MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 5575941bd9c7c99af08fdb0fb4b70e23a12b7f336c81ffe5a7f9de138a202c35. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


SnakeKeylogger


Vendor detections: 10


Intelligence 10 IOCs YARA 2 File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 5575941bd9c7c99af08fdb0fb4b70e23a12b7f336c81ffe5a7f9de138a202c35
SHA3-384 hash: 1efcb508f32343085ee2be7430b768d3b008e53b28016bdcc90abfb1d3751959ec423e792b35838babd2a3b0ed8a0157
SHA1 hash: 2ff494baa9742cce1d1f8f251ccc558b5c01d254
MD5 hash: c5d424f91e68e675532bf2bdfbeaf71e
humanhash: twelve-maryland-delaware-cardinal
File name:c5d424f91e68e675532bf2bdfbeaf71e
Download: download sample
Signature SnakeKeylogger
Create hunting rule
File size:398'848 bytes
First seen:2022-07-19 18:52:58 UTC
Last seen:2022-07-19 21:37:41 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 12288:8zJKxxFmK74YesuK4J9i4kpNTdqEMzVVI7:8zJWxkK74Hs74J9idNoBVU
Threatray 3'417 similar samples on MalwareBazaar
TLSH T1FD8423062BAD8703CA7807F4BA54E9005B7172D7B813EB9DACE676C51723F850E067A7
TrID 69.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
9.9% (.EXE) Win64 Executable (generic) (10523/12/4)
6.2% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.7% (.EXE) Win16 NE executable (generic) (5038/12/1)
4.2% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):PE icon
dhash icon 44e288ae8ace7898 (3 x Formbook, 3 x SnakeKeylogger, 2 x AgentTesla)
Reporter zbetcheckin
Tags:32 exe SnakeKeylogger

Intelligence

File Origin
# of uploads :
2
# of downloads :
249
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/292002/
Detection(s):
SecuriteInfo.com.W32.AIDetectNet.01.16827.31997.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Сreating synchronization primitives
Creating a file in the %AppData% directory
Enabling the 'hidden' option for recently created files
Adding an access-denied ACE
Creating a process from a recently created file
Creating a process with a hidden window
Launching a process
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
packed
Link:
https://www.filescan.io/uploads/62d6fe14ef2b0e63a826f5f1/reports/875cd1b4-35ff-4d90-bb84-03e778db8589/overview
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Snake Keylogger
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/f3067676-f33a-4263-8493-f5686fa2b636
Result
Threat name:
Snake Keylogger
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1036770
Signature
.NET source code contains potential unpacker
.NET source code references suspicious native API functions
Adds a directory exclusion to Windows Defender
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
May check the online IP address of the machine
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Mail credentials (via file / registry access)
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected AntiVM3
Yara detected Generic Downloader
Yara detected Snake Keylogger
Yara detected Telegram RAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 669265 Sample: jeQjXLQAuG Startdate: 19/07/2022 Architecture: WINDOWS Score: 100 35 Snort IDS alert for network traffic 2->35 37 Malicious sample detected (through community Yara rule) 2->37 39 Multi AV Scanner detection for submitted file 2->39 41 9 other signatures 2->41 7 jeQjXLQAuG.exe 7 2->7         started        process3 file4 23 C:\Users\user\AppData\Roaming\KuHrmBU.exe, PE32 7->23 dropped 25 C:\Users\user\...\KuHrmBU.exe:Zone.Identifier, ASCII 7->25 dropped 27 C:\Users\user\AppData\Local\...\tmp3980.tmp, XML 7->27 dropped 29 C:\Users\user\AppData\...\jeQjXLQAuG.exe.log, ASCII 7->29 dropped 43 May check the online IP address of the machine 7->43 45 Uses schtasks.exe or at.exe to add and modify task schedules 7->45 47 Adds a directory exclusion to Windows Defender 7->47 11 jeQjXLQAuG.exe 15 2 7->11         started        15 powershell.exe 22 7->15         started        17 schtasks.exe 1 7->17         started        signatures5 process6 dnsIp7 31 checkip.dyndns.com 193.122.6.168, 49774, 80 ORACLE-BMC-31898US United States 11->31 33 checkip.dyndns.org 11->33 49 Tries to steal Mail credentials (via file / registry access) 11->49 51 Tries to harvest and steal ftp login credentials 11->51 53 Tries to harvest and steal browser information (history, passwords, etc) 11->53 19 conhost.exe 15->19         started        21 conhost.exe 17->21         started        signatures8 process9
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/5575941bd9c7c99af08fdb0fb4b70e23a12b7f336c81ffe5a7f9de138a202c35/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2022-07-19 18:53:07 UTC
File Type:
PE (.Net Exe)
Extracted files:
12
AV detection:
19 of 26 (73.08%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=kv2zig6zy7ezv4ep3mh3jnyoeoqsw7ztnsa77znh7hpbhcrafq2q._file
Verdict:
malicious
Similar samples:
0d97c7b92365b616cfb63bfc9d6b610fc34f7d0fd8d505dfb0f958effb756f4d
SnakeKeylogger
18e1da9245499f7c76a2495642868ce61b861cbdc961f9483fa99ce2f07a8478
SnakeKeylogger
501269ffe86d4f73fcfcf9ea98e24d7b0abc0332e3d276cf6997670418377844
SnakeKeylogger
8c0726ab5d6f41c5e8d123d8c2444eb709543ee350dcecfe6e5190ddfe32e337
SnakeKeylogger
b1313b8c8d249728b5fe9756332a98c1415468df5f7001f2c1e4c26826edb83e
SnakeKeylogger
b3c2f3b7b5ac0e9dbf48b6b243e98429232321f4570b5dba9e4c879d0ab78e9c
SnakeKeylogger
be855c00e706c2548c5ef6fc3da5a1b3c70633b097228f9b734eac6d69499ce3
SnakeKeylogger
cfa0310c20af141220a0cfa1e5181f491d9d61613148fac11cb22b1ee98a96d6
SnakeKeylogger
e2ee1cc8b02470d31b9cbb3fab2c223f7cb98469f882c40a652c818838414b1a
SnakeKeylogger
fdcfc64bb02504b9e1fc2ed14c2753daeb7532e8f121e3d4675d0130dccb7070
SnakeKeylogger
+ 3'407 additional samples on MalwareBazaar
Result
Malware family:
snakekeylogger
Create hunting rule
Score:
  10/10
Tags:
family:snakekeylogger collection keylogger spyware stealer
Link:
https://tria.ge/reports/220719-xjl2rsggg9/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Enumerates physical storage devices
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Looks up external IP address via web service
Checks computer location settings
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Snake Keylogger
Snake Keylogger payload
Unpacked files
SH256 hash:
cfbf3236d96db62f151fd1cdee84128129e6717bbc844c234a4c6b03f76b4884
MD5 hash:
35639b1907990820f291ff2c6eaf42d3
SHA1 hash:
eebca019fce558df41975a014df4264bf083e860
Link:
https://www.unpac.me/results/b091798a-10c4-45d9-8dc0-8403c94aed26/
SH256 hash:
39c2d879c57f07305ce60412dc8a88f02e51f1a14a06cc605768d1d7f5313807
MD5 hash:
db51fe170a9e5d6ec5429a2fbd9d0353
SHA1 hash:
e30a58125fc41322db6cf2ccb6a6d414ed379016
Link:
https://www.unpac.me/results/b091798a-10c4-45d9-8dc0-8403c94aed26/
SH256 hash:
f6d1cda2efe2622064025631b2a1ee8e5bdc057798de203ed5841916e662b4a1
MD5 hash:
fb7cc194309b03e66b160fe20f371762
SHA1 hash:
7b6fe95b9b6af1328d43ef9fff27919d807b9c47
Link:
https://www.unpac.me/results/b091798a-10c4-45d9-8dc0-8403c94aed26/
SH256 hash:
66899bbe17fec0c230efe7342495539bfe4094c4e00c22acae1c21e567a22735
MD5 hash:
dadce90404ba79b446be6c637708354e
SHA1 hash:
60487a8e9d95107497bc574535d9b1755f34aad7
Link:
https://www.unpac.me/results/b091798a-10c4-45d9-8dc0-8403c94aed26/
SH256 hash:
12bdc3269ad334f0615e0be942b6f7c3bae42fa537bbae6f1c7f8f27bce60967
MD5 hash:
6483282f797ee34ed9004bb898a3113f
SHA1 hash:
2ac9d8c441a97ea5735084af796ef50dc47af30a
Link:
https://www.unpac.me/results/b091798a-10c4-45d9-8dc0-8403c94aed26/
SH256 hash:
5575941bd9c7c99af08fdb0fb4b70e23a12b7f336c81ffe5a7f9de138a202c35
MD5 hash:
c5d424f91e68e675532bf2bdfbeaf71e
SHA1 hash:
2ff494baa9742cce1d1f8f251ccc558b5c01d254
Link:
https://www.unpac.me/results/b091798a-10c4-45d9-8dc0-8403c94aed26/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/5575941bd9c7c99af08fdb0fb4b70e23a12b7f336c81ffe5a7f9de138a202c35

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

SnakeKeylogger

Executable exe 5575941bd9c7c99af08fdb0fb4b70e23a12b7f336c81ffe5a7f9de138a202c35

(this sample)

  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/2259053/
Cape
Cape
https://www.capesandbox.com/analysis/292002/

Comments


Avatar
zbet commented on 2022-07-19 18:53:04 UTC

url : hxxp://198.46.132.183/obs/bin.exe