MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 51ba1d90c26c91d54ec6e4e9f357b3d06047248df2ca9ee071eb12565b79ac5b. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

SnakeKeylogger

Vendor detections: 13

Intelligence 13 IOCs YARA 2 File information Comments

SHA256 hash:	51ba1d90c26c91d54ec6e4e9f357b3d06047248df2ca9ee071eb12565b79ac5b
SHA3-384 hash:	02659f505e7e44a2f6a9a193c1f248dfed7d24c70ecb19b2318c881f2b4df8cc8000d65b73c8eac54caf66a497772ee6
SHA1 hash:	f3adc1111cc8fa713d4f62ffa29795d0e878b9e0
MD5 hash:	a4edd40bebe837dd10037d9c67c014f4
humanhash:	mirror-fanta-six-asparagus
File name:	e-dekont.exe
Download:	download sample
Signature	SnakeKeylogger Create hunting rule
File size:	921'600 bytes
First seen:	2023-07-13 07:39:54 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'740 x AgentTesla, 19'600 x Formbook, 12'241 x SnakeKeylogger)
ssdeep	12288:1x9eR5AITvJYjXaiUpCssOj2iLfSZqh/SmRp2VWmrWkN7Enyzf:1x9eDAqvJ0XcCsSCKwNr2Hr1NAnyzf
Threatray	70 similar samples on MalwareBazaar
TLSH	T1EA155DD1F150C8DBE96B0AF1BD2AA53024977E9C54A4810C5A9EBB1776F3342209FE1F
TrID	71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13) 10.2% (.EXE) Win64 Executable (generic) (10523/12/4) 6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 4.3% (.EXE) Win32 Executable (generic) (4505/5/1) 2.0% (.ICL) Windows Icons Library (generic) (2059/9)
File icon (PE):
dhash icon	eeacac8cb6e2ba86 (561 x SnakeKeylogger, 142 x AgentTesla, 40 x Formbook)
Reporter	abuse_ch
Tags:	exe geo SnakeKeylogger TUR

Intelligence

File Origin

# of uploads :

# of downloads :

264

Origin country :

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

e-dekont.exe

Verdict:

Malicious activity

Analysis date:

2023-07-13 07:46:43 UTC

Tags:

evasion snake keylogger trojan

Link:

https://app.any.run/tasks/e54c49de-ba70-4368-a1fe-0fbbc4c4892c

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/417279/

Detection(s):

SecuriteInfo.com.Variant.Ransom.Loki.24223.17114.601.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

Sending a custom TCP request

Restart of the analyzed sample

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

comodo formbook packed remcos

Link:

https://www.filescan.io/uploads/64afaa57a15fc7eb4fd1d551/reports/02088ba8-b5d3-45c4-b2d0-7db64c54a5d3/overview

Verdict:

Malicious

Labled as:

Ransom.Loki.Generic

Link:

https://www.hybrid-analysis.com/sample/51ba1d90c26c91d54ec6e4e9f357b3d06047248df2ca9ee071eb12565b79ac5b

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Snake Keylogger

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/f27fb9e1-ce57-4456-b4b9-02256a032dbb

Result

Threat name:

Snake Keylogger

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1272370

Signature

.NET source code contains potential unpacker

Found malware configuration

Injects a PE file into a foreign processes

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

May check the online IP address of the machine

Multi AV Scanner detection for submitted file

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to steal Mail credentials (via file / registry access)

Yara detected Generic Downloader

Yara detected Snake Keylogger

Yara detected Telegram RAT

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/51ba1d90c26c91d54ec6e4e9f357b3d06047248df2ca9ee071eb12565b79ac5b/

Threat name:

ByteCode-MSIL.Trojan.Snakekeylogger

Status:

Malicious

First seen:

2023-07-12 18:55:20 UTC

File Type:

PE (.Net Exe)

Extracted files:

AV detection:

19 of 24 (79.17%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=kg5b3egcnsi5ktwg4tu7gv5t2bqeojen6lfj5ydr5mjfmw3zvrnq._file

Verdict:

malicious

SnakeKeylogger

1e28ab95c508a3b0d17dd7279384d0353cd7fa83f6f5138746ed0b44679ee1c0

SnakeKeylogger

269112122917fb39eb97b3e5b00dce49486adaf1d1417dabdbb0bf0edb52aa09

SnakeKeylogger

2dbe70cbbdcaf38adeeb141e74dd76d8c2bf2f3d3ad7d4e9b6ac2b75aac70b53

SnakeKeylogger

45a15ea41879782dd9c2991c24691c58a76031392677e65e95ec5ed987e99d13

SnakeKeylogger

539c8b42e4c670a527dc2e3aa0154b7959c3c4a058f90582dd5e9284a27c43f8

SnakeKeylogger

590f697c02283726bc0568ab2d69a65674e7239afe60c82e00a78ddc839d77ce

SnakeKeylogger

a9e44a23646ec78c73a71a95a555f40672c18f6deb3d14324a3050cc9fd364da

SnakeKeylogger

aa5af03ce3f907fb786a8b3247b9f55e4f9e0edec98568cdb517ff1a1366aaf0

SnakeKeylogger

f754d27afe08000a5c8a4322034b6d30f7ff60d9735554e835514a52bf917429

SnakeKeylogger

+ 60 additional samples on MalwareBazaar

Result

Malware family:

snakekeylogger

Score:

10/10

Tags:

family:snakekeylogger collection keylogger spyware stealer

Link:

https://tria.ge/reports/230713-jhkknafg22/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

outlook_office_path

outlook_win_path

Suspicious use of SetThreadContext

Accesses Microsoft Outlook profiles

Looks up external IP address via web service

Reads data files stored by FTP clients

Reads user/profile data of local email clients

Reads user/profile data of web browsers

Snake Keylogger

Snake Keylogger payload

Malware Config

C2 Extraction:

https://api.telegram.org/bot6099030244:AAG20Xctn1dMSsohvWQve2z3FNZZiXV7rzI/sendMessage?chat_id=6112855473

Unpacked files

SH256 hash:

91bf4013db8356450ca2712007081cb7bd492ff39e11bfb974a2411baa9e3f69

MD5 hash:

76ae95cc192d4bf05e1fbc56fc6c031e

SHA1 hash:

d96aa9ec45c8355ee03f3b7a9a45d6b8678c3e0b

Link:

https://www.unpac.me/results/aa420acd-4b6f-4ca0-917f-c00ffab8d600/

SH256 hash:

b4eb7ecd4d800b7466f8ff03d8f67cba3c3bdb1b1f4d3f221d0e082558032231

MD5 hash:

83abcebf40c9d27aef21611ac97add5d

SHA1 hash:

aa325a0cdbe7d85cc8740f23204403deba119c68

Link:

https://www.unpac.me/results/aa420acd-4b6f-4ca0-917f-c00ffab8d600/

SH256 hash:

0f77e88c0dc30b1035c3cc93be5aca39025c8dce2fc58658d55829eb309153c9

MD5 hash:

69a702a826aca70ca1f20d07d2bbff53

SHA1 hash:

a691e500d1453497208f7148e05cd022fe93c2a0

Detections:

snake_keylogger

Link:

https://www.unpac.me/results/aa420acd-4b6f-4ca0-917f-c00ffab8d600/

Parent samples :

b11454a0c9137a7b39890ca3a5221fb602929a07f080f53a6c14e91989d853db
928e7f54ec57eff7800c64c09fc81b2d951c44f366281fa65a85da60ae98f8bb
61e078d216229dec7f1fc09d3e3276167dde775b252bead7a5e28622a68a8d68
1e28ab95c508a3b0d17dd7279384d0353cd7fa83f6f5138746ed0b44679ee1c0
51ba1d90c26c91d54ec6e4e9f357b3d06047248df2ca9ee071eb12565b79ac5b

SH256 hash:

670389beeac807adb7413e8406d73f9699c39faff69aba8bd6e87727f83c55cc

MD5 hash:

835d987b48a660eac6fbac597f38396a

SHA1 hash:

374c11ee634a811ea432f2eeb15e4ab85001f17a

Link:

https://www.unpac.me/results/aa420acd-4b6f-4ca0-917f-c00ffab8d600/

SH256 hash:

51ba1d90c26c91d54ec6e4e9f357b3d06047248df2ca9ee071eb12565b79ac5b

MD5 hash:

a4edd40bebe837dd10037d9c67c014f4

SHA1 hash:

f3adc1111cc8fa713d4f62ffa29795d0e878b9e0

Link:

https://www.unpac.me/results/aa420acd-4b6f-4ca0-917f-c00ffab8d600/

Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	pe_imphash Create hunting rule

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

SnakeKeylogger

exe 51ba1d90c26c91d54ec6e4e9f357b3d06047248df2ca9ee071eb12565b79ac5b

(this sample)

Delivery method

Distributed via e-mail attachment

Cape

https://www.capesandbox.com/analysis/417279/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample