MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 4431552eb37f8003df4c66bd640a4951c10317aadb858b42d174f461909b4fb7. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


SnakeKeylogger


Vendor detections: 11


Intelligence 11 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 4431552eb37f8003df4c66bd640a4951c10317aadb858b42d174f461909b4fb7
SHA3-384 hash: f6f74c4ff1d5c411efb31264dafc16f2fc234e8da0a28d3492df6f30a40740dd50f69f53ae8bc630eb36ad31a06f01e0
SHA1 hash: fac66eb32ef247669fbb1c9b1b9bceac5663493f
MD5 hash: f9583365310c9700b74d38295b090e44
humanhash: failed-emma-uranus-seventeen
File name:RQ038023.PDF.exe
Download: download sample
Signature SnakeKeylogger
Create hunting rule
File size:635'392 bytes
First seen:2023-08-17 18:10:27 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'653 x AgentTesla, 19'464 x Formbook, 12'205 x SnakeKeylogger)
ssdeep 12288:4aB5LYDl+CDg/+27lEAr/qUZjUgu3dmtZhJy3TGshoj+zonrKZg2BJPbzPK:o/g/+IlEAriModmtzJASjUorIdBhbe
Threatray 294 similar samples on MalwareBazaar
TLSH T191D4126172B95F16C87D07FE5930658007B5AB2B2576E34C8ED2A4CB35ACF845F80E2B
TrID 71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.2% (.EXE) Win64 Executable (generic) (10523/12/4)
6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.3% (.EXE) Win32 Executable (generic) (4505/5/1)
2.0% (.ICL) Windows Icons Library (generic) (2059/9)
Reporter abuse_ch
Tags:exe SnakeKeylogger

Intelligence

File Origin
# of uploads :
1
# of downloads :
241
Origin country :
NL NL
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
RQ038023.PDF.exe
Verdict:
Malicious activity
Analysis date:
2023-08-17 18:24:35 UTC
Tags:
evasion snake keylogger trojan
Link:
https://app.any.run/tasks/478e3135-20e1-4d52-ac4b-93337bf31303

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/443248/
Detection(s):
Porcupine.Malware.58887.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Creating a window
Sending a custom TCP request
Launching a process
Creating a file
Сreating synchronization primitives
DNS request
Sending an HTTP GET request
Forced shutdown of a system process
Unauthorized injection to a system process
Forced shutdown of a browser
Gathering data
Verdict:
Malicious
Labled as:
Trojan.Generic
Link:
https://www.hybrid-analysis.com/sample/4431552eb37f8003df4c66bd640a4951c10317aadb858b42d174f461909b4fb7
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/807fee23-dd98-4632-9406-0f3126e14159
Result
Threat name:
AgentTesla, Snake Keylogger
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1292965
Signature
.NET source code contains potential unpacker
Initial sample is a PE file and has a suspicious name
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
May check the online IP address of the machine
Multi AV Scanner detection for submitted file
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Uses an obfuscated file name to hide its real file extension (double extension)
Yara detected AgentTesla
Yara detected AntiVM3
Yara detected Beds Obfuscator
Yara detected Generic Downloader
Yara detected Snake Keylogger
Yara detected Telegram RAT
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/4431552eb37f8003df4c66bd640a4951c10317aadb858b42d174f461909b4fb7/
Threat name:
ByteCode-MSIL.Trojan.Negasteal
Create hunting rule
Status:
Malicious
First seen:
2023-08-17 02:16:06 UTC
File Type:
PE (.Net Exe)
Extracted files:
9
AV detection:
20 of 38 (52.63%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=iqyvklvtp6aahx2mm26wicsjkhaqgf5k3ocywqwrot2gdee3j63q._file
Verdict:
malicious
Similar samples:
0246246b1452e63b1eea7a93f73e9edfde5e1b4c41d32d44ea100aa0ba7d4b3b
SnakeKeylogger
206fc7652acb64b309bb3e8d6dc46dfda7cb7f42c8730e4f8b70afd10a60a1b0
SnakeKeylogger
50ecc3b01ef9acca243b41728e62bec369d80da286281895cf3c4aadd6a1e444
SnakeKeylogger
53e446b388b5081f45daa0ee52e07b0b5123f8878148526bad39bc805a20a696
SnakeKeylogger
8316df0c425a49849eaf0c55fac307ea3ac82efa3a83b3ea786fd63e8b38b909
SnakeKeylogger
8ac62f0cf9c9abdd16eb37609a1dd5c80c3218694cd5361c78995dc5db38451d
SnakeKeylogger
a0fef35dfcd0a26bab66af912e02360f499d55297f9ce71c55abd9ef180305c8
SnakeKeylogger
bdefd80ebc99c33bb0bfa9db249680c258ba3e55fd704c22fda1f015ca7aed32
SnakeKeylogger
cb836c2076849816bd40df9bb0650ab562508020fd896f446260de7c09ba3e01
SnakeKeylogger
+ 284 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  6/10
Tags:
n/a
Link:
https://tria.ge/reports/230817-wsk1dsdd2x/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Looks up external IP address via web service
Unpacked files
SH256 hash:
3b90e1b8273dfce9ab7deda7c6671fbdc099aa3d9c8968e6f74c67b90617c6bf
MD5 hash:
2a2d67e22ffffb8006d160e5a3e26ce9
SHA1 hash:
c914c2a60be7cfab79aa423dadd46ffdaff5c461
Link:
https://www.unpac.me/results/cb55f3dd-7a78-400c-a7cd-64d28677370b/
SH256 hash:
b26a7e88c2fc5a6dbf3e1f5d8ac59c4579b3b9047f462c5cb7ee79548fa18da9
MD5 hash:
06dc1333af7361fb9ebebe5c4dbe58e4
SHA1 hash:
1adadf881904c5370e96c0a566085cf3c83ca8d0
Link:
https://www.unpac.me/results/cb55f3dd-7a78-400c-a7cd-64d28677370b/
SH256 hash:
42e69ae21200aaeb36f6b8dbd01081f66da827e694a593fe0ddb6f291ad640f3
MD5 hash:
c95f9e9635f7270dd0da494a0057df42
SHA1 hash:
0aaad28f292aa769a8c4b2a0a8fa0cfb80b2f4fb
Link:
https://www.unpac.me/results/cb55f3dd-7a78-400c-a7cd-64d28677370b/
SH256 hash:
598a766b26fc39c1092e2f20cee1f42df6d6049d618ac5d4d331c646ab6a8b47
MD5 hash:
00c960e10d544bd0961a993c3c6dbbe5
SHA1 hash:
04018db21d1b12800f1bc413b90ccb3264955bcb
Link:
https://www.unpac.me/results/cb55f3dd-7a78-400c-a7cd-64d28677370b/
SH256 hash:
4431552eb37f8003df4c66bd640a4951c10317aadb858b42d174f461909b4fb7
MD5 hash:
f9583365310c9700b74d38295b090e44
SHA1 hash:
fac66eb32ef247669fbb1c9b1b9bceac5663493f
Link:
https://www.unpac.me/results/cb55f3dd-7a78-400c-a7cd-64d28677370b/
Malware family:
AgentTesla.v3
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/4431552eb37f/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/4431552eb37f8003df4c66bd640a4951c10317aadb858b42d174f461909b4fb7

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

SnakeKeylogger

Executable exe 4431552eb37f8003df4c66bd640a4951c10317aadb858b42d174f461909b4fb7

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/443248/

Comments