MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 43b68beee5436ba3af6c92c7a6ef60dc02d2b57aa5520ba007ba8b84d71c7d3b. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

SnakeKeylogger

Vendor detections: 14

SHA256 hash: 43b68beee5436ba3af6c92c7a6ef60dc02d2b57aa5520ba007ba8b84d71c7d3b
SHA3-384 hash: 5c8d5e4dec57a9781367e7e253201267827d905ca86feb9a5bd87233438ea7923e02cfb9528ade1fa63893d77058eaa7
SHA1 hash: 965dfc4780eb08ea45a1beccbe4c5c221d01c262
MD5 hash: 6769d5cf50a7af84090017bd0d30d53f
humanhash: zebra-india-fifteen-enemy
File name: Dekont,jpg.exe
Signature: SnakeKeylogger
File size: 841'216 bytes
First seen: 2022-02-14 16:02:10 UTC
Last seen: 2022-02-14 17:36:00 UTC
File type: Executable exe
MIME type: application/x-dosexec
imphash: f34d5f2d4577ed6d9ceec516c1f5a744 (48'742 x AgentTesla, 19'607 x Formbook, 12'242 x SnakeKeylogger)
ssdeep: 12288:C36CqDXz8o7T7R+PBDAvY2jFOPJatXhVb1u507KQU/mHjj+VAoLJakKX:+6738QgV3H2XhVb12a5H/+3Lf
Threatray: 2'763 similar samples on MalwareBazaar
TLSH: T17505020173EAAB23C5BB0F7BE4B242016370E94A1107D73B688536FD5C4B3A91E72676
dhash icon: f8a4b2b4b4b4b2c0 (20 x AgentTesla, 8 x Loki, 6 x Formbook)
Reporter: abuse_ch
Tags: exe geo SnakeKeylogger TUR

Intelligence

File Origin
# of uploads: 2
# of downloads: 200
Origin country: n/a
Vendor Threat Intelligence

Result
Verdict: Malware
Maliciousness:
Behaviour
Creating a window
Creating synchronization primitives
Launching the default Windows debugger (dwwin.exe)
Verdict: Likely Malicious
Threat level: 7.5/10
Confidence: 100%
Tags: control.exe obfuscated packed
Result
Verdict: MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family: Snake Keylogger
Verdict: Malicious
Result
Threat name: Snake Keylogger
Detection: malicious
Classification: troj.evad
Score: 100 / 100
Signature
.NET source code contains potential unpacker
Found malware configuration
Injects a PE file into a foreign processes
Malicious sample detected (through community Yara rule)
May check the online IP address of the machine
Multi AV Scanner detection for submitted file
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Yara detected AntiVM3
Yara detected Snake Keylogger
Yara detected Telegram RAT
Threat name: ByteCode-MSIL.Trojan.AgentTesla
Status: Malicious
First seen: 2022-02-14 16:03:15 UTC
File Type: PE (.Net Exe)
Extracted files: 7
AV detection: 19 of 27 (70.37%)
Threat level: 5/5
Result
Malware family: snakekeylogger
Score: 10/10
Tags: family:snakekeylogger keylogger stealer
Behaviour
Checks processor information in registry
Enumerates system info in registry
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Program crash
Drops file in Windows directory
Suspicious use of SetThreadContext
Looks up external IP address via web service
Snake Keylogger
Snake Keylogger Payload
Suspicious use of NtCreateProcessExOtherParentProcess
Unpacked files
Malware family: Phoenix
Verdict: Malicious
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures
MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: pe_imphash

Rule name: Skystars_Malware_Imphash
Author: Skystars LightDefender
Description: imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.