MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 43b25aef4da392665de83158b04b5f705a913c9dd03bf777ea66540f8bd21600. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


SnakeKeylogger


Vendor detections: 15


Intelligence 15 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 43b25aef4da392665de83158b04b5f705a913c9dd03bf777ea66540f8bd21600
SHA3-384 hash: 0bf402b86cd2c89b3786bba2b58149f3a523dc3cbb1fcfef8b1a3c00dd6059a3589e2a2f50d8a2d171a8c7f7b2391c67
SHA1 hash: 475ad0746d63aefc3fa052c35e80c3d6aa7d4758
MD5 hash: 13e7052b360b9e4303520c89b6e18e56
humanhash: hot-arizona-alabama-neptune
File name:ORDER_MK_032998.exe
Download: download sample
Signature SnakeKeylogger
Create hunting rule
File size:390'985 bytes
First seen:2022-11-18 22:32:30 UTC
Last seen:2022-11-19 00:51:05 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 29b61e5a552b3a9bc00953de1c93be41 (174 x Formbook, 82 x AgentTesla, 81 x Loki)
ssdeep 6144:MEa0Nr+6g2KBda+02E7qElLvwVgQkF6ForrJR73GIpnlXbFP2382vvh084DD0a10:Xr+6g2KBdaAFcF6orrJRCCufnu84DDb0
Threatray 6'045 similar samples on MalwareBazaar
TLSH T10284231570E852FFD797C331239B5B21C3FAAA241A4770E70FA41E2F69B1796D22601E
TrID 48.8% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
16.4% (.EXE) Win64 Executable (generic) (10523/12/4)
10.2% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
7.8% (.EXE) Win16 NE executable (generic) (5038/12/1)
7.0% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):PE icon
dhash icon b2a89c96a2cada72 (2'283 x Formbook, 981 x Loki, 803 x AgentTesla)
Reporter abuse_ch
Tags:exe SnakeKeylogger

Intelligence

File Origin
# of uploads :
2
# of downloads :
237
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
ORDER_MK_032998.exe
Verdict:
Malicious activity
Analysis date:
2022-11-18 22:35:26 UTC
Tags:
evasion trojan
Link:
https://app.any.run/tasks/aca1c59d-dd62-4f11-9696-086698d379cc

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Snake
Create hunting rule
Link:
https://www.capesandbox.com/analysis/335872/
Detection(s):
SecuriteInfo.com.FileRepMalware.7165.21561.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file in the %temp% directory
Creating a process from a recently created file
Сreating synchronization primitives
DNS request
Sending an HTTP GET request
Reading critical registry keys
Creating a window
Unauthorized injection to a recently created process by context flags manipulation
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
overlay packed shell32.dll
Link:
https://www.filescan.io/uploads/6378082307c3f5e84a01e7be/reports/68d830ba-a8e1-4761-b70a-78a8795d8ca5/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Snake Keylogger
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/1c29ad63-a822-42a6-86eb-7bbd3e039b41
Result
Threat name:
Snake Keylogger
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1116819
Signature
.NET source code references suspicious native API functions
Detected unpacking (creates a PE file in dynamic memory)
Initial sample is a PE file and has a suspicious name
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
May check the online IP address of the machine
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Mail credentials (via file / registry access)
Yara detected Generic Downloader
Yara detected Snake Keylogger
Yara detected Telegram RAT
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/43b25aef4da392665de83158b04b5f705a913c9dd03bf777ea66540f8bd21600/
Threat name:
Win32.Trojan.FormBook
Create hunting rule
Status:
Malicious
First seen:
2022-11-18 05:18:27 UTC
File Type:
PE (Exe)
Extracted files:
4
AV detection:
27 of 40 (67.50%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=iozfv32nuojgmxpigfmlas27obnjcpe52a57o57kmzka7c6scyaa._file
Verdict:
malicious
Similar samples:
0567cb6c296cea3b751dcdaf5929995cad17ce0c59937064c8a0f12651014b72
SnakeKeylogger
1a2bcdeb48f63761b003373d932fc7eea4702ed9b856a69ae44d54a625424081
SnakeKeylogger
3bd6eaf7910876056f5f594c6b15fd7a8b75c6eef0c0a76690ed49e72ea97366
SnakeKeylogger
5b086d5fdd4e2bcf856eb5ee73d1b139589c12d3416abf3ce75042bbdf4ed374
SnakeKeylogger
5c69938a04aa7ca2d20e4fa560acc5cd7cc6067c74e32ea771528e6e880f7491
SnakeKeylogger
b4e919a8dd061ad70552ed8e27679edda38c754a1bf6b9672ced36b1e2f3e028
SnakeKeylogger
c8875568728be64753ef434c96e365baf7954fe86a4eb3addbe6f045fc74b6f4
SnakeKeylogger
+ 6'035 additional samples on MalwareBazaar
Result
Malware family:
snakekeylogger
Create hunting rule
Score:
  10/10
Tags:
family:snakekeylogger collection keylogger spyware stealer
Link:
https://tria.ge/reports/221118-2ghc1sfa2x/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Enumerates physical storage devices
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Looks up external IP address via web service
Loads dropped DLL
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Executes dropped EXE
Snake Keylogger
Snake Keylogger payload
Verdict:
Suspicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/ef42a500-00c2-466d-ad76-62dd55f75c20
Unpacked files
SH256 hash:
95d17453c93b0396d5ffcdff10354df75f731d555f9446000906c955f508f260
MD5 hash:
8c7f7d627f1f3e140e3a5de37c752795
SHA1 hash:
f4d42fecebc3f2de96fc2534c8fad30c3fdd1d5e
Detections:
snake_keylogger
Create hunting rule
Link:
https://www.unpac.me/results/1939495a-923c-4e94-9b96-e5053469d35a/
Parent samples :
43b25aef4da392665de83158b04b5f705a913c9dd03bf777ea66540f8bd21600
f0464f5e9669b4112215874eb7df62b915fe83a00e5365da6d8ecf7be9981388
d7a6518fcbe2f5ff77ffe403bf1291c8bfaaad75d92d15f886ab37a70b9df278
SH256 hash:
eb414bdfd4e4f431f44573629add923d167f6cdf26870270380560af2a27e174
MD5 hash:
d72f17c7088230f352d5623db2eddd69
SHA1 hash:
774887a270fd28a3cb29c4dc93c38f7628341cfb
Detections:
snake_keylogger
Create hunting rule
Link:
https://www.unpac.me/results/1939495a-923c-4e94-9b96-e5053469d35a/
SH256 hash:
43b25aef4da392665de83158b04b5f705a913c9dd03bf777ea66540f8bd21600
MD5 hash:
13e7052b360b9e4303520c89b6e18e56
SHA1 hash:
475ad0746d63aefc3fa052c35e80c3d6aa7d4758
Link:
https://www.unpac.me/results/1939495a-923c-4e94-9b96-e5053469d35a/
Malware family:
SnakeKeylogger
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/43b25aef4da3/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

SnakeKeylogger

Executable exe 43b25aef4da392665de83158b04b5f705a913c9dd03bf777ea66540f8bd21600

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/335872/

Comments