MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 502b905bce618c7f4dbb77883d212958535d89e6343444eb9dbaaf4c9e1cdd89. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

SnakeKeylogger

Vendor detections: 14

Intelligence 14 IOCs YARA 11 File information Comments

SHA256 hash:	502b905bce618c7f4dbb77883d212958535d89e6343444eb9dbaaf4c9e1cdd89
SHA3-384 hash:	783758029a2a1d11e9747c149942db5e86749e1cb531f4b8277297ce47124ecb2367bb3443b7e4f44b7385fcd6f0eb31
SHA1 hash:	d04013dc8cd9fab3dd0c63877d7803a869a26204
MD5 hash:	ff5a0e236b67ae058f6649c2d968c988
humanhash:	vermont-indigo-solar-batman
File name:	ff5a0e236b67ae058f6649c2d968c988.exe
Download:	download sample
Signature	SnakeKeylogger Create hunting rule
File size:	411'648 bytes
First seen:	2021-10-16 14:12:00 UTC
Last seen:	2021-10-16 15:20:27 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'743 x AgentTesla, 19'608 x Formbook, 12'242 x SnakeKeylogger)
ssdeep	12288:DpPoneGijQp8dXl4N6/WVuXsqf9FPBiB8IN+d5RNOa:lo3uYekuX1fjPBiB
Threatray	1'422 similar samples on MalwareBazaar
TLSH	T10894CF9C765075EFC867C97A9AA82C24EA20747B430FD243A45311EDEE4DA9BCF150F2
Reporter	abuse_ch
Tags:	exe SnakeKeylogger

Intelligence

File Origin

# of uploads :

# of downloads :

464

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

ff5a0e236b67ae058f6649c2d968c988.exe

Verdict:

Malicious activity

Analysis date:

2021-10-16 14:13:59 UTC

Tags:

evasion trojan snakekeylogger keylogger

Link:

https://app.any.run/tasks/abcfcc38-848a-48d2-80fb-c2931b8ba255

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

Snake

Link:

https://www.capesandbox.com/analysis/197875/

Detection(s):

SecuriteInfo.com.CAP_HookExKeylogger.30960.25499.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

Launching a process

Creating a file in the %temp% directory

Delayed writing of the file

Verdict:

Likely Malicious

Threat level:

7.5/10

Confidence:

67%

Tags:

keylogger obfuscated packed

Link:

https://www.filescan.io/uploads/616addb7db358dd15ebd2c56/reports/5f66dd7e-c79f-4ca2-8822-0604ee6d3fef/overview

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Snake Keylogger

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/446128a0-6caa-4c49-ae74-b82bfdcbe727

Result

Threat name:

Snake Keylogger

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/871622

Signature

.NET source code references suspicious native API functions

Adds a directory exclusion to Windows Defender

Detected unpacking (changes PE section rights)

Detected unpacking (overwrites its own PE header)

Found malware configuration

Injects a PE file into a foreign processes

Machine Learning detection for dropped file

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

May check the online IP address of the machine

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Sigma detected: Bad Opsec Defaults Sacrificial Processes With Improper Arguments

Sigma detected: Powershell Defender Exclusion

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to steal Mail credentials (via file access)

Uses schtasks.exe or at.exe to add and modify task schedules

Writes to foreign memory regions

Yara detected AntiVM3

Yara detected Snake Keylogger

Yara detected Telegram RAT

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/502b905bce618c7f4dbb77883d212958535d89e6343444eb9dbaaf4c9e1cdd89/

Threat name:

ByteCode-MSIL.Trojan.AgentTesla

Status:

Malicious

First seen:

2021-10-16 14:12:08 UTC

AV detection:

18 of 28 (64.29%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=kavzaw6omggh6tn3o6ed2ijjlbjv3cpggq2ej245xkxuzhq43weq._file

Verdict:

malicious

SnakeKeylogger

3266a0669caa4babe913c1f33f30a5ec22e99345173cdc9527ea93aa8f3673eb

SnakeKeylogger

4151897619823917cf3420046de0a8d3c0da19995acbcb134cc784250945d53a

SnakeKeylogger

51d5a88a4ba4a668db92c2aabfae2e394bff27bd40f9693615dda48eab999d47

SnakeKeylogger

54312ea9106139b43ff7ab38cdee369e00aa1b5d6433971e167716e9a55ee4b8

SnakeKeylogger

58f7a66ca4791061e9dda68df178fcb40d75da724838ff0b096a64cbc417789d

SnakeKeylogger

66086168bb7bb777fc09db800e258e14a6da543e676fb0202737a73e9aec4539

SnakeKeylogger

9fb57f10806d3f0f9d89e0b74ee8ffe7fbdb93f642619d30aac24603a27d1479

SnakeKeylogger

d44a2ec092a66bec26dabf98269fab0009b8309966e7a78fb0263b8c086d0c29

SnakeKeylogger

f8f07bd1186be13a4fd113537b6d361b5279b1d25f7adbf874e5c6ced9c3f91a

SnakeKeylogger

+ 1'412 additional samples on MalwareBazaar

Result

Malware family:

snakekeylogger

Score:

10/10

Tags:

family:snakekeylogger collection keylogger stealer

Link:

https://tria.ge/reports/211016-rhvpmacae6/

Behaviour

Creates scheduled task(s)

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: GetForegroundWindowSpam

Suspicious use of AdjustPrivilegeToken

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

outlook_office_path

outlook_win_path

Enumerates physical storage devices

Suspicious use of SetThreadContext

Accesses Microsoft Outlook profiles

Looks up external IP address via web service

Snake Keylogger

Unpacked files

SH256 hash:

8a17357463a31170d9fe85d267b1b656fece5f0d2dba00f8646cfa8ae17419d4

MD5 hash:

a8d5b32e684f0fcdb612b68352ccc550

SHA1 hash:

84e47a37508c3d45b41a393afe606d40af881b1d

Link:

https://www.unpac.me/results/b47b9cce-a037-4bdb-8570-b11e253d1c15/

SH256 hash:

312884945d57a31221692cd6b21e00c8042c64e8a4d00e34bdd68b12906d1c6f

MD5 hash:

9f84c3e35597f88f10e221e598a16930

SHA1 hash:

6acbaafe24422e0709008545adfd81bbd1493e24

Link:

https://www.unpac.me/results/b47b9cce-a037-4bdb-8570-b11e253d1c15/

SH256 hash:

cec72a9d3b01b67774519384c89e4c15e4cb2bb2e1a23f9455804f1d44721b9b

MD5 hash:

c287b031d3ed4e6e3c269ab00f4df369

SHA1 hash:

4db7f6c2fbf77d3e10e697c759e7a8e5e8c4ee3a

Link:

https://www.unpac.me/results/b47b9cce-a037-4bdb-8570-b11e253d1c15/

SH256 hash:

6a671abf66304301602b4afd0902840bc3915455cffc58d8916eaa693abe33ec

MD5 hash:

681eca96e4e7b513317178dc7065ef39

SHA1 hash:

24af82015bc57d125f1ccb759840118b2283d1dc

Link:

https://www.unpac.me/results/b47b9cce-a037-4bdb-8570-b11e253d1c15/

SH256 hash:

502b905bce618c7f4dbb77883d212958535d89e6343444eb9dbaaf4c9e1cdd89

MD5 hash:

ff5a0e236b67ae058f6649c2d968c988

SHA1 hash:

d04013dc8cd9fab3dd0c63877d7803a869a26204

Link:

https://www.unpac.me/results/b47b9cce-a037-4bdb-8570-b11e253d1c15/

Malware family:

Phoenix

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/502b905bce61/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/502b905bce618c7f4dbb77883d212958535d89e6343444eb9dbaaf4c9e1cdd89

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	INDICATOR_SUSPICIOUS_Binary_References_Browsers Create hunting rule
Author:	ditekSHen
Description:	Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers.

Rule name:	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook Create hunting rule
Author:	ditekSHen
Description:	Detects executables with potential process hoocking

Rule name:	INDICATOR_SUSPICIOUS_EXE_Referenfces_Messaging_Clients Create hunting rule
Author:	ditekSHen
Description:	Detects executables referencing many email and collaboration clients. Observed in information stealers

Rule name:	INDICATOR_SUSPICIOUS_EXE_TelegramChatBot Create hunting rule
Author:	ditekSHen
Description:	Detects executables using Telegram Chat Bot

Rule name:	MALWARE_Win_SnakeKeylogger Create hunting rule
Author:	ditekSHen
Description:	Detects Snake Keylogger

Rule name:	MAL_Envrial_Jan18_1 Create hunting rule
Author:	Florian Roth
Description:	Detects Encrial credential stealer malware
Reference:	https://twitter.com/malwrhunterteam/status/953313514629853184

Rule name:	MAL_Envrial_Jan18_1_RID2D8C Create hunting rule
Author:	Florian Roth
Description:	Detects Encrial credential stealer malware
Reference:	https://twitter.com/malwrhunterteam/status/953313514629853184

Rule name:	pe_imphash Create hunting rule

Rule name:	pe_imphash Create hunting rule

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

Rule name:	Telegram_Exfiltration_Via_Api Create hunting rule
Author:	lsepaolo

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/197875/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample