MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 40b929602b87afdd15d324e762862f3f107c4ea27ec0940532454af36003bb22. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


SnakeKeylogger


Vendor detections: 12


Intelligence 12 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 40b929602b87afdd15d324e762862f3f107c4ea27ec0940532454af36003bb22
SHA3-384 hash: ecc883d8194690150e156a9b249da2ac169cca5a09644985c89789a7776e2d5b281acb4a482c91c3b049764cefca5051
SHA1 hash: ca2392ef77f94d49cea95238f70ff1e995e2d5ae
MD5 hash: 14f7096bc0c3c743241a32e16646c7f1
humanhash: jupiter-washington-pip-don
File name:New-Order.exe
Download: download sample
Signature SnakeKeylogger
Create hunting rule
File size:474'624 bytes
First seen:2022-03-04 06:25:39 UTC
Last seen:2022-03-04 07:49:22 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'749 x AgentTesla, 19'653 x Formbook, 12'246 x SnakeKeylogger)
ssdeep 12288:yhdK5beGRUcZ64pcRm00dT5r3TVME6ua6mj/5ByUX:becUbRmZdT1TVME6uah/Ld
Threatray 2'648 similar samples on MalwareBazaar
TLSH T18EA4D0877A354BA6D93D97346425420CCFE6E966C30EE26C7DC6B1CD01B2F4B872291B
Reporter abuse_ch
Tags:exe SnakeKeylogger

Intelligence

File Origin
# of uploads :
2
# of downloads :
215
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/247214/
Detection(s):
SecuriteInfo.com.Trojan.DownLoader44.42655.20781.7818.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a custom TCP request
Сreating synchronization primitives
Creating a file in the %AppData% directory
Creating a file in the %temp% directory
Launching a process
Creating a process with a hidden window
Unauthorized injection to a recently created process
Creating a file
DNS request
Sending an HTTP GET request
Reading critical registry keys
Blocking the Windows Defender launch
Enabling autorun by creating a file
Forced shutdown of a browser
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Snake Keylogger
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/3e811be5-cbc1-4453-9e20-bd5a37c00ed4
Result
Threat name:
Snake Keylogger
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/950528
Signature
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains very large strings
.NET source code references suspicious native API functions
Found malware configuration
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
May check the online IP address of the machine
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Suspicious Add Scheduled Task From User AppData Temp
Sigma detected: Suspicius Schtasks From Env Var Folder
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Mail credentials (via file / registry access)
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected AntiVM3
Yara detected Snake Keylogger
Yara detected Telegram RAT
Behaviour
Behavior Graph:
Download SVG
Detection:
snakekeylogger
Create hunting rule
Link:
https://mwdb.cert.pl/sample/40b929602b87afdd15d324e762862f3f107c4ea27ec0940532454af36003bb22/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2022-03-04 06:26:13 UTC
File Type:
PE (.Net Exe)
Extracted files:
7
AV detection:
24 of 27 (88.89%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=ic4ssyblq6x52fotettwfbrph4ihytvcp3ajibjsivfpgyadxmra._file
Verdict:
malicious
Similar samples:
02a7ad6a2310a0b7dd465f40d6d81d59b3234b4f3ad8f039a866f3eac7d920a2
SnakeKeylogger
2dfa81ba2cf18424f9f735b5b7986a1c92457aecfa55169812e25c11360c3c1f
SnakeKeylogger
3a4cd75ca7cd8319e82dc86b0da07f9363c0a7f37f4058e504067a5b6a2f84aa
SnakeKeylogger
7346882ce3dbb43ec5f3193fab1ef05854a9a6c08401b3aa7b4e3dc141d8b36b
SnakeKeylogger
89126ab29977ea93c47b855e29d58d35034972c896b8717cec0c03fdc08ee4b3
SnakeKeylogger
abc9859e70631e0350f6322149cabd267fb6a11cbaae32cbc9cf5ffdc6434df1
SnakeKeylogger
d05eac168f2fb72745b37dd3727005b2059faeb26e49f974e7f51382ffaa7ac6
SnakeKeylogger
dc136fb9c85bff7e70c259e3ca16cfec72c0ea6c082d4770b3ece44bf43c25f2
SnakeKeylogger
e26cc3d980a49d53e10bd470f3939f24af1ed40124e38760c64844ff89586784
SnakeKeylogger
e66733316645cfe338015951dd78b61886eab28d02e7d7b238946967eb62d53c
SnakeKeylogger
+ 2'638 additional samples on MalwareBazaar
Result
Malware family:
snakekeylogger
Create hunting rule
Score:
  10/10
Tags:
family:snakekeylogger collection keylogger spyware stealer
Link:
https://tria.ge/reports/220304-g67c8adgf2/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Enumerates physical storage devices
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Looks up external IP address via web service
Checks computer location settings
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Snake Keylogger
Snake Keylogger Payload
Unpacked files
SH256 hash:
79823e47436e129def4fba8ee225347a05b7bb27477fb1cc8be6dc9e9ce75696
MD5 hash:
39f524c1ab0eb76dfd79b2852e5e8c39
SHA1 hash:
428018e1701006744e34480b0029982a76d8a57d
Link:
https://www.unpac.me/results/f14fbe16-a839-428a-a0e4-635156507dd7/
SH256 hash:
2d5e8b26f5e815ae7ded91454a175a16a31dcc89e9594c68cdc792513cdaf0a8
MD5 hash:
582150cf74011fc8635508e0ff6385a3
SHA1 hash:
2137fe71b515765dc443ee8d8babede61b2db5e2
Link:
https://www.unpac.me/results/f14fbe16-a839-428a-a0e4-635156507dd7/
SH256 hash:
6aa36a126ede3b525b4536a18484085c610c9aba699c6186d2c3a87533fe966c
MD5 hash:
499149746349a02151bc78828ee11913
SHA1 hash:
130dd531aed8cc94d48837b4318bd17874404c03
Link:
https://www.unpac.me/results/f14fbe16-a839-428a-a0e4-635156507dd7/
SH256 hash:
40b929602b87afdd15d324e762862f3f107c4ea27ec0940532454af36003bb22
MD5 hash:
14f7096bc0c3c743241a32e16646c7f1
SHA1 hash:
ca2392ef77f94d49cea95238f70ff1e995e2d5ae
Link:
https://www.unpac.me/results/f14fbe16-a839-428a-a0e4-635156507dd7/
Malware family:
Phoenix
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/40b929602b87/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/40b929602b87afdd15d324e762862f3f107c4ea27ec0940532454af36003bb22

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/247214/

Comments