MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 3266a0669caa4babe913c1f33f30a5ec22e99345173cdc9527ea93aa8f3673eb. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


SnakeKeylogger


Vendor detections: 11


Intelligence 11 IOCs YARA 8 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 3266a0669caa4babe913c1f33f30a5ec22e99345173cdc9527ea93aa8f3673eb
SHA3-384 hash: 66070e1ba38309a4634f3928509418ae4df8ab60a5a62a87d07ea9601f8cce6266bd4f71925fb25e0ab6b965846cb663
SHA1 hash: f8faee666213ddc01a83799962a73ff47bf5d1d8
MD5 hash: 1adc88b80dd9498bee4a48a62c6ad234
humanhash: fillet-missouri-magazine-stream
File name:UPS Anfrageformular 1.exe
Download: download sample
Signature SnakeKeylogger
Create hunting rule
File size:1'234'944 bytes
First seen:2021-07-26 10:30:25 UTC
Last seen:2021-07-26 11:52:44 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'666 x AgentTesla, 19'479 x Formbook, 12'209 x SnakeKeylogger)
ssdeep 24576:WmOsBgo0q4wMyBmCmTOUd+L6kgXWFyVUblQh/wwAXPCoP:WPoHMmmCm6Ud+zgX2lcWz
Threatray 874 similar samples on MalwareBazaar
TLSH T16945AFB1091DEF22F4B706BD7871564442B49D46C96FCB68EE7332ABCDB0BC23456A81
dhash icon f0c4e86969e8d4f0 (9 x Formbook, 4 x SnakeKeylogger, 3 x AgentTesla)
Reporter lowmal3
Tags:exe SnakeKeylogger

Intelligence

File Origin
# of uploads :
2
# of downloads :
124
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
UPS Anfrageformular 1.exe
Verdict:
Malicious activity
Analysis date:
2021-07-26 10:33:35 UTC
Tags:
evasion trojan
Link:
https://app.any.run/tasks/329a5e98-af58-4368-927c-cdc1b1de76e1

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Snake
Create hunting rule
Link:
https://www.capesandbox.com/analysis/174090/
Detection(s):
SecuriteInfo.com.Trojan.YakbeexMSIL.ZZ4.29436.2903.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a UDP request
Unauthorized injection to a recently created process
Creating a file
DNS request
Connection attempt
Sending an HTTP GET request
Sending a custom TCP request
Reading critical registry keys
Setting a global event handler for the keyboard
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Snake Keylogger
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/70208be8-b6cf-40c5-988f-a69ee1ecc9dd
Result
Threat name:
Snake Keylogger
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/821705
Signature
.NET source code references suspicious native API functions
Antivirus detection for URL or domain
Found malware configuration
Injects a PE file into a foreign processes
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
May check the online IP address of the machine
Multi AV Scanner detection for domain / URL
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Mail credentials (via file access)
Yara detected Snake Keylogger
Behaviour
Behavior Graph:
Download SVG
Gathering data
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2021-07-26 10:31:04 UTC
AV detection:
17 of 28 (60.71%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=gjtkazu4vjf2x2ityhzt6mff5qrote2fc46nzfjh5kj2vdzwopvq._file
Verdict:
malicious
Similar samples:
03d0aac6f093a70220228119cee9b391830fb5ec500c2fe95d488a037cb37f8c
SnakeKeylogger
2a91e3c56d2e6e834bdfdab27b2092386d549d5ef85536aaa76ce5829d1090e4
SnakeKeylogger
51d5a88a4ba4a668db92c2aabfae2e394bff27bd40f9693615dda48eab999d47
SnakeKeylogger
54312ea9106139b43ff7ab38cdee369e00aa1b5d6433971e167716e9a55ee4b8
SnakeKeylogger
9fb57f10806d3f0f9d89e0b74ee8ffe7fbdb93f642619d30aac24603a27d1479
SnakeKeylogger
b33baba943038aa630b333eb82a3159eaa82541b26c7f942d1b452490abc0551
SnakeKeylogger
d44a2ec092a66bec26dabf98269fab0009b8309966e7a78fb0263b8c086d0c29
SnakeKeylogger
d9ed8af079bdd7fef1daa51696fe0172d5170fd4ee668ed2f252cbe65a2ab488
SnakeKeylogger
dd779d251eb7d27fd513b44de8286b6168e7af9b741ad1d390a34dafd58e48f0
SnakeKeylogger
+ 864 additional samples on MalwareBazaar
Result
Malware family:
snakekeylogger
Create hunting rule
Score:
  10/10
Tags:
family:snakekeylogger keylogger spyware stealer
Link:
https://tria.ge/reports/210726-rkg3dlrbse/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Looks up external IP address via web service
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
CustAttr .NET packer
Snake Keylogger
Unpacked files
SH256 hash:
c93fe55a6e88de04e0ae171eea5a33440207c54f31537862cabe261b886d5db2
MD5 hash:
23263c207aad042868ee68a941a43747
SHA1 hash:
abaf140661729f4c9805c6a6bfcced9dc4eed952
Link:
https://www.unpac.me/results/cb2823de-2951-462d-83e8-103c00614d46/
SH256 hash:
97d2fa1d01b2f9a2199896e05e0cf60c14a9f41ef2d72e15fbb862b7afa08438
MD5 hash:
68463851c0e6fe7a254c99fae763d454
SHA1 hash:
4587a5371d88c296a0184fe47ee0c5245b187127
Link:
https://www.unpac.me/results/cb2823de-2951-462d-83e8-103c00614d46/
SH256 hash:
51266a405ca2fbb8c981c4620af83bea51cb34c234569214c81ec64108602a6e
MD5 hash:
8258077fb9474a27fe3fab8f57c4e64d
SHA1 hash:
3fd0c2e82517a9fc38478f77468e3c7f2990b64e
Link:
https://www.unpac.me/results/cb2823de-2951-462d-83e8-103c00614d46/
SH256 hash:
68d68e7772d909eb9a9d7737417ae3d8544ac5a80bcbeecd44d3cb926c4d30f8
MD5 hash:
855b30a1173ad29a32f55e738990c4ff
SHA1 hash:
1b6e171dd89bbff51886b7c2e7bda9fb32640ed1
Link:
https://www.unpac.me/results/cb2823de-2951-462d-83e8-103c00614d46/
SH256 hash:
3266a0669caa4babe913c1f33f30a5ec22e99345173cdc9527ea93aa8f3673eb
MD5 hash:
1adc88b80dd9498bee4a48a62c6ad234
SHA1 hash:
f8faee666213ddc01a83799962a73ff47bf5d1d8
Link:
https://www.unpac.me/results/cb2823de-2951-462d-83e8-103c00614d46/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.65
Link:
https://yomi.yoroi.company/submissions/3266a0669caa4babe913c1f33f30a5ec22e99345173cdc9527ea93aa8f3673eb

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_SUSPICIOUS_Binary_References_Browsers
Create hunting rule
Author:ditekSHen
Description:Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers.
Rule name:INDICATOR_SUSPICIOUS_EXE_Referenfces_Messaging_Clients
Create hunting rule
Author:ditekSHen
Description:Detects executables referencing many email and collaboration clients. Observed in information stealers
Rule name:INDICATOR_SUSPICOIUS_EXE_DotNetProcHook
Create hunting rule
Author:ditekSHen
Description:Detects executables with potential process hoocking
Rule name:MALWARE_Win_SnakeKeylogger
Create hunting rule
Author:ditekSHen
Description:Detects Snake Keylogger
Rule name:MAL_Envrial_Jan18_1
Create hunting rule
Author:Florian Roth
Description:Detects Encrial credential stealer malware
Reference:https://twitter.com/malwrhunterteam/status/953313514629853184
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash
Rule name:Telegram_Exfiltration_Via_Api
Create hunting rule
Author:lsepaolo

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

SnakeKeylogger

Executable exe 3266a0669caa4babe913c1f33f30a5ec22e99345173cdc9527ea93aa8f3673eb

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/174090/

Comments