 1 x SnakeKeylogger)
Reporter	SecuriteInfoCom
Tags:	exe SnakeKeylogger

Intelligence

File Origin

# of uploads :

# of downloads :

276

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

SecuriteInfo.com.Variant.Strictor.113361.10266.24713

Verdict:

Malicious activity

Analysis date:

2023-03-22 05:39:19 UTC

Tags:

snake keylogger trojan evasion

Link:

https://app.any.run/tasks/807b6308-6577-4d07-88a6-addab4953837

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/376338/

Detection(s):

SecuriteInfo.com.Variant.Strictor.113361.10266.24713.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

Sending a custom TCP request

Launching a process

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

packed strictor

Link:

https://www.filescan.io/uploads/641a943de78a9d304299652f/reports/ba39ff2f-246e-4775-8544-90b7b6816fc2/overview

Verdict:

Malicious

Labled as:

Strictor.Generic

Link:

https://www.hybrid-analysis.com/sample/259003dd09af10934997d24fb92c517aa1e1881b006a71f4646ae85f6a6c6ae5

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Snake Keylogger

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/3e220f17-dd64-4dff-a782-f3fe3c274a66

Result

Threat name:

Snake Keylogger

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1199031

Signature

Antivirus / Scanner detection for submitted sample

Detected unpacking (changes PE section rights)

Detected unpacking (overwrites its own PE header)

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

May check the online IP address of the machine

Multi AV Scanner detection for submitted file

Snort IDS alert for network traffic

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to steal Mail credentials (via file / registry access)

Yara detected Generic Downloader

Yara detected Snake Keylogger

Yara detected Telegram RAT

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/259003dd09af10934997d24fb92c517aa1e1881b006a71f4646ae85f6a6c6ae5/

Threat name:

ByteCode-MSIL.Trojan.AgentTesla

Status:

Malicious

First seen:

2023-03-22 05:38:08 UTC

File Type:

PE (.Net Exe)

Extracted files:

AV detection:

16 of 37 (43.24%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=ewiahxijv4ijgsmx2jh3slcrpkq6dca3abvhd5denluf62tmnlsq._file

Verdict:

malicious

SnakeKeylogger

11448a58a01b27a0f74213c3c46c751abf0847cdc6bd22e8c59ac880605eb057

SnakeKeylogger

44e90dc0d1ece69f2d0c57a54984110927e97a3491ed20047963467f4edbdf1c

SnakeKeylogger

5ffb244711e8ec708e7de260f6ca122591ee5859c51a770ca5bfc37563920fcb

SnakeKeylogger

8ab1910d7f3de293954247ef8f06fc69669c9049735fef3e324935c925ec19ca

SnakeKeylogger

aa1dc065f798952f199efd19aae9ffa6c4c13f388eca7dcf298c7a73de2cdb7b

SnakeKeylogger

c80241ea11e21a083fc390af690cc0e6b2ee1ef91df4aaed6c44b10a753a1230

SnakeKeylogger

f2cb2f48de23111c8477b2883c21fd301c8522e6e1a84ead29a73ac3e1c1002e

SnakeKeylogger

faf4503a0fc8c04099cb58151b308a2586bbe923bfcc78531198973995b8c536

SnakeKeylogger

+ 579 additional samples on MalwareBazaar

Result

Malware family:

snakekeylogger

Score:

10/10

Tags:

family:snakekeylogger collection keylogger stealer

Link:

https://tria.ge/reports/230322-gbqf8aha5w/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

outlook_office_path

outlook_win_path

Suspicious use of SetThreadContext

Accesses Microsoft Outlook profiles

Looks up external IP address via web service

Uses the VBS compiler for execution

Snake Keylogger

Snake Keylogger payload

Unpacked files

SH256 hash:

b3989d4d18d05065dd8bc0d989e0ad0fd01d00b36725463391ea9f84d216022e

MD5 hash:

97db6cd8b591dbd4acb5b473043b4d84

SHA1 hash:

d293b10d89063db8b5532ea55d5242c646fde36c

Detections:

snake_keylogger

Link:

https://www.unpac.me/results/2acb6945-4f8a-4359-9142-379b1310d8d2/

Parent samples :

529570238c49330b949a4cc1a6623e05bfe5ac9af493b701321d786e6d838068
c975e6ea0c4d29a77b8fb8cc4ca15453387a066b4b237c45076b35b2475480aa
077c21196f9977ccbb68c78ec7c2687bda9b3be0ac0a387080e337d841ee1fac
259003dd09af10934997d24fb92c517aa1e1881b006a71f4646ae85f6a6c6ae5
008a18d1c20cb7b7bf26846bafe486b277c90bbb0cc7d1380645513818f5041c
d0a101d03dba528a94c83f78c965018dee7fbc198ebfa5c251ad788672b7a127
218837a31e5d0be80334b33216d047700a3f0983d847ea6019f5a5e638e69f56
4d83125a53744cf0b65a3fc7160965548b504348d1d26146e35420aecf5d26c2

SH256 hash:

d4db32b0e030597d6791ce1206022f00a46b53041f45ccc40e77804bc87a95ce

MD5 hash:

a3c0375309ea5ac800cf15b0dfba82ec

SHA1 hash:

94dc60ce3553d985192723ab02d3150eff1abd84

Link:

https://www.unpac.me/results/2acb6945-4f8a-4359-9142-379b1310d8d2/

SH256 hash:

94dd0d60ea5d8feaa78152ad130becd61c9c476d0f62dbc1d6435da3573e74c4

MD5 hash:

7dd02d289e0b88ec061d930462d4f72c

SHA1 hash:

7d68e3ab46e0345649437818725b0343623c7229

Link:

https://www.unpac.me/results/2acb6945-4f8a-4359-9142-379b1310d8d2/

SH256 hash:

d873bf1f29a4b16b6cfed03c84789249ef4f1112dab1a28bad4bafe073588ef9

MD5 hash:

7335e66f31deaaca5bedf76e4a947208

SHA1 hash:

75365bf390d922916e72b6c59cb484360cd32cd6

Link:

https://www.unpac.me/results/2acb6945-4f8a-4359-9142-379b1310d8d2/

SH256 hash:

8f0c7e3047346b8d6477ff6d4639fd6157602c7ebc840f3432b99263f1cb415c

MD5 hash:

e5b073b30db1b058298f5df032164e4d

SHA1 hash:

15d3ada4e7ac01b766615b9b66785e7e2ae9b0ca

Link:

https://www.unpac.me/results/2acb6945-4f8a-4359-9142-379b1310d8d2/

SH256 hash:

259003dd09af10934997d24fb92c517aa1e1881b006a71f4646ae85f6a6c6ae5

MD5 hash:

561cb8f4159c9020f2606ef501a2b8a3

SHA1 hash:

b42fad473a9f232553550f1f9625008ab419260b

Link:

https://www.unpac.me/results/2acb6945-4f8a-4359-9142-379b1310d8d2/

Malware family:

SnakeKeylogger

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/259003dd09af/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Suspicious File

Score:

0.61

Link:

https://yomi.yoroi.company/submissions/259003dd09af10934997d24fb92c517aa1e1881b006a71f4646ae85f6a6c6ae5

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	INDICATOR_EXE_Packed_SmartAssembly Create hunting rule
Author:	ditekSHen
Description:	Detects executables packed with SmartAssembly

Rule name:	pe_imphash Create hunting rule

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/376338/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample