MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 27c70be39e64e6cbae7f9197da1b5e6ab7a20973496a47d354411fb345737369. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

SnakeKeylogger

Vendor detections: 10

Intelligence 10 IOCs YARA 2 File information Comments 1

SHA256 hash:	27c70be39e64e6cbae7f9197da1b5e6ab7a20973496a47d354411fb345737369
SHA3-384 hash:	de9125c82a075ac3356ed6bce2e76883644dba3a540be5b7cc7f907b603d7009f16db151769d49fa6d78df53a5693afd
SHA1 hash:	678a03b2bcc4277a1159c824ac74d821db386d66
MD5 hash:	a371b9f6d9b4d631c7c453731d52fc8a
humanhash:	three-carpet-table-muppet
File name:	a371b9f6d9b4d631c7c453731d52fc8a
Download:	download sample
Signature	SnakeKeylogger Create hunting rule
File size:	817'152 bytes
First seen:	2022-08-25 19:47:43 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'740 x AgentTesla, 19'597 x Formbook, 12'241 x SnakeKeylogger)
ssdeep	24576:BT/0shbH1kT/0shbRzMTTQkLrEnoznYFHW:X5gAnQkLxznYl
Threatray	4'471 similar samples on MalwareBazaar
TLSH	T11105E009B6E6CD53C27A2773C9D256144330E64AEA13CB4F36C416AE09137EF8D4A79B
TrID	64.2% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13) 11.5% (.SCR) Windows screen saver (13101/52/3) 9.2% (.EXE) Win64 Executable (generic) (10523/12/4) 5.7% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 3.9% (.EXE) Win32 Executable (generic) (4505/5/1)
Reporter	zbetcheckin
Tags:	32 exe SnakeKeylogger

Intelligence

File Origin

# of uploads :

# of downloads :

383

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

purchase order 25.xlsx

Verdict:

Malicious activity

Analysis date:

2022-08-25 19:01:18 UTC

Tags:

encrypted opendir exploit CVE-2017-11882 loader trojan evasion snake keylogger

Link:

https://app.any.run/tasks/f8717343-2aa2-4a05-9e02-51ccce961066

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/301253/

Detection(s):

SecuriteInfo.com.MSIL.Kryptik.WZA.UNOFFICIAL

Result

Verdict:

Clean

Maliciousness:

Behaviour

Creating a window

Sending a custom TCP request

Launching a process

Creating a process with a hidden window

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

packed wacatac

Link:

https://www.filescan.io/uploads/6307d24e05ef0c24e425fcb5/reports/b8a019fb-48ee-42ee-aa1f-835263aa3396/overview

Result

Verdict:

UNKNOWN

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Snake Keylogger

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/c64c7050-beef-48d8-8fc9-d9d93d5a7853

Result

Threat name:

Snake Keylogger

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1057964

Signature

.NET source code contains potential unpacker

.NET source code references suspicious native API functions

Adds a directory exclusion to Windows Defender

Injects a PE file into a foreign processes

Machine Learning detection for dropped file

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

May check the online IP address of the machine

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Snort IDS alert for network traffic

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to steal Mail credentials (via file / registry access)

Uses schtasks.exe or at.exe to add and modify task schedules

Yara detected AntiVM3

Yara detected Generic Downloader

Yara detected Snake Keylogger

Yara detected Telegram RAT

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/27c70be39e64e6cbae7f9197da1b5e6ab7a20973496a47d354411fb345737369/

Threat name:

ByteCode-MSIL.Trojan.AgentTesla

Status:

Malicious

First seen:

2022-08-25 18:17:00 UTC

File Type:

PE (.Net Exe)

Extracted files:

AV detection:

15 of 26 (57.69%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=e7dqxy46mttmxlt7sgl5ug26nk32ecltjfvepu2uiep3grltonuq._file

Verdict:

malicious

SnakeKeylogger

5575941bd9c7c99af08fdb0fb4b70e23a12b7f336c81ffe5a7f9de138a202c35

SnakeKeylogger

6c2d7bf785f0f1ef265830ec8e8999e3af2636b4f19d01ce5363d669d797a234

SnakeKeylogger

6dfcff052e814a7d04a6b6f063f47fb468f2d75cfb99dcc00af5cfcdae0cb9d1

SnakeKeylogger

806bfede204f2390d3e142735dfb3ee25d440eef2ef1966ee1caca991ca5a60a

SnakeKeylogger

879097a31884cec00c8dd40bce58606a81f0c729eb754be0aec33865f25da4f0

SnakeKeylogger

b40e62d021b7afb10e857a899e28e51d25445fb12f0fad51856dce0bf944a190

SnakeKeylogger

c08579f2a76fdfedc690ff7dacb3c561702900876f18723f94056feb18566b06

SnakeKeylogger

f38ee5e07bb763cd82cec42999e6e975322e387a2c84db981a01c0273bf8aa80

SnakeKeylogger

+ 4'461 additional samples on MalwareBazaar

Result

Malware family:

snakekeylogger

Score:

10/10

Tags:

family:snakekeylogger collection keylogger spyware stealer

Link:

https://tria.ge/reports/220825-yh4e4aaagk/

Behaviour

Creates scheduled task(s)

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

outlook_office_path

outlook_win_path

Enumerates physical storage devices

Suspicious use of SetThreadContext

Accesses Microsoft Outlook profiles

Looks up external IP address via web service

Checks computer location settings

Reads data files stored by FTP clients

Reads user/profile data of local email clients

Reads user/profile data of web browsers

Snake Keylogger

Snake Keylogger payload

Unpacked files

SH256 hash:

9b4aee132a0228378d66a57fda3a2030952309ef74cf2db724ac916b04d8c034

MD5 hash:

93c6391d23c1aa1ed66fb13f82f2ee31

SHA1 hash:

220098c3047c32b51ae13a5cc1e9beeef3da6e18

Link:

https://www.unpac.me/results/2228f77e-f8dc-4745-8ef0-e831ec72722e/

SH256 hash:

753698c5f1176544f0e065e3d4e78d26626d87251e5d130afaede1e7973b5779

MD5 hash:

0ff800cf39097d9c5b00f40bb946f554

SHA1 hash:

335ff029216df9b857b3b4e9d687d5e437419478

Link:

https://www.unpac.me/results/2228f77e-f8dc-4745-8ef0-e831ec72722e/

SH256 hash:

0c962a4aa1cd374d32fc2fffd3831b511522b471d56bd415de5020cc5aadb3b5

MD5 hash:

0ca8ef12189cbcdd08c861acba061dcd

SHA1 hash:

359645620bdb9f31258464b38fc2970f1948f8d0

Link:

https://www.unpac.me/results/2228f77e-f8dc-4745-8ef0-e831ec72722e/

SH256 hash:

333c8156400fbfd514951b8253ad979ddd115929c2c5a2582e652307d9f479da

MD5 hash:

057a07d3e6ddaf4689ca772983b0d106

SHA1 hash:

84805925f1a937a905f089090aeef473f913f748

Link:

https://www.unpac.me/results/2228f77e-f8dc-4745-8ef0-e831ec72722e/

SH256 hash:

ceda93fdfce3ad8e4f800d4f2d940d793b68b4b0b254b652bf42e13dbd189ba7

MD5 hash:

786afe844ec1723b635cace747b60efd

SHA1 hash:

fa647a584a7fcad392147a182e3a2435b3ad5bb9

Link:

https://www.unpac.me/results/2228f77e-f8dc-4745-8ef0-e831ec72722e/

SH256 hash:

27c70be39e64e6cbae7f9197da1b5e6ab7a20973496a47d354411fb345737369

MD5 hash:

a371b9f6d9b4d631c7c453731d52fc8a

SHA1 hash:

678a03b2bcc4277a1159c824ac74d821db386d66

Link:

https://www.unpac.me/results/2228f77e-f8dc-4745-8ef0-e831ec72722e/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/27c70be39e64e6cbae7f9197da1b5e6ab7a20973496a47d354411fb345737369

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.