MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 547f397336be3f2ad50692798f02db867c52d0e2ed2022cdc72d895f159a8ad2. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


SnakeKeylogger


Vendor detections: 14


Intelligence 14 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 547f397336be3f2ad50692798f02db867c52d0e2ed2022cdc72d895f159a8ad2
SHA3-384 hash: 7496b0f8b4d31276dfb5e9f048b3f6ea378b72aa06cc1616d2fe53a0f39f912cfa48253e5f496c48983e8c342eabe945
SHA1 hash: 205038b14cdcc7ee616a2779b7bb3fe55aa750f7
MD5 hash: a84bda0aa9ef325b418396f26244d922
humanhash: yankee-uranus-emma-venus
File name:Confirming - Detalle de Facturas Cobradas.exe
Download: download sample
Signature SnakeKeylogger
Create hunting rule
File size:633'344 bytes
First seen:2023-05-15 11:37:28 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'740 x AgentTesla, 19'599 x Formbook, 12'241 x SnakeKeylogger)
ssdeep 12288:EysS6sIPkCOgTm5w8yrkmYsr75PjoAGP:0sIrTANg3ZoA
Threatray 1'200 similar samples on MalwareBazaar
TLSH T1CDD4E010B1FA4477C7AD43F641581A490BB951AB7D27D6F80C8F74CAEED2B010B92EA7
TrID 71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.2% (.EXE) Win64 Executable (generic) (10523/12/4)
6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.3% (.EXE) Win32 Executable (generic) (4505/5/1)
2.0% (.ICL) Windows Icons Library (generic) (2059/9)
File icon (PE):PE icon
dhash icon 0c6c4c5ac4c9c0a4 (6 x Loki, 6 x AgentTesla, 5 x Formbook)
Reporter abuse_ch
Tags:exe SnakeKeylogger

Intelligence

File Origin
# of uploads :
1
# of downloads :
247
Origin country :
NL NL
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
Confirming - Detalle de Facturas Cobradas.exe
Verdict:
Malicious activity
Analysis date:
2023-05-15 11:38:48 UTC
Tags:
snake keylogger trojan evasion
Link:
https://app.any.run/tasks/74f46c29-1215-4978-bdc1-c1c573d4f3f1

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Snake
Create hunting rule
Link:
https://www.capesandbox.com/analysis/390052/
Detection(s):
SecuriteInfo.com.Trojan.PWS.Siggen3.29757.5864.24424.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Сreating synchronization primitives
Creating a file in the %AppData% directory
Enabling the 'hidden' option for recently created files
Adding an access-denied ACE
Creating a process from a recently created file
Creating a process with a hidden window
Creating a file in the %temp% directory
Launching a process
Unauthorized injection to a recently created process
Creating a file
Enabling autorun by creating a file
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
packed
Link:
https://www.filescan.io/uploads/6462199b50d4f3894cdec65a/reports/166bd8e4-4b49-41bd-bd81-b1e3bc108586/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_90%
Link:
https://www.hybrid-analysis.com/sample/547f397336be3f2ad50692798f02db867c52d0e2ed2022cdc72d895f159a8ad2
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Snake Keylogger
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/38d5e6c0-987f-458d-b113-5c3205fb9632
Result
Threat name:
Snake Keylogger
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1233655
Signature
.NET source code contains potential unpacker
Adds a directory exclusion to Windows Defender
Found malware configuration
Injects a PE file into a foreign processes
Malicious sample detected (through community Yara rule)
May check the online IP address of the machine
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Scheduled temp file as task from temp location
Snort IDS alert for network traffic
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Mail credentials (via file / registry access)
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected Generic Downloader
Yara detected Snake Keylogger
Yara detected Telegram RAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 866637 Sample: Confirming_-_Detalle_de_Fac... Startdate: 15/05/2023 Architecture: WINDOWS Score: 100 40 checkip.dyndns.org 2->40 42 checkip.dyndns.com 2->42 52 Snort IDS alert for network traffic 2->52 54 Found malware configuration 2->54 56 Malicious sample detected (through community Yara rule) 2->56 58 7 other signatures 2->58 8 Confirming_-_Detalle_de_Facturas_Cobradas.exe 7 2->8         started        12 nPnCvzJZlSi.exe 5 2->12         started        signatures3 process4 file5 32 C:\Users\user\AppData\...\nPnCvzJZlSi.exe, PE32 8->32 dropped 34 C:\Users\...\nPnCvzJZlSi.exe:Zone.Identifier, ASCII 8->34 dropped 36 C:\Users\user\AppData\Local\...\tmpFBDF.tmp, XML 8->36 dropped 38 Confirming_-_Detal...as_Cobradas.exe.log, ASCII 8->38 dropped 60 May check the online IP address of the machine 8->60 62 Uses schtasks.exe or at.exe to add and modify task schedules 8->62 64 Adds a directory exclusion to Windows Defender 8->64 14 Confirming_-_Detalle_de_Facturas_Cobradas.exe 15 2 8->14         started        18 powershell.exe 21 8->18         started        20 schtasks.exe 1 8->20         started        66 Multi AV Scanner detection for dropped file 12->66 68 Injects a PE file into a foreign processes 12->68 22 nPnCvzJZlSi.exe 14 2 12->22         started        24 schtasks.exe 1 12->24         started        signatures6 process7 dnsIp8 44 checkip.dyndns.com 193.122.6.168, 49701, 49702, 80 ORACLE-BMC-31898US United States 14->44 46 checkip.dyndns.org 14->46 26 conhost.exe 18->26         started        28 conhost.exe 20->28         started        48 checkip.dyndns.org 22->48 50 192.168.2.1 unknown unknown 22->50 70 Tries to steal Mail credentials (via file / registry access) 22->70 72 Tries to harvest and steal ftp login credentials 22->72 74 Tries to harvest and steal browser information (history, passwords, etc) 22->74 30 conhost.exe 24->30         started        signatures9 process10
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/547f397336be3f2ad50692798f02db867c52d0e2ed2022cdc72d895f159a8ad2/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2023-05-15 07:15:24 UTC
File Type:
PE (.Net Exe)
Extracted files:
15
AV detection:
19 of 24 (79.17%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=kr7ts4zwxy7svvigsj4y6aw3qz6ffuhc5uqcftohfwev6fm2rlja._file
Verdict:
malicious
Similar samples:
40d89b32ac24d8d4e95b6c43218f15e9a3144191786f248e963dea351f718af4
SnakeKeylogger
519c5f8d463735bc7b6c925eba0b4e92bc49501cd7ae194e5756a988dc2c8202
SnakeKeylogger
6a6d963003f74acd86334cb97012a2bc05c2bcb0b5800f0e306b0d00287f3da8
SnakeKeylogger
6e1f036dabde55dd7f9df6eafb105be9e76626a1be5a8fa773a5e7eb9975d9af
SnakeKeylogger
754f6396026e4a84814fc0714fcc530928abec25aab55f4bc83e17919e4eec41
SnakeKeylogger
78875bd0e64072dd764f4de0b576eb4f9bba96db457422699986e9542bde530b
SnakeKeylogger
aa64eab74660609d37759f40828c4d4e486c47fb8d9613c60f39d11465aa05a8
SnakeKeylogger
c4450299400ee66eff8208e7f2f65ccbcd34d29350820d7997e27ae50b408241
SnakeKeylogger
ec241a262db494a9d7ba5a4f916376fa89cec1830846ffd396fa4869cbb52f9e
SnakeKeylogger
fce6b63b365250cc6a683218c392db940ced75fdda52be9841f70220dab8d2d0
SnakeKeylogger
+ 1'190 additional samples on MalwareBazaar
Result
Malware family:
snakekeylogger
Create hunting rule
Score:
  10/10
Tags:
family:snakekeylogger collection keylogger spyware stealer
Link:
https://tria.ge/reports/230515-nrpyysfa97/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Enumerates physical storage devices
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Looks up external IP address via web service
Checks computer location settings
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Snake Keylogger
Snake Keylogger payload
Unpacked files
SH256 hash:
16c255190eaaf1b60ec7d07abcac5f614ea197cee2416ca9d01bb563c526c87d
MD5 hash:
fb4ed205b442f470bbf10913128efdcb
SHA1 hash:
9a0a4c5ae429769e3253a9a3daefa24270b87a5b
Link:
https://www.unpac.me/results/07883204-3e2e-4c5a-8560-6268f6e30391/
Parent samples :
ee57b6fa1e5a3c5ef776b79f32820327bcb3fe1974eeddf65c0eb56131193397
de8c7c543f438af1e7e78096f6873268e9b1a12745edf9c88db07e136163399e
SH256 hash:
d199188671289d1bb1f8ce17996294f96298fc9b48d3a86862069bd9010f2f91
MD5 hash:
0d1e5b9dd3f068ad8786864086405011
SHA1 hash:
3232fd05081d652542f9a53bd4f02686b9838ae2
Link:
https://www.unpac.me/results/07883204-3e2e-4c5a-8560-6268f6e30391/
SH256 hash:
6a232f25d7fc22bd0014580eba27830fa38429b7630286af3c8b984c88460abc
MD5 hash:
59f70bc3b413fbd65f0c1cb2c04b28d6
SHA1 hash:
1e4e7e40d87290b7947f4cc9fdbdd61640b7d1cc
Detections:
snake_keylogger
Create hunting rule
Link:
https://www.unpac.me/results/07883204-3e2e-4c5a-8560-6268f6e30391/
Parent samples :
97f310bcb89ddf0a6c1582f47c46b59fa153997a11d5dedc862a62a468977e61
6651fc9d40430503d651012b74149b5b99f2a6b758ee59498a21b7592722a3ed
4735fe65c5f86a0bdc62754823cb6470b3995e392527d0a20fb5f61a7acecafe
aa6c2ef24b150191c159fae081258ad96844a9dc1d02d4366168fc48640770ef
8ecfe073dffd0f788e9d22b4d25854b0b9f2407725988a19d0bd54ac1990ab1e
e710d551910b6751fc61ebe64138b020526a8d6d24ff282c96d7f74249da0a5b
d3b15a575e1cbb1fb69ff44063e584385027d4f6c1ce73ccaa97208c8b77fb4e
ca4369c92b99c4410a13c6b8f18724c46d24145c851fd744c5a3e29c7e90ab9f
547f397336be3f2ad50692798f02db867c52d0e2ed2022cdc72d895f159a8ad2
59c2f70e5cd0cd6c24c2ab51aaefb332d12dbb46dd9ffdd84d4848dc290476a8
a2c60612d5450af22322938dad549462026ec1fe256cdcaf9719f27be7fc901f
SH256 hash:
ea6a0af529c172fb449deca9df6cf30f35d86efae13ae9a055d95946884f53a6
MD5 hash:
ca2376110d19fc0d2e06336285e8515b
SHA1 hash:
0fc7de8ec8b121bdd71922ae68b1a7c6ea424f49
Link:
https://www.unpac.me/results/07883204-3e2e-4c5a-8560-6268f6e30391/
SH256 hash:
6722a58c81f6d11004e880bd8481acc423bf96afd46bf692f1562cfa4c5852bd
MD5 hash:
d92d2ba953be4be2d6f2bc859ec5c607
SHA1 hash:
05da51752277bd907ebcfb799524ec7655abbc3a
Link:
https://www.unpac.me/results/07883204-3e2e-4c5a-8560-6268f6e30391/
SH256 hash:
547f397336be3f2ad50692798f02db867c52d0e2ed2022cdc72d895f159a8ad2
MD5 hash:
a84bda0aa9ef325b418396f26244d922
SHA1 hash:
205038b14cdcc7ee616a2779b7bb3fe55aa750f7
Link:
https://www.unpac.me/results/07883204-3e2e-4c5a-8560-6268f6e30391/
Malware family:
SnakeKeylogger
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/547f397336be/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/390052/

Comments