MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 36b652a48927acff9e7e99be2d2e558f81036a400c1abbeed39d23ea8d3eea8c. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


SnakeKeylogger


Vendor detections: 9


Intelligence 9 IOCs YARA 6 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 36b652a48927acff9e7e99be2d2e558f81036a400c1abbeed39d23ea8d3eea8c
SHA3-384 hash: c8d07ae4d5547fe635c902c2ba25a947277b09a5d888de1917ebcc97c5c4496b18225bfe583a9eb84ce07049f21d7ccc
SHA1 hash: bea2c36010e379276b853fa5a8f7525d6c37035f
MD5 hash: c5a07d20c6083158cd479b0f0a104ade
humanhash: minnesota-california-venus-gee
File name:c5a07d20c6083158cd479b0f0a104ade.exe
Download: download sample
Signature SnakeKeylogger
Create hunting rule
File size:544'256 bytes
First seen:2021-11-14 13:49:14 UTC
Last seen:2021-11-14 15:48:58 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'661 x AgentTesla, 19'472 x Formbook, 12'208 x SnakeKeylogger)
ssdeep 6144:z9w3f67/0Sndc7PKWdAfBrKC9b7umzrTDeCXFkvOTMU7TEsGbY:e3fKhnqWjumzrvjXFkvOTT7TE
Threatray 2'276 similar samples on MalwareBazaar
TLSH T1D2C4706C3ED15FB2ED1DC0318D120A8BBB660F136240E996D7DB25CA8B5F1662DD7C88
File icon (PE):PE icon
dhash icon 3474c4d4d4d4ccd0 (3 x SnakeKeylogger, 2 x AgentTesla, 2 x Formbook)
Reporter abuse_ch
Tags:exe SnakeKeylogger

Intelligence

File Origin
# of uploads :
2
# of downloads :
132
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/205685/
Detection(s):
SecuriteInfo.com.Trojan.DownLoader43.61073.6349.24505.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Launching a process
Running batch commands
Creating a process with a hidden window
DNS request
Creating a file in the %AppData% subdirectories
Connection attempt
Sending an HTTP GET request
Sending a custom TCP request
Reading critical registry keys
Sending a UDP request
Creating a process from a recently created file
Unauthorized injection to a system process
Enabling autorun by creating a file
Forced shutdown of a browser
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
anti-vm obfuscated packed
Link:
https://www.filescan.io/uploads/6191140e3edf00a722d3bb37/reports/bfa855e4-e9d5-45de-9f82-7ebff962e5c8/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/32623bf8-2875-4f37-8eee-da8e0ce0a069
Result
Threat name:
Snake Keylogger
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/888938
Signature
.NET source code references suspicious native API functions
Binary or sample is protected by dotNetProtector
Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)
Found malware configuration
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
May check the online IP address of the machine
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Tries to delay execution (extensive OutputDebugStringW loop)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Mail credentials (via file / registry access)
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Yara detected Snake Keylogger
Yara detected Telegram RAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 521406 Sample: M7ByOb7ldG.exe Startdate: 14/11/2021 Architecture: WINDOWS Score: 100 51 Found malware configuration 2->51 53 Malicious sample detected (through community Yara rule) 2->53 55 Multi AV Scanner detection for submitted file 2->55 57 5 other signatures 2->57 7 M7ByOb7ldG.exe 4 2->7         started        10 hsob.exe 3 2->10         started        process3 signatures4 59 Writes to foreign memory regions 7->59 61 Tries to delay execution (extensive OutputDebugStringW loop) 7->61 63 Injects a PE file into a foreign processes 7->63 12 vbc.exe 15 2 7->12         started        16 cmd.exe 3 7->16         started        19 cmd.exe 1 7->19         started        65 Multi AV Scanner detection for dropped file 10->65 67 Machine Learning detection for dropped file 10->67 69 Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent) 10->69 21 vbc.exe 2 10->21         started        23 cmd.exe 10->23         started        25 cmd.exe 10->25         started        process5 dnsIp6 43 checkip.dyndns.org 12->43 45 checkip.dyndns.com 193.122.6.168, 49713, 49717, 80 ORACLE-BMC-31898US United States 12->45 49 2 other IPs or domains 12->49 71 May check the online IP address of the machine 12->71 39 C:\Users\user\AppData\Roaming\hsob\hsob.exe, PE32 16->39 dropped 41 C:\Users\user\...\hsob.exe:Zone.Identifier, ASCII 16->41 dropped 27 conhost.exe 16->27         started        73 Uses schtasks.exe or at.exe to add and modify task schedules 19->73 29 conhost.exe 19->29         started        31 schtasks.exe 1 19->31         started        47 checkip.dyndns.org 21->47 75 Tries to steal Mail credentials (via file / registry access) 21->75 77 Tries to harvest and steal ftp login credentials 21->77 79 Tries to harvest and steal browser information (history, passwords, etc) 21->79 33 conhost.exe 23->33         started        35 schtasks.exe 23->35         started        37 conhost.exe 25->37         started        file7 signatures8 process9
Detection:
snakekeylogger
Create hunting rule
Link:
https://mwdb.cert.pl/sample/36b652a48927acff9e7e99be2d2e558f81036a400c1abbeed39d23ea8d3eea8c/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2021-11-07 23:54:01 UTC
AV detection:
22 of 28 (78.57%)
Threat level:
  5/5
Verdict:
malicious
Similar samples:
406776bc31b30cd94d3e6e50ea5adfac4817b2787c49f02e9ac096ea128f4843
SnakeKeylogger
64e7a4dbad57f1c217a17ad6214d29230ac8ba813d001fdaa35f17fd83f62cf3
SnakeKeylogger
91512a6af5a6f62bd3348e28a4920a88bdaed4732ca9afcb956f0ca8c16d734f
SnakeKeylogger
a8ee1ce45b132846cc6799449803893ff91812ceb4fbcb79fcf8b124816c249d
SnakeKeylogger
ce962e14e66b08a9d2059caf227f0fc4a6369dc684ebb753e9c8179cdcc090ab
SnakeKeylogger
d0ba38de7fbef35868d1f321a5d193c8c3689d167e9c10af7075fd67903347d2
SnakeKeylogger
d33e00381cdafc0c33431016e4781e12e7d335e83ba405ae242ed54044af98d2
SnakeKeylogger
e85ce681cb364a87adf7bc9db634754e2bad773f63b725218f3b68475a38d773
SnakeKeylogger
+ 2'266 additional samples on MalwareBazaar
Result
Malware family:
snakekeylogger
Create hunting rule
Score:
  10/10
Tags:
family:snakekeylogger collection keylogger stealer
Link:
https://tria.ge/reports/211114-q496rsgea2/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Enumerates physical storage devices
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Looks up external IP address via web service
Uses the VBS compiler for execution
Executes dropped EXE
Snake Keylogger
Unpacked files
SH256 hash:
00ef451d304ee5a792705536a704bc1c006e8df81b8aa2bd312281324c2e04c2
MD5 hash:
0142580b59f39d95186a35391b181ade
SHA1 hash:
3e090cc9317517cc19470bdcf44cc994868e1a6c
Link:
https://www.unpac.me/results/08262c31-2559-486f-9aa3-cd5046da1590/
SH256 hash:
36b652a48927acff9e7e99be2d2e558f81036a400c1abbeed39d23ea8d3eea8c
MD5 hash:
c5a07d20c6083158cd479b0f0a104ade
SHA1 hash:
bea2c36010e379276b853fa5a8f7525d6c37035f
Link:
https://www.unpac.me/results/08262c31-2559-486f-9aa3-cd5046da1590/
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_EXE_Packed_Dotfuscator
Create hunting rule
Author:ditekSHen
Description:Detects executables packed with Dotfuscator
Rule name:INDICATOR_EXE_Packed_dotNetProtector
Create hunting rule
Author:ditekSHen
Description:Detects executables packed with dotNetProtector
Rule name:INDICATOR_EXE_Packed_SmartAssembly
Create hunting rule
Author:ditekSHen
Description:Detects executables packed with SmartAssembly
Rule name:pe_imphash
Create hunting rule
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/205685/

Comments