MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 505ecf713562780272b747f895223c5c2d69a5c4979c22c2a7f7c4ceda047325. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


SnakeKeylogger


Vendor detections: 12


Intelligence 12 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 505ecf713562780272b747f895223c5c2d69a5c4979c22c2a7f7c4ceda047325
SHA3-384 hash: 2361bc3f5d058028e7ccde03c367ce13ad7bdc7662557179bacf0a70a6b827740bde552fbf8f39c602072be54b5c2dd1
SHA1 hash: aa1c927338bbf03d8ed12d911aef59da3aebc057
MD5 hash: e8bba4cb11150c98be68ebf2ec8a23f9
humanhash: nitrogen-pasta-solar-spring
File name:scan_invoice_2022-23-03.bat
Download: download sample
Signature SnakeKeylogger
Create hunting rule
File size:1'046'528 bytes
First seen:2022-03-24 02:26:37 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'744 x AgentTesla, 19'608 x Formbook, 12'242 x SnakeKeylogger)
ssdeep 24576:IBCc6EKU7/fiwIkvIWQFDcqijVKhVnCDDK5+7rQ6E:j5EKU7XiQ3E9AY2Kcg
Threatray 1'143 similar samples on MalwareBazaar
TLSH T1B325E09C7240B5DFCC5BCA768A682D61AB20687B570BD607A05712EDAF0D69BCF014F3
Reporter Anonymous
Tags:exe SnakeKeylogger

Intelligence

File Origin
# of uploads :
1
# of downloads :
223
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
505ecf713562780272b747f895223c5c2d69a5c4979c22c2a7f7c4ceda047325.zip
Verdict:
Malicious activity
Analysis date:
2022-03-24 03:22:14 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/1d7c83e9-f2fb-4e64-afb8-038eca346311

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/256976/
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a custom TCP request
Launching a process
Creating a process with a hidden window
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
obfuscated packed
Link:
https://www.filescan.io/uploads/623bd713b94fb38cb4ddbbf9/reports/f1b7d540-f52e-4af5-a615-5c50ab69f50f/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Snake Keylogger
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/a048cf5f-437a-4ce6-b357-4275dd8ab2b5
Result
Threat name:
Snake Keylogger
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/963467
Signature
.NET source code references suspicious native API functions
Adds a directory exclusion to Windows Defender
Found malware configuration
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
May check the online IP address of the machine
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Suspicious Add Scheduled Task From User AppData Temp
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Mail credentials (via file / registry access)
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected AntiVM3
Yara detected Snake Keylogger
Yara detected Telegram RAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 595948 Sample: scan_invoice_2022-23-03.bat Startdate: 24/03/2022 Architecture: WINDOWS Score: 100 42 Found malware configuration 2->42 44 Malicious sample detected (through community Yara rule) 2->44 46 Multi AV Scanner detection for dropped file 2->46 48 10 other signatures 2->48 7 scan_invoice_2022-23-03.exe 7 2->7         started        process3 dnsIp4 34 192.168.2.1 unknown unknown 7->34 26 C:\Users\user\AppData\Roaming\PieJmYl.exe, PE32 7->26 dropped 28 C:\Users\user\...\PieJmYl.exe:Zone.Identifier, ASCII 7->28 dropped 30 C:\Users\user\AppData\Local\...\tmpC386.tmp, XML 7->30 dropped 32 C:\Users\...\scan_invoice_2022-23-03.exe.log, ASCII 7->32 dropped 50 May check the online IP address of the machine 7->50 52 Uses schtasks.exe or at.exe to add and modify task schedules 7->52 54 Adds a directory exclusion to Windows Defender 7->54 56 Injects a PE file into a foreign processes 7->56 12 scan_invoice_2022-23-03.exe 15 2 7->12         started        16 powershell.exe 25 7->16         started        18 schtasks.exe 1 7->18         started        20 scan_invoice_2022-23-03.exe 7->20         started        file5 signatures6 process7 dnsIp8 36 checkip.dyndns.org 12->36 38 checkip.dyndns.com 193.122.130.0, 49777, 80 ORACLE-BMC-31898US United States 12->38 40 freegeoip.app 188.114.97.7, 443, 49778 CLOUDFLARENETUS European Union 12->40 58 Tries to steal Mail credentials (via file / registry access) 12->58 60 Tries to harvest and steal ftp login credentials 12->60 62 Tries to harvest and steal browser information (history, passwords, etc) 12->62 22 conhost.exe 16->22         started        24 conhost.exe 18->24         started        signatures9 process10
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/505ecf713562780272b747f895223c5c2d69a5c4979c22c2a7f7c4ceda047325/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2022-03-24 02:27:11 UTC
File Type:
PE (.Net Exe)
Extracted files:
11
AV detection:
19 of 26 (73.08%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=kbpm64jvmj4ae4vxi74jkir4lqwwtjoes6ocfqvh67cm5wqeomsq._file
Verdict:
malicious
Similar samples:
09172fefb90d27ae6b709d1571b22dee6f2741352668239da59b4c337b08c6d1
SnakeKeylogger
20a3e59a047b8a05c7fd31b62ee57ed3510787a979a23ce1fde4996514fae803
SnakeKeylogger
44050fd92ae6f48c6df67054069cb58de189e22b12ebebb53422693dbd73d92f
SnakeKeylogger
5c68d8b066f91b02abe337460d8dced6461a9d48ac9748d76139a541ed4eb3c2
SnakeKeylogger
7cd1bb647fff3c340e2eae0532318bde99947b6bc91e3fabe286bd3fb0a1658e
SnakeKeylogger
c0263f4a1eca4b0890226cd24daf8e4485216b0b0fd22fffa599f1c375c3a638
SnakeKeylogger
e97150c8ea985043183f6c39dc9950380532e17f7cfdcc5396dd43636684a1c9
SnakeKeylogger
ff5ccf6c23038b7fae8a5564c14c8e272938a21453dbef3f8d0dc1ad1fc982ac
SnakeKeylogger
+ 1'133 additional samples on MalwareBazaar
Result
Malware family:
snakekeylogger
Create hunting rule
Score:
  10/10
Tags:
family:snakekeylogger collection keylogger spyware stealer
Link:
https://tria.ge/reports/220324-cxe56agack/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Enumerates physical storage devices
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Looks up external IP address via web service
Checks computer location settings
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Snake Keylogger
Snake Keylogger Payload
Unpacked files
SH256 hash:
dc5c057b0ee1eb079cf189762aac69f0d86338ea18795dc4fbf7ed9b5a45c2eb
MD5 hash:
4103ed94f4747b30e166cf3c25416f47
SHA1 hash:
d553a67056e94f60d621ca42dcecd6d93f9ef1ad
Link:
https://www.unpac.me/results/525cb41b-c16d-4f9a-8654-43f99700fc84/
SH256 hash:
d185986cb9b369a5f5d641c80d09adc878771b33ab020879629fb570c2cd7cec
MD5 hash:
755b1262aa6b3a6b267b41580c7e8972
SHA1 hash:
b2f0f7293cf7162895df2976eecfc1084eeba2fc
Link:
https://www.unpac.me/results/525cb41b-c16d-4f9a-8654-43f99700fc84/
SH256 hash:
56d911d3a74cd2b7229cfe8265221fa7d1b270b846063343dffa5feadd6fb6f2
MD5 hash:
866bd342ae30a964481fed3eb96e4d37
SHA1 hash:
48647ae4f54d676b8f25fcf9b20f8ae06c1986dc
Link:
https://www.unpac.me/results/525cb41b-c16d-4f9a-8654-43f99700fc84/
SH256 hash:
92f61007855969e199e3af051290ce9dc829f4497470ec040632cd81b5c3a04a
MD5 hash:
0fd2141da6e44c9a8f5e3cd910bfec80
SHA1 hash:
2ba51667b8556b3a69fdeaa9856c05a81c4c84d8
Link:
https://www.unpac.me/results/525cb41b-c16d-4f9a-8654-43f99700fc84/
SH256 hash:
505ecf713562780272b747f895223c5c2d69a5c4979c22c2a7f7c4ceda047325
MD5 hash:
e8bba4cb11150c98be68ebf2ec8a23f9
SHA1 hash:
aa1c927338bbf03d8ed12d911aef59da3aebc057
Link:
https://www.unpac.me/results/525cb41b-c16d-4f9a-8654-43f99700fc84/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/505ecf713562780272b747f895223c5c2d69a5c4979c22c2a7f7c4ceda047325

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/256976/

Comments