MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 292c106dcd8451a468b2055bf447d2fadfc3a1d800994ed8f69df657fe314f6d. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

SnakeKeylogger

Vendor detections: 12

Intelligence 12 IOCs YARA 2 File information Comments

SHA256 hash:	292c106dcd8451a468b2055bf447d2fadfc3a1d800994ed8f69df657fe314f6d
SHA3-384 hash:	30f04f5cbeead0a4c2064647e491d7d77aaf0f596346b77c41f4b10ddeeb7084384cef656fcee8b07f5f7466933201f8
SHA1 hash:	8c31497e0fb8ee718144c256575874eea2f630b5
MD5 hash:	915ee53a8de4c4acec9cd19e43e91779
humanhash:	shade-carbon-jig-coffee
File name:	915ee53a8de4c4acec9cd19e43e91779.exe
Download:	download sample
Signature	SnakeKeylogger Create hunting rule
File size:	1'093'120 bytes
First seen:	2022-07-06 15:51:42 UTC
Last seen:	2022-07-15 03:13:34 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'650 x AgentTesla, 19'462 x Formbook, 12'203 x SnakeKeylogger)
ssdeep	24576:HRb+nSeC31s51DpBZZOOitzAQAig5OqOfS0XejTDvAbVGG:4N5HZOTBAQAiggqDvWGG
Threatray	6'678 similar samples on MalwareBazaar
TLSH	T1A035AF9C360178AFDA27CF76C9441D60EA2164A66B4FE243A04705DD9A1DB9BEF043F3
TrID	61.5% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13) 11.0% (.SCR) Windows screen saver (13101/52/3) 8.8% (.EXE) Win64 Executable (generic) (10523/12/4) 5.5% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 4.2% (.EXE) Win16 NE executable (generic) (5038/12/1)
File icon (PE):
dhash icon	b3b3333969693b3b (69 x Formbook, 63 x AgentTesla, 26 x Loki)
Reporter	abuse_ch
Tags:	exe SnakeKeylogger

Intelligence

File Origin

# of uploads :

# of downloads :

242

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

snakewealthzx[1].exe.2.dr.zip

Verdict:

Malicious activity

Analysis date:

2022-07-05 14:24:50 UTC

Tags:

snake evasion trojan

Link:

https://app.any.run/tasks/611bc939-f715-4f37-b306-4f00cb2d08cc

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/285217/

Detection(s):

SecuriteInfo.com.Trojan.GenericKD.50578156.8282.21676.UNOFFICIAL

Result

Verdict:

Clean

Maliciousness:

Behaviour

Creating a window

Verdict:

Suspicious

Threat level:

5/10

Confidence:

100%

Tags:

packed

Link:

https://www.filescan.io/uploads/62c5afb6dd037e2703342bc7/reports/ae67bef0-90bf-4f8f-ae37-37674fb9aee9/overview

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Snake Keylogger

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/0a0df2ed-c262-4bec-a6b5-7b9cd1c02408

Result

Threat name:

Snake Keylogger

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1025776

Signature

.NET source code references suspicious native API functions

Detected unpacking (changes PE section rights)

Injects a PE file into a foreign processes

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

May check the online IP address of the machine

Multi AV Scanner detection for submitted file

Snort IDS alert for network traffic

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to steal Mail credentials (via file / registry access)

Yara detected AntiVM3

Yara detected Generic Downloader

Yara detected Snake Keylogger

Yara detected Telegram RAT

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/292c106dcd8451a468b2055bf447d2fadfc3a1d800994ed8f69df657fe314f6d/

Threat name:

ByteCode-MSIL.Trojan.SnakeKeylogger

Status:

Malicious

First seen:

2022-07-05 22:59:00 UTC

File Type:

PE (.Net Exe)

Extracted files:

AV detection:

18 of 26 (69.23%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=fewba3onqri2i2fsavn7ir6s7lp4hioyacmu5whwtx3fp7rrj5wq._file

Verdict:

malicious

SnakeKeylogger

8c8689ef0607b5c400a335514afad5b7f2f549a741ef3c4412c6d20f58aca9f7

SnakeKeylogger

96929d91624ef88554c7850bc57c8cfd2bb093fb8cdaad5f8865c1001c5a5d0d

SnakeKeylogger

97d6ca695325d19dba9161f676434dce87ad47769cb1f5618adc7c5122cf6d1c

SnakeKeylogger

9b575886a26dfe4f3a94ce8b18d308323b9201793790e666bb424de06cfdbd7a

SnakeKeylogger

c4d762c8087c363c890341e5a447ac3552843cbbd850634dbc7f4f37d7469096

SnakeKeylogger

dffe45189680dbc7d56ae5aa90861f798b109efc8cae5a693c0e521b08d2184a

SnakeKeylogger

e2113d1238c6af86ae328bd4292d9fe031ae1a4b142686e392434160619da4fe

SnakeKeylogger

+ 6'668 additional samples on MalwareBazaar

Result

Malware family:

snakekeylogger

Score:

10/10

Tags:

family:snakekeylogger collection keylogger spyware stealer

Link:

https://tria.ge/reports/220706-ta2t3seebm/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

outlook_office_path

outlook_win_path

Suspicious use of SetThreadContext

Accesses Microsoft Outlook profiles

Looks up external IP address via web service

Reads data files stored by FTP clients

Reads user/profile data of local email clients

Reads user/profile data of web browsers

Snake Keylogger

Snake Keylogger Payload

Malware Config

C2 Extraction:

https://api.telegram.org/bot5321688653:AAEI2yqGrOA_-sRZ3xaqutrexraSgFa0AnA/sendMessage?chat_id=5048077662

Unpacked files

SH256 hash:

f311fedab79377895506a6997610f16417e9ca199260fc2839fed2de23d15e62

MD5 hash:

d3a2e6ebef130f3418ba9ee3e6203fe4

SHA1 hash:

f6823b091d42aa0f9abce7ad189a7ebeed29f14c

Link:

https://www.unpac.me/results/be48f721-c601-4ed0-aac1-721d86468118/

SH256 hash:

24c54536646025e3f83804c20788a67f00a9add5f93c46e4f716a8d2692ed48b

MD5 hash:

529d8eb58c735cd3812e6d42423421e6

SHA1 hash:

e2b0f7dcade40f20ea9f766a33ad6a0ca8cd91b9

Link:

https://www.unpac.me/results/be48f721-c601-4ed0-aac1-721d86468118/

SH256 hash:

77f29fcd8f13d04b2d9e54274cd163b3139ab23e340a21f5130665e7b64b107f

MD5 hash:

5ecafc2d3289559540d120051cd0f2b6

SHA1 hash:

952d1edeca6d83142375dec50bcedf76d0edbd31

Link:

https://www.unpac.me/results/be48f721-c601-4ed0-aac1-721d86468118/

SH256 hash:

70bb4f8aa7d0a33f8206f78c845fa2bd686c2a0f2b3bd50cd0b6b887a45398ca

MD5 hash:

30d61a3a3e26c2bca2eb766990132d7c

SHA1 hash:

94f9742d5f21b13f7d8d194fe938193cbb6a0d4d

Link:

https://www.unpac.me/results/be48f721-c601-4ed0-aac1-721d86468118/

SH256 hash:

3b59fe180dd50e3f3d4fdcbdd4e7a2d4e3e1c85ae43cb4f3716c4be41e9ec2ae

MD5 hash:

9ea556e333e216a65aa09c102f36004f

SHA1 hash:

814c07f1dc68bd61840384aac3aa8346d9f8148f

Link:

https://www.unpac.me/results/be48f721-c601-4ed0-aac1-721d86468118/

SH256 hash:

292c106dcd8451a468b2055bf447d2fadfc3a1d800994ed8f69df657fe314f6d

MD5 hash:

915ee53a8de4c4acec9cd19e43e91779

SHA1 hash:

8c31497e0fb8ee718144c256575874eea2f630b5

Link:

https://www.unpac.me/results/be48f721-c601-4ed0-aac1-721d86468118/

Malware family:

SnakeKeylogger

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/292c106dcd84/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

0.81

Link:

https://yomi.yoroi.company/submissions/292c106dcd8451a468b2055bf447d2fadfc3a1d800994ed8f69df657fe314f6d

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	pe_imphash Create hunting rule

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

SnakeKeylogger

exe 292c106dcd8451a468b2055bf447d2fadfc3a1d800994ed8f69df657fe314f6d

(this sample)

URLhaus

https://urlhaus.abuse.ch/url/2250919/

Delivery method

Distributed via web download

Cape

https://www.capesandbox.com/analysis/285217/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample