MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 274033ca1c52818cea2b3d08f1af035fe7b9205acea7d360f6f2955f511760e6. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

SnakeKeylogger

Vendor detections: 12

Intelligence 12 IOCs YARA 2 File information Comments

SHA256 hash:	274033ca1c52818cea2b3d08f1af035fe7b9205acea7d360f6f2955f511760e6
SHA3-384 hash:	9e54de894304b75e48908d0f3a10787c559a12b473539bc86954dbf56a3011d20d68ac49eef3a918e4265a4702877f4a
SHA1 hash:	b8d37f35e443d133a2728de4e0a6974851e48bf6
MD5 hash:	93846cad1ff4c2123914d7c8b6cb5659
humanhash:	texas-winner-zebra-autumn
File name:	Payment swift.pdf.exe
Download:	download sample
Signature	SnakeKeylogger Create hunting rule
File size:	729'088 bytes
First seen:	2022-09-29 15:45:56 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'666 x AgentTesla, 19'479 x Formbook, 12'208 x SnakeKeylogger)
ssdeep	12288:q2iNl9qTaErpP82w2KxfFHSq0FTCwGIGhRCY:q1/ETaELqfFyjFBB
Threatray	5'502 similar samples on MalwareBazaar
TLSH	T104F4DF371BEA4B0BD125B6BC95D1C6F6A3A9CC10E463C2979FCA5C2FF08A671D621311
TrID	72.5% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13) 10.4% (.EXE) Win64 Executable (generic) (10523/12/4) 6.5% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 4.4% (.EXE) Win32 Executable (generic) (4505/5/1) 2.0% (.EXE) OS/2 Executable (generic) (2029/13)
Reporter	abuse_ch
Tags:	exe SnakeKeylogger

Intelligence

File Origin

# of uploads :

# of downloads :

281

Origin country :

n/a

Vendor Threat Intelligence

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/314869/

Detection(s):

SecuriteInfo.com.MSIL.Kryptik.WZA.UNOFFICIAL

SecuriteInfo.com.Trojan.PackedNET.389.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Searching for the window

Creating a window

Sending a custom TCP request

Сreating synchronization primitives

Verdict:

Suspicious

Threat level:

5/10

Confidence:

100%

Tags:

packed

Link:

https://www.filescan.io/uploads/6335bdbc49c58ce767c41ae0/reports/629a78e3-6aac-4f7b-b738-648f0e23be56/overview

Result

Verdict:

UNKNOWN

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Snake Keylogger

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/7a36a551-b8a1-4a7e-b99c-e4cb6afea156

Result

Threat name:

Snake Keylogger

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1080272

Signature

.NET source code contains potential unpacker

.NET source code references suspicious native API functions

Antivirus / Scanner detection for submitted sample

Initial sample is a PE file and has a suspicious name

Injects a PE file into a foreign processes

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

May check the online IP address of the machine

Multi AV Scanner detection for submitted file

Snort IDS alert for network traffic

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to steal Mail credentials (via file / registry access)

Uses an obfuscated file name to hide its real file extension (double extension)

Yara detected AntiVM3

Yara detected Generic Downloader

Yara detected Snake Keylogger

Yara detected Telegram RAT

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/274033ca1c52818cea2b3d08f1af035fe7b9205acea7d360f6f2955f511760e6/

Threat name:

ByteCode-MSIL.Backdoor.Remcos

Status:

Malicious

First seen:

2022-09-29 15:46:12 UTC

File Type:

PE (.Net Exe)

Extracted files:

AV detection:

18 of 26 (69.23%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=e5adhsq4kkayz2rlhuepdlydl7t3sic2z2t5gyhw6kkv6uixmdta._file

Verdict:

malicious

SnakeKeylogger

50da774fda04ec1034035862f80ea8933397e34b66ac58c239c369836e341be0

SnakeKeylogger

6069a9d373b71c1217c3415634dfadeed9cfa0baa4949d640fe515d92b5a8a27

SnakeKeylogger

658cb26b4f26e4ecf21c85c6138ceb52c614ca4092a69c365d324ff0b4b0d7c0

SnakeKeylogger

7319a8d431cd1a967b517cd21b9aa7c0f86b1716e7e2492dd2e831a65406c460

SnakeKeylogger

7c0ccddd1e886d81fbcd8e4c62e6d61ce7e78258825a1f2ef1bc7edca4179cd5

SnakeKeylogger

a7f4f456189098240111b09c4a1564fa8d253bcbdec92f8696826717a88c9b56

SnakeKeylogger

f293c00ae925b1e3160d4104f35de999a31728aa5b636dd945d2ceb1d5045c01

SnakeKeylogger

f5b5997f3b718acf9ad712558e910e0d0c4777d8882207c05510f6c42cb3013d

SnakeKeylogger

+ 5'492 additional samples on MalwareBazaar

Result

Malware family:

snakekeylogger

Score:

10/10

Tags:

family:snakekeylogger collection keylogger spyware stealer

Link:

https://tria.ge/reports/220929-s7l98accbp/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

outlook_office_path

outlook_win_path

Suspicious use of SetThreadContext

Accesses Microsoft Outlook profiles

Looks up external IP address via web service

Reads data files stored by FTP clients

Reads user/profile data of local email clients

Reads user/profile data of web browsers

Snake Keylogger

Snake Keylogger payload

Verdict:

Suspicious

Tags:

n/a

YARA:

n/a

Link:

https://app.threat.zone/submission/90962cc3-b578-4124-9fef-6fb9b989498b

Unpacked files

SH256 hash:

92b19371213c00a3555a2de8fac4e35a1ae59b9542f4d898e6fb6a542d72b70a

MD5 hash:

44462bbb72ac38395f4a8cc3b0ebe37c

SHA1 hash:

f07ee51d3ae3ddc891feabb0d9430be5a1c7407e

Detections:

snake_keylogger

Link:

https://www.unpac.me/results/ba563f15-3b97-4736-ba51-7858df907c02/

Parent samples :

d814971a8063856b595d17139a71755f921c2f40cb047022184c244d2b0fa52f
f7fb64d9d71310484da1ccd57c9b48551961d36091033496aa21e185111e5a73
274033ca1c52818cea2b3d08f1af035fe7b9205acea7d360f6f2955f511760e6
bc54750c4093359b19b8c4a698448757d2cd5b7b057d67304c676e3f6c58a9be
75bcb01c0ff496a6db0b158ae97e03840b29161d5c8f396c19ff92e46859810a
9559b033b86a453e358c4d4aa01dc753e302832d0f42e86ddf6a9f39ef3b92c9
4efde8646629538aa3d423e120a7b69dccec759f6d1761ad5b6ddae09b0fe04c

SH256 hash:

616f0bc832eb809469c4d4aba85684d3f257401d84cf87ccbf7c851447b8304f

MD5 hash:

18fcba9f62868e41285d3afd4302c673

SHA1 hash:

c7c29c09c9871d0dd7e87cf94e37f48bdc05b4d5

Link:

https://www.unpac.me/results/ba563f15-3b97-4736-ba51-7858df907c02/

SH256 hash:

2470b39032f6182252039c88199016566b0de30c6aa02163a143427afedd12af

MD5 hash:

c3a1924684ca30ed22234ce1d9111dfc

SHA1 hash:

7347706241422758c06440fd6044ae4e042b456b

Link:

https://www.unpac.me/results/ba563f15-3b97-4736-ba51-7858df907c02/

SH256 hash:

abda2872d299b8d3ee79ac554481d4325bd6f494c92c575a43e77f61100d3e46

MD5 hash:

b168d0363d72e74baace3a2b8bf99576

SHA1 hash:

2b3e26b79ad84e6640f73d1be1fdf53a3657876f

Link:

https://www.unpac.me/results/ba563f15-3b97-4736-ba51-7858df907c02/

SH256 hash:

e20ec8f3c957bcb6a194ef688bae8af2015cfffb20e7baf8b2114d7b70ade4ee

MD5 hash:

35cb29046968faca7f3f3b4463449b6c

SHA1 hash:

088c8c30ec1bece0a4b5bbfe3982b073f8b95598

Link:

https://www.unpac.me/results/ba563f15-3b97-4736-ba51-7858df907c02/

SH256 hash:

274033ca1c52818cea2b3d08f1af035fe7b9205acea7d360f6f2955f511760e6

MD5 hash:

93846cad1ff4c2123914d7c8b6cb5659

SHA1 hash:

b8d37f35e443d133a2728de4e0a6974851e48bf6

Link:

https://www.unpac.me/results/ba563f15-3b97-4736-ba51-7858df907c02/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Suspicious File

Score:

0.65

Link:

https://yomi.yoroi.company/submissions/274033ca1c52818cea2b3d08f1af035fe7b9205acea7d360f6f2955f511760e6

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	pe_imphash Create hunting rule

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/314869/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample