MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 49724ca3085da5a272e1d71db0fa8568fba58e7c2afb279ec038dbbaee65953f. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

SnakeKeylogger

Vendor detections: 15

Intelligence 15 IOCs YARA 2 File information Comments

SHA256 hash:	49724ca3085da5a272e1d71db0fa8568fba58e7c2afb279ec038dbbaee65953f
SHA3-384 hash:	c72e82d5c251ca752a9c5bfbd5e29d429e7a790b67c23513cc55acc29f7f87cac2c1b1c6168637a9f2dac3f63e338e80
SHA1 hash:	809f6e875fb69da2f4b322099ecae20ae7a8fca9
MD5 hash:	0b8564dfcd8149f7c5e38efba3e3d8ae
humanhash:	massachusetts-zebra-shade-red
File name:	7elmqWHBcmfCfOP.exe
Download:	download sample
Signature	SnakeKeylogger Create hunting rule
File size:	721'408 bytes
First seen:	2023-03-15 15:15:55 UTC
Last seen:	2023-03-15 16:56:22 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'740 x AgentTesla, 19'600 x Formbook, 12'241 x SnakeKeylogger)
ssdeep	12288:MCt3mcDQ7Rp51yKxYWE6TuQuKZwAPOZ3bXp3RLPJGRTw:MCt3HkF7weY9cuQulAPOlTvjJT
Threatray	80 similar samples on MalwareBazaar
TLSH	T1B8E4020CB2691629C62F777F82A12648C335EE29CB21E76E1DC964731DF2FC9DA41C46
TrID	71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13) 10.2% (.EXE) Win64 Executable (generic) (10523/12/4) 6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 4.3% (.EXE) Win32 Executable (generic) (4505/5/1) 2.0% (.ICL) Windows Icons Library (generic) (2059/9)
Reporter	abuse_ch
Tags:	exe SnakeKeylogger

Intelligence

File Origin

# of uploads :

# of downloads :

209

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

7elmqWHBcmfCfOP.exe

Verdict:

Malicious activity

Analysis date:

2023-03-15 15:19:09 UTC

Tags:

snake keylogger trojan evasion

Link:

https://app.any.run/tasks/d29440b4-7d30-4524-9d46-8a86f4dbc7c9

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

Snake

Link:

https://www.capesandbox.com/analysis/374568/

Detection(s):

SecuriteInfo.com.Trojan.PackedNET.1889.11721.28968.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

Creating a file in the %AppData% directory

Enabling the 'hidden' option for recently created files

Adding an access-denied ACE

Сreating synchronization primitives

Creating a process from a recently created file

Creating a process with a hidden window

Creating a file in the %temp% directory

Launching a process

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

packed

Link:

https://www.filescan.io/uploads/6411e13b589154fc977db63e/reports/3a46ec70-cb27-4f8a-9897-f0c9668bbf61/overview

Verdict:

Malicious

Labled as:

Win/malicious_confidence_100%

Link:

https://www.hybrid-analysis.com/sample/49724ca3085da5a272e1d71db0fa8568fba58e7c2afb279ec038dbbaee65953f

Result

Verdict:

UNKNOWN

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Generic Malware

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/ce095079-21cb-479f-8496-3c9071bb57e8

Result

Threat name:

Snake Keylogger

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1194266

Signature

Adds a directory exclusion to Windows Defender

Allocates memory in foreign processes

Injects a PE file into a foreign processes

Machine Learning detection for dropped file

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

May check the online IP address of the machine

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Sigma detected: Scheduled temp file as task from temp location

Snort IDS alert for network traffic

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to steal Mail credentials (via file / registry access)

Uses schtasks.exe or at.exe to add and modify task schedules

Writes to foreign memory regions

Yara detected Generic Downloader

Yara detected Snake Keylogger

Yara detected Telegram RAT

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/49724ca3085da5a272e1d71db0fa8568fba58e7c2afb279ec038dbbaee65953f/

Threat name:

Win32.Trojan.Leonem

Status:

Malicious

First seen:

2023-03-15 09:08:47 UTC

File Type:

PE (.Net Exe)

Extracted files:

AV detection:

20 of 39 (51.28%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=jfzeziyilws2e4xb24o3b6ufnd52ldt4fl5sphwahdn3v3tfsu7q._file

Verdict:

malicious

SnakeKeylogger

30ec05225f4cfdcfbfcc89d37aed7b5df5cd331107181854b5bbc898b54c3258

SnakeKeylogger

3468917c0bfb8bb5c07753482c3c69ff14f8a3d71aa4852478e68753654248d0

SnakeKeylogger

5d2841d221d5f4b73591f9972ece12a9382fb40146caa6e8691eba12ae138049

SnakeKeylogger

9cd7ca54fc2b418d2f82093ed798cdd02478830c5b3fb956e59dd2d325e55682

SnakeKeylogger

bd3704c36cc99d990c773ae12328f7938e7a5bf230e18501f2f8b869532b28d5

SnakeKeylogger

c7ea53e57251629a3485c588848a8f99362035170807b2aa95355be6fb8055f4

SnakeKeylogger

d17485bb71ac721677f1736c9bf1e5e7971d086e9abec4b74f5935a750160f1f

SnakeKeylogger

d6ddfb183079fd5ea960c75022874f71bd25f9586c748ab9cec41e39e437e725

SnakeKeylogger

d7573c48df121d2209f33f38cbbe52b37ca66f60584bf3161a1c2df4c9e0a404

SnakeKeylogger

+ 70 additional samples on MalwareBazaar

Result

Malware family:

snakekeylogger

Score:

10/10

Tags:

family:snakekeylogger collection keylogger stealer

Link:

https://tria.ge/reports/230315-snf9vsga4w/

Behaviour

Creates scheduled task(s)

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

outlook_office_path

outlook_win_path

Enumerates physical storage devices

Suspicious use of SetThreadContext

Accesses Microsoft Outlook profiles

Looks up external IP address via web service

Checks computer location settings

Snake Keylogger

Snake Keylogger payload

Malware Config

C2 Extraction:

https://api.telegram.org/bot6094595254:AAHm5DV1HkFQ1Wlz87nCZ7yt4M_2BynwYWw/sendMessage?chat_id=5582419717

Unpacked files

SH256 hash:

7bed8f50a422573a64642fbe86276c031593041f8318ce4733305e68d59fd836

MD5 hash:

db6420be29f5cdd1638fbbfcf7d04a71

SHA1 hash:

feaec3a9aba5c6924c736b97337fa21bb5dc7313

Link:

https://www.unpac.me/results/ffca108f-d0a9-4d37-9fc7-a76b9db3ef1a/

SH256 hash:

8b65ae9c53a9730545936c945af22ddbf7b83e9c6485e97b24490299264e97eb

MD5 hash:

c5207503e649e4e2f5e09d58a65a55a5

SHA1 hash:

c7e96192166289b1efbc2fd6ffb4ae877085aae2

Detections:

snake_keylogger

Link:

https://www.unpac.me/results/ffca108f-d0a9-4d37-9fc7-a76b9db3ef1a/

Parent samples :

33351fc9d35b21e9cba9a840886ad40fe046c4f23010850f2f14b5cd89cc440a
49724ca3085da5a272e1d71db0fa8568fba58e7c2afb279ec038dbbaee65953f
3fd2b3c66c8673586d4573c3cd434c65be4e4eae0fad1ee19989ad6e94408109
0ed333ca8332a025c80a3824fee4a5e66ad39e1a66c9a8f9fbf18ce9d9c49b1f
89f3250563d9548740f1682f4f79b7b515e8af4e09a63a868ea53cf59cb90f1a
2cf6b9480c8c7a3e9ecfda6a28bac4f48f019d35f75d89847c8ef866aef2cc98
3f532c71983108b99522f1a36b7f02c8b026181bc90acd813a7d4b506969873b

SH256 hash:

d06df7395d561e198f9b7c5481567116ff2e4c2e84437c018d2a2c8ea6c4ca37

MD5 hash:

0fb6061f7d37424fb9e6d0e76b019c19

SHA1 hash:

98a64bf7b459f032d6ec5793003bf61b5ae1dd74

Link:

https://www.unpac.me/results/ffca108f-d0a9-4d37-9fc7-a76b9db3ef1a/

Parent samples :

495607b1aef01bf7dfb64b5cb16a8fc0f161c2923627d71c69de97328f8eca3f
2434aa78b46a3afc98fa6e888c3eb56278ba52b0ff800e7e875af9c2e7f9011a

SH256 hash:

033a17ef4ab663277d313e5998eab7d006f39a6e107fe2acc0edefcaf63491ca

MD5 hash:

09434bdcf29935dbcdfffb9067086f3c

SHA1 hash:

2df6f747f27ac57b0d6958468e202b3d668e7fd1

Link:

https://www.unpac.me/results/ffca108f-d0a9-4d37-9fc7-a76b9db3ef1a/

SH256 hash:

7db31a9e5ecbe405d69376d913ce38c983da766dc514cfaf23a9e663bfdcbf1c

MD5 hash:

61f90460e7596c39f3b891e4abb0ffc6

SHA1 hash:

0c7834c2b1de478b9c4082bef783bfb6f770cb02

Link:

https://www.unpac.me/results/ffca108f-d0a9-4d37-9fc7-a76b9db3ef1a/

SH256 hash:

49724ca3085da5a272e1d71db0fa8568fba58e7c2afb279ec038dbbaee65953f

MD5 hash:

0b8564dfcd8149f7c5e38efba3e3d8ae

SHA1 hash:

809f6e875fb69da2f4b322099ecae20ae7a8fca9

Link:

https://www.unpac.me/results/ffca108f-d0a9-4d37-9fc7-a76b9db3ef1a/

Malware family:

SnakeKeylogger

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/49724ca3085d/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

0.90

Link:

https://yomi.yoroi.company/submissions/49724ca3085da5a272e1d71db0fa8568fba58e7c2afb279ec038dbbaee65953f

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	pe_imphash Create hunting rule

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/374568/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample