MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 49891e3580a13926e92ef8c033faca0d1c404cad4755873c39fd7d887c3b1e78. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

SnakeKeylogger

Vendor detections: 13

Intelligence 13 IOCs YARA 2 File information Comments

SHA256 hash:	49891e3580a13926e92ef8c033faca0d1c404cad4755873c39fd7d887c3b1e78
SHA3-384 hash:	41c0377967c4877101d88576bea3d6200dac9bafea727e613be431edb062f671e0a44abe598623b038c5dfb04579adcf
SHA1 hash:	1876c64fc4abd6e7899f001a25d5dc6d0d247331
MD5 hash:	44a1ac8fd06283098665510e368d8506
humanhash:	stream-washington-berlin-bacon
File name:	Purchase order of PO CTL-BEC21-004.exe
Download:	download sample
Signature	SnakeKeylogger Create hunting rule
File size:	1'359'872 bytes
First seen:	2022-03-29 06:41:01 UTC
Last seen:	2022-03-29 08:16:51 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep	24576:r1R5p2cKmJXXaa5IzZNKJ/Sf14mbcYqlWZ08nxTzzdyJNGR/WwbdO9IC:1pDKaXFalwdSf1nRqQ1RXMDGR/hA
Threatray	3'918 similar samples on MalwareBazaar
TLSH	T13C556B99365071DEC867C972CDA81CECAA207C665F1FC2076053329E9A3DA97CF146B3
Reporter	abuse_ch
Tags:	exe SnakeKeylogger

Intelligence

File Origin

# of uploads :

# of downloads :

209

Origin country :

n/a

Vendor Threat Intelligence

Detection:

Snake

Link:

https://www.capesandbox.com/analysis/258945/

Detection(s):

SecuriteInfo.com.Artemis44A1AC8FD062.26768.18390.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Searching for the window

Creating a window

Unauthorized injection to a recently created process

Creating a file

Сreating synchronization primitives

DNS request

Sending an HTTP GET request

Sending a custom TCP request

Reading critical registry keys

Forced shutdown of a browser

Verdict:

Suspicious

Threat level:

5/10

Confidence:

100%

Tags:

obfuscated packed

Link:

https://www.filescan.io/uploads/6242aa0c1f2042394848a32d/reports/218a5cbb-141d-47c2-b737-2ca9a290e676/overview

Result

Verdict:

UNKNOWN

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Snake Keylogger

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/c3dcdf84-b10e-4c52-b98b-564f7386efb7

Result

Threat name:

Snake Keylogger

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/966488

Signature

.NET source code references suspicious native API functions

Found malware configuration

Initial sample is a PE file and has a suspicious name

Injects a PE file into a foreign processes

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

May check the online IP address of the machine

Multi AV Scanner detection for submitted file

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to steal Mail credentials (via file / registry access)

Yara detected AntiVM3

Yara detected Snake Keylogger

Yara detected Telegram RAT

Behaviour

Behavior Graph:

Download SVG

Detection:

snakekeylogger

Link:

https://mwdb.cert.pl/sample/49891e3580a13926e92ef8c033faca0d1c404cad4755873c39fd7d887c3b1e78/

Threat name:

ByteCode-MSIL.Trojan.AgentTesla

Status:

Malicious

First seen:

2022-03-29 06:42:12 UTC

File Type:

PE (.Net Exe)

Extracted files:

AV detection:

20 of 26 (76.92%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=jger4nmaue4sn2jo7dadh6wkbuoeatfni5kyopbz7v6yq7b3dz4a._file

Verdict:

malicious

SnakeKeylogger

5ec6a0d19a4333966e28f063d24376c1e071ee0d4580e85153fd354ac239c8ab

SnakeKeylogger

600eb17d1143aa3c5c9236dcb5e17296cea89e4174ea6740b1feaf257664125f

SnakeKeylogger

742526bc4de3287b0d55149acdc82c1578cbaae2c42066e40ac5812ed9fd3159

SnakeKeylogger

ae13fe36ae25d1c276ec9efaaa8599e186f9df2b2d742c7999b895fdf2d302d7

SnakeKeylogger

d4a20f51f9ebaefc643c1760134a742bc8669945b33f62572644022cc3df5b70

SnakeKeylogger

f4a5cd70c20e32b8ed1e883e8f57d81a14b19468f711db3ccf7c1c5267b77ea7

SnakeKeylogger

f564847c393506ca4a129e84f1cf88b1e53ea9fbd58f4e24418add48a1e1b0fc

SnakeKeylogger

+ 3'908 additional samples on MalwareBazaar

Result

Malware family:

snakekeylogger

Score:

10/10

Tags:

family:snakekeylogger collection keylogger spyware stealer

Link:

https://tria.ge/reports/220329-hftj4sgchn/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

outlook_office_path

outlook_win_path

Program crash

Suspicious use of SetThreadContext

Accesses Microsoft Outlook profiles

Looks up external IP address via web service

Reads data files stored by FTP clients

Reads user/profile data of local email clients

Reads user/profile data of web browsers

Snake Keylogger

Snake Keylogger Payload

Unpacked files

SH256 hash:

ee66f5421f996441dd0d18dc9aa5932050e76a8af48f3f162da0884743984d0c

MD5 hash:

93509e1cf51faa55c635d2cb8b225eaf

SHA1 hash:

f6b5f24a7adee61d715060f60db2a3a302199b74

Link:

https://www.unpac.me/results/6a6b3a54-f247-4811-94b2-b4e1d620ab06/

SH256 hash:

97aceb1819ed845f8caf67efadfb060e24a396687f9b8597bd67bde3c6435cd8

MD5 hash:

9dd7427f1cce8ae59e058eb3266b4e7e

SHA1 hash:

891c2e4c565a818278d1b2cfc84d00a1279d24de

Link:

https://www.unpac.me/results/6a6b3a54-f247-4811-94b2-b4e1d620ab06/

SH256 hash:

613b2819d35360cbfe6c94b2b998d1a4998c89f5bdef505e0e158e1288ab684c

MD5 hash:

3096cbaf4b5d40f9c61bf7ce13fde62f

SHA1 hash:

6b3c580e51fd306bfdc2e727ca3bc7805aba4b53

Link:

https://www.unpac.me/results/6a6b3a54-f247-4811-94b2-b4e1d620ab06/

SH256 hash:

a5fb3c9523a6327f7f12b97f5337e392391f352274c5b922f2ff6f32ad614434

MD5 hash:

9e9470003efe159468743da98fb3d971

SHA1 hash:

34874dddd0d5c73566aee4d6410c3f04e1682fde

Link:

https://www.unpac.me/results/6a6b3a54-f247-4811-94b2-b4e1d620ab06/

SH256 hash:

49891e3580a13926e92ef8c033faca0d1c404cad4755873c39fd7d887c3b1e78

MD5 hash:

44a1ac8fd06283098665510e368d8506

SHA1 hash:

1876c64fc4abd6e7899f001a25d5dc6d0d247331

Link:

https://www.unpac.me/results/6a6b3a54-f247-4811-94b2-b4e1d620ab06/

Malware family:

Phoenix

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/49891e3580a1/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Suspicious File

Score:

0.65

Link:

https://yomi.yoroi.company/submissions/49891e3580a13926e92ef8c033faca0d1c404cad4755873c39fd7d887c3b1e78

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	pe_imphash Create hunting rule

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/258945/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample