MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 4735fe65c5f86a0bdc62754823cb6470b3995e392527d0a20fb5f61a7acecafe. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


SnakeKeylogger


Vendor detections: 16


Intelligence 16 IOCs YARA 12 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 4735fe65c5f86a0bdc62754823cb6470b3995e392527d0a20fb5f61a7acecafe
SHA3-384 hash: 0b17fd33118ee05a7eedfca21bff7f3736aac1eb2f70933c217cc109fd7b18e71c307765e3d32efa2b28db44ec7246b5
SHA1 hash: 5514f630b428eed041d4066ac2ae328f48f6c5e4
MD5 hash: 9432f7b9c0a32d95ca4392bbd975d46a
humanhash: quebec-magazine-eleven-summer
File name:NUESTRO CARGO ABONO 31-03-2023.exe
Download: download sample
Signature SnakeKeylogger
Create hunting rule
File size:681'984 bytes
First seen:2023-03-31 15:53:49 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 12288:5xfqHqYCPFimOMt+VZp5rOZYGi4L7uADFINh6z2JrJi2/cMup:5xfqHqYQimXapUZm4LKBKYiDp
Threatray 363 similar samples on MalwareBazaar
TLSH T157E4F11072DE8759D526C3BD84E1D2B06336CCD6D8A2CB671FC9BDC7B2CA78A5620247
TrID 71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.2% (.EXE) Win64 Executable (generic) (10523/12/4)
6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.3% (.EXE) Win32 Executable (generic) (4505/5/1)
2.0% (.ICL) Windows Icons Library (generic) (2059/9)
File icon (PE):PE icon
dhash icon 0000000000000000 (872 x AgentTesla, 496 x Formbook, 296 x RedLineStealer)
Reporter abuse_ch
Tags:exe SnakeKeylogger

Intelligence

File Origin
# of uploads :
1
# of downloads :
246
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
NUESTRO CARGO ABONO 31-03-2023.exe
Verdict:
Malicious activity
Analysis date:
2023-03-31 15:58:39 UTC
Tags:
snake keylogger trojan evasion
Link:
https://app.any.run/tasks/86c64fbd-71e5-4d31-8c97-cc0bd7bbf64d

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Snake
Create hunting rule
Link:
https://www.capesandbox.com/analysis/379075/
Detection(s):
Sanesecurity.Malware.28872.BadIN4.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Launching a process
Сreating synchronization primitives
Creating a file in the %AppData% directory
Enabling the 'hidden' option for recently created files
Adding an access-denied ACE
Creating a process from a recently created file
Creating a process with a hidden window
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
floxif lokibot packed virus
Link:
https://www.filescan.io/uploads/6427021d4e6582605f077354/reports/bd3c28db-7e68-4484-92a5-b612090dd263/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_90%
Link:
https://www.hybrid-analysis.com/sample/4735fe65c5f86a0bdc62754823cb6470b3995e392527d0a20fb5f61a7acecafe
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Snake Keylogger
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/689f2e0a-70a4-4c81-add6-3d2c9bdccd52
Result
Threat name:
Snake Keylogger
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1205988
Signature
Adds a directory exclusion to Windows Defender
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
May check the online IP address of the machine
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Scheduled temp file as task from temp location
Snort IDS alert for network traffic
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Mail credentials (via file / registry access)
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected Generic Downloader
Yara detected Snake Keylogger
Yara detected Telegram RAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 838904 Sample: NUESTRO_CARGO_ABONO_31-03-2... Startdate: 31/03/2023 Architecture: WINDOWS Score: 100 47 Snort IDS alert for network traffic 2->47 49 Malicious sample detected (through community Yara rule) 2->49 51 Sigma detected: Scheduled temp file as task from temp location 2->51 53 5 other signatures 2->53 7 NUESTRO_CARGO_ABONO_31-03-2023.exe 7 2->7         started        11 NIieKGDutKOfwu.exe 5 2->11         started        process3 file4 33 C:\Users\user\AppData\...33IieKGDutKOfwu.exe, PE32 7->33 dropped 35 C:\...35IieKGDutKOfwu.exe:Zone.Identifier, ASCII 7->35 dropped 37 C:\Users\user\AppData\Local\...\tmp9645.tmp, XML 7->37 dropped 39 C:\...39UESTRO_CARGO_ABONO_31-03-2023.exe.log, ASCII 7->39 dropped 55 May check the online IP address of the machine 7->55 57 Uses schtasks.exe or at.exe to add and modify task schedules 7->57 59 Adds a directory exclusion to Windows Defender 7->59 61 Injects a PE file into a foreign processes 7->61 13 NUESTRO_CARGO_ABONO_31-03-2023.exe 15 2 7->13         started        17 powershell.exe 21 7->17         started        19 schtasks.exe 1 7->19         started        63 Multi AV Scanner detection for dropped file 11->63 65 Machine Learning detection for dropped file 11->65 21 NIieKGDutKOfwu.exe 14 2 11->21         started        23 schtasks.exe 1 11->23         started        25 NIieKGDutKOfwu.exe 11->25         started        signatures5 process6 dnsIp7 41 checkip.dyndns.com 132.226.8.169, 49707, 49708, 80 UTMEMUS United States 13->41 43 checkip.dyndns.org 13->43 27 conhost.exe 17->27         started        29 conhost.exe 19->29         started        45 checkip.dyndns.org 21->45 67 Tries to steal Mail credentials (via file / registry access) 21->67 69 Tries to harvest and steal ftp login credentials 21->69 71 Tries to harvest and steal browser information (history, passwords, etc) 21->71 31 conhost.exe 23->31         started        signatures8 process9
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/4735fe65c5f86a0bdc62754823cb6470b3995e392527d0a20fb5f61a7acecafe/
Threat name:
Win32.Trojan.Casdet
Create hunting rule
Status:
Malicious
First seen:
2023-03-31 06:09:00 UTC
File Type:
PE (.Net Exe)
Extracted files:
18
AV detection:
17 of 24 (70.83%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=i4274zof7bvaxxdcovechs3eoczzsxrzeut5biqpwx3bu6wozl7a._file
Verdict:
malicious
Similar samples:
189d5e75f300e21f30ae87cef1c384a3e33e26b5546b8404090bffe3251d4a34
SnakeKeylogger
2cf6b9480c8c7a3e9ecfda6a28bac4f48f019d35f75d89847c8ef866aef2cc98
SnakeKeylogger
2e5243c0f25a508026aa4bc82e7cdddd2df91f556c8509ac6e2b60d3ef17b517
SnakeKeylogger
48b3525f35a068cb4ec4d6a9206bb06f0f44c968860b01ae3eb44342aecc43f4
SnakeKeylogger
6651fc9d40430503d651012b74149b5b99f2a6b758ee59498a21b7592722a3ed
SnakeKeylogger
87c1f33e1a2f359854fe99b0724a05efcfe41b143a3e7c5470dd3a7c63a508c1
SnakeKeylogger
90e926a50fdd51897942e407e917649f7cfdac92a9f95cc73d263c8f7fff695e
SnakeKeylogger
ae0a26ad0575bf99d4015962b33290c3bc1395b91a8355b5c9f2340fdf577db9
SnakeKeylogger
f4b21e57bb6fabca1dd4b5499d5940749346c350975dcc07cf8f40db0376acfc
SnakeKeylogger
+ 353 additional samples on MalwareBazaar
Result
Malware family:
snakekeylogger
Create hunting rule
Score:
  10/10
Tags:
family:snakekeylogger collection keylogger spyware stealer
Link:
https://tria.ge/reports/230331-tb8c9acf7w/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Enumerates physical storage devices
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Looks up external IP address via web service
Checks computer location settings
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Snake Keylogger
Snake Keylogger payload
Unpacked files
SH256 hash:
b8c30435215d76392f396ad6e8c4464eec35ae2d9a3255ff4f66d7a1cacbb381
MD5 hash:
e0e2583a88181f91d256422d4574047a
SHA1 hash:
c91b9bad890d44693b6a97d201fb1f750d4b0b5c
Link:
https://www.unpac.me/results/160dd98c-fb27-4175-ae16-d63a53f1c4d5/
SH256 hash:
7ff60db761f810560fc223160228cfda94dcf14ee789e2f27a448fa47aa7e09a
MD5 hash:
5e5e4cac2b0374a59cd29618aeb35d08
SHA1 hash:
a5a7a7e1933dc81a02cc49ea1697a8248cca2a4a
Link:
https://www.unpac.me/results/160dd98c-fb27-4175-ae16-d63a53f1c4d5/
SH256 hash:
3c507afadbb1c31a9ebdd24baac5739d47576159e01c5e84f973c951885100aa
MD5 hash:
e79bf0e7e9d52d398e0b23b352394c68
SHA1 hash:
682325763a0ec77e0fd475ea3a4021b4651eceac
Link:
https://www.unpac.me/results/160dd98c-fb27-4175-ae16-d63a53f1c4d5/
SH256 hash:
c44dc2d7c7337c905ea0ad31f99ac69f131670e47e5d89a38540042b6ea3b5c5
MD5 hash:
2ed010668365c0a58966fc050b1f1453
SHA1 hash:
6322c5ea0c30199f067172ab6865ca8f774f8cf7
Link:
https://www.unpac.me/results/160dd98c-fb27-4175-ae16-d63a53f1c4d5/
SH256 hash:
6a232f25d7fc22bd0014580eba27830fa38429b7630286af3c8b984c88460abc
MD5 hash:
59f70bc3b413fbd65f0c1cb2c04b28d6
SHA1 hash:
1e4e7e40d87290b7947f4cc9fdbdd61640b7d1cc
Detections:
snake_keylogger
Create hunting rule
Link:
https://www.unpac.me/results/160dd98c-fb27-4175-ae16-d63a53f1c4d5/
Parent samples :
97f310bcb89ddf0a6c1582f47c46b59fa153997a11d5dedc862a62a468977e61
6651fc9d40430503d651012b74149b5b99f2a6b758ee59498a21b7592722a3ed
4735fe65c5f86a0bdc62754823cb6470b3995e392527d0a20fb5f61a7acecafe
aa6c2ef24b150191c159fae081258ad96844a9dc1d02d4366168fc48640770ef
8ecfe073dffd0f788e9d22b4d25854b0b9f2407725988a19d0bd54ac1990ab1e
e710d551910b6751fc61ebe64138b020526a8d6d24ff282c96d7f74249da0a5b
d3b15a575e1cbb1fb69ff44063e584385027d4f6c1ce73ccaa97208c8b77fb4e
ca4369c92b99c4410a13c6b8f18724c46d24145c851fd744c5a3e29c7e90ab9f
547f397336be3f2ad50692798f02db867c52d0e2ed2022cdc72d895f159a8ad2
59c2f70e5cd0cd6c24c2ab51aaefb332d12dbb46dd9ffdd84d4848dc290476a8
a2c60612d5450af22322938dad549462026ec1fe256cdcaf9719f27be7fc901f
SH256 hash:
4735fe65c5f86a0bdc62754823cb6470b3995e392527d0a20fb5f61a7acecafe
MD5 hash:
9432f7b9c0a32d95ca4392bbd975d46a
SHA1 hash:
5514f630b428eed041d4066ac2ae328f48f6c5e4
Link:
https://www.unpac.me/results/160dd98c-fb27-4175-ae16-d63a53f1c4d5/
Malware family:
SnakeKeylogger
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/4735fe65c5f8/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Password Stealer
Score:
0.90
Link:
https://yomi.yoroi.company/submissions/4735fe65c5f86a0bdc62754823cb6470b3995e392527d0a20fb5f61a7acecafe

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_SUSPICIOUS_Binary_References_Browsers
Create hunting rule
Author:ditekSHen
Description:Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers.
Rule name:INDICATOR_SUSPICIOUS_EXE_DotNetProcHook
Create hunting rule
Author:ditekSHen
Description:Detects executables with potential process hoocking
Rule name:INDICATOR_SUSPICIOUS_EXE_References_Messaging_Clients
Create hunting rule
Author:ditekSHen
Description:Detects executables referencing many email and collaboration clients. Observed in information stealers
Rule name:INDICATOR_SUSPICIOUS_EXE_TelegramChatBot
Create hunting rule
Author:ditekSHen
Description:Detects executables using Telegram Chat Bot
Rule name:MALWARE_Win_SnakeKeylogger
Create hunting rule
Author:ditekSHen
Description:Detects Snake Keylogger
Rule name:MAL_Envrial_Jan18_1
Create hunting rule
Author:Florian Roth (Nextron Systems)
Description:Detects Encrial credential stealer malware
Reference:https://twitter.com/malwrhunterteam/status/953313514629853184
Rule name:MAL_Envrial_Jan18_1_RID2D8C
Create hunting rule
Author:Florian Roth
Description:Detects Encrial credential stealer malware
Reference:https://twitter.com/malwrhunterteam/status/953313514629853184
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash
Rule name:Windows_Trojan_SnakeKeylogger_af3faa65
Create hunting rule
Author:Elastic Security
Rule name:XWorm_Hunter
Create hunting rule
Author:Potato

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

SnakeKeylogger

Executable exe 4735fe65c5f86a0bdc62754823cb6470b3995e392527d0a20fb5f61a7acecafe

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/379075/

Comments