MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 4f796de093192ec7d9d5cc2e0dcf0e70a1e6ec99cbbaa71335b9a0fa1ffe75dd. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

SnakeKeylogger

Vendor detections: 14

Intelligence 14 IOCs YARA 2 File information Comments

SHA256 hash:	4f796de093192ec7d9d5cc2e0dcf0e70a1e6ec99cbbaa71335b9a0fa1ffe75dd
SHA3-384 hash:	d9e2db7eb8fd45f01c667a4e361d6026d16f5d320fc74541e54e7e716588f7d0a2fb49521234b5784d30cd28c5f53109
SHA1 hash:	02d4117f3d247782c62d62ce2e3abf781cf18af0
MD5 hash:	375bd23bd866ba51952f4146071fbe39
humanhash:	table-gee-winter-november
File name:	SWIFT gelen mesaj bildirim- dekont.exe
Download:	download sample
Signature	SnakeKeylogger Create hunting rule
File size:	945'152 bytes
First seen:	2022-04-12 11:43:52 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'658 x AgentTesla, 19'469 x Formbook, 12'208 x SnakeKeylogger)
ssdeep	12288:i5Wotjau4q42dZCTK54eH1+GgmXnKZpNxqhninlg2g6:ijaFqbdgKmeHgmXCpNQhi2h
Threatray	2'981 similar samples on MalwareBazaar
TLSH	T120153C91F590C896E96B06B3ECEB543012F3BE4D9465C20D6699B7162AB3353208FF1F
File icon (PE):
dhash icon	eeacac8cb6e2ba86 (561 x SnakeKeylogger, 142 x AgentTesla, 40 x Formbook)
Reporter	abuse_ch
Tags:	exe geo SnakeKeylogger TUR

Intelligence

File Origin

# of uploads :

# of downloads :

314

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

SWIFT gelen mesaj bildirim- dekont.exe

Verdict:

Malicious activity

Analysis date:

2022-04-13 04:52:33 UTC

Tags:

evasion trojan snake

Link:

https://app.any.run/tasks/53068d81-abeb-4108-9e76-e8ee83e348c6

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

Snake

Link:

https://www.capesandbox.com/analysis/262982/

Detection(s):

SecuriteInfo.com.Scr.Malcodegdn30.27163.18115.UNOFFICIAL

Result

Verdict:

Clean

Maliciousness:

Behaviour

Creating a window

Sending a custom TCP request

Verdict:

Suspicious

Threat level:

5/10

Confidence:

100%

Tags:

control.exe expand.exe obfuscated packed

Link:

https://www.filescan.io/uploads/62556607ffe27d5119b5087f/reports/08e89d84-2b78-42b2-8184-bc7aad76fb38/overview

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Snake Keylogger

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/3cb26e14-3201-4bfe-b37c-600c6dba4baf

Result

Threat name:

Snake Keylogger

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/975283

Signature

Found malware configuration

Injects a PE file into a foreign processes

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

May check the online IP address of the machine

Multi AV Scanner detection for submitted file

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to steal Mail credentials (via file / registry access)

Yara detected AntiVM3

Yara detected Snake Keylogger

Yara detected Telegram RAT

Behaviour

Behavior Graph:

Download SVG

Detection:

snakekeylogger

Link:

https://mwdb.cert.pl/sample/4f796de093192ec7d9d5cc2e0dcf0e70a1e6ec99cbbaa71335b9a0fa1ffe75dd/

Threat name:

ByteCode-MSIL.Trojan.AgentTesla

Status:

Malicious

First seen:

2022-04-12 07:19:32 UTC

File Type:

PE (.Net Exe)

Extracted files:

AV detection:

17 of 26 (65.38%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=j54w3yetdexmpwovzqxa3tyoocq6n3ezzo5koezvxgqpuh76oxoq._file

Verdict:

malicious

SnakeKeylogger

459ffd564cff546baed72dc2ba79fff156b533600495098f319eed8239d0bb21

SnakeKeylogger

4fcb2f07521077077f50ae8068724da515e6d5594cf7a8cabf193300fee5bf79

SnakeKeylogger

742526bc4de3287b0d55149acdc82c1578cbaae2c42066e40ac5812ed9fd3159

SnakeKeylogger

7529261b01e2f6d420aa0239c584a7d6c0022ea71ce562335d1384a03d529bbd

SnakeKeylogger

ae13fe36ae25d1c276ec9efaaa8599e186f9df2b2d742c7999b895fdf2d302d7

SnakeKeylogger

c15a83bff3c8bcc0e48254ea814726d372eaa0e11d83a7246f18690c93b3a7cc

SnakeKeylogger

f4a5cd70c20e32b8ed1e883e8f57d81a14b19468f711db3ccf7c1c5267b77ea7

SnakeKeylogger

+ 2'971 additional samples on MalwareBazaar

Result

Malware family:

snakekeylogger

Score:

10/10

Tags:

family:snakekeylogger collection keylogger spyware stealer

Link:

https://tria.ge/reports/220412-nv5tksbcap/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

outlook_office_path

outlook_win_path

Suspicious use of SetThreadContext

Accesses Microsoft Outlook profiles

Looks up external IP address via web service

Reads data files stored by FTP clients

Reads user/profile data of local email clients

Reads user/profile data of web browsers

Snake Keylogger

Snake Keylogger Payload

Malware Config

C2 Extraction:

https://api.telegram.org/bot5166529015:AAHmXMIWF4K9IarF05CZj5gCu_oVRj3zFHc/sendMessage?chat_id=5170122971

Unpacked files

SH256 hash:

c6d327f20503ba9c780ebad208343f519140f16bbaf7e8136e7751cb914fef6b

MD5 hash:

3c02d1852808f8e1febe3c2b0afbc9ff

SHA1 hash:

fd4524b9951acdcc1be22c1485f892d183414da7

Link:

https://www.unpac.me/results/b868b6f8-8b54-41a6-ba07-24fb4cc0aab4/

SH256 hash:

cace56b122b802296f38cba40430c949f03bf9015cf566c60efa475b76a63355

MD5 hash:

8b0993263cab897f832aa2f433d00b68

SHA1 hash:

ba4084d4e663eee708067d57d91f3f2b747da2aa

Link:

https://www.unpac.me/results/b868b6f8-8b54-41a6-ba07-24fb4cc0aab4/

SH256 hash:

b4364bba1d1c0f9cd4f07899b646ab90c1fcee31a985cea8377960da1692903a

MD5 hash:

42d633e43e81a4b3b1e7c3e61a2bbcb4

SHA1 hash:

9e459eedfcd7d56b3917372066a55279e35a60fc

Link:

https://www.unpac.me/results/b868b6f8-8b54-41a6-ba07-24fb4cc0aab4/

SH256 hash:

1173b79c93f4e7c140b1ca6473d49da9b000a54a30198b24749653d3dc63b49a

MD5 hash:

52bf0a7a5ad721b9fe4a96c22009c116

SHA1 hash:

512c2d095a3b698d687452c8e473d2cc345d61a7

Link:

https://www.unpac.me/results/b868b6f8-8b54-41a6-ba07-24fb4cc0aab4/

SH256 hash:

4f796de093192ec7d9d5cc2e0dcf0e70a1e6ec99cbbaa71335b9a0fa1ffe75dd

MD5 hash:

375bd23bd866ba51952f4146071fbe39

SHA1 hash:

02d4117f3d247782c62d62ce2e3abf781cf18af0

Link:

https://www.unpac.me/results/b868b6f8-8b54-41a6-ba07-24fb4cc0aab4/

Malware family:

SnakeKeylogger

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/4f796de09319/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Suspicious File

Score:

0.65

Link:

https://yomi.yoroi.company/submissions/4f796de093192ec7d9d5cc2e0dcf0e70a1e6ec99cbbaa71335b9a0fa1ffe75dd

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	pe_imphash Create hunting rule

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/262982/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample