MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 44e2e207af6f3a96f166fa4383e96fa254cb90cb57dfe6a360576d1190b92b3f. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


SnakeKeylogger


Vendor detections: 15


Intelligence 15 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 44e2e207af6f3a96f166fa4383e96fa254cb90cb57dfe6a360576d1190b92b3f
SHA3-384 hash: 67f476536ef0fb49eb1fbebe2e5adf159a9c89ec39c0574108910485f2d68808082b670b0642c958e7591a8202130884
SHA1 hash: e886f9b82a2bc037b60941102b88d9bd8fa3c5bb
MD5 hash: 658ae4aff23c6705e708c43b117bd24f
humanhash: dakota-michigan-arkansas-lamp
File name:ScanDoc002988737882_PaymentReceipt11102022.exe
Download: download sample
Signature SnakeKeylogger
Create hunting rule
File size:951'296 bytes
First seen:2022-10-12 07:27:13 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'666 x AgentTesla, 19'479 x Formbook, 12'209 x SnakeKeylogger)
ssdeep 12288:6hwf6Wa4DNNIXJUI+ttrk0Pj7W+Q4boUTBaXsuWgdfO26AQSQy4AI:qWvNNIXl+tpk0PjidUtacGGAtQy4A
Threatray 6'033 similar samples on MalwareBazaar
TLSH T1DF157B7E1A994607E8153274C893D2F32AFBAD606061D1CB5AD72F6FBC502BF950334A
TrID 64.2% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
11.5% (.SCR) Windows screen saver (13101/52/3)
9.2% (.EXE) Win64 Executable (generic) (10523/12/4)
5.7% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
3.9% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):PE icon
dhash icon 9aa298d4d4b8a29a (18 x SnakeKeylogger, 10 x Formbook, 5 x Loki)
Reporter abuse_ch
Tags:exe SnakeKeylogger

Intelligence

File Origin
# of uploads :
1
# of downloads :
203
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
ScanDoc002988737882_PaymentReceipt11102022.exe
Verdict:
Malicious activity
Analysis date:
2022-10-11 08:36:39 UTC
Tags:
evasion trojan snake
Link:
https://app.any.run/tasks/88cd6994-83ef-428d-ba42-ac83a612c322

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/319230/
Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Creating a window
Sending a custom TCP request
Launching a process
Unauthorized injection to a system process
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Link:
https://www.filescan.io/uploads/63466c83aab5b3e31a6ab0ab/reports/87cc7abd-6d2d-4bfa-b4eb-baee758c74e8/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Snake Keylogger
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/4d15f6df-2b78-430d-9452-e12cade30bb7
Result
Threat name:
Snake Keylogger
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1089451
Signature
.NET source code contains potential unpacker
.NET source code contains very large array initializations
.NET source code references suspicious native API functions
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
May check the online IP address of the machine
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Mail credentials (via file / registry access)
Writes to foreign memory regions
Yara detected AntiVM3
Yara detected Generic Downloader
Yara detected Snake Keylogger
Yara detected Telegram RAT
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/44e2e207af6f3a96f166fa4383e96fa254cb90cb57dfe6a360576d1190b92b3f/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2022-10-11 11:33:14 UTC
File Type:
PE (.Net Exe)
Extracted files:
20
AV detection:
26 of 42 (61.90%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=itroeb5pn45jn4lg7jbyh2lpujkmxeglk7p6ni3ak5wrdefzfm7q._file
Verdict:
malicious
Similar samples:
4fdbb565cacf8d38c63c42c2afeaaf59e6b5bf226709cde754219c96fee3aff9
SnakeKeylogger
55c9999640440b6cc08e607397893601551fe37b32452b5c058178a24e07821f
SnakeKeylogger
73555e02148f3102c13009ff65acb7b10cb3b117256cac6cf3a8b2f176b2b26b
SnakeKeylogger
a202f5194bc6c7ca2e825590fd3ca642696fcee88441832d386918b576381371
SnakeKeylogger
a5cccf181c07d537bc3ca811ac2b4bce8fff5bf0a72bc6b35246d0ca2e420b14
SnakeKeylogger
bfc506f7c1bfde6a3db6c8ee32618b952731fb6e4a0c458f5009671e57b830e5
SnakeKeylogger
e8112291f184308282a137f0fc20ddfd45f707852d69cc69bd650f4ebae676bd
SnakeKeylogger
+ 6'023 additional samples on MalwareBazaar
Result
Malware family:
snakekeylogger
Create hunting rule
Score:
  10/10
Tags:
family:snakekeylogger collection keylogger stealer
Link:
https://tria.ge/reports/221012-janbkscgh7/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Looks up external IP address via web service
Snake Keylogger
Snake Keylogger payload
Malware Config
C2 Extraction:
https://api.telegram.org/bot5453475689:AAEPtYkTq-8THTeKrYW8b68w6CGTVgKvmpM/sendMessage?chat_id=5798274961
Verdict:
Suspicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/15380bf6-b64d-4657-a1c6-66a81eda0525
Unpacked files
SH256 hash:
dfc9f64a8f53d839972443a9c345d302b5ea7110e59c3e4451767d910e7c35c1
MD5 hash:
fa22673ae01b218518c4f0947dee443e
SHA1 hash:
fcc4d41d2b9311a469199d20eb30308072a2f3d9
Link:
https://www.unpac.me/results/faad7373-e3bf-4864-91e1-2c9fc5b04d7f/
SH256 hash:
348136bbecbca4b166b58c1f17d97f937fff3bc1e684cb2d249f3f9b7b3b7700
MD5 hash:
1a6143e8512984035ced5ea26b00b69c
SHA1 hash:
d43fc455f46a904f06b4e49455851d9124783bb5
Detections:
snake_keylogger
Create hunting rule
Link:
https://www.unpac.me/results/faad7373-e3bf-4864-91e1-2c9fc5b04d7f/
Parent samples :
73555e02148f3102c13009ff65acb7b10cb3b117256cac6cf3a8b2f176b2b26b
44e2e207af6f3a96f166fa4383e96fa254cb90cb57dfe6a360576d1190b92b3f
SH256 hash:
af7ac1171b44c9a949ad80bfaf05095048d0b74cfb527f66479e22f47d340110
MD5 hash:
f696dc0e00cb8f70799ac3fcaa5f9f6a
SHA1 hash:
cde2283de5b89639ea52f6388feef8f77efc63ce
Link:
https://www.unpac.me/results/faad7373-e3bf-4864-91e1-2c9fc5b04d7f/
SH256 hash:
5b41a9a416ad585520dea2a372298f92ff966b7d89b728993e8ed19d4f1411bc
MD5 hash:
e68e49d56ccf73185e5a8989747424ac
SHA1 hash:
b04fd0c7f2b013c03f710e4c41b085f34a99feec
Link:
https://www.unpac.me/results/faad7373-e3bf-4864-91e1-2c9fc5b04d7f/
SH256 hash:
70dfa4c873605ab0fcdcb62be2a970da110535280d8dc88261edbe1ed2865307
MD5 hash:
d5b0f8aff064b3e828421b48efccd312
SHA1 hash:
724f4bc7ab4e08c45562748b739c8f7496a5ad8f
Link:
https://www.unpac.me/results/faad7373-e3bf-4864-91e1-2c9fc5b04d7f/
SH256 hash:
44e2e207af6f3a96f166fa4383e96fa254cb90cb57dfe6a360576d1190b92b3f
MD5 hash:
658ae4aff23c6705e708c43b117bd24f
SHA1 hash:
e886f9b82a2bc037b60941102b88d9bd8fa3c5bb
Link:
https://www.unpac.me/results/faad7373-e3bf-4864-91e1-2c9fc5b04d7f/
Malware family:
SnakeKeylogger
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/44e2e207af6f/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Password Stealer
Score:
0.90
Link:
https://yomi.yoroi.company/submissions/44e2e207af6f3a96f166fa4383e96fa254cb90cb57dfe6a360576d1190b92b3f

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/319230/

Comments