MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 465f7a28242d2bcfa2ea5a965667f9d71c6a7e712da370a9a92b364180e2d729. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


SnakeKeylogger


Vendor detections: 15


Intelligence 15 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 465f7a28242d2bcfa2ea5a965667f9d71c6a7e712da370a9a92b364180e2d729
SHA3-384 hash: 7bdee5321a93fa574f5c5c893280d5fe56e389c158e5f81a1c88c533183e2d6978bd28edb044195b8bf2587279d63189
SHA1 hash: fb051397c929726479a6433eaa5530db57d60e4d
MD5 hash: aef876921eae9c09a362b36002e5af86
humanhash: oranges-nine-cup-jersey
File name:Clientes BBVA Comprovativo de Transferência.exe
Download: download sample
Signature SnakeKeylogger
Create hunting rule
File size:668'672 bytes
First seen:2023-05-30 07:44:38 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'649 x AgentTesla, 19'461 x Formbook, 12'202 x SnakeKeylogger)
ssdeep 12288:lsIduM2iNfmFx2iqNhujGjUfiG+ldtxYSHXQGQYxSD4aPVY3Z0QX2RWzZySjtpEL:lsIduM1lmFxU0+Fx3HpxSg0QX2RWFTDq
Threatray 5'692 similar samples on MalwareBazaar
TLSH T124E4021863FC4A9BD67327BA4A725630977BFD9AB635D30E1E41B1CD6821F009A20773
TrID 71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.2% (.EXE) Win64 Executable (generic) (10523/12/4)
6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.3% (.EXE) Win32 Executable (generic) (4505/5/1)
2.0% (.ICL) Windows Icons Library (generic) (2059/9)
Reporter abuse_ch
Tags:BBVA ESP exe geo SnakeKeylogger

Intelligence

File Origin
# of uploads :
1
# of downloads :
264
Origin country :
NL NL
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
Clientes BBVA Comprovativo de Transferência.exe
Verdict:
Malicious activity
Analysis date:
2023-05-30 07:47:34 UTC
Tags:
evasion snake keylogger trojan
Link:
https://app.any.run/tasks/70db1b26-c8a5-4ce4-aa7e-a64b7c1f7a41

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Snake
Create hunting rule
Link:
https://www.capesandbox.com/analysis/393354/
Detection(s):
SecuriteInfo.com.MSIL.Kryptik.WZA.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Creating a window
Sending a custom TCP request
Сreating synchronization primitives
Creating a process from a recently created file
Creating a file
DNS request
Sending an HTTP GET request
Enabling the 'hidden' option for recently created files
Moving a file to the %temp% directory
Reading critical registry keys
Unauthorized injection to a recently created process
Unauthorized injection to a recently created process by context flags manipulation
Forced shutdown of a browser
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
lolbin packed
Link:
https://www.filescan.io/uploads/6475a981e464780675a78628/reports/cb823e1a-241c-48d1-b438-0a8449092bd2/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_90%
Link:
https://www.hybrid-analysis.com/sample/465f7a28242d2bcfa2ea5a965667f9d71c6a7e712da370a9a92b364180e2d729
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Snake Keylogger
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/e075a62a-347d-4df9-b137-f6a914f2100a
Result
Threat name:
Snake Keylogger
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1245264
Signature
.NET source code contains potential unpacker
Found malware configuration
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
May check the online IP address of the machine
Moves itself to temp directory
Multi AV Scanner detection for submitted file
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Yara detected Generic Downloader
Yara detected Snake Keylogger
Yara detected Telegram RAT
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/465f7a28242d2bcfa2ea5a965667f9d71c6a7e712da370a9a92b364180e2d729/
Threat name:
ByteCode-MSIL.Trojan.FormBook
Create hunting rule
Status:
Malicious
First seen:
2023-05-30 07:45:06 UTC
File Type:
PE (.Net Exe)
Extracted files:
8
AV detection:
17 of 24 (70.83%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=izpxukbefuv47ixklklfmz7z24ogu7trfwrxbknjfm3edahc24uq._file
Verdict:
malicious
Similar samples:
097f5dbc2976c1c2d16d12031bf0fb805f1212c695d9301877e00fc63591b240
SnakeKeylogger
1237eec0287f5d0590ef5a8d6bc33e37c3f1384ed1ee265645f8efa054255f38
SnakeKeylogger
1af9751a544e54a90c1b18ce2fb731d3f9b2e53e7143f9904622706109949abf
SnakeKeylogger
26969921baa34c10f19e16987def5c7c640214907867e51ebdd2fcfddc5b684b
SnakeKeylogger
3335efc2f973d87f8539324f664cbe0f6ac5b63f1c7fb7e0ef89cbdf5cb8174d
SnakeKeylogger
6852d72daa3cb833ad7303422696b68b2df654acab26f54f36732c3e97822cd9
SnakeKeylogger
8866f6c589741b658ffd084aa66e2ef4b34f84b40238e7d60e2acc5961cf207c
SnakeKeylogger
978a959c5131f0e37d076b6a2b777c35cae4f58756a3d25be2662e58301f0ebd
SnakeKeylogger
cc51d10e5165cb6ba234e1ac9b831d9ba93c8cf678a12890ff712386a8346398
SnakeKeylogger
ce4538d962580d2b52a8cb68aefb500eaee8f07dd01c1fae3b50b4a40585131a
SnakeKeylogger
+ 5'682 additional samples on MalwareBazaar
Result
Malware family:
snakekeylogger
Create hunting rule
Score:
  10/10
Tags:
family:snakekeylogger collection keylogger spyware stealer
Link:
https://tria.ge/reports/230530-jld72sgc48/
Behaviour
Modifies system certificate store
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: RenamesItself
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Looks up external IP address via web service
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Snake Keylogger
Snake Keylogger payload
Unpacked files
SH256 hash:
16c255190eaaf1b60ec7d07abcac5f614ea197cee2416ca9d01bb563c526c87d
MD5 hash:
fb4ed205b442f470bbf10913128efdcb
SHA1 hash:
9a0a4c5ae429769e3253a9a3daefa24270b87a5b
Link:
https://www.unpac.me/results/d792f3cd-ad28-4071-8f1f-a4992c99706d/
Parent samples :
ee57b6fa1e5a3c5ef776b79f32820327bcb3fe1974eeddf65c0eb56131193397
de8c7c543f438af1e7e78096f6873268e9b1a12745edf9c88db07e136163399e
SH256 hash:
1e7a1f79353dbc8978441b5e6e6b45b92ea4de3700cadeb864081409f3287618
MD5 hash:
4d152a732f54ceda743c05d8b8f7accb
SHA1 hash:
96f72170b04d3c88cf05e9479e4c9a65685b7b0f
Link:
https://www.unpac.me/results/d792f3cd-ad28-4071-8f1f-a4992c99706d/
SH256 hash:
0b861d0e19d173621dba77fc3954b6325b3e89e0856817eb9ac1b0e4b4b6f9a0
MD5 hash:
34e9924238cc9c184aed0f7e0dd905ab
SHA1 hash:
42e0e3852a327ae2d232858ba41fca9cadd628db
Link:
https://www.unpac.me/results/d792f3cd-ad28-4071-8f1f-a4992c99706d/
SH256 hash:
eb7b43e630ab2ab8aeae8bb451bbb9bb58b2f859e2108a4f5858584c97d3909f
MD5 hash:
86e46e2c0dd5c4f1c380daae0d700e63
SHA1 hash:
406a11d8b2dcc0e7b7d4bfb7ca28124cde865237
Link:
https://www.unpac.me/results/d792f3cd-ad28-4071-8f1f-a4992c99706d/
SH256 hash:
2ce28085a81ccca53b7a1798a247a8d6073351c7e82f1fe140a8e02ba5a6b4be
MD5 hash:
c54f8afa54219a3d8b729be9d2a30878
SHA1 hash:
3d90afa0cd694db05a30ab9be369fab5912d13e6
Detections:
snake_keylogger
Create hunting rule
Link:
https://www.unpac.me/results/d792f3cd-ad28-4071-8f1f-a4992c99706d/
Parent samples :
465f7a28242d2bcfa2ea5a965667f9d71c6a7e712da370a9a92b364180e2d729
c8f4d475fb49c545a0cf3137ba0078a30f668fd5f638d3d5a4744c76f3db74b5
564b04babf3a9e21e6b6b3f5a1c7ea624e5036052382afc1ba15e206b6308f6a
SH256 hash:
465f7a28242d2bcfa2ea5a965667f9d71c6a7e712da370a9a92b364180e2d729
MD5 hash:
aef876921eae9c09a362b36002e5af86
SHA1 hash:
fb051397c929726479a6433eaa5530db57d60e4d
Link:
https://www.unpac.me/results/d792f3cd-ad28-4071-8f1f-a4992c99706d/
Malware family:
SnakeKeylogger
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/465f7a28242d/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.45
Link:
https://yomi.yoroi.company/submissions/465f7a28242d2bcfa2ea5a965667f9d71c6a7e712da370a9a92b364180e2d729

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

SnakeKeylogger

Executable exe 465f7a28242d2bcfa2ea5a965667f9d71c6a7e712da370a9a92b364180e2d729

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/393354/

Comments