MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 48edab5efefe889cc80214488317960772b2482e86a96e1ceac109287926179e. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

SnakeKeylogger

Vendor detections: 15

Intelligence 15 IOCs YARA 3 File information Comments

SHA256 hash:	48edab5efefe889cc80214488317960772b2482e86a96e1ceac109287926179e
SHA3-384 hash:	909f158b4646708f0ea3318728d08f8c63fe0051ea946430fcce1cbe371e6f2db702c5eb67386e153eed9171ce1c01f5
SHA1 hash:	3728f467ff8026872de04f3ccef78a2d4a47df69
MD5 hash:	42e3d6016d145ae5bd157bd7dbd86963
humanhash:	fillet-moon-xray-tennis
File name:	42e3d6016d145ae5bd157bd7dbd86963.exe
Download:	download sample
Signature	SnakeKeylogger Create hunting rule
File size:	638'464 bytes
First seen:	2023-08-26 08:14:30 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'666 x AgentTesla, 19'479 x Formbook, 12'209 x SnakeKeylogger)
ssdeep	12288:3Vp0K8s6owoQCOahAbQ5hq+JJ8psQA5Uo6Bp83pazn7N3f0SHOy:3Vp0K8s6oworOahAIVJ8SQqUo6Ba3paV
Threatray	5'585 similar samples on MalwareBazaar
TLSH	T19CD41638197DA327D138C7F58FD18427F364992B3026EAE56DC367E64226B1129D323E
TrID	71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13) 10.2% (.EXE) Win64 Executable (generic) (10523/12/4) 6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 4.3% (.EXE) Win32 Executable (generic) (4505/5/1) 2.0% (.ICL) Windows Icons Library (generic) (2059/9)
Reporter	abuse_ch
Tags:	exe SnakeKeylogger

Intelligence

File Origin

# of uploads :

# of downloads :

275

Origin country :

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

42e3d6016d145ae5bd157bd7dbd86963.exe

Verdict:

Malicious activity

Analysis date:

2023-08-26 08:15:11 UTC

Tags:

evasion snake keylogger

Link:

https://app.any.run/tasks/26a6134d-240f-41f7-aee3-58e3ab62f7e9

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection(s):

Porcupine.Malware.58887.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Сreating synchronization primitives

Searching for synchronization primitives

Creating a window

Unauthorized injection to a recently created process

Restart of the analyzed sample

Creating a file

DNS request

Sending an HTTP GET request

Enabling the 'hidden' option for analyzed file

Forced shutdown of a browser

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

packed

Link:

https://www.filescan.io/uploads/64e9b4897444d2eb09f1dad8/reports/e1e27085-cd2f-4da2-b28c-068fcd055ab5/overview

Verdict:

Malicious

Labled as:

Win/malicious_confidence_100%

Link:

https://www.hybrid-analysis.com/sample/48edab5efefe889cc80214488317960772b2482e86a96e1ceac109287926179e

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Snake Keylogger

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/a2c9bb9a-3701-4316-a0b9-1e5ea5053338

Result

Threat name:

Snake Keylogger

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1297731

Signature

.NET source code contains potential unpacker

.NET source code contains very large strings

Found malware configuration

Injects a PE file into a foreign processes

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

May check the online IP address of the machine

Multi AV Scanner detection for submitted file

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Mail credentials (via file / registry access)

Yara detected Generic Downloader

Yara detected Snake Keylogger

Yara detected Telegram RAT

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/48edab5efefe889cc80214488317960772b2482e86a96e1ceac109287926179e/

Threat name:

Win32.Trojan.Leonem

Status:

Malicious

First seen:

2023-06-29 06:43:42 UTC

File Type:

PE (.Net Exe)

Extracted files:

AV detection:

21 of 38 (55.26%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=jdw2wxx672ejzsaccreigf4wa5zlesboq2uw4hhkyeesq6jgc6pa._file

Verdict:

malicious

SnakeKeylogger

14bc396bc52d43f2e370a4a65ad0b08012e48b0644ed66325848e0dafd195ce4

SnakeKeylogger

9b481ce4b3cb66b4325b09a71c65f202b2da68b1cc9f04cbfd5ad2043cd9ddee

SnakeKeylogger

c4c920d6d5d253db092a28210596c60b4377224251c3d14c4558a54346a71b75

SnakeKeylogger

c92819a5b69535e455893801e3ceabc29f5659a213ff93d4891b36c8af740059

SnakeKeylogger

d1e6c1aa5e9ba581f78bb0270c55f94dc5013f5d546ad2524efb6b005dce36e8

SnakeKeylogger

d757716097082fdcf35033613d1736f4cf02f07afb368b1381489ba8ebba3cb0

SnakeKeylogger

db7f70227c9ba4a6977cbd919bf9aa2f611d2557b145e5a8d7f06d184dd9d5d3

SnakeKeylogger

f6bdba555d1356168f7f1581949ab5ca8d6b20e9a6495e0cfcef8d3b129638a0

SnakeKeylogger

+ 5'575 additional samples on MalwareBazaar

Result

Malware family:

snakekeylogger

Score:

10/10

Tags:

family:snakekeylogger keylogger spyware stealer

Link:

https://tria.ge/reports/230826-j5kh6sgh86/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Suspicious use of SetThreadContext

Looks up external IP address via web service

Reads user/profile data of local email clients

Reads user/profile data of web browsers

Snake Keylogger

Snake Keylogger payload

Unpacked files

SH256 hash:

862f3cd524b29fc5b6ced9cfc4d13756cb90d6c95ca50fd2438e2d5df44bbf05

MD5 hash:

8ade068b8a62b6173f1d3e07bf0a7e04

SHA1 hash:

b63b1dddf4358e8826dab84e4206137d41718592

Detections:

snake_keylogger

Link:

https://www.unpac.me/results/d4e7df8a-eac7-4da3-b404-f299c4346973/

Parent samples :

6b9078cd23ba0a810bb971fde08fcbe3b4124c84846b7446ebaf7eac57da047b
db7f70227c9ba4a6977cbd919bf9aa2f611d2557b145e5a8d7f06d184dd9d5d3
d1e6c1aa5e9ba581f78bb0270c55f94dc5013f5d546ad2524efb6b005dce36e8
d2ed2fe66a89a05c02510dabf4360f8fe54f6f27e94ccd864c56beaf218229e3
14bc396bc52d43f2e370a4a65ad0b08012e48b0644ed66325848e0dafd195ce4
f6bdba555d1356168f7f1581949ab5ca8d6b20e9a6495e0cfcef8d3b129638a0
c92819a5b69535e455893801e3ceabc29f5659a213ff93d4891b36c8af740059
d757716097082fdcf35033613d1736f4cf02f07afb368b1381489ba8ebba3cb0
48edab5efefe889cc80214488317960772b2482e86a96e1ceac109287926179e

SH256 hash:

9d6c73e273a966a4ed1d93350392d965792ddf5ad201bfa28b8adcec2e344db5

MD5 hash:

adac60763fcfe4d5f4ad323046e79500

SHA1 hash:

9ced772a90ddec9fffde8c745225ad289f3f087e

Link:

https://www.unpac.me/results/d4e7df8a-eac7-4da3-b404-f299c4346973/

SH256 hash:

ac99bec138b0ca3e6294c74b89484896e2d1239c982268af5a2c08eec8830f2d

MD5 hash:

ab20610826a18b5e3231781d2bc261c9

SHA1 hash:

6987f4c4406bc63a07bf9a10e2336717b9983bd1

Link:

https://www.unpac.me/results/d4e7df8a-eac7-4da3-b404-f299c4346973/

SH256 hash:

6c69c005e9f3c997b73ddde62f89d5f10c1067c6c50394ccbd812ff5fefc7914

MD5 hash:

d0921e315e964b516ebb43539f93a45b

SHA1 hash:

0bb71fef437802f9f34b3e0bc44801cd17655b99

Link:

https://www.unpac.me/results/d4e7df8a-eac7-4da3-b404-f299c4346973/

SH256 hash:

48edab5efefe889cc80214488317960772b2482e86a96e1ceac109287926179e

MD5 hash:

42e3d6016d145ae5bd157bd7dbd86963

SHA1 hash:

3728f467ff8026872de04f3ccef78a2d4a47df69

Link:

https://www.unpac.me/results/d4e7df8a-eac7-4da3-b404-f299c4346973/

Malware family:

SnakeKeylogger

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/48edab5efefe/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/48edab5efefe889cc80214488317960772b2482e86a96e1ceac109287926179e

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	NET Create hunting rule
Author:	malware-lu

Rule name:	pe_imphash Create hunting rule

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

No further information available

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample