MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 32275e396d14199f285fe5781df3d8a11e0d50bd3cb5379f015a535aa7b6da69. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


SnakeKeylogger


Vendor detections: 13


Intelligence 13 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 32275e396d14199f285fe5781df3d8a11e0d50bd3cb5379f015a535aa7b6da69
SHA3-384 hash: 4d5594b59151c23ee66c8b39ee7ef619aae25a623b2444ef8a1501a4114da1c67e6447bfcfdd426fd5b1129774c0b1fb
SHA1 hash: 43a88e8d1c8b651292ab2bcda4c8268045b5133f
MD5 hash: 79bab85d06654a030b08bc60edef5157
humanhash: mississippi-louisiana-three-virginia
File name:TNT AWB # TNTMX988653.pdf.exe
Download: download sample
Signature SnakeKeylogger
Create hunting rule
File size:875'008 bytes
First seen:2022-07-11 14:26:51 UTC
Last seen:2022-07-11 18:28:40 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'655 x AgentTesla, 19'464 x Formbook, 12'205 x SnakeKeylogger)
ssdeep 24576:wiBeQcA220Nqjmlz4xkeJB8sIanrtygrYs:rcALFjmizJB8sIan5Ys
Threatray 6'664 similar samples on MalwareBazaar
TLSH T16E15E1CAA054D990E126153C35BEE3D051B1AC7BC89D7DCEB962703E49F09B7242B6CB
TrID 72.5% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.4% (.EXE) Win64 Executable (generic) (10523/12/4)
6.5% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.4% (.EXE) Win32 Executable (generic) (4505/5/1)
2.0% (.EXE) OS/2 Executable (generic) (2029/13)
File icon (PE):PE icon
dhash icon f0ccf096c8f2ccf0 (15 x AgentTesla, 7 x Formbook, 5 x Loki)
Reporter abuse_ch
Tags:exe SnakeKeylogger TNT

Intelligence

File Origin
# of uploads :
3
# of downloads :
252
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
TNT AWB # TNTMX988653.pdf.exe
Verdict:
Malicious activity
Analysis date:
2022-07-11 16:20:54 UTC
Tags:
evasion trojan snake
Link:
https://app.any.run/tasks/e621497d-019d-47f5-a21a-2f3ca4220a87

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Snake
Create hunting rule
Link:
https://www.capesandbox.com/analysis/286303/
Detection(s):
SecuriteInfo.com.Trojan.Siggen18.23079.13051.19794.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a custom TCP request
Launching a process
Creating a process with a hidden window
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
packed
Link:
https://www.filescan.io/uploads/62cc334c22051a09ca71d0a4/reports/2292cb0b-3db8-46ea-8fd9-c86cf770dbcf/overview
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Snake Keylogger
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/8e4067c7-b216-4061-9c27-38be16357153
Result
Threat name:
Snake Keylogger
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1028731
Signature
.NET source code contains potential unpacker
.NET source code references suspicious native API functions
Adds a directory exclusion to Windows Defender
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
May check the online IP address of the machine
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Mail credentials (via file / registry access)
Uses an obfuscated file name to hide its real file extension (double extension)
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Yara detected AntiVM3
Yara detected Generic Downloader
Yara detected Snake Keylogger
Yara detected Telegram RAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 661234 Sample: TNT AWB # TNTMX988653.pdf.exe Startdate: 11/07/2022 Architecture: WINDOWS Score: 100 35 Snort IDS alert for network traffic 2->35 37 Malicious sample detected (through community Yara rule) 2->37 39 Multi AV Scanner detection for dropped file 2->39 41 14 other signatures 2->41 7 TNT AWB # TNTMX988653.pdf.exe 7 2->7         started        process3 file4 23 C:\Users\user\AppData\...23fZPdsRzdR.exe, PE32 7->23 dropped 25 C:\Users\...25fZPdsRzdR.exe:Zone.Identifier, ASCII 7->25 dropped 27 C:\Users\user\AppData\Local\...\tmp6029.tmp, XML 7->27 dropped 29 C:\...\TNT AWB # TNTMX988653.pdf.exe.log, ASCII 7->29 dropped 43 Writes to foreign memory regions 7->43 45 Adds a directory exclusion to Windows Defender 7->45 47 Injects a PE file into a foreign processes 7->47 11 RegSvcs.exe 15 2 7->11         started        15 powershell.exe 25 7->15         started        17 schtasks.exe 1 7->17         started        signatures5 process6 dnsIp7 31 checkip.dyndns.com 132.226.247.73, 49760, 80 UTMEMUS United States 11->31 33 checkip.dyndns.org 11->33 49 May check the online IP address of the machine 11->49 51 Tries to steal Mail credentials (via file / registry access) 11->51 53 Tries to harvest and steal ftp login credentials 11->53 55 Tries to harvest and steal browser information (history, passwords, etc) 11->55 19 conhost.exe 15->19         started        21 conhost.exe 17->21         started        signatures8 process9
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/32275e396d14199f285fe5781df3d8a11e0d50bd3cb5379f015a535aa7b6da69/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2022-07-11 13:34:43 UTC
File Type:
PE (.Net Exe)
Extracted files:
8
AV detection:
21 of 26 (80.77%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=gitv4olncqmz6kc74v4b346yuepa2uf5hs2tphybljjvvj5w3juq._file
Verdict:
malicious
Similar samples:
1abbde2370c16b13df70225a0c251790f64f3ba70067a30e959360da730eccae
SnakeKeylogger
2e0bcd0644f82dbd6f7bc920b54bf6b4a621ac938a18d35695776f44ae6bccd0
SnakeKeylogger
48b02faab7ec612b14ad80e24b2c67bfca1c1f7474cfb64066261eb6aa0ed952
SnakeKeylogger
4f7d1f1df60c29fe9eff2e75f317a316c9ddc9afe569624a466670cf396b8d61
SnakeKeylogger
675e2bcfc67dce57958c5f8acd387433bd678b2f5da5dac390f4dd2baca11d3f
SnakeKeylogger
b48c018d252b5974a13a65c6b67856d4f2059a90499f65037a63324e4a42001c
SnakeKeylogger
bfc2cfdeb6732fd82c5013684c3760c545b2e0a90aca8c36b3bb9049424d8f73
SnakeKeylogger
c043c4084860560666818264f233a8f6cc739d2e44abfcf36f5232f096dcae51
SnakeKeylogger
+ 6'654 additional samples on MalwareBazaar
Result
Malware family:
snakekeylogger
Create hunting rule
Score:
  10/10
Tags:
family:snakekeylogger collection keylogger stealer
Link:
https://tria.ge/reports/220711-rse2xscch8/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Enumerates physical storage devices
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Looks up external IP address via web service
Checks computer location settings
Snake Keylogger
Snake Keylogger payload
Unpacked files
SH256 hash:
0fae1855c65d635d55e5f6aa450d8c9f3bd63c5cb4ef8e7d6947757b6c4a812e
MD5 hash:
51b3e4f94acfd5f6febdeda4f4e09db3
SHA1 hash:
c526c72601e747287c80aebb4357e6091aa2a960
Link:
https://www.unpac.me/results/d062de49-9c42-42ac-976a-7446f63d2362/
SH256 hash:
883b63ef84c6b1cc09687962beca56e4f4b7960df7c5459e29998befaa3ccf15
MD5 hash:
ecb3f27eb8279c51608c8ea8f8050655
SHA1 hash:
82385d75444ab5fccacf37e2746c7dce73faa7f3
Link:
https://www.unpac.me/results/d062de49-9c42-42ac-976a-7446f63d2362/
SH256 hash:
6d2aac22cc7ec6b40a1ae130dd0be49744008886c502bc31c5b33c72422d3e14
MD5 hash:
33355f295d69ce40cc223254544035e3
SHA1 hash:
37b379cb2e5521476bc6af1cecb505e28798945b
Link:
https://www.unpac.me/results/d062de49-9c42-42ac-976a-7446f63d2362/
SH256 hash:
0b4feb33e0b349e4af927cac2790e4ce13fe73a311e7518eefd55dd487879d6f
MD5 hash:
5af09c9d42a2ea6f2ecb91a69a689943
SHA1 hash:
277910081211ce0d07070aa979b5755c015b3fdc
Link:
https://www.unpac.me/results/d062de49-9c42-42ac-976a-7446f63d2362/
SH256 hash:
d3e3cc240440e520aab2fc4e19fe078b44520a5b3dc4a3e7314ee14184debd5b
MD5 hash:
ca8149ef9f7d879620bb4aab36e329ba
SHA1 hash:
15bb5eb9d4d9954cb1d6248afdbadc4f64bbbf92
Link:
https://www.unpac.me/results/d062de49-9c42-42ac-976a-7446f63d2362/
SH256 hash:
32275e396d14199f285fe5781df3d8a11e0d50bd3cb5379f015a535aa7b6da69
MD5 hash:
79bab85d06654a030b08bc60edef5157
SHA1 hash:
43a88e8d1c8b651292ab2bcda4c8268045b5133f
Link:
https://www.unpac.me/results/d062de49-9c42-42ac-976a-7446f63d2362/
Malware family:
SnakeKeylogger
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/32275e396d14/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/32275e396d14199f285fe5781df3d8a11e0d50bd3cb5379f015a535aa7b6da69

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/286303/

Comments