MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 35a55c6bd2bf598a39c37fed70a97774510187ce41589c497ca97e8f9b171d4d. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


SnakeKeylogger


Vendor detections: 12


Intelligence 12 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 35a55c6bd2bf598a39c37fed70a97774510187ce41589c497ca97e8f9b171d4d
SHA3-384 hash: 8b1728d1c903fda7e4101d2b2f23b891179a2d9ad07e272a2551b65dfa095ce4c115931a06761ccf18e9e61d231c3d27
SHA1 hash: d1951954645ab2dac450c84d7910de5758603d66
MD5 hash: fd88fcfad0a4e765e806cb1a78535859
humanhash: bluebird-potato-stream-wisconsin
File name:Deposit Slip.exe
Download: download sample
Signature SnakeKeylogger
Create hunting rule
File size:679'936 bytes
First seen:2023-08-28 08:42:04 UTC
Last seen:2023-08-28 09:39:24 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'742 x AgentTesla, 19'607 x Formbook, 12'242 x SnakeKeylogger)
ssdeep 12288:UtWJp094vHZcvQUB/r4OEjIqHaADLLKyowWin:UtF9qGvxGORlAD3
Threatray 353 similar samples on MalwareBazaar
TLSH T1FDE40223FE129FADD03A87FA3C1AC51046B2DE4E6C50D758A89A36E65D70713442DF1B
TrID 63.0% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
11.2% (.SCR) Windows screen saver (13097/50/3)
9.0% (.EXE) Win64 Executable (generic) (10523/12/4)
5.6% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
3.8% (.EXE) Win32 Executable (generic) (4505/5/1)
Reporter abuse_ch
Tags:exe SnakeKeylogger

Intelligence

File Origin
# of uploads :
2
# of downloads :
276
Origin country :
NL NL
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
Deposit Slip.exe
Verdict:
Malicious activity
Analysis date:
2023-08-28 08:42:20 UTC
Tags:
evasion
Link:
https://app.any.run/tasks/09cea0a7-504c-4565-915b-aa6a110ce32b

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/444838/
Detection(s):
Porcupine.Malware.58887.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Unauthorized injection to a recently created process
Restart of the analyzed sample
Creating a file
Сreating synchronization primitives
DNS request
Sending an HTTP GET request
Moving of the original file
Forced shutdown of a browser
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
packed
Link:
https://www.filescan.io/uploads/64ec5e17bf947976df451796/reports/c8cdec9b-b907-4334-8358-11f92d5dd4a5/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_100%
Link:
https://www.hybrid-analysis.com/sample/35a55c6bd2bf598a39c37fed70a97774510187ce41589c497ca97e8f9b171d4d
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/af03de55-e1e2-4503-9063-2d4662acb6b0
Result
Threat name:
AgentTesla, Snake Keylogger
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1298527
Signature
.NET source code contains potential unpacker
.NET source code contains very large array initializations
Antivirus / Scanner detection for submitted sample
Injects a PE file into a foreign processes
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
May check the online IP address of the machine
Moves itself to temp directory
Multi AV Scanner detection for submitted file
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Yara detected AgentTesla
Yara detected Beds Obfuscator
Yara detected Generic Downloader
Yara detected Snake Keylogger
Yara detected Telegram RAT
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/35a55c6bd2bf598a39c37fed70a97774510187ce41589c497ca97e8f9b171d4d/
Threat name:
Win32.Trojan.Leonem
Create hunting rule
Status:
Malicious
First seen:
2023-08-28 00:48:36 UTC
File Type:
PE (.Net Exe)
Extracted files:
10
AV detection:
17 of 24 (70.83%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=gwsvy26sx5myuoodp7wxbklxoriqdb6oifmjysl4vf7i7gyxdvgq._file
Verdict:
malicious
Similar samples:
0361bde7da9104b4a09db39ac90c1af16e0aa137f4f33c57c9844066ce7c6d7a
SnakeKeylogger
15ba4f63fe43c578c10edea51d3a521efb953302d78621b92ca65e699b921dad
SnakeKeylogger
57a70c86b99cac6435ffc0fc3c93957ece656f9d92061a4ad7e06c531c0bbb4f
SnakeKeylogger
710fa86210820e8990d72fde020d01022c213ef03c036d1ed1ce96e8a07eb9ce
SnakeKeylogger
7814c75c9ddfebea34123a885417c971802505f045ed5c0103a9762b83200656
SnakeKeylogger
9ee5d34b5de79e79f492e962d73fb45d7eb63d6b5f146e29a1a27a7bcb6c9a14
SnakeKeylogger
a0a349494a2ddb51929195de419866d0b0f1ba3569a6e0722f7be92c253132e5
SnakeKeylogger
bf6e98c839e903874bf78b089e4936b4294747664464be6be434dbb54ef85c08
SnakeKeylogger
c55bc8db8e2e82ba94d54b7e372cd2063608519f29815af447bacba01f4c33fd
SnakeKeylogger
+ 343 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  7/10
Tags:
spyware stealer
Link:
https://tria.ge/reports/230828-kmklwsbc9t/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: RenamesItself
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Looks up external IP address via web service
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Unpacked files
SH256 hash:
c2747565074a0642002948879d3d7b6bf3b34f4721cfb8b2d150011c0f4420fc
MD5 hash:
da29133ed9af66720a17d19c52b99dd5
SHA1 hash:
dac3ea65aa296bde5df41ee1ecbac9704a9993da
Link:
https://www.unpac.me/results/7571d77a-159f-428e-9cd0-080b1f58c55d/
SH256 hash:
4b9d82a107976dcf00cd5d4aa9ddb92d350b0db7687d57d523c66e3c72802cf3
MD5 hash:
42d2c320c37a7f2500220d202e728f87
SHA1 hash:
c8b9173a3c0a9116229c2b52e877c66882296c00
Link:
https://www.unpac.me/results/7571d77a-159f-428e-9cd0-080b1f58c55d/
SH256 hash:
2ac2f55e15fd8da559f99925ceee9166ca978e94cbc53a5cb29bf02d0a76ac7f
MD5 hash:
1081db0b25581c7958e6fbff4d9aa64a
SHA1 hash:
bcb0e0fe844884a5b0d05cd3b0cc5fd7a5ff53b9
Link:
https://www.unpac.me/results/7571d77a-159f-428e-9cd0-080b1f58c55d/
SH256 hash:
0fe2af939fae802fcedf94ddb7acf6254e590010a79aff06532578d3fcaed21e
MD5 hash:
a06fbdc5e3a3637536007b99e28d5304
SHA1 hash:
478edda6ab87ada0a127a142be816e2a8cfaa19f
Link:
https://www.unpac.me/results/7571d77a-159f-428e-9cd0-080b1f58c55d/
SH256 hash:
35a55c6bd2bf598a39c37fed70a97774510187ce41589c497ca97e8f9b171d4d
MD5 hash:
fd88fcfad0a4e765e806cb1a78535859
SHA1 hash:
d1951954645ab2dac450c84d7910de5758603d66
Link:
https://www.unpac.me/results/7571d77a-159f-428e-9cd0-080b1f58c55d/
Malware family:
AgentTesla.v3
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/35a55c6bd2bf/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Password Stealer
Score:
0.90
Link:
https://yomi.yoroi.company/submissions/35a55c6bd2bf598a39c37fed70a97774510187ce41589c497ca97e8f9b171d4d

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

SnakeKeylogger

Executable exe 35a55c6bd2bf598a39c37fed70a97774510187ce41589c497ca97e8f9b171d4d

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/444838/

Comments