MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 277d673f3d70278aac55dac83b12953e07b89d0364baa07ad38506d22fcc1b17. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


SnakeKeylogger


Vendor detections: 16


Intelligence 16 IOCs YARA 7 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 277d673f3d70278aac55dac83b12953e07b89d0364baa07ad38506d22fcc1b17
SHA3-384 hash: c40ca8b041e5f73ceec686b528b016c458b1e49ff2c701ba424c0d79e40f21762cb3347af23afcb9cb8eb7c40e50ecaa
SHA1 hash: a33914fc9800d4416b0181b0069bc38dbc842ffa
MD5 hash: 15c2b0ab767869aa66c0daac03a1fd85
humanhash: twelve-jersey-charlie-july
File name:PAYMENT RECEIPT_pdf.com
Download: download sample
Signature SnakeKeylogger
Create hunting rule
File size:922'624 bytes
First seen:2024-12-03 17:42:06 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 12288:Kc3kvKB/m4Zm9PFQcSLDwUwMMRNtJhm4fEKKHGQkOcV2S3u:Hs0m9NQcwYMst64sHGp4S
Threatray 1'031 similar samples on MalwareBazaar
TLSH T13C15D0D123F48536E7FFE7B3A1391103933AB846A569820D251C54FE1C67B80EA627B7
TrID 35.4% (.EXE) Win64 Executable (generic) (10522/11/4)
22.1% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
15.1% (.EXE) Win32 Executable (generic) (4504/4/1)
6.9% (.ICL) Windows Icons Library (generic) (2059/9)
6.8% (.EXE) OS/2 Executable (generic) (2029/13)
Magika pebin
Reporter TeamDreier
Tags:exe SnakeKeylogger

Intelligence

File Origin
# of uploads :
1
# of downloads :
384
Origin country :
DK DK
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
PAYMENT RECEIPT_pdf.com
Verdict:
Malicious activity
Analysis date:
2024-12-03 15:05:16 UTC
Tags:
evasion snake keylogger telegram
Link:
https://app.any.run/tasks/d1572b49-bd80-4236-b1df-56f7ab84ab2c

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection(s):
SecuriteInfo.com.Trojan.KeyloggerNET.61.24072.27760.UNOFFICIAL
Create hunting rule

Verdict:
Malicious
Score:
99.1%
Link:
https://cyber-fortress.com/docs/result/index.php?id=674f4414bc8c6beb3075687c
Tags:
remcos snake
Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Creating a window
Unauthorized injection to a recently created process
Restart of the analyzed sample
Сreating synchronization primitives
DNS request
Connection attempt
Sending an HTTP GET request
Sending a custom TCP request
Reading critical registry keys
Stealing user critical data
Verdict:
Malicious
Labled as:
Trojan.Generic
Link:
https://www.hybrid-analysis.com/sample/277d673f3d70278aac55dac83b12953e07b89d0364baa07ad38506d22fcc1b17
Malware family:
Snake Keylogger
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/36fd1084-75c7-45cc-9bee-bf1ca190b9f9
Result
Threat name:
Snake Keylogger, VIP Keylogger
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1567686
Signature
.NET source code references suspicious native API functions
AI detected suspicious sample
Antivirus / Scanner detection for submitted sample
Contains functionality to capture screen (.Net source)
Contains functionality to log keystrokes (.Net Source)
Found malware configuration
Initial sample is a PE file and has a suspicious name
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Tries to detect the country of the analysis system (by using the IP)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Uses the Telegram API (likely for C&C communication)
Yara detected Generic Downloader
Yara detected Snake Keylogger
Yara detected Telegram RAT
Yara detected VIP Keylogger
Behaviour
Behavior Graph:
Download SVG
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/277d673f3d70278aac55dac83b12953e07b89d0364baa07ad38506d22fcc1b17
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/277d673f3d70278aac55dac83b12953e07b89d0364baa07ad38506d22fcc1b17/
Threat name:
Win32.Trojan.Leonem
Create hunting rule
Status:
Malicious
First seen:
2024-12-02 04:10:50 UTC
File Type:
PE (.Net Exe)
Extracted files:
6
AV detection:
24 of 38 (63.16%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=e56wopz5oatyvlcv3ledweuvhyd3rhidms5ka6wtqudnel6mdmlq._file
Verdict:
malicious
Label(s):
vipkeylogger
Create hunting rule
Similar samples:
2530ced34c3c3fbc35296dd26511853d9654fc519e50bad78c8a0af3b3afb003
SnakeKeylogger
277d673f3d70278aac55dac83b12953e07b89d0364baa07ad38506d22fcc1b17
SnakeKeylogger
410add8551cd42bab8d3439c3f35430613b08deb1438e0f3b5d7959c54e7073e
SnakeKeylogger
error
SnakeKeylogger
f13526451639d7df1a8100047250b017cbfc065ce1271b6ffa30bc49de024d54
SnakeKeylogger
+ 1'021 additional samples on MalwareBazaar
Result
Malware family:
vipkeylogger
Create hunting rule
Score:
  10/10
Tags:
family:vipkeylogger collection discovery keylogger spyware stealer
Link:
https://tria.ge/reports/241203-waka5swlbv/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Browser Information Discovery
System Location Discovery: System Language Discovery
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Looks up external IP address via web service
Reads user/profile data of local email clients
Reads user/profile data of web browsers
VIPKeylogger
Vipkeylogger family
Verdict:
Suspicious
Tags:
404Keylogger
YARA:
n/a
Link:
https://app.threat.zone/submission/18ef3cea-1c63-462f-863c-8f543d863785
Unpacked files
SH256 hash:
45c7b64a55dca23ee1239649e03a7c361813dbcfc2a0817b0d8e94c907d6ed4b
MD5 hash:
fb1bc19121c4e190d83672bc71b493f0
SHA1 hash:
c3488b969ba578e28ee360be24b6416425a224a0
Link:
https://www.unpac.me/results/74003b77-3371-4093-b46a-3d60722081b4/
SH256 hash:
8b1c7394a08f6425d8a245ea257c79bc58b1e36019045d031eec2e03a9026529
MD5 hash:
cc0a109cdae4053bd1987bc572a3f089
SHA1 hash:
bc5fb1af78dc7c13bfd7a61b34d58f281f99f25a
Link:
https://www.unpac.me/results/74003b77-3371-4093-b46a-3d60722081b4/
SH256 hash:
8a27e70d11a78ee602ad988875ca8a92ae379acda38d3bdb5db14d79a0f3d1c0
MD5 hash:
fb91213abcf621a320abc1fed6b33db4
SHA1 hash:
b52633bec9cebd2d237a18d153273b666c27b638
Detections:
win_masslogger_w0
Create hunting rule
win_404keylogger_g1
Create hunting rule
INDICATOR_SUSPICIOUS_EXE_TelegramChatBot
Create hunting rule
MAL_Envrial_Jan18_1
Create hunting rule
INDICATOR_SUSPICIOUS_Binary_References_Browsers
Create hunting rule
INDICATOR_SUSPICIOUS_EXE_DotNetProcHook
Create hunting rule
INDICATOR_SUSPICIOUS_EXE_References_Messaging_Clients
Create hunting rule
Link:
https://www.unpac.me/results/74003b77-3371-4093-b46a-3d60722081b4/
Parent samples :
5e8880438f921f4bd81f137cc9b4c44f1ba12b321a178d4d50a0601d75aef049
b7bbe88d2daceef7fdbd706adbdf6532976f23916701739ee0987f77f36b980a
277d673f3d70278aac55dac83b12953e07b89d0364baa07ad38506d22fcc1b17
SH256 hash:
277d673f3d70278aac55dac83b12953e07b89d0364baa07ad38506d22fcc1b17
MD5 hash:
15c2b0ab767869aa66c0daac03a1fd85
SHA1 hash:
a33914fc9800d4416b0181b0069bc38dbc842ffa
Link:
https://www.unpac.me/results/74003b77-3371-4093-b46a-3d60722081b4/
Malware family:
SnakeKeylogger
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/277d673f3d70/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
iSpy Keylogger
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/277d673f3d70278aac55dac83b12953e07b89d0364baa07ad38506d22fcc1b17

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:HUN_APT29_EnvyScout_Jul_2023_1
Create hunting rule
Author:Arkbird_SOLG
Description:Hunting rule for detect possible Envyscout malware used by the APT29 group by patterns already used in the past
Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:pe_imphash
Create hunting rule
Rule name:RansomPyShield_Antiransomware
Create hunting rule
Author:XiAnzheng
Description:Check for Suspicious String and Import combination that Ransomware mostly abuse(can create FP)
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash
Rule name:Sus_Obf_Enc_Spoof_Hide_PE
Create hunting rule
Author:XiAnzheng
Description:Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique(can create FP)

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

SnakeKeylogger

Executable exe 277d673f3d70278aac55dac83b12953e07b89d0364baa07ad38506d22fcc1b17

(this sample)

  
Delivery method
Distributed via e-mail attachment

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_DLL_CHARACTERISTICSMissing dll Security Characteristics (HIGH_ENTROPY_VA)high

Comments