MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 34948b4ad07e83786411e80a8dac236fe04439638013badf47db03d128b13c9e. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


SnakeKeylogger


Vendor detections: 14


Intelligence 14 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 34948b4ad07e83786411e80a8dac236fe04439638013badf47db03d128b13c9e
SHA3-384 hash: 43603e218412521180958593e369b7fcf4947f307a477c6ac24f72fe136b044c18bc3fa11f700dc8228c713b0a7d7986
SHA1 hash: cc143849dc78eec98edb255d3c3ecb2513828b3e
MD5 hash: d2dc5cd3a42d953a3bdef0908030cede
humanhash: don-wyoming-arizona-lake
File name:TT Copy 30JAN PDF.exe
Download: download sample
Signature SnakeKeylogger
Create hunting rule
File size:804'352 bytes
First seen:2023-01-30 10:34:02 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'740 x AgentTesla, 19'599 x Formbook, 12'241 x SnakeKeylogger)
ssdeep 12288:hX+0DW1z0C1K5quKsSxcmuWeh3ih9H2AQZAQImO5M:h3WxA5quxmuBYT3
Threatray 11'965 similar samples on MalwareBazaar
TLSH T15E05CF8A72DCB4DFC40A85765DB4FD2CAA213C7652178E022C53B75D893E5438AB31BE
TrID 67.7% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
9.7% (.EXE) Win64 Executable (generic) (10523/12/4)
6.0% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
4.1% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):PE icon
dhash icon b4ecccccd4c4ccc8 (8 x AgentTesla, 6 x Formbook, 2 x RedLineStealer)
Reporter abuse_ch
Tags:exe SnakeKeylogger

Intelligence

File Origin
# of uploads :
1
# of downloads :
187
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
TT Copy 30JAN PDF.exe
Verdict:
Malicious activity
Analysis date:
2023-01-30 10:41:42 UTC
Tags:
evasion trojan snake keylogger
Link:
https://app.any.run/tasks/dd3c48d0-b02b-469e-ae09-a715f1a3fbc9

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Snake
Create hunting rule
Link:
https://www.capesandbox.com/analysis/358229/
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Сreating synchronization primitives
Launching a process
Creating a process with a hidden window
Using the Windows Management Instrumentation requests
Creating a file
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
packed
Link:
https://www.filescan.io/uploads/63d79d2789bd67c10fdb8278/reports/63553a4e-c4f5-4aa9-890c-7d2b518d32e4/overview
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Generic Malware
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/bb402f89-0e35-47c6-820e-b71901c1a8bd
Result
Threat name:
Snake Keylogger
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1161476
Signature
.NET source code references suspicious native API functions
Adds a directory exclusion to Windows Defender
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Icon mismatch, binary includes an icon from a different legit application in order to fool users
Injects a PE file into a foreign processes
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
May check the online IP address of the machine
Multi AV Scanner detection for submitted file
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Snort IDS alert for network traffic
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Mail credentials (via file / registry access)
Yara detected AntiVM3
Yara detected Generic Downloader
Yara detected Snake Keylogger
Yara detected Telegram RAT
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/34948b4ad07e83786411e80a8dac236fe04439638013badf47db03d128b13c9e/
Threat name:
Win32.Spyware.SnakeLogger
Create hunting rule
Status:
Malicious
First seen:
2023-01-30 02:03:16 UTC
File Type:
PE (.Net Exe)
Extracted files:
23
AV detection:
20 of 26 (76.92%)
Threat level:
  2/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=gskiwswqp2bxqzar5afi3lbdn7qeioldqaj3vx2h3mb5ckfrhspa._file
Verdict:
malicious
Similar samples:
0cc2e5b30e63a14392a667b12c238c794eba4d2e6bc8f581319baf1e0efe537b
SnakeKeylogger
0dbf52d78ab0bb338530fa37c966bedf576b0d2cc6f841fea03ec0e396d080b6
SnakeKeylogger
2050100f2b3759aa5fc9e7bb9222b22995eb873e4ad043f9c058479475b1b877
SnakeKeylogger
2787c515f1bf23eb1f84b4d0cda93a5929f094837e83155c144346ab53d0eeff
SnakeKeylogger
406e9f07aa3bb42bcc51aab336b1a672de5abb220416451cdebc0916cbb45396
SnakeKeylogger
5fbe0c0a58f4490e4060616d0fcc58527453a27ebe95a34161a63d4dc45d875f
SnakeKeylogger
775bfe71cc319661eab3324221ff8f507df0f88dc7062133faa70c0e1969a69c
SnakeKeylogger
b224fda1120307ae20f7bc3cc954eb01e0f42d3a68ec52bebde216e0fbc2a0d6
SnakeKeylogger
cd457647c5506fa1ebd3577f1ae8e918d4c0428038cee79db004570a7fa62c20
SnakeKeylogger
+ 11'955 additional samples on MalwareBazaar
Result
Malware family:
snakekeylogger
Create hunting rule
Score:
  10/10
Tags:
family:snakekeylogger collection evasion keylogger spyware stealer
Link:
https://tria.ge/reports/230130-ml8nfaaa82/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Enumerates physical storage devices
Program crash
Suspicious use of SetThreadContext
Looks up external IP address via web service
Maps connected drives based on registry
Accesses Microsoft Outlook profiles
Checks BIOS information in registry
Checks computer location settings
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Looks for VMWare Tools registry key
Looks for VirtualBox Guest Additions in registry
Snake Keylogger
Snake Keylogger payload
Unpacked files
SH256 hash:
178cc7474b323b0ae6b3095ff67127726530d9d44be5cb58ba7315ef3a1199ad
MD5 hash:
159af9cf7f94d64c8120c80268965306
SHA1 hash:
fb41ab37af2c83e96d97e9cd066f90e72d4887ea
Link:
https://www.unpac.me/results/8b740341-812b-4314-8f1b-8169e54bf043/
SH256 hash:
48fba9a14fc53f0a3e275bf5e04aca08eef46e9252a4cd55dd56b0cc8780b3d9
MD5 hash:
5cc7b50d3387add8cad72f6df6630e52
SHA1 hash:
db2de7c4d4b9c27422b7f9414f6bfc15684bac36
Link:
https://www.unpac.me/results/8b740341-812b-4314-8f1b-8169e54bf043/
SH256 hash:
54d781f0dee6692c47390edf1ada295fb17a7e80ed5ccd58ab14c6ddf80a0ad8
MD5 hash:
4f6caebd865502f7c8046fbae3284c61
SHA1 hash:
be357e832bf6f61454875b37a1759cf1c5fa5ca4
Link:
https://www.unpac.me/results/8b740341-812b-4314-8f1b-8169e54bf043/
SH256 hash:
232a6142f32097b203f3b23e71081f52e29e871e0c873817f65621ed47a16859
MD5 hash:
4068db259df3749f979a50ee06ec21de
SHA1 hash:
6a5cba347d0fba19bb7f7a502a118563ad74874a
Detections:
snake_keylogger
Create hunting rule
Link:
https://www.unpac.me/results/8b740341-812b-4314-8f1b-8169e54bf043/
Parent samples :
54933c48dcb2387600abe3a527ebb21ea93927134b38a014afdb2ba44d8c1fff
34948b4ad07e83786411e80a8dac236fe04439638013badf47db03d128b13c9e
SH256 hash:
6742d946b1ad4233b51e299fd85065da267726c79522c67a358bce795afcc641
MD5 hash:
d58aff1a392e4fa76f4d7b27fd4926b5
SHA1 hash:
2b5b83052a7ee327d5e9271338a8d5b2170d0c17
Link:
https://www.unpac.me/results/8b740341-812b-4314-8f1b-8169e54bf043/
SH256 hash:
34948b4ad07e83786411e80a8dac236fe04439638013badf47db03d128b13c9e
MD5 hash:
d2dc5cd3a42d953a3bdef0908030cede
SHA1 hash:
cc143849dc78eec98edb255d3c3ecb2513828b3e
Link:
https://www.unpac.me/results/8b740341-812b-4314-8f1b-8169e54bf043/
Malware family:
SnakeKeylogger
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/34948b4ad07e/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/34948b4ad07e83786411e80a8dac236fe04439638013badf47db03d128b13c9e

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

SnakeKeylogger

Executable exe 34948b4ad07e83786411e80a8dac236fe04439638013badf47db03d128b13c9e

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/358229/

Comments