MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 4a517e9b6f85668c242fb3c74f397839a428ce95aca4f95872ee73149cfc3c29. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


SnakeKeylogger


Vendor detections: 14


Intelligence 14 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 4a517e9b6f85668c242fb3c74f397839a428ce95aca4f95872ee73149cfc3c29
SHA3-384 hash: 7d651d7e8ed7c3e059857a1cc92be0527367c5567e8f89697568d7392875551777959085873ad1e4ae117c12a122767b
SHA1 hash: ad26f8771832664617273a7d223e471ca712455d
MD5 hash: 0a0680b4cfc25a0704d45984ae136724
humanhash: zebra-fix-low-missouri
File name:854F1E97-5DBB-4A87-A566-33D9012B05E2.pdf.exe
Download: download sample
Signature SnakeKeylogger
Create hunting rule
File size:591'872 bytes
First seen:2023-05-23 07:01:02 UTC
Last seen:2023-05-23 13:40:24 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'650 x AgentTesla, 19'462 x Formbook, 12'203 x SnakeKeylogger)
ssdeep 12288:U+nUsneWjQ/L7J3/WAGwKQ74j+hyDRouWUkzYaI9WMuLXTs:RNQXJPWAUaAuy6MaIUMub
Threatray 1'643 similar samples on MalwareBazaar
TLSH T135C4E06B1A5B8826C87207F99262E6F951317FE86527C32AEDE7BC33F5383435D01192
TrID 71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.2% (.EXE) Win64 Executable (generic) (10523/12/4)
6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.3% (.EXE) Win32 Executable (generic) (4505/5/1)
2.0% (.ICL) Windows Icons Library (generic) (2059/9)
File icon (PE):PE icon
dhash icon 68ec9acaabd0dcf0 (12 x Loki, 8 x AgentTesla, 4 x Formbook)
Reporter TeamDreier
Tags:exe SnakeKeylogger

Intelligence

File Origin
# of uploads :
4
# of downloads :
266
Origin country :
DK DK
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
854F1E97-5DBB-4A87-A566-33D9012B05E2.pdf.exe
Verdict:
Malicious activity
Analysis date:
2023-05-23 07:03:14 UTC
Tags:
snake keylogger trojan evasion
Link:
https://app.any.run/tasks/0e93cf43-3ff9-4b89-b973-0514ac84172e

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection(s):
SecuriteInfo.com.Win32.PWSX-gen.28858.17334.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Unauthorized injection to a recently created process
Creating a file
Сreating synchronization primitives
DNS request
Sending an HTTP GET request
Forced shutdown of a browser
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
comodo formbook packed remcos
Link:
https://www.filescan.io/uploads/646c64b2c6dde73a25391bd1/reports/dbeda05a-29a7-47fd-b3db-3f11101760c1/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_90%
Link:
https://www.hybrid-analysis.com/sample/4a517e9b6f85668c242fb3c74f397839a428ce95aca4f95872ee73149cfc3c29
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Snake Keylogger
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/51ad8518-a1cb-4bc4-8844-96668a506141
Result
Threat name:
Snake Keylogger
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1240557
Signature
Found malware configuration
Initial sample is a PE file and has a suspicious name
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
May check the online IP address of the machine
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Mail credentials (via file / registry access)
Uses an obfuscated file name to hide its real file extension (double extension)
Yara detected Generic Downloader
Yara detected Snake Keylogger
Yara detected Telegram RAT
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/4a517e9b6f85668c242fb3c74f397839a428ce95aca4f95872ee73149cfc3c29/
Threat name:
Win32.Trojan.Leonem
Create hunting rule
Status:
Malicious
First seen:
2023-05-23 03:24:35 UTC
File Type:
PE (.Net Exe)
Extracted files:
7
AV detection:
21 of 37 (56.76%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=jjix5g3pqvtiyjbpwpdu6olyhgscrtuvvsspswds5zzrjhh4hquq._file
Verdict:
malicious
Similar samples:
03c2c605e315b7589bd9f386579027ad31d4014d5dc3d48ca9a446a5e53a3afc
SnakeKeylogger
1a3b961a9b5d76e0028382423f14a35192cda3d3a6dee88fb812c90b1971bf2a
SnakeKeylogger
26969921baa34c10f19e16987def5c7c640214907867e51ebdd2fcfddc5b684b
SnakeKeylogger
3c18c84aa93b3407f0202f0320af9621ff318c3cdd55eca9fbe0f4d7a14e5196
SnakeKeylogger
6f438e6e004889f2f85032d8d44202f2854ee8cbb884ba1005d1fdaa5b7d8f7e
SnakeKeylogger
778412788bae3d5bfa6db0153e492c048640e65accf0fb507e4882d8c2a83817
SnakeKeylogger
80a3bcecad3c5b6fe13c41124af786341400fec9cec151490d7861a3fc83be75
SnakeKeylogger
be493996dade9c217151bd2f63fe9310d34ad997288d40de3fabdbdbf88cc450
SnakeKeylogger
ce5cd95b8fa530b0b8abf93e5e373a6ad04e56173a702a0ae8ff4751bea38adb
SnakeKeylogger
+ 1'633 additional samples on MalwareBazaar
Result
Malware family:
snakekeylogger
Create hunting rule
Score:
  10/10
Tags:
family:snakekeylogger collection keylogger spyware stealer
Link:
https://tria.ge/reports/230523-hs782afa8s/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Looks up external IP address via web service
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Snake Keylogger
Snake Keylogger payload
Malware Config
C2 Extraction:
https://api.telegram.org/bot5253212199:AAG-02qWN77aEjxlYTZ-WAZ7WOi_I4kCde8/sendMessage?chat_id=2128925974
Unpacked files
SH256 hash:
2b0e7bd686693a8640e1d5cd27ec7d24d835ae99319cc718933b71d96ba509bf
MD5 hash:
1b09cc9579fe61101341ccb4bcd0644a
SHA1 hash:
d3abd49b23007096d540ebf5d04878b257c3905b
Link:
https://www.unpac.me/results/5753c122-e96c-43cc-bb3d-36b84885cace/
SH256 hash:
cb5ee4cfd7179a57298c02ce4ccc9c2ca6b0b310758a7320340cf0a40ab62f88
MD5 hash:
0dd66dbaf510e93ec00b9eadf5ec34b6
SHA1 hash:
b7e1b7bbf2d58cc03beeb7095ae98e03426f39a7
Link:
https://www.unpac.me/results/5753c122-e96c-43cc-bb3d-36b84885cace/
SH256 hash:
16c255190eaaf1b60ec7d07abcac5f614ea197cee2416ca9d01bb563c526c87d
MD5 hash:
fb4ed205b442f470bbf10913128efdcb
SHA1 hash:
9a0a4c5ae429769e3253a9a3daefa24270b87a5b
Link:
https://www.unpac.me/results/5753c122-e96c-43cc-bb3d-36b84885cace/
Parent samples :
ee57b6fa1e5a3c5ef776b79f32820327bcb3fe1974eeddf65c0eb56131193397
de8c7c543f438af1e7e78096f6873268e9b1a12745edf9c88db07e136163399e
SH256 hash:
111d42a9ca0390c2da005690b74bb547c3be811e025ad02127706871ffd608be
MD5 hash:
393d6c4ee5dd62ecf2f0c487ccfba75c
SHA1 hash:
7573b43e8e51c4d671ee6f3851bd0cd98898ca95
Detections:
snake_keylogger
Create hunting rule
Link:
https://www.unpac.me/results/5753c122-e96c-43cc-bb3d-36b84885cace/
Parent samples :
061ee3375dc3333d8c4266e773535e516206935d4f7dbbc3f0319d253840213d
840841b31d3ffecc2d05b7860a327ec585c142e25067fdfee90f67993bb9cce8
27d87225d2c5b22a531d89640b5346d988177a8d46b41e7977430dd8e095b20e
fc9a557c699b548774bbff4390c60fe2c9779b12dae6ff89860590e44e52f35c
8fd22f3a7bd250cdc73b4b603c085906d19f8a55b0767465bccbf7c3a5df7e81
0bcf67c52f7b210cc7a7bb304e66d221f49363e7e9e75d21f7eeab8355669e2f
dfd9c8d686cd930eb4057a2066b45cfd81d614d00f1d04aca07df18c22b96dc5
b239f9dd0c75dd4d7fa96c4c16aa35e159dc1832f5e86b2178201d353ae40f42
e25b10c6982c5ec2ede4ea1b0b0355f2ad69ebe9c5a423042e6e9c5365644f32
76f5705ac3ded6e48d0fd4106aeee4ff29c928db64475405af07c49456c4a98c
8ec589783ee99df7f41c722cd5e082a377a24d8e0f26121ade720132e09a574e
0e642ba6a80400a3687939384dbbc0a993b5ad11dbc7bccd6a0b00f091878463
01a61878fb688719bbd35d4788d8443d850e878e087d6b4949b31753089cad40
ecadf3a82456432d82fb7e6ce72761aa85253bff9e17d6ae25566132620a280c
6bef1889e2124e776aad61e98ab354d9067b25fef573bd67563d691e01ff4169
bb7ae35b61a135ad6315c7bb85c66bf7346d1c1d031bdd1053fa7c82ebd2c1ca
a1f4604ea58dce5c513639a0929b6e130783a85873bec08ab0e5b061736dd086
c1aa3e19aaa042198af892f216f9f32bc506249c499ac2a31e71f012fce68f97
4f250e4c6d12fc351a9e0cfae8036b78a88c409e6c6c88a45aa6b659d8c4901e
307f012f74f209e4b8371400455ee296585a6d6a0d4c2195df2186ecaf0acd79
fb8564efb19ac7b2777934eeff430c908f3a3e4989ccffcfe0b82453ac222c8f
38a380b0ef5633beef842aabfa59f857cf9286a3e068987864d00b975d7e3253
f0f7717c93fa1fc099bb73da00989d8e75f24047779c1c54e74db9c21db6b3d8
1250f968f4c4db1b73b64223fcb95958b3c324afb330daf88d9379d2cdaeb2ce
be493996dade9c217151bd2f63fe9310d34ad997288d40de3fabdbdbf88cc450
4a517e9b6f85668c242fb3c74f397839a428ce95aca4f95872ee73149cfc3c29
31261a3dd67894580c9377da5cfd7f25e02cbded114c4c73ebd14941c911805a
ab08bdbb5cee3c7c6fe2d7de4c8b7c383316fe7e7dd467f6dfa81dfbe443680b
e82b399e5ef3f95bfaf96d675eb290b35980e7cb2d07aff724a5b67ad4d3cef1
SH256 hash:
15c7a78d94269384ae0dafcf5b83e1217b4931f44adcca646483e34e62b26740
MD5 hash:
6d4cdcb335d4bdad6e7b6c62116c3177
SHA1 hash:
6456752998a674f393e5b2ab8ca6ec023181a369
Link:
https://www.unpac.me/results/5753c122-e96c-43cc-bb3d-36b84885cace/
SH256 hash:
4a517e9b6f85668c242fb3c74f397839a428ce95aca4f95872ee73149cfc3c29
MD5 hash:
0a0680b4cfc25a0704d45984ae136724
SHA1 hash:
ad26f8771832664617273a7d223e471ca712455d
Link:
https://www.unpac.me/results/5753c122-e96c-43cc-bb3d-36b84885cace/
Malware family:
SnakeKeylogger
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/4a517e9b6f85/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.61
Link:
https://yomi.yoroi.company/submissions/4a517e9b6f85668c242fb3c74f397839a428ce95aca4f95872ee73149cfc3c29

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

SnakeKeylogger

Executable exe 4a517e9b6f85668c242fb3c74f397839a428ce95aca4f95872ee73149cfc3c29

(this sample)

  
Delivery method
Distributed via e-mail attachment

Comments