MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 2a5530ab57193bdd66809775e99678ec6be6053af364e731aeae2fb9baabbf32. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


SnakeKeylogger


Vendor detections: 11


Intelligence 11 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 2a5530ab57193bdd66809775e99678ec6be6053af364e731aeae2fb9baabbf32
SHA3-384 hash: 90f73049bc10c074dc485911664944047994efaa4c672a678651ec2f427518a4f7db233de4b18a8aa7844d04405f4479
SHA1 hash: b1cf05952487abb3b8e108cf5b46239fd59447b4
MD5 hash: 8a9963cf9a09ebfcc8eb1ac036b1f725
humanhash: four-violet-whiskey-artist
File name:Proforma Invoice.exe
Download: download sample
Signature SnakeKeylogger
Create hunting rule
File size:805'376 bytes
First seen:2022-03-15 11:55:51 UTC
Last seen:2022-04-20 09:53:09 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'657 x AgentTesla, 19'469 x Formbook, 12'208 x SnakeKeylogger)
ssdeep 12288:T9PmakwOEocE7JR70yrIxWyAWtXy+cYZM4Q25ybeVfTwHZ8p/:5PmBwORJ2WyAuc/2fTuZ8p
Threatray 1'765 similar samples on MalwareBazaar
TLSH T15D050206B2ED9F83E47BC7FA8866594843B2B419191EE38A5CC630C315F7F4057A1B6B
Reporter GovCERT_CH
Tags:exe SnakeKeylogger

Intelligence

File Origin
# of uploads :
3
# of downloads :
200
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/250737/
Detection(s):
SecuriteInfo.com.Trojan.Siggen17.25660.2676.28704.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Сreating synchronization primitives
Launching a process
Creating a process with a hidden window
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
obfuscated packed
Link:
https://www.filescan.io/uploads/62307edb0cd58dbd929e4f06/reports/0a48e880-89d6-4325-a8ed-cbb05b9db172/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Snake Keylogger
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/f211d3ea-755d-4144-9e49-558c66b6bc8d
Result
Threat name:
Snake Keylogger
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/956959
Signature
.NET source code contains potential unpacker
Adds a directory exclusion to Windows Defender
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
May check the online IP address of the machine
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Suspicious Add Scheduled Task From User AppData Temp
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Mail credentials (via file / registry access)
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected AntiVM3
Yara detected Snake Keylogger
Yara detected Telegram RAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 589438 Sample: Proforma Invoice.exe Startdate: 15/03/2022 Architecture: WINDOWS Score: 100 39 Malicious sample detected (through community Yara rule) 2->39 41 Multi AV Scanner detection for dropped file 2->41 43 Multi AV Scanner detection for submitted file 2->43 45 12 other signatures 2->45 7 Proforma Invoice.exe 7 2->7         started        process3 file4 25 C:\Users\user\AppData\...\wOfsGeeWUEDQ.exe, PE32 7->25 dropped 27 C:\Users\...\wOfsGeeWUEDQ.exe:Zone.Identifier, ASCII 7->27 dropped 29 C:\Users\user\AppData\Local\...\tmp8CA2.tmp, XML 7->29 dropped 31 C:\Users\user\...\Proforma Invoice.exe.log, ASCII 7->31 dropped 47 Adds a directory exclusion to Windows Defender 7->47 49 Injects a PE file into a foreign processes 7->49 11 Proforma Invoice.exe 15 2 7->11         started        15 powershell.exe 24 7->15         started        17 schtasks.exe 1 7->17         started        19 2 other processes 7->19 signatures5 process6 dnsIp7 33 sizetekstil.com 151.106.103.125, 49794, 49798, 587 PLUSSERVER-ASN1DE Germany 11->33 35 checkip.dyndns.com 193.122.130.0, 49791, 80 ORACLE-BMC-31898US United States 11->35 37 4 other IPs or domains 11->37 51 Tries to steal Mail credentials (via file / registry access) 11->51 53 Tries to harvest and steal ftp login credentials 11->53 55 Tries to harvest and steal browser information (history, passwords, etc) 11->55 21 conhost.exe 15->21         started        23 conhost.exe 17->23         started        signatures8 process9
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/2a5530ab57193bdd66809775e99678ec6be6053af364e731aeae2fb9baabbf32/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2022-03-15 04:18:27 UTC
File Type:
PE (.Net Exe)
Extracted files:
15
AV detection:
23 of 27 (85.19%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=fjktbk2xde552zuas526tfty5rv6mbj26nsoomnovyx3tovlx4za._file
Verdict:
malicious
Similar samples:
2bb206e55c18ac896b02a8ec624d80541011174d7d1dc0257ad5a578dd871179
SnakeKeylogger
3fee0d32925b8e8b2525e9b697ef141fe0635570ad42cc8b9fd0819913983db8
SnakeKeylogger
a9189b815c696214f9c7297e0ee9d6ecfff9bcf7e7064651dc3d64522d922b8d
SnakeKeylogger
bcbf8a906dcee1a2cf55c638b4fd5c815d93b764bc88038210edfd7cb635ac69
SnakeKeylogger
c1f2fc828447090bb545580ee2d46919e8a96377a792f2207af3456e119a5d05
SnakeKeylogger
c9e41839229f9f0212302fabb622b307341d9094b6f6c348b166b858012f296e
SnakeKeylogger
eee91d7774e1d15d830eb3913deea24ff70e4967fa2ae0d1adb5d5bfe95d80bb
SnakeKeylogger
f13f9e43f10104b7502bb7359d9d4f6bef97495af69be9f7b895730af56ca89e
SnakeKeylogger
+ 1'755 additional samples on MalwareBazaar
Result
Malware family:
snakekeylogger
Create hunting rule
Score:
  10/10
Tags:
family:snakekeylogger collection keylogger spyware stealer
Link:
https://tria.ge/reports/220315-n32rwsbae2/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Enumerates physical storage devices
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Looks up external IP address via web service
Checks computer location settings
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Snake Keylogger
Snake Keylogger Payload
Unpacked files
SH256 hash:
4ffb59b76867dc3ee5df8b1476a82043c8bbfa9679aa90a2e4b937292b3722b8
MD5 hash:
fc6d91ff314356715f5c76ba61240c9f
SHA1 hash:
aac8291f9af1c2e18b8302550ee4d1c96120949a
Link:
https://www.unpac.me/results/e09d620f-d306-4b00-843b-f08b3c495e00/
SH256 hash:
4aeffa353caf0d28a58c3cce0cd34bbcf1e2770f2250f3c9072a84f023b239d7
MD5 hash:
a539d8e2ea638836b072cd1edea16145
SHA1 hash:
6344b80e12226937505102b1df3d790d07bf0ac1
Link:
https://www.unpac.me/results/e09d620f-d306-4b00-843b-f08b3c495e00/
SH256 hash:
c319fe387ae2436055d38ea7ba0564da3e5cfd5c66a2efe03b92f29e88791f43
MD5 hash:
b3587bdc0884cc6020fe3b7718a4c5ac
SHA1 hash:
1ace7fa4b22e8ad48eba86c37cf80716f941dfb2
Link:
https://www.unpac.me/results/e09d620f-d306-4b00-843b-f08b3c495e00/
SH256 hash:
ce48d1ce97c46ce8fd17a414add96e8985853ef1ee77742357e07db79910e8f4
MD5 hash:
9da202e835da96159ea00fae72f72a08
SHA1 hash:
141612256ff23e1b35f51f8670723b001bc65b4e
Link:
https://www.unpac.me/results/e09d620f-d306-4b00-843b-f08b3c495e00/
SH256 hash:
2a5530ab57193bdd66809775e99678ec6be6053af364e731aeae2fb9baabbf32
MD5 hash:
8a9963cf9a09ebfcc8eb1ac036b1f725
SHA1 hash:
b1cf05952487abb3b8e108cf5b46239fd59447b4
Link:
https://www.unpac.me/results/e09d620f-d306-4b00-843b-f08b3c495e00/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/2a5530ab57193bdd66809775e99678ec6be6053af364e731aeae2fb9baabbf32

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

SnakeKeylogger

Executable exe 2a5530ab57193bdd66809775e99678ec6be6053af364e731aeae2fb9baabbf32

(this sample)

  
Dropped by
snakekeylogger
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/250737/

Comments