MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 29865b75c412f1ac28c7d971b011806080c583640b0130bfe9603d35c5665fce. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


SnakeKeylogger


Vendor detections: 14


Intelligence 14 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 29865b75c412f1ac28c7d971b011806080c583640b0130bfe9603d35c5665fce
SHA3-384 hash: e56819138de4eae64a665aa53bce3288fc24520d415cdd13961a46be29e979353d12f71bc7b8fa83808c8194e124c078
SHA1 hash: 34bc9ae36a7440e4e63dc990c2b0440290265f9c
MD5 hash: dde846fa9473a15681edb8e3c4bbfa7b
humanhash: artist-apart-coffee-princess
File name:SecuriteInfo.com.Win32.PWSX-gen.21070.24107
Download: download sample
Signature SnakeKeylogger
Create hunting rule
File size:613'888 bytes
First seen:2022-11-28 09:33:39 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'742 x AgentTesla, 19'606 x Formbook, 12'242 x SnakeKeylogger)
ssdeep 12288:qejc8pbKbf9BivJwgLYDNo0LqYMxHSqThW+:q/abK5I+9K0L7MNSqT
Threatray 9'276 similar samples on MalwareBazaar
TLSH T134D4F112312DC365D75C3BB1A8A297B07B70BD39E533D52F29887A9E79333504E3162A
TrID 71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.2% (.EXE) Win64 Executable (generic) (10523/12/4)
6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.3% (.EXE) Win32 Executable (generic) (4505/5/1)
2.0% (.ICL) Windows Icons Library (generic) (2059/9)
File icon (PE):PE icon
dhash icon e0d0988ccca6d2e8 (9 x SnakeKeylogger, 3 x PureCrypter, 1 x AgentTesla)
Reporter SecuriteInfoCom
Tags:exe SnakeKeylogger

Intelligence

File Origin
# of uploads :
1
# of downloads :
278
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
SecuriteInfo.com.Win32.PWSX-gen.21070.24107
Verdict:
Malicious activity
Analysis date:
2022-11-28 09:35:04 UTC
Tags:
evasion trojan
Link:
https://app.any.run/tasks/21550f03-9520-4440-b87c-b05e35f43df0

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Snake
Create hunting rule
Link:
https://www.capesandbox.com/analysis/339357/
Detection(s):
SecuriteInfo.com.Win32.PWSX-gen.21070.24107.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Creating a window
Sending a custom TCP request
Launching a process
Creating a process with a hidden window
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
packed
Link:
https://www.filescan.io/uploads/6384808e5be128ac718f3f97/reports/dc49be81-7a35-4319-9228-a8a746f3704b/overview
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Snake Keylogger
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/2c7f64d6-c824-46b1-a05a-c53dc5edb2af
Result
Threat name:
Snake Keylogger
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1122379
Signature
.NET source code references suspicious native API functions
Adds a directory exclusion to Windows Defender
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
May check the online IP address of the machine
Sigma detected: Scheduled temp file as task from temp location
Snort IDS alert for network traffic
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Mail credentials (via file / registry access)
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Yara detected AntiVM3
Yara detected Generic Downloader
Yara detected Snake Keylogger
Yara detected Telegram RAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 755096 Sample: SecuriteInfo.com.Win32.PWSX... Startdate: 28/11/2022 Architecture: WINDOWS Score: 100 51 Snort IDS alert for network traffic 2->51 53 Malicious sample detected (through community Yara rule) 2->53 55 Sigma detected: Scheduled temp file as task from temp location 2->55 57 7 other signatures 2->57 7 SecuriteInfo.com.Win32.PWSX-gen.21070.24107.exe 7 2->7         started        11 nvJUUv.exe 5 2->11         started        process3 file4 35 C:\Users\user\AppData\Roaming\nvJUUv.exe, PE32 7->35 dropped 37 C:\Users\user\...\nvJUUv.exe:Zone.Identifier, ASCII 7->37 dropped 39 C:\Users\user\AppData\Local\...\tmp1509.tmp, XML 7->39 dropped 41 SecuriteInfo.com.W...21070.24107.exe.log, ASCII 7->41 dropped 59 Uses schtasks.exe or at.exe to add and modify task schedules 7->59 61 Writes to foreign memory regions 7->61 63 Adds a directory exclusion to Windows Defender 7->63 13 MSBuild.exe 15 2 7->13         started        17 MSBuild.exe 7->17         started        19 powershell.exe 21 7->19         started        21 schtasks.exe 1 7->21         started        65 Machine Learning detection for dropped file 11->65 67 Injects a PE file into a foreign processes 11->67 23 MSBuild.exe 2 11->23         started        25 schtasks.exe 1 11->25         started        27 MSBuild.exe 11->27         started        signatures5 process6 dnsIp7 43 checkip.dyndns.com 193.122.130.0, 49698, 80 ORACLE-BMC-31898US United States 13->43 45 checkip.dyndns.org 13->45 69 May check the online IP address of the machine 17->69 29 conhost.exe 19->29         started        31 conhost.exe 21->31         started        47 193.122.6.168, 49699, 80 ORACLE-BMC-31898US United States 23->47 49 checkip.dyndns.org 23->49 71 Tries to steal Mail credentials (via file / registry access) 23->71 73 Tries to harvest and steal ftp login credentials 23->73 75 Tries to harvest and steal browser information (history, passwords, etc) 23->75 33 conhost.exe 25->33         started        signatures8 process9
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/29865b75c412f1ac28c7d971b011806080c583640b0130bfe9603d35c5665fce/
Threat name:
Win32.Trojan.Taskun
Create hunting rule
Status:
Malicious
First seen:
2022-11-28 07:15:10 UTC
File Type:
PE (.Net Exe)
Extracted files:
29
AV detection:
20 of 26 (76.92%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=fgdfw5oecly2ykgh3fy3aemamcamla3ebmatbp7jma6tlrlgl7ha._file
Verdict:
malicious
Similar samples:
03b965700d86e125f7e3d4a2043888cd9e2da90434660f4a21249d05caa4d02c
SnakeKeylogger
2f6e6357881973427aa992355125e2a7be58586613136a7fa4a84a49dd28dc93
SnakeKeylogger
41130c6ae73f211bab65e86f956f2c11ea1455089d21b5f18316353e5e370437
SnakeKeylogger
c498b83c2623ae4b95259430d63e9ef264941ffa0bfb7a7005f3db8244a69707
SnakeKeylogger
cd004920d1ca92cbfa11e014394a37dac188f65a0c6baf476601d462999126fa
SnakeKeylogger
edbc2a3471d87508b3e4b9174ab90a6a04529a2cef9373e3e1b4f3d97fb3afaf
SnakeKeylogger
eee60f047d393679542dcc545a824cc4946da2ab2c836944ace74ba5044c1696
SnakeKeylogger
+ 9'266 additional samples on MalwareBazaar
Result
Malware family:
snakekeylogger
Create hunting rule
Score:
  10/10
Tags:
family:snakekeylogger collection keylogger stealer
Link:
https://tria.ge/reports/221128-ljrrgahb81/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Enumerates physical storage devices
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Looks up external IP address via web service
Snake Keylogger
Snake Keylogger payload
Unpacked files
SH256 hash:
3624268b1bf67fd3f560f345e5171f3a2f8968a776c23816ea76fc0ef41b0f03
MD5 hash:
1619753b625e58c25b73fbf1f0bff482
SHA1 hash:
c0d7922bdbc10ef0ee1606a40c2dedd22cb180d4
Link:
https://www.unpac.me/results/58248d5e-13ca-4509-87fe-2ba27fe871bd/
SH256 hash:
202e13ad24d443318ab3a7d811072bf799bd7744f218ee2bd6673c2201ce56fb
MD5 hash:
5b61f5c890478a842e7cbf52231ad5fa
SHA1 hash:
8d9862f80bf631f36487073f55245f1259ee064d
Link:
https://www.unpac.me/results/58248d5e-13ca-4509-87fe-2ba27fe871bd/
SH256 hash:
4ee60523f3c5539d03eddfc2e17cbd4dbf19a18e8909d0d588ad103d6edf035b
MD5 hash:
bff6f69f0462353c9d308ccb4177a957
SHA1 hash:
7cd553cb3f39bd241ac315627c486759299fc218
Link:
https://www.unpac.me/results/58248d5e-13ca-4509-87fe-2ba27fe871bd/
SH256 hash:
c30294f97fd317905407c7f0c37908d5e7094ef8a067a6d1abb33ef83e4e2bc3
MD5 hash:
6ca9f3093d1147bdd58aaaec0bf35d17
SHA1 hash:
5fb3c64d57889dcbe8d1f8a4c6be39a0c3a0759a
Detections:
snake_keylogger
Create hunting rule
Link:
https://www.unpac.me/results/58248d5e-13ca-4509-87fe-2ba27fe871bd/
Parent samples :
ac6b2faf121905b8980455fab8e39a7cc3bf4fd5b2bff91068b5a6b348d23ee3
cd004920d1ca92cbfa11e014394a37dac188f65a0c6baf476601d462999126fa
29865b75c412f1ac28c7d971b011806080c583640b0130bfe9603d35c5665fce
a877d4ad09c9afc5bb5880913fd98fcf6989f390685bbd50b7f6acca864d0f44
4f5ea72df2ff98979013fbfe0781a01d8d487d886ebc5012e037f553527996d2
b88d6e2b1c5a0fbccf8af747e7bab2326b5bbf84ebceaec5d615a42a414c516c
0f8f70dd445fd84967a71a4d4f40e9f630b2a814e7d9107b1066ba1f8fb3bfa4
7f9763a377fe92b64b80a08b747d33fef333880554b254bf645f04bd8eac1ed8
SH256 hash:
b3507f2fccd499b4d72f892942d3ac4c0b222c9236c3ad9262dfc7f8016a929b
MD5 hash:
276ef17d465f8127487d11266c0b7fea
SHA1 hash:
516bd5dce3d6ddf098f462e6d64b046ffbf7cf8e
Link:
https://www.unpac.me/results/58248d5e-13ca-4509-87fe-2ba27fe871bd/
SH256 hash:
29865b75c412f1ac28c7d971b011806080c583640b0130bfe9603d35c5665fce
MD5 hash:
dde846fa9473a15681edb8e3c4bbfa7b
SHA1 hash:
34bc9ae36a7440e4e63dc990c2b0440290265f9c
Link:
https://www.unpac.me/results/58248d5e-13ca-4509-87fe-2ba27fe871bd/
Malware family:
SnakeKeylogger
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/29865b75c412/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/29865b75c412f1ac28c7d971b011806080c583640b0130bfe9603d35c5665fce

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/339357/

Comments