MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 27379979a480e5ebfe00f58eb1f2fd09836eb8a13a7dde9ac1451e4ef09c73f1. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

SnakeKeylogger

Vendor detections: 15

Intelligence 15 IOCs YARA 2 File information Comments

SHA256 hash:	27379979a480e5ebfe00f58eb1f2fd09836eb8a13a7dde9ac1451e4ef09c73f1
SHA3-384 hash:	e8dfad086de863852bc7cd05c39335e9b91616ef8a3fb2ea90e9e2379821fa87edcc4fba1a23656b1d5facbcc328e8a0
SHA1 hash:	ff077daa18b08cf1341ab1c50bbcb002b474a3fb
MD5 hash:	16140d59a42d0022be38e83637509873
humanhash:	ten-delta-winter-edward
File name:	16140d59a42d0022be38e83637509873.exe
Download:	download sample
Signature	SnakeKeylogger Create hunting rule
File size:	626'688 bytes
First seen:	2023-04-09 06:58:20 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'666 x AgentTesla, 19'479 x Formbook, 12'209 x SnakeKeylogger)
ssdeep	12288:4RAGUow50HmGR6Y+1ZnEtWHBKa8uVKs60c7nAGBcNA/ceV:46G1HmnRL8uspHAt
Threatray	18 similar samples on MalwareBazaar
TLSH	T115D4025CB9F9A523F9BE47B708E113404B3252256236CBEBCC95B0C43DA2BC5A6F0657
TrID	71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13) 10.2% (.EXE) Win64 Executable (generic) (10523/12/4) 6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 4.3% (.EXE) Win32 Executable (generic) (4505/5/1) 2.0% (.ICL) Windows Icons Library (generic) (2059/9)
File icon (PE):
dhash icon	ccb2f0d4c4f8b8c4 (7 x SnakeKeylogger, 1 x AgentTesla)
Reporter	abuse_ch
Tags:	exe SnakeKeylogger

Intelligence

File Origin

# of uploads :

# of downloads :

225

Origin country :

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

Faktura.docx

Verdict:

Malicious activity

Analysis date:

2023-04-05 06:15:48 UTC

Tags:

opendir exploit cve-2017-11882 loader

Link:

https://app.any.run/tasks/3f9894ca-a3d8-469b-82cf-7ee06def7f0a

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

Snake

Link:

https://www.capesandbox.com/analysis/381021/

Detection(s):

SecuriteInfo.com.IL.Trojan.MSILZilla.26719.16577.12079.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

Sending a custom TCP request

Launching a process

Creating a process with a hidden window

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

hacktool packed

Link:

https://www.filescan.io/uploads/643262381500380d2ab6ac25/reports/681eb259-c797-4f75-9f8a-5345f175767a/overview

Verdict:

Unknown

Link:

https://www.hybrid-analysis.com/sample/27379979a480e5ebfe00f58eb1f2fd09836eb8a13a7dde9ac1451e4ef09c73f1

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Snake Keylogger

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/51fca5dc-1ec8-4322-91d5-03bb5592f861

Result

Threat name:

Snake Keylogger

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1210898

Signature

.NET source code contains potential unpacker

Adds a directory exclusion to Windows Defender

Injects a PE file into a foreign processes

Machine Learning detection for dropped file

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

May check the online IP address of the machine

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Sigma detected: Scheduled temp file as task from temp location

Snort IDS alert for network traffic

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to steal Mail credentials (via file / registry access)

Uses schtasks.exe or at.exe to add and modify task schedules

Yara detected Generic Downloader

Yara detected Snake Keylogger

Yara detected Telegram RAT

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/27379979a480e5ebfe00f58eb1f2fd09836eb8a13a7dde9ac1451e4ef09c73f1/

Threat name:

ByteCode-MSIL.Trojan.AgentTesla

Status:

Malicious

First seen:

2023-04-04 14:15:52 UTC

File Type:

PE (.Net Exe)

Extracted files:

AV detection:

25 of 37 (67.57%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=e43zs6neqds6x7qa6whld4x5bgbw5ofbhj655gwbiupe54e4opyq._file

Verdict:

malicious

SnakeKeylogger

3ca1a9ee70e56cd13b3472f4263f9c480d5fa9d70a18335e28ea41b5bb048461

SnakeKeylogger

43425b23fefe22aaec815793e1df744b2854d1ad1ecd0afaf9890e43d0a7db4f

SnakeKeylogger

490a16064d8639a4637f7ee3ac2ad7bdb5f1a4db1c6f4f42cc53d11f51878bb6

SnakeKeylogger

57d95c45b96c1edf90baee8b8754a9846d9c552ba95dcde23ab4da2f2e95573d

SnakeKeylogger

6a6930904ed46de39b2d039cfbfb4249ca73081043d2cf79ff7d4d7703154ba8

SnakeKeylogger

9d0c4555f8cc20b85e53a735fb30e5c968fee9c3d7512996f17bd4f752b49aa0

SnakeKeylogger

d1a3a5f08d4e2b628880dc9982113a3c502ac26d377b0e7aa527cae7fe67a2d5

SnakeKeylogger

e0f2298d191750e9e605b5038f70b14e1bbb1091bed8e8e94837e3dbf35bfdc1

SnakeKeylogger

+ 8 additional samples on MalwareBazaar

Result

Malware family:

snakekeylogger

Score:

10/10

Tags:

family:snakekeylogger collection keylogger spyware stealer

Link:

https://tria.ge/reports/230409-hr4t8abe5s/

Behaviour

Creates scheduled task(s)

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

outlook_office_path

outlook_win_path

Enumerates physical storage devices

Suspicious use of SetThreadContext

Accesses Microsoft Outlook profiles

Looks up external IP address via web service

Checks computer location settings

Reads data files stored by FTP clients

Reads user/profile data of local email clients

Reads user/profile data of web browsers

Snake Keylogger

Snake Keylogger payload

Unpacked files

SH256 hash:

3f27f00b220f5374e839f6d4dd6cae231eb32efa669219ae193919b4f9384c75

MD5 hash:

63dcd8430f2d1be0715b16ac70c68018

SHA1 hash:

a39caa36b4e9ff68c6b4d9d4c3bf34c637ed4038

Detections:

snake_keylogger

Link:

https://www.unpac.me/results/bfb2c669-a3c3-49fb-8ac7-a4267698f0bc/

Parent samples :

ffe2eeba3c307df2994455331d6c7f19cffdcda1feeceb9ac50d519685f53c48
180a541d61bfa4fda318457b0f16f159671b14305b5993e13b4d63c649eed2cb
96b8969e22bf1183fcc6ba3778115801dd2e6ab5d05c46d7e9b03fc95558aa43
777e815415d8a5c55a3ddf78e28d4a50a5517f3938219c197c6e7c60a2f256a1
b33a98ce498846037fd68b2055d835464a1350c9c067e250689a2be1f17dc987
e83c5b4a9fbfb2294eeb8be89c3d871ad2f20b776bf9594bd0b0ecd288ad47f8
313ad26ae426d1f3293c2d78ed3fde9093661e90dc876246e8703f0a20522a21
27379979a480e5ebfe00f58eb1f2fd09836eb8a13a7dde9ac1451e4ef09c73f1

SH256 hash:

9f5fcd96396d27ff8ca69707875351b13c756c8e99fad4f7cc05baa892763508

MD5 hash:

706e9afff7211308ad948c6626314b5b

SHA1 hash:

98cd5ecd1a3688d05f73baa9156a61e6f9e08c3b

Link:

https://www.unpac.me/results/bfb2c669-a3c3-49fb-8ac7-a4267698f0bc/

SH256 hash:

82bf64eee6f91fa58124511607f1c4467cc71b221c24bc9ecde9dd34880bee80

MD5 hash:

7535fc2663ff24774cb601982b4364f1

SHA1 hash:

8d90af3af5970e5fe3e21e21c83716d8a9d08f97

Link:

https://www.unpac.me/results/bfb2c669-a3c3-49fb-8ac7-a4267698f0bc/

SH256 hash:

f6ca6e16ae27435af85aef09d2ea8efef7530c4571dd8eda571f6d220d31c26b

MD5 hash:

542d364abb128c287dbab1740b27bd8e

SHA1 hash:

725234c177e97a4400643d7a6ffb8db0b0bf6fc6

Link:

https://www.unpac.me/results/bfb2c669-a3c3-49fb-8ac7-a4267698f0bc/

SH256 hash:

27379979a480e5ebfe00f58eb1f2fd09836eb8a13a7dde9ac1451e4ef09c73f1

MD5 hash:

16140d59a42d0022be38e83637509873

SHA1 hash:

ff077daa18b08cf1341ab1c50bbcb002b474a3fb

Link:

https://www.unpac.me/results/bfb2c669-a3c3-49fb-8ac7-a4267698f0bc/

Malware family:

SnakeKeylogger

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/27379979a480/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

0.90

Link:

https://yomi.yoroi.company/submissions/27379979a480e5ebfe00f58eb1f2fd09836eb8a13a7dde9ac1451e4ef09c73f1

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	pe_imphash Create hunting rule

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/381021/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample