MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 5200239c6c97dec08be49d8859e68973a475fd9b8522b79502deb6c91d2ea7ea. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


SnakeKeylogger


Vendor detections: 12


Intelligence 12 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 5200239c6c97dec08be49d8859e68973a475fd9b8522b79502deb6c91d2ea7ea
SHA3-384 hash: 4aa37aeb09ea07245e6fd063967af436c3879389612183cbbc91afb5b0d87bdc1022744dab7daf1db6ac50526d222dd1
SHA1 hash: 4172f27becc56acc4517693b7cf16edee6a4a064
MD5 hash: 245186e03d9959274d62c08fd41cc3ec
humanhash: arizona-enemy-delta-texas
File name:WkAdaRtWypmlbEK.exe
Download: download sample
Signature SnakeKeylogger
Create hunting rule
File size:572'416 bytes
First seen:2022-04-11 07:10:17 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'742 x AgentTesla, 19'606 x Formbook, 12'242 x SnakeKeylogger)
ssdeep 12288:O+rqFq5Z/qwqR4LmGirdmCFdGr1JUWUPQnHWLUH4+:ek5ovR4CLZkr1JUWUA2LUHz
Threatray 2'886 similar samples on MalwareBazaar
TLSH T1DAC4DF01AAB06744D87C4FF31D3A47AB5BB5C516A420C2DA2FF538CA8C71F467A3865B
File icon (PE):PE icon
dhash icon 71e89ebab2aeec70 (14 x AgentTesla, 13 x Loki, 13 x Formbook)
Reporter abuse_ch
Tags:exe SnakeKeylogger

Intelligence

File Origin
# of uploads :
1
# of downloads :
227
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/262525/
Detection(s):
SecuriteInfo.com.Trojan.PWS.Stealer.23680.21799.2316.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a custom TCP request
Launching a process
Creating a process with a hidden window
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
control.exe greyware obfuscated packed remote.exe replace.exe
Link:
https://www.filescan.io/uploads/6253d49004b81dabe27d91fe/reports/128b2665-1ab1-46ee-b7f6-cfc5af1ad0d9/overview
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Snake Keylogger
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/1e70e859-459b-46ce-82aa-a5a4118f7e79
Result
Threat name:
Snake Keylogger
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/974292
Signature
.NET source code contains potential unpacker
.NET source code references suspicious native API functions
Adds a directory exclusion to Windows Defender
Found malware configuration
Injects a PE file into a foreign processes
Malicious sample detected (through community Yara rule)
May check the online IP address of the machine
Multi AV Scanner detection for dropped file
Sigma detected: Suspicious Add Scheduled Task From User AppData Temp
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Mail credentials (via file / registry access)
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected AntiVM3
Yara detected Snake Keylogger
Yara detected Telegram RAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 606779 Sample: WkAdaRtWypmlbEK.exe Startdate: 11/04/2022 Architecture: WINDOWS Score: 100 33 Found malware configuration 2->33 35 Malicious sample detected (through community Yara rule) 2->35 37 Multi AV Scanner detection for dropped file 2->37 39 7 other signatures 2->39 7 WkAdaRtWypmlbEK.exe 7 2->7         started        process3 file4 23 C:\Users\user\AppData\...\iNrEPjXJmNxK.exe, PE32 7->23 dropped 25 C:\Users\user\AppData\Local\...\tmpC226.tmp, XML 7->25 dropped 41 May check the online IP address of the machine 7->41 43 Uses schtasks.exe or at.exe to add and modify task schedules 7->43 45 Adds a directory exclusion to Windows Defender 7->45 47 Injects a PE file into a foreign processes 7->47 11 WkAdaRtWypmlbEK.exe 15 2 7->11         started        15 powershell.exe 25 7->15         started        17 schtasks.exe 1 7->17         started        signatures5 process6 dnsIp7 27 checkip.dyndns.org 11->27 29 checkip.dyndns.com 193.122.130.0, 49775, 80 ORACLE-BMC-31898US United States 11->29 31 freegeoip.app 188.114.97.7, 443, 49776 CLOUDFLARENETUS European Union 11->31 49 Tries to steal Mail credentials (via file / registry access) 11->49 51 Tries to harvest and steal ftp login credentials 11->51 53 Tries to harvest and steal browser information (history, passwords, etc) 11->53 19 conhost.exe 15->19         started        21 conhost.exe 17->21         started        signatures8 process9
Detection:
snakekeylogger
Create hunting rule
Link:
https://mwdb.cert.pl/sample/5200239c6c97dec08be49d8859e68973a475fd9b8522b79502deb6c91d2ea7ea/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2022-04-11 07:11:16 UTC
File Type:
PE (.Net Exe)
Extracted files:
29
AV detection:
16 of 26 (61.54%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=kiachhdms7pmbc7etweftzujooshl7m3qurlpfic323mshjou7va._file
Verdict:
malicious
Similar samples:
023938b0dd03eba6e0b9b40eb2245290a0068dca585a01f72e3a374e064a958a
SnakeKeylogger
1e13d2cebd5aec7fe65c06efd695ab5f13b884c47bd95385dd6dea45a8ead5a7
SnakeKeylogger
3305726cd2ac7a09f12133089d37faa8d591d0e85280588501317eb80e3c7fc8
SnakeKeylogger
34f69231e3f2f39a007e2ad3ddeef43e65667555040bdd5245e354e7c772a345
SnakeKeylogger
3a2776b0688e824317664a1b3d1f7f441b0a97f03300fc73cf317b8ec81bc6c5
SnakeKeylogger
4a0b8ea9cb38f88ad598d9b76aa9f979452edee794b99945d8b8bd84f70b921d
SnakeKeylogger
74f399bb87cc5cefcf476ed711462be2b7aa8f38300133a3c87f722fe672193f
SnakeKeylogger
cd72c90ff3b610e07cf4df339ea8ead886c57ab93f48acb7482c78fa34a9c6d4
SnakeKeylogger
da42b794294258da132963c11e8f46797ea5a1b4a677a76c94539c5465f71ea4
SnakeKeylogger
f4cdfbc0259b80794682eebd88a74ba924b3ba527ed71badbc39b54483a07e20
SnakeKeylogger
+ 2'876 additional samples on MalwareBazaar
Result
Malware family:
snakekeylogger
Create hunting rule
Score:
  10/10
Tags:
family:snakekeylogger collection keylogger spyware stealer
Link:
https://tria.ge/reports/220411-hzx2msede4/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Enumerates physical storage devices
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Looks up external IP address via web service
Checks computer location settings
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Snake Keylogger
Snake Keylogger Payload
Malware Config
C2 Extraction:
https://api.telegram.org/bot5243953302:AAGFyxwcILx3S0Gq834R9NN-9m6enfFssYk/sendMessage?chat_id=5255359287
Unpacked files
SH256 hash:
007694272e71c5aa5e99bee9e6f9a48bd591a5f1d84f7e4d82b86d32570815b0
MD5 hash:
df10f342c5a36206cae9c53f0fbda9dd
SHA1 hash:
fc0e8645a7ed3fe8eb6a6ec45e34753baa2b1461
Link:
https://www.unpac.me/results/c2739081-5d55-4b66-9992-749245488762/
SH256 hash:
627d294cd07de84aec6336e00f467b7f468d247add4453bbf9882dcbad28e9a5
MD5 hash:
9f291a9564d5d803325b8ff9cda0bc76
SHA1 hash:
dfb4f41186e5509da00678dcc2f8fa382dd35daa
Link:
https://www.unpac.me/results/c2739081-5d55-4b66-9992-749245488762/
SH256 hash:
2e5331a4fd829d7082f6feaace721db62f3669fd0995093ce987df3f4dccf501
MD5 hash:
d0a32a4d672ce1a3d823f721cbd2c3b2
SHA1 hash:
b100850d4713d10a93ca8f9377292582c5ec6de2
Link:
https://www.unpac.me/results/c2739081-5d55-4b66-9992-749245488762/
SH256 hash:
c5ab196b66289c38945da072fa002b9f958d624d2b98384f5b91b02a86fcd169
MD5 hash:
0471224cc4fcda950746c7e67dd64c4e
SHA1 hash:
19cdfc96900a26dc4730569dd5f5fe7fdf433058
Link:
https://www.unpac.me/results/c2739081-5d55-4b66-9992-749245488762/
SH256 hash:
5200239c6c97dec08be49d8859e68973a475fd9b8522b79502deb6c91d2ea7ea
MD5 hash:
245186e03d9959274d62c08fd41cc3ec
SHA1 hash:
4172f27becc56acc4517693b7cf16edee6a4a064
Link:
https://www.unpac.me/results/c2739081-5d55-4b66-9992-749245488762/
Malware family:
SnakeKeylogger
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/5200239c6c97/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/5200239c6c97dec08be49d8859e68973a475fd9b8522b79502deb6c91d2ea7ea

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:BitcoinAddress
Create hunting rule
Author:Didier Stevens (@DidierStevens)
Description:Contains a valid Bitcoin address
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

SnakeKeylogger

Executable exe 5200239c6c97dec08be49d8859e68973a475fd9b8522b79502deb6c91d2ea7ea

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/262525/

Comments