MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 4d1b9e837d0fb87707b64e50328c39e99f6d8804ff52ec69fef842aa21d153eb. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

SnakeKeylogger

Vendor detections: 7

Intelligence 7 IOCs YARA 2 File information Comments

SHA256 hash:	4d1b9e837d0fb87707b64e50328c39e99f6d8804ff52ec69fef842aa21d153eb
SHA3-384 hash:	895027724df37732ab5e93c5fd8b0974fbbddf8958a90b436d52fc26c8b3465c1afada111e5de9fa6c0d4bd27b1f4c60
SHA1 hash:	7b2b94003321f36c3ee397bf51fab8e547de2254
MD5 hash:	681bd63e86b46e26138f9131399c4702
humanhash:	winner-september-green-oranges
File name:	Booking7850.exe
Download:	download sample
Signature	SnakeKeylogger Create hunting rule
File size:	194'048 bytes
First seen:	2022-06-10 01:56:51 UTC
Last seen:	2022-06-10 02:31:30 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'753 x AgentTesla, 19'659 x Formbook, 12'250 x SnakeKeylogger)
ssdeep	3072:tsSALppRZwFiyc594RWDZ7E0e4Oum0an:tsSg/isyc594RWDZZbOum0
Threatray	9 similar samples on MalwareBazaar
TLSH	T1ED14E902338881E9D42B077AA6CE4AB5E1294C173C75FC1F75353EA767B0AC845E6DAC
TrID	72.5% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13) 10.4% (.EXE) Win64 Executable (generic) (10523/12/4) 6.5% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 4.4% (.EXE) Win32 Executable (generic) (4505/5/1) 2.0% (.EXE) OS/2 Executable (generic) (2029/13)
File icon (PE):
dhash icon	e0f0f0d4f4f092cc (12 x AgentTesla, 3 x Formbook, 3 x SnakeKeylogger)
Reporter	GovCERT_CH
Tags:	exe SnakeKeylogger

Intelligence

File Origin

# of uploads :

# of downloads :

333

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

Booking7850.exe

Verdict:

No threats detected

Analysis date:

2022-06-10 01:59:18 UTC

Tags:

n/a

Link:

https://app.any.run/tasks/57f32741-443a-466e-a21c-c4c11e16b42b

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/278532/

Detection(s):

SecuriteInfo.com.TrojanDownloader.MSIL.NanoCore.A.MTB.10309.8527.UNOFFICIAL

Result

Verdict:

Clean

Maliciousness:

Behaviour

Searching for the window

Сreating synchronization primitives

DNS request

Sending an HTTP GET request

Searching for synchronization primitives

Launching the default Windows debugger (dwwin.exe)

Verdict:

Suspicious

Threat level:

5/10

Confidence:

100%

Tags:

packed

Link:

https://www.filescan.io/uploads/62a2a502c6d7350cc0109c02/reports/2402be98-bf51-4137-8f36-462f5c518eca/overview

Result

Verdict:

UNKNOWN

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Formbook

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/ba9943b8-e430-45c6-a015-bae1ab339268

Result

Threat name:

Unknown

Detection:

malicious

Classification:

evad

Score:

68 / 100

Link:

https://www.joesandbox.com/analysis/1010554

Signature

.NET source code contains potential unpacker

Antivirus detection for URL or domain

Multi AV Scanner detection for domain / URL

Multi AV Scanner detection for submitted file

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/4d1b9e837d0fb87707b64e50328c39e99f6d8804ff52ec69fef842aa21d153eb/

Threat name:

ByteCode-MSIL.Trojan.AgentTesla

Status:

Malicious

First seen:

2022-06-09 23:57:57 UTC

File Type:

PE (.Net Exe)

Extracted files:

AV detection:

19 of 26 (73.08%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=junz5a35b64hob5wjzidfdbz5gpw3cae75joy2p67bbkuiorkpvq._file

Verdict:

unknown

SnakeKeylogger

4f34ebc9996cf03118076beeb126c439e3dc355718ab85159ec3639a21ae638e

SnakeKeylogger

906b5747ba162e6a14126b4ca77bc5f6ba0bc3fec129ac8b94f0dc60685c95cc

SnakeKeylogger

ac09b75d9728cea73319605aee734b0b776e2d1677914f975674ce6674f3a5f3

SnakeKeylogger

b9ba3633e6ae613c553bb7311affb973b5d3c5f41de5a9e5f1b048cb2cda8a34

SnakeKeylogger

bab1afa3cdf4c5c73be8b2890a43ac43ed1b4f3d14d1726323dc1c38a572f335

SnakeKeylogger

d83599951f0fb9e7a4abd8208db2e5e09c29e7d6cc249bb02359a95811b8a0a7

SnakeKeylogger

eb33d7e8b2effd94721dde8b2169c27cec66a2d21832ab296d7c7d82ba0619e7

SnakeKeylogger

Result

Malware family:

snakekeylogger

Score:

10/10

Tags:

family:snakekeylogger collection keylogger persistence spyware stealer

Link:

https://tria.ge/reports/220610-cc88haecfk/

Behaviour

Delays execution with timeout.exe

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

outlook_office_path

outlook_win_path

Enumerates physical storage devices

Suspicious use of SetThreadContext

Accesses Microsoft Outlook profiles

Adds Run key to start application

Looks up external IP address via web service

Checks computer location settings

Reads data files stored by FTP clients

Reads user/profile data of local email clients

Reads user/profile data of web browsers

Snake Keylogger

Snake Keylogger Payload

Unpacked files

SH256 hash:

4d1b9e837d0fb87707b64e50328c39e99f6d8804ff52ec69fef842aa21d153eb

MD5 hash:

681bd63e86b46e26138f9131399c4702

SHA1 hash:

7b2b94003321f36c3ee397bf51fab8e547de2254

Link:

https://www.unpac.me/results/40ed5072-86f4-43f6-bb62-1fa892633cbf/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Suspicious File

Score:

0.35

Link:

https://yomi.yoroi.company/submissions/4d1b9e837d0fb87707b64e50328c39e99f6d8804ff52ec69fef842aa21d153eb

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	pe_imphash Create hunting rule

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

SnakeKeylogger

exe 4d1b9e837d0fb87707b64e50328c39e99f6d8804ff52ec69fef842aa21d153eb

(this sample)

Dropped by

snakekeylogger

Delivery method

Distributed via e-mail attachment

Cape

https://www.capesandbox.com/analysis/278532/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample