MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 49265c6ec7486c9127ed1ce4f831057f3a50b0294c5341b8d56a62afffc01a18. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


SnakeKeylogger


Vendor detections: 13


Intelligence 13 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 49265c6ec7486c9127ed1ce4f831057f3a50b0294c5341b8d56a62afffc01a18
SHA3-384 hash: 3cc2e495b0bd67c7432621b56758077a9640b7b03fd6cb6298c4fdd8fb27e382f29532bb876ed3978a8c479b59f91454
SHA1 hash: f03c32d451952f4f11eb0e80a760c6c86844c4c4
MD5 hash: 4c91b4e85079882694887a18822deffd
humanhash: dakota-maine-beryllium-freddie
File name:dokumen dan pesanan pembelian.exe
Download: download sample
Signature SnakeKeylogger
Create hunting rule
File size:784'896 bytes
First seen:2022-04-22 08:56:23 UTC
Last seen:2022-04-22 09:48:48 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'743 x AgentTesla, 19'608 x Formbook, 12'242 x SnakeKeylogger)
ssdeep 12288:0ddFJw9gl46YaOdIbLgdQFBiVcu/uyyjp32fAAYtv/h:no451d2d0G0l/ABdh
Threatray 3'416 similar samples on MalwareBazaar
TLSH T15EF42CD1F150889AEC6B49F1BD6B943024E3AE9D54A4410C56AEBB2776F3342309FE1F
TrID 72.5% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.4% (.EXE) Win64 Executable (generic) (10523/12/4)
6.5% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.4% (.EXE) Win32 Executable (generic) (4505/5/1)
2.0% (.EXE) OS/2 Executable (generic) (2029/13)
File icon (PE):PE icon
dhash icon eeacac8cb6e2ba86 (561 x SnakeKeylogger, 142 x AgentTesla, 40 x Formbook)
Reporter abuse_ch
Tags:exe SnakeKeylogger

Intelligence

File Origin
# of uploads :
2
# of downloads :
227
Origin country :
n/a
Vendor Threat Intelligence
Detection:
Snake
Create hunting rule
Link:
https://www.capesandbox.com/analysis/265666/
Detection(s):
SecuriteInfo.com.Trojan.GenericKD.48911424.24117.28869.UNOFFICIAL
Create hunting rule

Result
Verdict:
Clean
Maliciousness:

Behaviour
Creating a window
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
obfuscated packed pos replace.exe
Link:
https://www.filescan.io/uploads/62627affc7f6e2c5442cfc3a/reports/37f1fa3f-1cea-4d1f-a203-eacea32ce086/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Snake Keylogger
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/886f800e-0939-4add-bfe5-5042254bebf4
Result
Threat name:
Snake Keylogger
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/981213
Signature
.NET source code contains potential unpacker
.NET source code references suspicious native API functions
Found malware configuration
Injects a PE file into a foreign processes
Malicious sample detected (through community Yara rule)
May check the online IP address of the machine
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Mail credentials (via file / registry access)
Yara detected AntiVM3
Yara detected Snake Keylogger
Yara detected Telegram RAT
Behaviour
Behavior Graph:
Download SVG
Detection:
snakekeylogger
Create hunting rule
Link:
https://mwdb.cert.pl/sample/49265c6ec7486c9127ed1ce4f831057f3a50b0294c5341b8d56a62afffc01a18/
Threat name:
ByteCode-MSIL.Trojan.Snakekeylogger
Create hunting rule
Status:
Malicious
First seen:
2022-04-22 01:05:35 UTC
File Type:
PE (.Net Exe)
Extracted files:
28
AV detection:
19 of 26 (73.08%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=jetfy3whjbwjcj7ndtspqmifp45fbmbjjrjudogvnjrk776adima._file
Verdict:
malicious
Similar samples:
1e1598cc98aed52a46c1e28d2bf775232d01d6698eec3d3eadbc3a039167ed8b
SnakeKeylogger
32f4ed2758d54d89b86ead83702e718d654e1fa6c78b4b46c4ca6fb25077d699
SnakeKeylogger
36292b95e0ed9f03e572e60d83801bf7818d85f9e607bd6d396bda9e82d6e803
SnakeKeylogger
5b8124423be6af37ad74816af0d1df049bc6d740117e934947b067d5fa61eb0b
SnakeKeylogger
668832e8181b0270c339930a8402a735e638b8374d53e2c95a715254220e0651
SnakeKeylogger
702966eb365937eb195010449eb592a3817d74d0f7e4da14a0e9fbb13b5303b6
SnakeKeylogger
d493dca078d9747550efd2f30838858ad063f2f702878cdd67e1a84a4ff25020
SnakeKeylogger
e0c7728af846221d9c6946d4995f6af7e0dabe347deee185d1c6ba7554a7cb94
SnakeKeylogger
e4bba9c2af86f903aeecbaf44534222faf78b07bdb4c7604e747ecd6898e38e2
SnakeKeylogger
+ 3'406 additional samples on MalwareBazaar
Result
Malware family:
snakekeylogger
Create hunting rule
Score:
  10/10
Tags:
family:snakekeylogger collection keylogger spyware stealer
Link:
https://tria.ge/reports/220422-kwk9sabfb5/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Looks up external IP address via web service
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Snake Keylogger
Snake Keylogger Payload
Malware Config
C2 Extraction:
https://api.telegram.org/bot5273407003:AAG7ZG43PS1FZDrj0gADw0sr_lYis0K5EYU/sendMessage?chat_id=2028572980
Unpacked files
SH256 hash:
97f819ac978803d8b1156751bc5d52598bd51603d2ea7b8d1fb9247981ab9524
MD5 hash:
72e121191058410fe708bdbf3ee42569
SHA1 hash:
e1151409a7e073ee761e2a471900133949954c92
Link:
https://www.unpac.me/results/1499b567-0fd7-463f-8933-9d83882d5bf9/
SH256 hash:
6cd4591a793a0a7803f173947ccc74b4718e1c94b5f9ebd0e5d5dbb1b418568e
MD5 hash:
9111808d268b8de49c6ff668296a7ff0
SHA1 hash:
7ec0cfba8cd9544ce0157fe2ef0bcf690780a5bd
Link:
https://www.unpac.me/results/1499b567-0fd7-463f-8933-9d83882d5bf9/
SH256 hash:
8aea004c8bf76493d85054f56da30a4f0dbb21a7812ede3e5412941cc96c4a65
MD5 hash:
72693738d85ff9c4dd8a61ac29772fba
SHA1 hash:
6d1b0bc38f75e48d222ad7966670269a1951dd39
Link:
https://www.unpac.me/results/1499b567-0fd7-463f-8933-9d83882d5bf9/
SH256 hash:
8e1b71477c489cbc954c8d54d08284f759ab2cd1b65050128ecbda9ebe16904d
MD5 hash:
b477c0f043954b457d5f0f91327ec606
SHA1 hash:
0db8774ef3e2b8245504f66a35afcf987ebdaaba
Link:
https://www.unpac.me/results/1499b567-0fd7-463f-8933-9d83882d5bf9/
SH256 hash:
49265c6ec7486c9127ed1ce4f831057f3a50b0294c5341b8d56a62afffc01a18
MD5 hash:
4c91b4e85079882694887a18822deffd
SHA1 hash:
f03c32d451952f4f11eb0e80a760c6c86844c4c4
Link:
https://www.unpac.me/results/1499b567-0fd7-463f-8933-9d83882d5bf9/
Malware family:
SnakeKeylogger
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/49265c6ec748/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.65
Link:
https://yomi.yoroi.company/submissions/49265c6ec7486c9127ed1ce4f831057f3a50b0294c5341b8d56a62afffc01a18

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

SnakeKeylogger

Executable exe 49265c6ec7486c9127ed1ce4f831057f3a50b0294c5341b8d56a62afffc01a18

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/265666/

Comments