MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 501269ffe86d4f73fcfcf9ea98e24d7b0abc0332e3d276cf6997670418377844. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


SnakeKeylogger


Vendor detections: 11


Intelligence 11 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 501269ffe86d4f73fcfcf9ea98e24d7b0abc0332e3d276cf6997670418377844
SHA3-384 hash: 8381c029454e93f3340f00cef2f312647308cca1abb720b658cead39498881553f7121415b923b44f23e5ead06fe978c
SHA1 hash: f41124a6277eec9f55e33a846b0c1f732fcbb0a0
MD5 hash: 6c459093eb8cae7b862948c4e52299b0
humanhash: july-hotel-avocado-missouri
File name:Confirmation.exe
Download: download sample
Signature SnakeKeylogger
Create hunting rule
File size:679'936 bytes
First seen:2022-07-19 15:31:22 UTC
Last seen:2022-07-19 16:53:43 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'748 x AgentTesla, 19'642 x Formbook, 12'245 x SnakeKeylogger)
ssdeep 12288:PNCWb2gb3IU3SveuEAj7lAPkHrXkAdfBPk60JJNopPNibaFlSNSf:PsO9Tu9F1HrXXfcJNopPMaQSf
Threatray 3'650 similar samples on MalwareBazaar
TLSH T12AE4121236F4D619E7AD07B6ECA998419272574536A0DB1E9FC0E3DE0EE0B464F12E33
TrID 64.2% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
11.5% (.SCR) Windows screen saver (13101/52/3)
9.2% (.EXE) Win64 Executable (generic) (10523/12/4)
5.7% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
3.9% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):PE icon
dhash icon 6403111c2e2a1568 (15 x SnakeKeylogger, 1 x NanoCore, 1 x Loki)
Reporter abuse_ch
Tags:exe SnakeKeylogger

Intelligence

File Origin
# of uploads :
2
# of downloads :
237
Origin country :
n/a
Vendor Threat Intelligence
Detection:
Snake
Create hunting rule
Link:
https://www.capesandbox.com/analysis/291911/
Detection(s):
SecuriteInfo.com.Trojan.Siggen18.25681.28024.12875.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Creating a window
Unauthorized injection to a recently created process
Creating a file
Сreating synchronization primitives
DNS request
Sending an HTTP GET request
Reading critical registry keys
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
packed
Link:
https://www.filescan.io/uploads/62d6ce907b83f958a9684518/reports/02df51fc-f3dd-4596-b32d-b2b7fa496daf/overview
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Snake Keylogger
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/35de10a9-b0c0-4f34-9daa-a9f5b144bdfd
Result
Threat name:
Snake Keylogger
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1036628
Signature
.NET source code references suspicious native API functions
Injects a PE file into a foreign processes
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
May check the online IP address of the machine
Snort IDS alert for network traffic
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Mail credentials (via file / registry access)
Yara detected AntiVM3
Yara detected Generic Downloader
Yara detected Snake Keylogger
Yara detected Telegram RAT
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/501269ffe86d4f73fcfcf9ea98e24d7b0abc0332e3d276cf6997670418377844/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2022-07-19 09:27:36 UTC
File Type:
PE (.Net Exe)
Extracted files:
62
AV detection:
22 of 39 (56.41%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=kajgt77invhxh7h47hvjrysnpmflyazs4pjhnt3js5tqigbxpbca._file
Verdict:
malicious
Similar samples:
1bbdd6534336280436213b88cf3075db3754a027cbf39351dd81f923ed0ed137
SnakeKeylogger
1bc45f2405cdf999cc944674cb3183b6157ded7f17789a5dab48e980d54a04ed
SnakeKeylogger
4a004bc715009f1b8cab65976c991acf031f43abf665bbe538353431efa8c8dd
SnakeKeylogger
4dbd5b601bf249b13219a11acf0231f865bff52a7403b0fc19b9fb4104ccec0f
SnakeKeylogger
61fd532d935797bfba83bba3ddce6087fe9568763b00fc2fba72bd33a3327994
SnakeKeylogger
6f0b53e03949038ea08eb5e798961c86237849fa4d403808fc43b4c783c032af
SnakeKeylogger
851ad49739c7389f0088dbd7a660eea0dbec7249ae1e79da567825175ad7bcd5
SnakeKeylogger
c5009f821e656237501821184d675c1da97cd3cf3e74117f4dd33053be1f6137
SnakeKeylogger
d1ff12a3a7ebc9bcc74ac516f100f3cd5ec13f8fd527159a5674d42f083ed3fe
SnakeKeylogger
+ 3'640 additional samples on MalwareBazaar
Result
Malware family:
snakekeylogger
Create hunting rule
Score:
  10/10
Tags:
family:snakekeylogger collection keylogger spyware stealer
Link:
https://tria.ge/reports/220719-sylmbsfhbj/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Looks up external IP address via web service
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Snake Keylogger
Snake Keylogger payload
Malware Config
C2 Extraction:
https://api.telegram.org/bot5438794068:AAGoE4bpAIHtaGy3WdbPtgtC0pMD4Rz1TZU/sendMessage?chat_id=5268739623
Unpacked files
SH256 hash:
39c2d879c57f07305ce60412dc8a88f02e51f1a14a06cc605768d1d7f5313807
MD5 hash:
db51fe170a9e5d6ec5429a2fbd9d0353
SHA1 hash:
e30a58125fc41322db6cf2ccb6a6d414ed379016
Link:
https://www.unpac.me/results/9d9323d4-949d-4adf-a4de-b916b77ccd3c/
SH256 hash:
7856a03c8c353b6d91d5aabc7553c81d57b98b46d2b6701b999f8a44e28d650f
MD5 hash:
2ec8f4d1032ba699fc541b556d824035
SHA1 hash:
ce23df7d6af5f961ed8171bd370cd3187314f854
Link:
https://www.unpac.me/results/9d9323d4-949d-4adf-a4de-b916b77ccd3c/
SH256 hash:
cca33e028af752b44a3ad612edd024251edd738396e6cbcb712636614d64a3dc
MD5 hash:
2a70684af365233857f364f594f8697b
SHA1 hash:
a4562950fe8828c3e542cdb79457b1853c47d6f1
Link:
https://www.unpac.me/results/9d9323d4-949d-4adf-a4de-b916b77ccd3c/
SH256 hash:
031fceb8f9808bf5da6b41bcadda432c64afc3af6ae1b84ad17af2e8c01d10fd
MD5 hash:
b65b9feddc05183895447f468929d78a
SHA1 hash:
3ab7f31c60158f6c24eb9a898ed3b5cd6ccc57ff
Link:
https://www.unpac.me/results/9d9323d4-949d-4adf-a4de-b916b77ccd3c/
Parent samples :
0d181712453ee8383b23234c5dc4441e28f8ac22281556b9c8f130348db5e065
cca2e9c4276c6241dd2b4f1365982b5b9efcf3ad72dcd0a68daf344496b06f06
2cd21a8a57898304d99a78d0a9308d7199450b828b50d2bd60cfe711541e7147
SH256 hash:
47e8e1fc64c7572b03f76bc5ab8d07d7f08393d4ddcbef88091a9a13e07e09a5
MD5 hash:
5b36572f68150c963167c5be07144672
SHA1 hash:
083f090184c022bb8c5a343e071bc45a89551e40
Link:
https://www.unpac.me/results/9d9323d4-949d-4adf-a4de-b916b77ccd3c/
SH256 hash:
501269ffe86d4f73fcfcf9ea98e24d7b0abc0332e3d276cf6997670418377844
MD5 hash:
6c459093eb8cae7b862948c4e52299b0
SHA1 hash:
f41124a6277eec9f55e33a846b0c1f732fcbb0a0
Link:
https://www.unpac.me/results/9d9323d4-949d-4adf-a4de-b916b77ccd3c/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.65
Link:
https://yomi.yoroi.company/submissions/501269ffe86d4f73fcfcf9ea98e24d7b0abc0332e3d276cf6997670418377844

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

SnakeKeylogger

Executable exe 501269ffe86d4f73fcfcf9ea98e24d7b0abc0332e3d276cf6997670418377844

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/291911/

Comments