MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 4fd8043497a01b058aabf09d40deedfa6ca485796e1c1e62b1b404931ad83056. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


SnakeKeylogger


Vendor detections: 8


Intelligence 8 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 4fd8043497a01b058aabf09d40deedfa6ca485796e1c1e62b1b404931ad83056
SHA3-384 hash: 4d7e12664bbdfa55c6c687ea30229a060091ddfc2fe0424499ecb3df56d433c07d20e43c9c7cdccc2849b77a8591cea8
SHA1 hash: 379f40b8b615e66f522bc070c3c05c32149017b8
MD5 hash: 579187a77ea29e5ef96721ab74685759
humanhash: missouri-sierra-edward-early
File name:RfTQP.exe
Download: download sample
Signature SnakeKeylogger
Create hunting rule
File size:1'227'264 bytes
First seen:2021-03-26 13:40:35 UTC
Last seen:2021-03-26 15:44:37 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 12288:1LfYEz3OPO+fl6a8XUzb//z1PP2DuISufQxuk5AxEnVIDFbVKgrcl:ROP391XhPODfB0AxEVI
Threatray 432 similar samples on MalwareBazaar
TLSH 5E45F58631EDE196D016ADBCC85BD7F23792DCAB8742E74330ACF95A646779AC10340B
Reporter James_inthe_box
Tags:exe SnakeKeylogger

Intelligence

File Origin
# of uploads :
2
# of downloads :
123
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
egJmA7bLenJ1Rq6.exe
Verdict:
Malicious activity
Analysis date:
2021-03-26 11:49:09 UTC
Tags:
evasion trojan snakekeylogger keylogger
Link:
https://app.any.run/tasks/1729a7d2-2bb4-49d2-9b19-ed58ec908af4

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Snake
Create hunting rule
Link:
https://www.capesandbox.com/analysis/127020/
Detection(s):
SecuriteInfo.com.Trojan.PackedNET.598.21084.18647.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a UDP request
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/511736b9-ae2f-4473-8774-3f017c695f13
Result
Threat name:
Snake Keylogger
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/655007
Signature
Found malware configuration
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
May check the online IP address of the machine
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Scheduled temp file as task from temp location
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Mail credentials (via file access)
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected AntiVM3
Yara detected Beds Obfuscator
Yara detected Snake Keylogger
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/4fd8043497a01b058aabf09d40deedfa6ca485796e1c1e62b1b404931ad83056/
Threat name:
ByteCode-MSIL.Spyware.Noon
Create hunting rule
Status:
Malicious
First seen:
2021-03-26 12:25:44 UTC
File Type:
PE (.Net Exe)
Extracted files:
21
AV detection:
20 of 29 (68.97%)
Threat level:
  2/5
Verdict:
suspicious
Similar samples:
02b9bc3c8ac2cea4764860f49e6be78b8fad956c7bbf28d4260671bb5260568d
SnakeKeylogger
180624a2fc01585360e3cdb233e251a090aa58e3c85ed5cffd9c68a09d0572e1
SnakeKeylogger
2a828598f4c66e85305d93ce56bad4c27b7bd6a446eb9b9cec27d961b2591b95
SnakeKeylogger
767d213b2083d5ba0cfb4e4d281fcce7d2233345ec7932e2d89cf303fd51b10e
SnakeKeylogger
90f47fd06de01a77ccb2ab550f369454cd837bf5694707e96c636dfa0eec1b90
SnakeKeylogger
a0086dfee2dba4d6a0adab05e848cfbb9755f68be7adef3ff35ff9740e5a1c2e
SnakeKeylogger
a4e4dd60f923a5657aadacb3f50344cc8474c6551728fde0aad4d61418cdb738
SnakeKeylogger
b8e2713744ae4bf75f6f051a88fd7cd88aa5a9d0e5707932b44a5fb47dd73057
SnakeKeylogger
c79c207fbde525a5b0aee8317bb5d3734b18a24f664501b57abc6eca3b41c01d
SnakeKeylogger
eca13de65c0bea59c87ad6d8fd0d4d7083badd47dd919b5d407b77298ee36a85
SnakeKeylogger
+ 422 additional samples on MalwareBazaar
Result
Malware family:
snakekeylogger
Create hunting rule
Score:
  10/10
Tags:
family:snakekeylogger keylogger spyware stealer
Link:
https://tria.ge/reports/210326-rxh2syhvr2/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Looks up external IP address via web service
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Snake Keylogger
Snake Keylogger Payload
Unpacked files
SH256 hash:
c22b9993fd6abea236edcc1bf476bcd4a09015b4af09eedf660a43bf3d29a16f
MD5 hash:
1d1234ba19c430923b22f531bb19b369
SHA1 hash:
9868c1e97a3be16100a61b5ee1f7d2838b4782a8
Link:
https://www.unpac.me/results/f097c9ea-1e45-421b-a179-60c73c80d59e/
SH256 hash:
4fd8043497a01b058aabf09d40deedfa6ca485796e1c1e62b1b404931ad83056
MD5 hash:
579187a77ea29e5ef96721ab74685759
SHA1 hash:
379f40b8b615e66f522bc070c3c05c32149017b8
Link:
https://www.unpac.me/results/f097c9ea-1e45-421b-a179-60c73c80d59e/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/4fd8043497a01b058aabf09d40deedfa6ca485796e1c1e62b1b404931ad83056

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_EXE_Packed_ConfuserExMod_BedsProtector
Create hunting rule
Author:ditekSHen
Description:Detects executables packed with ConfuserEx Mod Beds Protector
Rule name:Keylog_bin_mem
Create hunting rule
Author:James_inthe_box
Description:Contains Keylog
Rule name:MALWARE_Win_SnakeKeylogger
Create hunting rule
Author:ditekSHen
Description:Detects Snake Keylogger

File information

The table below shows additional information about this malware sample such as delivery method and external references.

  
Delivery method
Other
Cape
Cape
https://www.capesandbox.com/analysis/127020/

Comments