MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 44b764e014bc56b28a3b803ca10758d94a3f0ad587835c0104a16f7968feb234. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

SnakeKeylogger

Vendor detections: 13

Intelligence 13 IOCs YARA 3 File information Comments

SHA256 hash:	44b764e014bc56b28a3b803ca10758d94a3f0ad587835c0104a16f7968feb234
SHA3-384 hash:	f3ee53f2126f9ee04bdbc3e0f8d01cd5244c3dea3b2ee24ee13bc2d3ab8e5c1752b902c390558fceccad701af75b3c39
SHA1 hash:	34b969eaa12a1f51f2c0aacdb61ab386907f27a7
MD5 hash:	ab36c4e12791b5df2fcff6b45d232195
humanhash:	eight-colorado-whiskey-oklahoma
File name:	Jayaswal Neco Industries - Products List.exe
Download:	download sample
Signature	SnakeKeylogger Create hunting rule
File size:	1'181'184 bytes
First seen:	2021-12-08 13:57:56 UTC
Last seen:	2021-12-08 15:31:22 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'666 x AgentTesla, 19'479 x Formbook, 12'209 x SnakeKeylogger)
ssdeep	12288:ACP/GsiQla5aIYZp6wly2DAIk6B54OhCdKtEVMcAjifuUrUfUsd66cF5SMO8Qsdc:AMiQEaIYxb5CVRAHcjsd/oSDP51afK
Threatray	1'791 similar samples on MalwareBazaar
TLSH	T17C450182E6106B24ED2CA7342A33C93603227DAD6D35A53D28D47D9B3FF7BD29127056
File icon (PE):
dhash icon	d4d4dad6d6dcc4e4 (34 x AgentTesla, 8 x Formbook, 7 x SnakeKeylogger)
Reporter	malwarelabnet
Tags:	exe SnakeKeylogger

Intelligence

File Origin

# of uploads :

# of downloads :

125

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

Jayaswal Neco Industries - Products List.exe

Verdict:

Malicious activity

Analysis date:

2021-12-08 14:04:42 UTC

Tags:

evasion trojan snakekeylogger keylogger

Link:

https://app.any.run/tasks/7e7aed8a-1b8e-4654-b77b-f51609734d1e

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/212492/

Detection(s):

SecuriteInfo.com.Trojan.Siggen16.1584.12408.16337.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

DNS request

Сreating synchronization primitives

Launching a process

Creating a process with a hidden window

Verdict:

Suspicious

Threat level:

5/10

Confidence:

100%

Tags:

obfuscated packed

Link:

https://www.filescan.io/uploads/61b0b9f0fa72c81b5b11c14d/reports/80433758-683f-41f6-b9f0-2c25219bdc28/overview

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Formbook

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/8376011a-b135-4c6b-a8b3-e2c073ab3895

Result

Threat name:

Snake Keylogger

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/903875

Signature

.NET source code contains potential unpacker

.NET source code references suspicious native API functions

Adds a directory exclusion to Windows Defender

Found malware configuration

Malicious sample detected (through community Yara rule)

May check the online IP address of the machine

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Sigma detected: Powershell Defender Exclusion

Sigma detected: Suspicius Add Task From User AppData Temp

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to steal Mail credentials (via file / registry access)

Uses schtasks.exe or at.exe to add and modify task schedules

Yara detected AntiVM3

Yara detected Snake Keylogger

Yara detected Telegram RAT

Behaviour

Behavior Graph:

Download SVG

Detection:

snakekeylogger

Link:

https://mwdb.cert.pl/sample/44b764e014bc56b28a3b803ca10758d94a3f0ad587835c0104a16f7968feb234/

Threat name:

ByteCode-MSIL.Trojan.AgentTesla

Status:

Malicious

First seen:

2021-12-08 09:30:00 UTC

File Type:

PE (.Net Exe)

Extracted files:

AV detection:

22 of 28 (78.57%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=is3wjyauxrllfcr3qa6kcb2y3ffd6cwvq6bvyaieufxxs2h6wi2a._file

Verdict:

malicious

SnakeKeylogger

0efef3bb7417596ef26fb834a15d6d759a2cbc734ed484973058e1d32dff4e7a

SnakeKeylogger

17bd30ad53d7af1c727dfaa7e5a47832467c2b9e92c46e8c629ecbb8a3cb8c58

SnakeKeylogger

17e9ee6953eec4fa0a69b8c11e02d4656e41338697a435e58e0fd8bfa1f00183

SnakeKeylogger

2414029be4ce48ae27204c87ae80550ae5960b8ee908276d4ce41fae7d42378a

SnakeKeylogger

5c9c988efd5c29e9554c2e32bf48de98f10c55fdff7886f8b8113db40dee2f3d

SnakeKeylogger

80b5832b3cfb5142bfa2d3a34c0c8e5b77ec519aee7d6e0361b750df17057d7c

SnakeKeylogger

9acecc34e744fe02c1f5453d9ac6f4bab205fba7dfa13bd1396065888b083033

SnakeKeylogger

b4d2896300bf333a24f8552fd4cdd7fb233d4ec8bfdde46a54e935110f927943

SnakeKeylogger

ddd46d4c6c9e4dae72bce7dcd5576763bf912afbd8bbec4f06288bf937ea1fd2

SnakeKeylogger

+ 1'781 additional samples on MalwareBazaar

Result

Malware family:

snakekeylogger

Score:

10/10

Tags:

family:snakekeylogger collection keylogger spyware stealer

Link:

https://tria.ge/reports/211208-q9t2qsagar/

Behaviour

Creates scheduled task(s)

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

outlook_office_path

outlook_win_path

Enumerates physical storage devices

Suspicious use of SetThreadContext

Accesses Microsoft Outlook profiles

Looks up external IP address via web service

Reads data files stored by FTP clients

Reads user/profile data of local email clients

Reads user/profile data of web browsers

Snake Keylogger

Unpacked files

SH256 hash:

a0f105900779762f44e82b8f243cb265990234888b0026583235963ffef22846

MD5 hash:

a941c70fbe61b39707127f81329fb719

SHA1 hash:

7d8fea063a1ff7b50e393575f6b08a42177c1008

Link:

https://www.unpac.me/results/5262dc7d-c7bc-4456-bef3-ade86ec09713/

SH256 hash:

31a24bd765a43fcc17eec06f8aeda6d636bdde04955833998540acb2bb4153e0

MD5 hash:

422ad2835ca1bedce2858588e63ec04f

SHA1 hash:

3cfa6710829002e34515e6e5aba4cc50a9b13cf1

Link:

https://www.unpac.me/results/5262dc7d-c7bc-4456-bef3-ade86ec09713/

SH256 hash:

9cd82dba6c55d901ac7d7007b7a04a30146ad7c297400d44f9d96b90c5ca25d4

MD5 hash:

d9477c36da677507cd33c6eef325d694

SHA1 hash:

330dc88b5041ca9edf57542f5a30c37eef6f11b1

Link:

https://www.unpac.me/results/5262dc7d-c7bc-4456-bef3-ade86ec09713/

SH256 hash:

44b764e014bc56b28a3b803ca10758d94a3f0ad587835c0104a16f7968feb234

MD5 hash:

ab36c4e12791b5df2fcff6b45d232195

SHA1 hash:

34b969eaa12a1f51f2c0aacdb61ab386907f27a7

Link:

https://www.unpac.me/results/5262dc7d-c7bc-4456-bef3-ade86ec09713/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/44b764e014bc56b28a3b803ca10758d94a3f0ad587835c0104a16f7968feb234

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	pe_imphash Create hunting rule

Rule name:	pe_imphash Create hunting rule

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/212492/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample