MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 466ee7c5d671a44e47d35136b5b4f419408d9ca875ba19c00deab004c9c219da. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


SnakeKeylogger


Vendor detections: 13


Intelligence 13 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 466ee7c5d671a44e47d35136b5b4f419408d9ca875ba19c00deab004c9c219da
SHA3-384 hash: f5dffc37bbda7f3d8bb8608039c400d5d34fd21dee1d56725475e1b70568af4bb4dd049828108ea8bbf1b1d89f67af27
SHA1 hash: c1a50db4c2372bc01bc22d7a4c116f68a6f2f0aa
MD5 hash: 803c9a57a89d47c496430420d53826fd
humanhash: five-carbon-violet-nine
File name:proforma invoice.pdf.exe
Download: download sample
Signature SnakeKeylogger
Create hunting rule
File size:819'712 bytes
First seen:2022-10-17 06:29:53 UTC
Last seen:2022-10-17 08:07:04 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'666 x AgentTesla, 19'479 x Formbook, 12'209 x SnakeKeylogger)
ssdeep 12288:AwvfEuvbaPGqRw2Eb3kWjecARjnVDfgA/sG63xJ7qlKeNVw7IqHoKD8Xxt:YPGqRMbwXTgyQ3v7UK6wU
Threatray 5'833 similar samples on MalwareBazaar
TLSH T10405F6BA21D1225FE416B1758583E9B366FBAD516146D1C790D30F6FBC880BBCA1338B
TrID 72.5% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.4% (.EXE) Win64 Executable (generic) (10523/12/4)
6.5% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.4% (.EXE) Win32 Executable (generic) (4505/5/1)
2.0% (.EXE) OS/2 Executable (generic) (2029/13)
File icon (PE):PE icon
dhash icon 70e88ee8e896e870 (15 x SnakeKeylogger, 7 x Formbook, 5 x Loki)
Reporter abuse_ch
Tags:exe SnakeKeylogger

Intelligence

File Origin
# of uploads :
2
# of downloads :
220
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/320738/
Detection(s):
SecuriteInfo.com.Trojan.Siggen9.48175.UNOFFICIAL
Create hunting rule

SecuriteInfo.com.Trojan.Siggen9.48175.27842.20305.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Creating a window
DNS request
Сreating synchronization primitives
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
packed
Link:
https://www.filescan.io/uploads/634cf678fdf6478a15af4db8/reports/dff20ef5-d4b3-4085-a2ef-2cf53567d2de/overview
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Snake Keylogger
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/45663834-3641-4bbd-b7ed-5191de382019
Result
Threat name:
Snake Keylogger
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1091542
Signature
.NET source code contains potential unpacker
.NET source code references suspicious native API functions
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
May check the online IP address of the machine
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Mail credentials (via file / registry access)
Uses an obfuscated file name to hide its real file extension (double extension)
Uses the Telegram API (likely for C&C communication)
Yara detected AntiVM3
Yara detected Generic Downloader
Yara detected Snake Keylogger
Yara detected Telegram RAT
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/466ee7c5d671a44e47d35136b5b4f419408d9ca875ba19c00deab004c9c219da/
Threat name:
ByteCode-MSIL.Trojan.Snakekeylogger
Create hunting rule
Status:
Malicious
First seen:
2022-10-17 02:07:06 UTC
File Type:
PE (.Net Exe)
Extracted files:
12
AV detection:
21 of 26 (80.77%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=izxoprowogse4r6tke3llnhudfai3hfiow5btqan5kyajsocdhna._file
Verdict:
malicious
Similar samples:
0c7339cf54785cd76320a0d84bf76019eb1fd5b18dfebf1d9ca7f5ee6e8e958f
SnakeKeylogger
0f1b9c97ca2d11237543964ee3fd39734c0e9cc2371aed7dd49deb4409c839d2
SnakeKeylogger
2262bf3bc3250b4bcefab73d88c2fd44b2d2fe02e4350f42e1f9bcfcab98a867
SnakeKeylogger
321798f8fa71a630a9afbb80a2cc78bc5448b9f127dd01c9d7ffd7a750153ef6
SnakeKeylogger
3fd707dbbf7a289a8cc02b0e3ae49cda05d20836991d0fc19723ecb42d4bcf76
SnakeKeylogger
79626acc1a4ebd2993c5f10522687e95bff00496a54d7ce8377be9d1cf92e901
SnakeKeylogger
9079a00cf539b8f9adfa046a9cf1f7c1c80fb370fb89d0a27f0fac1b0646c4c3
SnakeKeylogger
a0baf98ce28c1245d78159191bd0fafaf80c8c6b76b5e80b43bea8874af910a9
SnakeKeylogger
a55d4c3a6ff031ca6502aef0e7c59374721f9ffed5856124e583b3e433fdfb16
SnakeKeylogger
de0b6160f294319b2882dbeea5e4b7e9e1ebee17c14d8af1c964b8bfc09db1ae
SnakeKeylogger
+ 5'823 additional samples on MalwareBazaar
Result
Malware family:
snakekeylogger
Create hunting rule
Score:
  10/10
Tags:
family:snakekeylogger collection keylogger spyware stealer
Link:
https://tria.ge/reports/221017-g9g8haagh5/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Looks up external IP address via web service
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Snake Keylogger
Snake Keylogger payload
Malware Config
C2 Extraction:
https://api.telegram.org/bot5633581612:AAEbgoliingzrZhNwiVV1Ke-e-BfNBIzx3I/sendMessage?chat_id=5754175656
Verdict:
Suspicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/84234210-ec80-4680-9ff2-8ab4d97d77ba
Unpacked files
SH256 hash:
6766d9bf9db729004206719602e359647373184836fcf6fd4bdea54458510e5d
MD5 hash:
a003708280633ff7ffb4781c8ac124b8
SHA1 hash:
ebff74d69c562d5c364ee0af57867bc32c0efc7f
Link:
https://www.unpac.me/results/0efd89de-bbd1-4c03-bd8b-1ded9354b952/
SH256 hash:
45e94aa327dd24b91627ed818783db6188e586b2ba688483e48261bfec92d22a
MD5 hash:
fa1dfa95c2e3922fabd4fcd1ab61d8d5
SHA1 hash:
dc33bbbea0ba04d4846dab114b70e0774f5c0fed
Detections:
snake_keylogger
Create hunting rule
Link:
https://www.unpac.me/results/0efd89de-bbd1-4c03-bd8b-1ded9354b952/
Parent samples :
466ee7c5d671a44e47d35136b5b4f419408d9ca875ba19c00deab004c9c219da
11ad5f11a03d59292b8bcd30036dd66d77830edea7c369bb7158b62bbfc08cf2
4058b407562c232f56c58d6592d9004e2395f545cffd0a249d0fa1b66a0e8247
ee6a61f1176307566990e3ac0eacef9a696929e2f1246abf9706300294cdde61
SH256 hash:
5baac84cc35b521dd82f39def057f3b591d05c8eb6ad43a4746fa8bdf6be709c
MD5 hash:
a1a9b1c7126677ecde1072e18a23cd97
SHA1 hash:
54a986494deb07b89f78edf50341b30ba5c28a39
Link:
https://www.unpac.me/results/0efd89de-bbd1-4c03-bd8b-1ded9354b952/
SH256 hash:
678d527fc01a0eaa1be366ca97b0ad5a3fe890b1ef8267d2fc981ff43c4d08e5
MD5 hash:
2da433d67db4775d8f02a8fed4b31bf3
SHA1 hash:
235fe8f2076f3b5cfffacc574825550cee8e61e9
Link:
https://www.unpac.me/results/0efd89de-bbd1-4c03-bd8b-1ded9354b952/
SH256 hash:
e20ec8f3c957bcb6a194ef688bae8af2015cfffb20e7baf8b2114d7b70ade4ee
MD5 hash:
35cb29046968faca7f3f3b4463449b6c
SHA1 hash:
088c8c30ec1bece0a4b5bbfe3982b073f8b95598
Link:
https://www.unpac.me/results/0efd89de-bbd1-4c03-bd8b-1ded9354b952/
SH256 hash:
466ee7c5d671a44e47d35136b5b4f419408d9ca875ba19c00deab004c9c219da
MD5 hash:
803c9a57a89d47c496430420d53826fd
SHA1 hash:
c1a50db4c2372bc01bc22d7a4c116f68a6f2f0aa
Link:
https://www.unpac.me/results/0efd89de-bbd1-4c03-bd8b-1ded9354b952/
Malware family:
SnakeKeylogger
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/466ee7c5d671/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
0.81
Link:
https://yomi.yoroi.company/submissions/466ee7c5d671a44e47d35136b5b4f419408d9ca875ba19c00deab004c9c219da

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/320738/

Comments