MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 55c9999640440b6cc08e607397893601551fe37b32452b5c058178a24e07821f. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


SnakeKeylogger


Vendor detections: 12


Intelligence 12 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 55c9999640440b6cc08e607397893601551fe37b32452b5c058178a24e07821f
SHA3-384 hash: 5a749b47798554b8ad4725a1345850e1e4739a386d5463898daed65660348fa92a3cd97b2c39f8fea158fb29073ace91
SHA1 hash: 4ebbc6e9a181d821381a2662d68e4986f6d02d1f
MD5 hash: d94cdee4f2e60a2e951d074d9b6709e0
humanhash: virginia-lactose-spring-mike
File name:Sale Transactions Audit.exe
Download: download sample
Signature SnakeKeylogger
Create hunting rule
File size:876'544 bytes
First seen:2022-10-05 09:31:11 UTC
Last seen:2022-10-07 15:22:18 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'657 x AgentTesla, 19'468 x Formbook, 12'206 x SnakeKeylogger)
ssdeep 12288:OP/ftm11HzhI9R5LiIVBZKfcWDl2exdV37Si/YR/4ve:k/fS1HlIBLiDblv37Jq4ve
Threatray 5'698 similar samples on MalwareBazaar
TLSH T19215CE3206D2D60BD4561338DCE3C3F06FE85EA5A272C3478FE9BD6BF44B1A6AA51144
TrID 54.5% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
23.2% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
7.8% (.EXE) Win64 Executable (generic) (10523/12/4)
4.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
3.3% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):PE icon
dhash icon 74f4c4d4d4d4d4d4 (6 x SnakeKeylogger, 5 x AgentTesla, 5 x Loki)
Reporter abuse_ch
Tags:exe SnakeKeylogger

Intelligence

File Origin
# of uploads :
2
# of downloads :
207
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/316787/
Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Creating a window
DNS request
Sending a custom TCP request
Unauthorized injection to a recently created process
Creating a file
Сreating synchronization primitives
Launching the default Windows debugger (dwwin.exe)
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
packed
Link:
https://www.filescan.io/uploads/633d4f16c9e2f3435432cf42/reports/5feb5a08-f415-49a4-aac5-466b84ae2c30/overview
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Snake Keylogger
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/affffbb7-aa0e-45b1-b2b6-aea61422c78f
Result
Threat name:
Snake Keylogger
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1083999
Signature
.NET source code contains potential unpacker
.NET source code references suspicious native API functions
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
May check the online IP address of the machine
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Mail credentials (via file / registry access)
Yara detected AntiVM3
Yara detected Generic Downloader
Yara detected Snake Keylogger
Yara detected Telegram RAT
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/55c9999640440b6cc08e607397893601551fe37b32452b5c058178a24e07821f/
Threat name:
ByteCode-MSIL.Trojan.Leonem
Create hunting rule
Status:
Malicious
First seen:
2022-10-05 07:37:49 UTC
File Type:
PE (.Net Exe)
Extracted files:
15
AV detection:
20 of 26 (76.92%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=kxeztfsaiqfwzqeombzzpcjwafkr7y33gjcswxafqf4ketqhqipq._file
Verdict:
malicious
Similar samples:
0c15857ade4f7702f72d5fd75a7ec9afc964e208b06a123305792e9080bbb7fd
SnakeKeylogger
0ef614e4585076fc4d0d36c55feae9e11feb7e51e5d006987621e592f3517131
SnakeKeylogger
3b8dcf7047a2d9440e4809359bec667476f816e5ca27e3fed3c072c8131b77be
SnakeKeylogger
6accaf0ba9ccc624551c840825e04c6a2cff64f967e00fe9e1715f4f8dca9d08
SnakeKeylogger
97de5c0f24a604e966402888e535bfbbe5e989a287c9bd601e91ef10a8f411d2
SnakeKeylogger
a202f5194bc6c7ca2e825590fd3ca642696fcee88441832d386918b576381371
SnakeKeylogger
bfc506f7c1bfde6a3db6c8ee32618b952731fb6e4a0c458f5009671e57b830e5
SnakeKeylogger
d305aa9539f2074ac6b663b385cd9e3905dd3f9b1755cf8d9d3b724c3831a16e
SnakeKeylogger
+ 5'688 additional samples on MalwareBazaar
Result
Malware family:
snakekeylogger
Create hunting rule
Score:
  10/10
Tags:
family:snakekeylogger collection keylogger spyware stealer
Link:
https://tria.ge/reports/221005-lhl5ladhd3/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Looks up external IP address via web service
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Snake Keylogger
Snake Keylogger payload
Verdict:
Suspicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/0202af91-d00c-486f-9b7a-60d5e74fff58
Unpacked files
SH256 hash:
b7ab1e4d3af9c4c5dcc751a773704c3371174eeb7ae6b8d1891d183a7fb6f0ef
MD5 hash:
688ebd6c9a2feaec79d7207460f0cb76
SHA1 hash:
e8832559b1d08954081b1b7d33c956f9fb3ffb79
Link:
https://www.unpac.me/results/8f0fe8b9-df86-48f7-a952-a7a0a0f148b3/
SH256 hash:
de31e6419d0f2435b74d318358ff0af12e549eaddc2660cb7d334e9f49bc17bc
MD5 hash:
ca67ebafe7624a66303e5348fbd81ab6
SHA1 hash:
99b0adcd74a9eb42630e8d5a9077443fe9b5d683
Link:
https://www.unpac.me/results/8f0fe8b9-df86-48f7-a952-a7a0a0f148b3/
SH256 hash:
5fbdcb76c77563ed3d729fdca3396169c54443253001cf9b1b6b75a0f75cdcb4
MD5 hash:
629c31e71cfa6aab7a62bef45298816c
SHA1 hash:
932da9270d08d3b97ad1fb75e3d3180481f91096
Link:
https://www.unpac.me/results/8f0fe8b9-df86-48f7-a952-a7a0a0f148b3/
SH256 hash:
b54293e88d33c92ab0e55eac91f45c793ffbf548679a3cf6a09f48bcc732534a
MD5 hash:
4dfc96115e362925b64ca7b048f3fa60
SHA1 hash:
863f521db703bced1ed717f148e09c59cb09327a
Link:
https://www.unpac.me/results/8f0fe8b9-df86-48f7-a952-a7a0a0f148b3/
SH256 hash:
e20ec8f3c957bcb6a194ef688bae8af2015cfffb20e7baf8b2114d7b70ade4ee
MD5 hash:
35cb29046968faca7f3f3b4463449b6c
SHA1 hash:
088c8c30ec1bece0a4b5bbfe3982b073f8b95598
Link:
https://www.unpac.me/results/8f0fe8b9-df86-48f7-a952-a7a0a0f148b3/
SH256 hash:
55c9999640440b6cc08e607397893601551fe37b32452b5c058178a24e07821f
MD5 hash:
d94cdee4f2e60a2e951d074d9b6709e0
SHA1 hash:
4ebbc6e9a181d821381a2662d68e4986f6d02d1f
Link:
https://www.unpac.me/results/8f0fe8b9-df86-48f7-a952-a7a0a0f148b3/
Malware family:
SnakeKeylogger
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/55c999964044/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.65
Link:
https://yomi.yoroi.company/submissions/55c9999640440b6cc08e607397893601551fe37b32452b5c058178a24e07821f

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/316787/

Comments