MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 4abb470a78c432cc2f4a2001eb2c5188b4c6f31fcc557fdace4e35222d976300. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

SnakeKeylogger

Vendor detections: 14

Intelligence 14 IOCs YARA 2 File information Comments

SHA256 hash:	4abb470a78c432cc2f4a2001eb2c5188b4c6f31fcc557fdace4e35222d976300
SHA3-384 hash:	7fc48ea1341173313ad91cc62432ee09efab988b5fa473e0ed832da77b0913c181b37042add978659f09e14d73a189a0
SHA1 hash:	dc590b0ecebcb8ed17ffa330729a4a66991337b9
MD5 hash:	7b62969003889358d4f80971a2750b1e
humanhash:	zebra-harry-ohio-foxtrot
File name:	vbc.exe
Download:	download sample
Signature	SnakeKeylogger Create hunting rule
File size:	1'199'104 bytes
First seen:	2022-10-11 13:02:43 UTC
Last seen:	2022-10-11 20:18:46 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'748 x AgentTesla, 19'643 x Formbook, 12'245 x SnakeKeylogger)
ssdeep	12288:w9AI9VRUsuAJTNRo0JGnScGNg4cAAh0nIsO13y6Ivxahw8a/AQSQy4ABRYcZbezc:81pX3JGShFcB0nkFzwAtQy4ABRBY
Threatray	2'801 similar samples on MalwareBazaar
TLSH	T1714505793A854906D8153135C4B3DDB326F66D146059C28B26C33F1FB9EE3BEBD0268A
TrID	72.5% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13) 10.4% (.EXE) Win64 Executable (generic) (10523/12/4) 6.5% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 4.4% (.EXE) Win32 Executable (generic) (4505/5/1) 2.0% (.EXE) OS/2 Executable (generic) (2029/13)
File icon (PE):
dhash icon	b270f0f0f8f07092 (19 x SnakeKeylogger, 4 x AgentTesla)
Reporter	James_inthe_box
Tags:	exe SnakeKeylogger

Intelligence

File Origin

# of uploads :

# of downloads :

237

Origin country :

n/a

Vendor Threat Intelligence

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/318953/

Detection(s):

SecuriteInfo.com.Trojan.GenericKD.62688407.6662.31551.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

Sending a custom TCP request

Launching a process

Creating a process with a hidden window

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Link:

https://www.filescan.io/uploads/6345698767135c9da246572f/reports/921a9fe5-7842-4cec-b561-8194ce10bfb6/overview

Result

Verdict:

SUSPICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Snake Keylogger

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/b4ab5049-d6be-41e5-9afb-6b222cf9ca3a

Result

Threat name:

Snake Keylogger

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1087999

Signature

.NET source code contains potential unpacker

.NET source code contains very large array initializations

.NET source code references suspicious native API functions

Adds a directory exclusion to Windows Defender

Injects a PE file into a foreign processes

Machine Learning detection for dropped file

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

May check the online IP address of the machine

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Sigma detected: Scheduled temp file as task from temp location

Snort IDS alert for network traffic

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to steal Mail credentials (via file / registry access)

Uses schtasks.exe or at.exe to add and modify task schedules

Yara detected AntiVM3

Yara detected Generic Downloader

Yara detected Snake Keylogger

Yara detected Telegram RAT

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/4abb470a78c432cc2f4a2001eb2c5188b4c6f31fcc557fdace4e35222d976300/

Threat name:

ByteCode-MSIL.Trojan.AgentTesla

Status:

Malicious

First seen:

2022-10-11 12:14:04 UTC

File Type:

PE (.Net Exe)

Extracted files:

AV detection:

20 of 26 (76.92%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=jk5uoctyyqzmyl2keaa6wlcrrc2mn4y7zrkx7wwojy2selmxmmaa._file

Verdict:

malicious

SnakeKeylogger

5f35ca42912431ff5592f1a2913e4136a888fc9c04f1655a2c52998a5d2161ac

SnakeKeylogger

93e390a0b385cbe75e53b89b22f597e9cbb339c33fccebba1a7c1d3a05b48cf9

SnakeKeylogger

afae56ccb5ceb87d28c33dcf87270f668300cc79f42756759844f664f67b933e

SnakeKeylogger

d40f32f81438c0c6bad28f8b8b08ebb452871640a691cb879ea1a4220b452017

SnakeKeylogger

+ 2'791 additional samples on MalwareBazaar

Result

Malware family:

snakekeylogger

Score:

10/10

Tags:

family:snakekeylogger collection keylogger spyware stealer

Link:

https://tria.ge/reports/221011-qaccmsfcdq/

Behaviour

Creates scheduled task(s)

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

outlook_office_path

outlook_win_path

Enumerates physical storage devices

Program crash

Suspicious use of SetThreadContext

Accesses Microsoft Outlook profiles

Looks up external IP address via web service

Checks computer location settings

Reads data files stored by FTP clients

Reads user/profile data of local email clients

Reads user/profile data of web browsers

Uses the VBS compiler for execution

Snake Keylogger

Snake Keylogger payload

Verdict:

Suspicious

Tags:

n/a

YARA:

n/a

Link:

https://app.threat.zone/submission/d61b2a51-7ba3-4b72-9628-00afde0451d4

Unpacked files

SH256 hash:

af7ac1171b44c9a949ad80bfaf05095048d0b74cfb527f66479e22f47d340110

MD5 hash:

f696dc0e00cb8f70799ac3fcaa5f9f6a

SHA1 hash:

cde2283de5b89639ea52f6388feef8f77efc63ce

Link:

https://www.unpac.me/results/ba495433-3bc3-4692-973e-5a468de07d16/

SH256 hash:

4b58e1aa180ce8b2db9d9c4c0554e65c2c08bda4a8ba4533c0a1a155ad4c8906

MD5 hash:

4268190ba918526ebdc005481649c4e8

SHA1 hash:

8cdd45420dcb6435f1e72a084bf02fc74ac3deab

Detections:

snake_keylogger

Link:

https://www.unpac.me/results/ba495433-3bc3-4692-973e-5a468de07d16/

Parent samples :

9ffd3e503dba0ae38fb340be6ae9ca2d091e9de4b34e52a4ba939085c6ebeb92
976fc03514a14ae7aad8298ef82b1ae3805c1707bf9c3b7d4afcb53883b4c081
3b7b4ef071bf7db6cdf5be21c0ab645e03ad70277b101785534ef8da35b354ca
b1e886e95c76a7a0dccc3d15bc383bc4e87ec8b8d37e83d77c12b139d57e6d9f
c4297dbff68f1694d7290ff7956c5a1304d257b451539a5f72cc6b7e0e6e3dbb
4a0533ec0be699006a52b5bf38bd9e3398344d418539d55643abf915ebc478c1
50839e417be89600af4b8f90a4b464c41956339f9ea396f4bedd3fcd1204d73e
e037deaf181b7ce9682cf00c9b09bf69a6858d5c1ba4fc8868ae43ba354b709c
339e52d55e2c529203ebba9d668b1a696bae78622bdc316f14b303e3d3e92fb7
4abb470a78c432cc2f4a2001eb2c5188b4c6f31fcc557fdace4e35222d976300
ce870c665a8c373e39c5c25faf13c0ad8686c0f18008f901e42f49a983127fbc
ddd63a48a7d4180b5cce88d85c3ed1b6aa0b6ad0e2cf91c155b4b21680845440
419e48dee3df38fa9c9f7a6e2f412d5b4d6e900d52f4a9b3547810b4d6f7b6c9

SH256 hash:

869f17a4516c236831a5239284ad03c134c9717a09a5f48f86e12ac063222df9

MD5 hash:

63c4e70d1996a578b07ddbd223405587

SHA1 hash:

51812e6c100eebb1ecc59d5f880986acaf670756

Link:

https://www.unpac.me/results/ba495433-3bc3-4692-973e-5a468de07d16/

SH256 hash:

66345fde3b67f2197f3be83f1c742284007a29fcb66d26c99e01a7bef8696618

MD5 hash:

a124ccf0ecb435b1af6cd3f15978a0b3

SHA1 hash:

133e25f4b893d118641bf8433c64881cf26e8db7

Link:

https://www.unpac.me/results/ba495433-3bc3-4692-973e-5a468de07d16/

SH256 hash:

edadc813f4440ada276da601d8f31780e5e138b8ee392e3f49a509322a1fb51e

MD5 hash:

574597554c69083c1af2b742a97a92b6

SHA1 hash:

043eea660b8650c5a0042f842fd8db3516d37a2c

Link:

https://www.unpac.me/results/ba495433-3bc3-4692-973e-5a468de07d16/

SH256 hash:

4abb470a78c432cc2f4a2001eb2c5188b4c6f31fcc557fdace4e35222d976300

MD5 hash:

7b62969003889358d4f80971a2750b1e

SHA1 hash:

dc590b0ecebcb8ed17ffa330729a4a66991337b9

Link:

https://www.unpac.me/results/ba495433-3bc3-4692-973e-5a468de07d16/

Malware family:

SnakeKeylogger

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/4abb470a78c4/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/4abb470a78c432cc2f4a2001eb2c5188b4c6f31fcc557fdace4e35222d976300

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	pe_imphash Create hunting rule

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method

Other

URLhaus

https://urlhaus.abuse.ch/url/2359953/

Cape

https://www.capesandbox.com/analysis/318953/

URLhaus

https://urlhaus.abuse.ch/url/2360286/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample