MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 31261a3dd67894580c9377da5cfd7f25e02cbded114c4c73ebd14941c911805a. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


SnakeKeylogger


Vendor detections: 15


Intelligence 15 IOCs YARA 12 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 31261a3dd67894580c9377da5cfd7f25e02cbded114c4c73ebd14941c911805a
SHA3-384 hash: cf3b3857b6f6248e5dde745398096dd71ea2fd2c3131162bd2f60b3dca95381ecbfc856ae696509c192ef4b48ce0bd5f
SHA1 hash: cd1b1439cb476912b4d684624b82bd6a558a0149
MD5 hash: 0cefce923cc54b86196b2cc432f9687c
humanhash: gee-sixteen-zebra-december
File name:854F1E97-5DBB-4A87-A566-33D9012B05E2.pdf.exe
Download: download sample
Signature SnakeKeylogger
Create hunting rule
File size:612'352 bytes
First seen:2023-05-24 10:04:59 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'738 x AgentTesla, 19'596 x Formbook, 12'241 x SnakeKeylogger)
ssdeep 12288:W2N8jiZ4zypIPsotPplTY6RhKuMlZ0/UPo7CKKOo11HqJdDBV4rV8xW+CuFToKL1:W2N8jiZ4zypIPsoJTDEZlG8mCrNynWxg
Threatray 5'469 similar samples on MalwareBazaar
TLSH T15BD4028463BEAB8AD5B797F504449678077EA866F032D3471D93F0C6AA64F140F42F2B
TrID 69.7% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.0% (.EXE) Win64 Executable (generic) (10523/12/4)
6.2% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.2% (.EXE) Win32 Executable (generic) (4505/5/1)
1.9% (.EXE) Win16/32 Executable Delphi generic (2072/23)
Reporter abuse_ch
Tags:exe SnakeKeylogger

Intelligence

File Origin
# of uploads :
1
# of downloads :
262
Origin country :
NL NL
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
854F1E97-5DBB-4A87-A566-33D9012B05E2.pdf.exe
Verdict:
Malicious activity
Analysis date:
2023-05-24 10:05:39 UTC
Tags:
snake keylogger trojan evasion
Link:
https://app.any.run/tasks/d61cf4b1-cae3-484c-8f7d-5d6d48685544

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Snake
Create hunting rule
Link:
https://www.capesandbox.com/analysis/391106/
Detection(s):
SecuriteInfo.com.Win32.PWSX-gen.2128.19920.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Creating a window
Sending a custom TCP request
Unauthorized injection to a recently created process
Creating a file
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
lolbin packed
Link:
https://www.filescan.io/uploads/646de14ff6a79f3319269ca0/reports/3f684017-f7ad-4a5c-9776-00e88737e086/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_90%
Link:
https://www.hybrid-analysis.com/sample/31261a3dd67894580c9377da5cfd7f25e02cbded114c4c73ebd14941c911805a
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Snake Keylogger
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/394fe2db-fa52-4ba2-82c4-833c26ee36ce
Result
Threat name:
Snake Keylogger
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1241557
Signature
Found malware configuration
Initial sample is a PE file and has a suspicious name
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
May check the online IP address of the machine
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Mail credentials (via file / registry access)
Uses an obfuscated file name to hide its real file extension (double extension)
Yara detected Generic Downloader
Yara detected Snake Keylogger
Yara detected Telegram RAT
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/31261a3dd67894580c9377da5cfd7f25e02cbded114c4c73ebd14941c911805a/
Threat name:
Win32.Trojan.Leonem
Create hunting rule
Status:
Malicious
First seen:
2023-05-24 10:05:05 UTC
File Type:
PE (.Net Exe)
Extracted files:
10
AV detection:
15 of 22 (68.18%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=getbupowpckfqdeto7nfz7l7exqczppncfgey47l2feudsirqbna._file
Verdict:
malicious
Similar samples:
0143b411f3c0c02a845fa45cca9fd02df3da4334ad748fd119759f877c1e7ef2
SnakeKeylogger
39284637e45691feb034477cb6d51b662892a17b883ce42cee8d8e2fcdda4817
SnakeKeylogger
95a4f31cf9b3c1876798edc24aa9323d84e35a3c6d0fccbdde059e4062e50f78
SnakeKeylogger
b33a98ce498846037fd68b2055d835464a1350c9c067e250689a2be1f17dc987
SnakeKeylogger
+ 5'459 additional samples on MalwareBazaar
Result
Malware family:
snakekeylogger
Create hunting rule
Score:
  10/10
Tags:
family:snakekeylogger collection keylogger spyware stealer
Link:
https://tria.ge/reports/230524-l4g3rsbh69/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Looks up external IP address via web service
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Snake Keylogger
Snake Keylogger payload
Malware Config
C2 Extraction:
https://api.telegram.org/bot5253212199:AAG-02qWN77aEjxlYTZ-WAZ7WOi_I4kCde8/sendMessage?chat_id=2128925974
Unpacked files
SH256 hash:
3a3838acef5c891035cdcc94051633f3388322ae44cf64e09249f3fced5a635e
MD5 hash:
cf92a743434cc7bcf437903b1c17ff29
SHA1 hash:
d9cb038ea102a71d54beaf304a9108e621911bc2
Link:
https://www.unpac.me/results/d49f9b0a-5242-4896-9500-4d911ae1267f/
SH256 hash:
63b484009516e7a4abc724826d453e595ea19f64cdb3b7ad6129bd50efd24276
MD5 hash:
72073edb681caf79e8673d5410d8e08f
SHA1 hash:
d77883a81f8ca07969b42e60acb5e76e0c6f863f
Link:
https://www.unpac.me/results/d49f9b0a-5242-4896-9500-4d911ae1267f/
SH256 hash:
16c255190eaaf1b60ec7d07abcac5f614ea197cee2416ca9d01bb563c526c87d
MD5 hash:
fb4ed205b442f470bbf10913128efdcb
SHA1 hash:
9a0a4c5ae429769e3253a9a3daefa24270b87a5b
Link:
https://www.unpac.me/results/d49f9b0a-5242-4896-9500-4d911ae1267f/
Parent samples :
ee57b6fa1e5a3c5ef776b79f32820327bcb3fe1974eeddf65c0eb56131193397
de8c7c543f438af1e7e78096f6873268e9b1a12745edf9c88db07e136163399e
SH256 hash:
111d42a9ca0390c2da005690b74bb547c3be811e025ad02127706871ffd608be
MD5 hash:
393d6c4ee5dd62ecf2f0c487ccfba75c
SHA1 hash:
7573b43e8e51c4d671ee6f3851bd0cd98898ca95
Detections:
snake_keylogger
Create hunting rule
Link:
https://www.unpac.me/results/d49f9b0a-5242-4896-9500-4d911ae1267f/
Parent samples :
061ee3375dc3333d8c4266e773535e516206935d4f7dbbc3f0319d253840213d
840841b31d3ffecc2d05b7860a327ec585c142e25067fdfee90f67993bb9cce8
27d87225d2c5b22a531d89640b5346d988177a8d46b41e7977430dd8e095b20e
fc9a557c699b548774bbff4390c60fe2c9779b12dae6ff89860590e44e52f35c
8fd22f3a7bd250cdc73b4b603c085906d19f8a55b0767465bccbf7c3a5df7e81
0bcf67c52f7b210cc7a7bb304e66d221f49363e7e9e75d21f7eeab8355669e2f
dfd9c8d686cd930eb4057a2066b45cfd81d614d00f1d04aca07df18c22b96dc5
b239f9dd0c75dd4d7fa96c4c16aa35e159dc1832f5e86b2178201d353ae40f42
e25b10c6982c5ec2ede4ea1b0b0355f2ad69ebe9c5a423042e6e9c5365644f32
76f5705ac3ded6e48d0fd4106aeee4ff29c928db64475405af07c49456c4a98c
8ec589783ee99df7f41c722cd5e082a377a24d8e0f26121ade720132e09a574e
0e642ba6a80400a3687939384dbbc0a993b5ad11dbc7bccd6a0b00f091878463
01a61878fb688719bbd35d4788d8443d850e878e087d6b4949b31753089cad40
ecadf3a82456432d82fb7e6ce72761aa85253bff9e17d6ae25566132620a280c
6bef1889e2124e776aad61e98ab354d9067b25fef573bd67563d691e01ff4169
bb7ae35b61a135ad6315c7bb85c66bf7346d1c1d031bdd1053fa7c82ebd2c1ca
a1f4604ea58dce5c513639a0929b6e130783a85873bec08ab0e5b061736dd086
c1aa3e19aaa042198af892f216f9f32bc506249c499ac2a31e71f012fce68f97
4f250e4c6d12fc351a9e0cfae8036b78a88c409e6c6c88a45aa6b659d8c4901e
307f012f74f209e4b8371400455ee296585a6d6a0d4c2195df2186ecaf0acd79
fb8564efb19ac7b2777934eeff430c908f3a3e4989ccffcfe0b82453ac222c8f
38a380b0ef5633beef842aabfa59f857cf9286a3e068987864d00b975d7e3253
f0f7717c93fa1fc099bb73da00989d8e75f24047779c1c54e74db9c21db6b3d8
1250f968f4c4db1b73b64223fcb95958b3c324afb330daf88d9379d2cdaeb2ce
be493996dade9c217151bd2f63fe9310d34ad997288d40de3fabdbdbf88cc450
4a517e9b6f85668c242fb3c74f397839a428ce95aca4f95872ee73149cfc3c29
31261a3dd67894580c9377da5cfd7f25e02cbded114c4c73ebd14941c911805a
ab08bdbb5cee3c7c6fe2d7de4c8b7c383316fe7e7dd467f6dfa81dfbe443680b
e82b399e5ef3f95bfaf96d675eb290b35980e7cb2d07aff724a5b67ad4d3cef1
SH256 hash:
a518e0fddabae1e59f933566cb54e592331404d5362976f3ef81a1432dac4ffb
MD5 hash:
de906fce89f615f303ddfb80c1b37b35
SHA1 hash:
3568e3f9f0731da9a3294f4f8de61f95dc3eec31
Link:
https://www.unpac.me/results/d49f9b0a-5242-4896-9500-4d911ae1267f/
SH256 hash:
31261a3dd67894580c9377da5cfd7f25e02cbded114c4c73ebd14941c911805a
MD5 hash:
0cefce923cc54b86196b2cc432f9687c
SHA1 hash:
cd1b1439cb476912b4d684624b82bd6a558a0149
Link:
https://www.unpac.me/results/d49f9b0a-5242-4896-9500-4d911ae1267f/
Malware family:
SnakeKeylogger
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/31261a3dd678/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Password Stealer
Score:
0.90
Link:
https://yomi.yoroi.company/submissions/31261a3dd67894580c9377da5cfd7f25e02cbded114c4c73ebd14941c911805a

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_SUSPICIOUS_Binary_References_Browsers
Create hunting rule
Author:ditekSHen
Description:Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers.
Rule name:INDICATOR_SUSPICIOUS_EXE_DotNetProcHook
Create hunting rule
Author:ditekSHen
Description:Detects executables with potential process hoocking
Rule name:INDICATOR_SUSPICIOUS_EXE_References_Messaging_Clients
Create hunting rule
Author:ditekSHen
Description:Detects executables referencing many email and collaboration clients. Observed in information stealers
Rule name:INDICATOR_SUSPICIOUS_EXE_TelegramChatBot
Create hunting rule
Author:ditekSHen
Description:Detects executables using Telegram Chat Bot
Rule name:MALWARE_Win_SnakeKeylogger
Create hunting rule
Author:ditekSHen
Description:Detects Snake Keylogger
Rule name:MAL_Envrial_Jan18_1
Create hunting rule
Author:Florian Roth (Nextron Systems)
Description:Detects Encrial credential stealer malware
Reference:https://twitter.com/malwrhunterteam/status/953313514629853184
Rule name:MAL_Envrial_Jan18_1_RID2D8C
Create hunting rule
Author:Florian Roth
Description:Detects Encrial credential stealer malware
Reference:https://twitter.com/malwrhunterteam/status/953313514629853184
Rule name:pe_imphash
Create hunting rule
Rule name:reverse_http
Create hunting rule
Author:CD_R0M_
Description:Identify strings with http reversed (ptth)
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash
Rule name:Windows_Trojan_SnakeKeylogger_af3faa65
Create hunting rule
Author:Elastic Security

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

SnakeKeylogger

Executable exe 31261a3dd67894580c9377da5cfd7f25e02cbded114c4c73ebd14941c911805a

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/391106/

Comments