MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 45a15ea41879782dd9c2991c24691c58a76031392677e65e95ec5ed987e99d13. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


SnakeKeylogger


Vendor detections: 14


Intelligence 14 IOCs YARA 12 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 45a15ea41879782dd9c2991c24691c58a76031392677e65e95ec5ed987e99d13
SHA3-384 hash: f90d9ed20a647521344ac9390078f9eabcb07f93d501c8907dc834532a576793dc7b0bbe7068641c045faadf8f61cf27
SHA1 hash: bca3b5df15c87f56684e6c05bd46840307c87f98
MD5 hash: 2704ce3c622c4b04dc8f739ec3e90648
humanhash: colorado-nebraska-chicken-california
File name:2704ce3c622c4b04dc8f739ec3e90648.exe
Download: download sample
Signature SnakeKeylogger
Create hunting rule
File size:803'328 bytes
First seen:2023-07-12 06:04:02 UTC
Last seen:2023-07-12 06:43:23 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'661 x AgentTesla, 19'474 x Formbook, 12'208 x SnakeKeylogger)
ssdeep 6144:9NfHklc5Sk5kjgJ/WbV5fkkqbrsOEtdOatQamaQp8dUTF8iR4xAA9euCLJy9DpBj:9NKMCjT5c3sOEmpKg8dS+saf7
Threatray 5'350 similar samples on MalwareBazaar
TLSH T14E053BD1F151C99AE96B46F27C3BA53020D76E9C54A4810C569EBB2B66F3342309FE0F
TrID 71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.2% (.EXE) Win64 Executable (generic) (10523/12/4)
6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.3% (.EXE) Win32 Executable (generic) (4505/5/1)
2.0% (.ICL) Windows Icons Library (generic) (2059/9)
File icon (PE):PE icon
dhash icon eeacac8cb6e2ba86 (561 x SnakeKeylogger, 142 x AgentTesla, 40 x Formbook)
Reporter abuse_ch
Tags:exe SnakeKeylogger

Intelligence

File Origin
# of uploads :
2
# of downloads :
253
Origin country :
NL NL
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
2704ce3c622c4b04dc8f739ec3e90648.exe
Verdict:
Malicious activity
Analysis date:
2023-07-12 06:08:20 UTC
Tags:
evasion snake keylogger trojan
Link:
https://app.any.run/tasks/e43c3496-eaff-48c0-b5a4-c8ad733dce57

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Snake
Create hunting rule
Link:
https://www.capesandbox.com/analysis/416247/
Detection(s):
SecuriteInfo.com.Trojan.GenericKDZ.101687.24893.7164.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Creating a window
Restart of the analyzed sample
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
barys comodo loki lokibot packed
Link:
https://www.filescan.io/uploads/64ae425e057bff26cf2329f1/reports/126c07fb-5b00-4fb5-8e9c-fc9bfe92ca19/overview
Verdict:
Malicious
Labled as:
Trojan.Generic
Link:
https://www.hybrid-analysis.com/sample/45a15ea41879782dd9c2991c24691c58a76031392677e65e95ec5ed987e99d13
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Snake Keylogger
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/f6e9977c-07f6-4949-a3a3-297ed8747863
Result
Threat name:
Snake Keylogger
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1271424
Signature
.NET source code contains potential unpacker
Found malware configuration
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
May check the online IP address of the machine
Multi AV Scanner detection for submitted file
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Yara detected Generic Downloader
Yara detected Snake Keylogger
Yara detected Telegram RAT
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/45a15ea41879782dd9c2991c24691c58a76031392677e65e95ec5ed987e99d13/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2023-07-07 07:48:14 UTC
File Type:
PE (.Net Exe)
Extracted files:
27
AV detection:
24 of 38 (63.16%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=iwqv5jaypf4c3wocteoci2i4lctwamjzez36mxuv5rpntb7jtujq._file
Verdict:
malicious
Similar samples:
0dfed6a80612475d64b34d2c0264f41ee06da61747fd3086786bcbc61212daf3
SnakeKeylogger
2cb7c9dc87cd618a4a307a8f7a054fc0acbb375e0dc2b3d041e5f5b9f138b601
SnakeKeylogger
2f0c79ee01767d02ed23922dd9d7c12715c971029fc61466629c79908385d85b
SnakeKeylogger
3105a7886bb62b4a95672ed5a801e8063dfba87139195dfc5a7cfe32f3b4edf2
SnakeKeylogger
3dedd91d5d734fdea8fa04714e99b1fdcac4c06626ad2e10aa825e71fc18c3c3
SnakeKeylogger
4290a78ffba42133cf4952389a5945a4961961056425284fe2142784bf4af9a7
SnakeKeylogger
5d6c03383955c4784c08bcc14b863537f7fb451fd94a1fe7706b84576fb3819b
SnakeKeylogger
6e6f28265a65efc29248f1bc10513f4c2320edba637d87f8341df71fa113dcd3
SnakeKeylogger
90b37ea81aba9787a883970ff011dbbf5da729fc915bf3dc104704111fbc2848
SnakeKeylogger
+ 5'340 additional samples on MalwareBazaar
Result
Malware family:
snakekeylogger
Create hunting rule
Score:
  10/10
Tags:
family:snakekeylogger collection keylogger spyware stealer
Link:
https://tria.ge/reports/230712-gslvcsca96/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Looks up external IP address via web service
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Snake Keylogger
Snake Keylogger payload
Malware Config
C2 Extraction:
https://api.telegram.org/bot6090295523:AAEyjwZD26AH_SRrG-u0j6a84BNMFOOSjkI/sendMessage?chat_id=6381937612
Unpacked files
SH256 hash:
9d6c73e273a966a4ed1d93350392d965792ddf5ad201bfa28b8adcec2e344db5
MD5 hash:
adac60763fcfe4d5f4ad323046e79500
SHA1 hash:
9ced772a90ddec9fffde8c745225ad289f3f087e
Link:
https://www.unpac.me/results/d13afc29-9b8a-4641-b6ce-899d33b7fb24/
SH256 hash:
cef2b1ac6f28e2afdc69e9d6566562032bd6e69701ca610168602220d77aaee5
MD5 hash:
03fb6ab59745bd1c530a11b0437854bf
SHA1 hash:
2a3a6d07eee9f0c8577f4b1e73c67e6797a65ad9
Detections:
snake_keylogger
Create hunting rule
Link:
https://www.unpac.me/results/d13afc29-9b8a-4641-b6ce-899d33b7fb24/
Parent samples :
e5fe74a699fdee524980b0ccdfe82a6a98abd5c011ba909822455b831720b686
aa5af03ce3f907fb786a8b3247b9f55e4f9e0edec98568cdb517ff1a1366aaf0
45a15ea41879782dd9c2991c24691c58a76031392677e65e95ec5ed987e99d13
aa2d0f4b6445d3f0f50a54a10d357abf7a51cf14cb63ab99f357ea3564f84e7c
SH256 hash:
c0f478fbb45f259f5451131a509941dee01f5bf9012624772e81648b0259d000
MD5 hash:
8a7f0dedf94b9b304cfb862a5dcba289
SHA1 hash:
298d12a3b2e7fb430831f3d35cd53506193977ed
Link:
https://www.unpac.me/results/d13afc29-9b8a-4641-b6ce-899d33b7fb24/
SH256 hash:
973512f00ba81a790d2351f286c79dfea92692c9f7cd724e22ab11ff282f8130
MD5 hash:
3794c5f7b240e4184d6ea90c5bdd9ec6
SHA1 hash:
26b9c4a753779b4994fe38c16dfe70b07efd3e0d
Link:
https://www.unpac.me/results/d13afc29-9b8a-4641-b6ce-899d33b7fb24/
SH256 hash:
45a15ea41879782dd9c2991c24691c58a76031392677e65e95ec5ed987e99d13
MD5 hash:
2704ce3c622c4b04dc8f739ec3e90648
SHA1 hash:
bca3b5df15c87f56684e6c05bd46840307c87f98
Link:
https://www.unpac.me/results/d13afc29-9b8a-4641-b6ce-899d33b7fb24/
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:BitcoinAddress
Create hunting rule
Author:Didier Stevens (@DidierStevens)
Description:Contains a valid Bitcoin address
Rule name:INDICATOR_SUSPICIOUS_Binary_References_Browsers
Create hunting rule
Author:ditekSHen
Description:Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers.
Rule name:INDICATOR_SUSPICIOUS_EXE_DotNetProcHook
Create hunting rule
Author:ditekSHen
Description:Detects executables with potential process hoocking
Rule name:INDICATOR_SUSPICIOUS_EXE_References_Messaging_Clients
Create hunting rule
Author:ditekSHen
Description:Detects executables referencing many email and collaboration clients. Observed in information stealers
Rule name:INDICATOR_SUSPICIOUS_EXE_TelegramChatBot
Create hunting rule
Author:ditekSHen
Description:Detects executables using Telegram Chat Bot
Rule name:MALWARE_Win_SnakeKeylogger
Create hunting rule
Author:ditekSHen
Description:Detects Snake Keylogger
Rule name:MAL_Envrial_Jan18_1
Create hunting rule
Author:Florian Roth (Nextron Systems)
Description:Detects Encrial credential stealer malware
Reference:https://twitter.com/malwrhunterteam/status/953313514629853184
Rule name:MAL_Envrial_Jan18_1_RID2D8C
Create hunting rule
Author:Florian Roth
Description:Detects Encrial credential stealer malware
Reference:https://twitter.com/malwrhunterteam/status/953313514629853184
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash
Rule name:Windows_Trojan_SnakeKeylogger_af3faa65
Create hunting rule
Author:Elastic Security

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/416247/

Comments