MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 33f56d6b8fadc1fb40a9485acd63a7cf42d81c5a494799513f4adddb523f84c9. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

SnakeKeylogger

Vendor detections: 15

Intelligence 15 IOCs YARA 2 File information Comments

SHA256 hash:	33f56d6b8fadc1fb40a9485acd63a7cf42d81c5a494799513f4adddb523f84c9
SHA3-384 hash:	9d413ee28577662cbf5bd1c8dbd029f27cfd4ad93557db62e5b17070a54fcdc24dc2bb4fd9e3619eed1c2a166141d30e
SHA1 hash:	4f3d3744e35ca419b0c2cd3b84f60b388cce67fd
MD5 hash:	4bda9b469a4d685c07c2f17904f22c91
humanhash:	table-eleven-bravo-georgia
File name:	IMG-1789000-RFQ.exe
Download:	download sample
Signature	SnakeKeylogger Create hunting rule
File size:	673'280 bytes
First seen:	2022-12-06 10:00:46 UTC
Last seen:	2022-12-06 11:33:02 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'663 x AgentTesla, 19'478 x Formbook, 12'208 x SnakeKeylogger)
ssdeep	12288:cBudvtbUNmwqqeQl2ZEFaGz+WYnKlarOaYXz18FfYYbfQ0q:5aNmJCl2uPzJYnKoHYD1ewslq
Threatray	9'329 similar samples on MalwareBazaar
TLSH	T184E4F1BEF5DBCF41C75415B7C0D7A92003E695834276E32B3B4412EA8D627E18C5ABCA
TrID	60.4% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13) 10.8% (.SCR) Windows screen saver (13097/50/3) 8.7% (.EXE) Win64 Executable (generic) (10523/12/4) 5.4% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 4.1% (.EXE) Win16 NE executable (generic) (5038/12/1)
Reporter	madjack_red
Tags:	exe SnakeKeylogger

Intelligence

File Origin

# of uploads :

# of downloads :

202

Origin country :

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

IMG-1789000-RFQ.exe

Verdict:

Suspicious activity

Analysis date:

2022-12-06 10:02:51 UTC

Tags:

n/a

Link:

https://app.any.run/tasks/ee312fce-5a2e-434e-b396-014146fd7647

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

Snake

Link:

https://www.capesandbox.com/analysis/343349/

Detection(s):

SecuriteInfo.com.BackDoor.RatNET.2.5185.2563.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Searching for the window

Creating a window

Sending a custom TCP request

Unauthorized injection to a recently created process

Creating a file

Сreating synchronization primitives

DNS request

Sending an HTTP GET request

Reading critical registry keys

Verdict:

Suspicious

Threat level:

5/10

Confidence:

100%

Tags:

packed

Link:

https://www.filescan.io/uploads/638f12e11241e6c7429987e9/reports/3643ee83-10bc-4213-bb43-d95c0dbab058/overview

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Snake Keylogger

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/0a93e28f-f50a-42ef-98cd-f1c7f35b4634

Result

Threat name:

Snake Keylogger

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1128779

Signature

.NET source code contains method to dynamically call methods (often used by packers)

.NET source code references suspicious native API functions

Injects a PE file into a foreign processes

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

May check the online IP address of the machine

Multi AV Scanner detection for submitted file

Snort IDS alert for network traffic

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to steal Mail credentials (via file / registry access)

Yara detected AntiVM3

Yara detected Generic Downloader

Yara detected Snake Keylogger

Yara detected Telegram RAT

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/33f56d6b8fadc1fb40a9485acd63a7cf42d81c5a494799513f4adddb523f84c9/

Threat name:

ByteCode-MSIL.Trojan.Leonem

Status:

Malicious

First seen:

2022-11-29 03:13:47 UTC

File Type:

PE (.Net Exe)

Extracted files:

AV detection:

31 of 41 (75.61%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=gp2w224pvxa7wqfjjbnm2y5hz5bnqhc2jfdzsuj7jlo5wur7qteq._file

Verdict:

malicious

SnakeKeylogger

50da774fda04ec1034035862f80ea8933397e34b66ac58c239c369836e341be0

SnakeKeylogger

658cb26b4f26e4ecf21c85c6138ceb52c614ca4092a69c365d324ff0b4b0d7c0

SnakeKeylogger

7370349d22f65927955d817fde07a3c9e1b5235fe3091278ad6899d8026422e3

SnakeKeylogger

7c0ccddd1e886d81fbcd8e4c62e6d61ce7e78258825a1f2ef1bc7edca4179cd5

SnakeKeylogger

ba7fa01438610d59a23d6daaa7dac208e3a99ff8dd10dfd6d9be2a59d4ff557e

SnakeKeylogger

f293c00ae925b1e3160d4104f35de999a31728aa5b636dd945d2ceb1d5045c01

SnakeKeylogger

f5b5997f3b718acf9ad712558e910e0d0c4777d8882207c05510f6c42cb3013d

SnakeKeylogger

+ 9'319 additional samples on MalwareBazaar

Result

Malware family:

snakekeylogger

Score:

10/10

Tags:

family:snakekeylogger collection keylogger spyware stealer

Link:

https://tria.ge/reports/221206-l18fjsfh54/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

outlook_office_path

outlook_win_path

Suspicious use of SetThreadContext

Accesses Microsoft Outlook profiles

Looks up external IP address via web service

Reads data files stored by FTP clients

Reads user/profile data of local email clients

Reads user/profile data of web browsers

Snake Keylogger

Snake Keylogger payload

Unpacked files

SH256 hash:

a4dea87c44153bb33ce223c0193582b6ef2e73f17d632ecb4392fcb2830fa7ec

MD5 hash:

d19ef48d7f6d470b405e3577b65131b4

SHA1 hash:

f53b620e189662da1daf92a874c5510e64a5f0f3

Detections:

snake_keylogger

Link:

https://www.unpac.me/results/08c485c8-ec0c-4a78-8601-2c471285dbda/

Parent samples :

a7f5873d043294de859736362df3aa0fb6c50ece6b9325c9b48cde35d9cddf8a
86b69e37fb4f94c2b24904bbb004474b8f57abecc6332ff595c1eacc7ab59bf6
460924c55f59314a09c710e31d9c215fdb471eafbb5d6bd348972fee078a316e
2e873b3c9f0817c1d492ee2b05319fdd277a4535c1623592c2c097f811ac45fc
cce8ba621c797e9782cc2c56058cbb25555b367673a5f70aff660dd0bd509390
15e607b94fb0b5d7cd1b5380d2f7f91634d5772218fdbadefb41e5b20ccead5d
bb6240ace6a64b0d45a7180d0b0f482597f69e270de56f7cfb47049d096b720d
15e5350ed0a3c724d2d904f87e87adadb2f658a71584b486409302c8a5b99c85
622c2192e22e7e407ee6f870dcd26689a2998571c725ac4d7f2682ec72de0fdd
30204f8d475b5d9da3ab0f5282468414fb3680aea9e171f2be3677c3531c34e7
9f8bd35c99417ab86d20781c7f4737a247ab64354e73ffbc52d5c5e35f8cdc14
2b3bc8ae8908f619944ca14696ecec764b92d6ff891838d1a7fe951580b8edea
d742297ca5cc509b66ce7090284d5a996b4bf3fb284797442402fff10ae47e74
62807c3f8896bab3bad4537ffc327dc1775e250c0f0d8822f2df585e843e3f47
454529ef92f2ff17bdfb7f8ec8df852fd1f7c7919a021adf1b6b1d41b4519ef6
a888f1a58c8c2ab3a2ae32743d0362fe01f145e76b4196c21b9c2bafc978e7fb
76cec159d26635e1caf4cd67b798904fac19e37ec5f85ca63f7a0b3d66de91e0
04a99d8b230a027d26f94dbb34a80129744482e7bf4ef5d4c94de770da6f4d84
42b6acf48bac461e6e74d778b14ff37c892369020eda38a64ff1e33ed9453206
689bab60fc1b21763f58b0b716ec90c9e28dc56988ff1b3520c5dad7a979606c
8f5a23cb25c7cb7ec6ea3a53261ed6c7983751eabaccae62dd964b8dee5259ee
0ca6f42f7efb21a5b4a93bbe6c2c4f69e9f9381f2a858872dd82df7e01332f7a
b13ea396ab71dd043b9df28dd8c484d432382228c03c8bcf57c01040d5a39ca6
33f56d6b8fadc1fb40a9485acd63a7cf42d81c5a494799513f4adddb523f84c9
b971a16851e90b9ba431ec5c3c739204f16d361b57ac22ab43a05feee0f39ed1
2b290eb25ebac77c8286c8bee0ca6b59898f1aac63c7aed531ce031864c29a73

SH256 hash:

3624268b1bf67fd3f560f345e5171f3a2f8968a776c23816ea76fc0ef41b0f03

MD5 hash:

1619753b625e58c25b73fbf1f0bff482

SHA1 hash:

c0d7922bdbc10ef0ee1606a40c2dedd22cb180d4

Link:

https://www.unpac.me/results/08c485c8-ec0c-4a78-8601-2c471285dbda/

SH256 hash:

ce1bdc0c5c0fbc9a40dd9790b61e82717e20622b12755ead75a91458fca29e6f

MD5 hash:

bf1435d0b79b575ca83738b3cca42428

SHA1 hash:

c03111f2327b9d6c7ccd95b73774d681b73c4c7a

Link:

https://www.unpac.me/results/08c485c8-ec0c-4a78-8601-2c471285dbda/

SH256 hash:

34c3c38cc5a35d9fa967a1e8f4c6dec9103d1fb2a5d2a90beb10c5ae5417e2a4

MD5 hash:

6c9e6bd09d07ca82e1e2cd6a4fbc4ab3

SHA1 hash:

6966b59b2693ee234f7a4e04c5ad375d0d1212ac

Link:

https://www.unpac.me/results/08c485c8-ec0c-4a78-8601-2c471285dbda/

SH256 hash:

2bf17549e86d6222d0a4c2d8837c75c6a4f34f6a20524846b3a5da555ff79d97

MD5 hash:

1f6d9584368d2bdff27553faef456bc5

SHA1 hash:

33ffe4d9170da43ffba45a0bba1fe466447a1bd4

Link:

https://www.unpac.me/results/08c485c8-ec0c-4a78-8601-2c471285dbda/

SH256 hash:

340ba2312d5cdfc3d89f3f35f627187dcb406e5afea134bc76b04f52f4285df3

MD5 hash:

85f9290aa8900e9fd74b01ee23125706

SHA1 hash:

310eb5e4aea5471b74a6385f1da283b9d8e3d698

Link:

https://www.unpac.me/results/08c485c8-ec0c-4a78-8601-2c471285dbda/

SH256 hash:

33f56d6b8fadc1fb40a9485acd63a7cf42d81c5a494799513f4adddb523f84c9

MD5 hash:

4bda9b469a4d685c07c2f17904f22c91

SHA1 hash:

4f3d3744e35ca419b0c2cd3b84f60b388cce67fd

Link:

https://www.unpac.me/results/08c485c8-ec0c-4a78-8601-2c471285dbda/

Malware family:

SnakeKeylogger

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/33f56d6b8fad/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Suspicious File

Score:

0.65

Link:

https://yomi.yoroi.company/submissions/33f56d6b8fadc1fb40a9485acd63a7cf42d81c5a494799513f4adddb523f84c9

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	pe_imphash Create hunting rule

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/343349/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample