MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 28d365d0bf668ea41521237a106c5ad34b280ec1cbfc2b6a5d39ec82b72e3d2f. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

SnakeKeylogger

Vendor detections: 11

Intelligence 11 IOCs YARA 3 File information Comments

SHA256 hash:	28d365d0bf668ea41521237a106c5ad34b280ec1cbfc2b6a5d39ec82b72e3d2f
SHA3-384 hash:	a5d72127091475ec9e8738aca250c772c0d9e4300564ad3ab226cf107b2c76f17152b9345d6d37b7b0b79dd7c6f65163
SHA1 hash:	5bf723db550b5e4925d6e86b209f05e901b64c54
MD5 hash:	eb629f1aa869f35c3286d4baaf54984f
humanhash:	rugby-neptune-ten-maine
File name:	SecuriteInfo.com.Suspicious.Win32.Save.a.13626.7227
Download:	download sample
Signature	SnakeKeylogger Create hunting rule
File size:	899'584 bytes
First seen:	2021-09-09 15:29:24 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep	12288:3PYhPqyb7FSSMgLyqe11fxNpUATIWZBY0RHgzHpIohhiioohQ9jFl3nxHMOViQO7:3PMH3TgVjoHwl
Threatray	966 similar samples on MalwareBazaar
TLSH	T12D15F92839E6705EF173EE758EE43C96EA5AB6733707D40B5053038A4E1EA82DF90176
Reporter	SecuriteInfoCom
Tags:	exe SnakeKeylogger

Intelligence

File Origin

# of uploads :

# of downloads :

172

Origin country :

n/a

Vendor Threat Intelligence

Detection:

Snake

Link:

https://www.capesandbox.com/analysis/186697/

Detection(s):

SecuriteInfo.com.Suspicious.Win32.Save.a.13626.7227.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

Sending a custom TCP request

Sending a UDP request

Launching a process

Creating a file

DNS request

Connection attempt

Sending an HTTP GET request

Reading critical registry keys

Unauthorized injection to a system process

Forced shutdown of a browser

Malware family:

Snake Keylogger

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/e4d8a7ad-4fec-46d9-b515-e81776978712

Result

Threat name:

Snake Keylogger

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/848238

Signature

.NET source code references suspicious native API functions

Found malware configuration

Injects a PE file into a foreign processes

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

May check the online IP address of the machine

Multi AV Scanner detection for submitted file

Sigma detected: Bad Opsec Defaults Sacrificial Processes With Improper Arguments

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to steal Mail credentials (via file access)

Writes to foreign memory regions

Yara detected AntiVM3

Yara detected Snake Keylogger

Yara detected Telegram RAT

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/28d365d0bf668ea41521237a106c5ad34b280ec1cbfc2b6a5d39ec82b72e3d2f/

Threat name:

ByteCode-MSIL.Trojan.AgentTesla

Status:

Malicious

First seen:

2021-09-09 15:30:07 UTC

AV detection:

13 of 28 (46.43%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=fdjwluf7m2hkifjben5ba3c22nfsqdwbzp6cw2s5hhwifnzohuxq._file

Verdict:

malicious

SnakeKeylogger

185b0943e47ff2499a805f751a20dfd58ef018e9e20f170a51cfd9d009992803

SnakeKeylogger

3e22ce49e987a1d097778730877bd196bca1182772dbce70d75e109e1ed64702

SnakeKeylogger

62488642461ae96d137e5f3a8cadecc900975889cc9f2c8b94894ba0cf1204c6

SnakeKeylogger

88fb6e9f1807b8010816165def64d336f7097517dfc773fc3ab39ff9868cec18

SnakeKeylogger

91e8763b50b0155b4984134d95d36fb9d92bca3a5db8d37bb75ff8faf88dbc63

SnakeKeylogger

ae37f44dfeb8e4ccee9388c6dd3b3675270af7e35cc4e2fae2193cefad209820

SnakeKeylogger

dc157362e9c0469b3d8909770c5879a1e5cbaa6ae5e0d8203c536cbce6131901

SnakeKeylogger

f8ade39a8a4d146876556bcd93a09dc4b2f1ffe5adb33cf25f633171ba1f66f4

SnakeKeylogger

+ 956 additional samples on MalwareBazaar

Result

Malware family:

snakekeylogger

Score:

10/10

Tags:

family:snakekeylogger keylogger stealer

Link:

https://tria.ge/reports/210909-sxhjaagdc8/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of FindShellTrayWindow

Suspicious use of SendNotifyMessage

Suspicious use of WriteProcessMemory

Suspicious use of SetThreadContext

Looks up external IP address via web service

Snake Keylogger

Unpacked files

SH256 hash:

c0ee1071e444f415f8b62856a0896f3b22e563f1bb4f03d14142583efe49a565

MD5 hash:

29db2e114b88ae1f6a00c9aa71690043

SHA1 hash:

ec82db71443556a5b320357b0b8b09e70ec1db9c

Link:

https://www.unpac.me/results/c0c780b5-e3e7-4a80-9260-e6eaec6a2cfb/

SH256 hash:

a3d884e8e7a29d2d6cbb926ebb5f2d085afda033ab45614ced95ade8aedb09be

MD5 hash:

b5f2f01147abc10a8a37781dc6c8a17b

SHA1 hash:

9ae4dbd61edd1225dae6b1f4e6dd46984ae3739d

Link:

https://www.unpac.me/results/c0c780b5-e3e7-4a80-9260-e6eaec6a2cfb/

SH256 hash:

022809402e429929f63611d8cc72a8a4ec219b0d77dbbb7d78db7e32f3541f38

MD5 hash:

4c2d6171aeadbfd40f54993fd525ae2e

SHA1 hash:

03ba84db7d979f36228a4a8f9670a0fd94176510

Link:

https://www.unpac.me/results/c0c780b5-e3e7-4a80-9260-e6eaec6a2cfb/

SH256 hash:

28d365d0bf668ea41521237a106c5ad34b280ec1cbfc2b6a5d39ec82b72e3d2f

MD5 hash:

eb629f1aa869f35c3286d4baaf54984f

SHA1 hash:

5bf723db550b5e4925d6e86b209f05e901b64c54

Link:

https://www.unpac.me/results/c0c780b5-e3e7-4a80-9260-e6eaec6a2cfb/

Malware family:

Phoenix

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/28d365d0bf66/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Suspicious File

Score:

0.65

Link:

https://yomi.yoroi.company/submissions/28d365d0bf668ea41521237a106c5ad34b280ec1cbfc2b6a5d39ec82b72e3d2f

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	pe_imphash Create hunting rule

Rule name:	pe_imphash Create hunting rule

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/186697/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample