MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 56d6ec04e6da2da0b7350720d5df69809fe2ea24dfac850ebd8f7ae89159f689. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



SnakeKeylogger


Vendor detections: 13



SHA256 hash: 56d6ec04e6da2da0b7350720d5df69809fe2ea24dfac850ebd8f7ae89159f689
SHA3-384 hash: 24da5ef74112a216c9c1d1b0bcb55a5401570f662ec17a1a56602c877bbf5c1ab0cfd5a69e7305ce10b7fcdf46e4d2c8
SHA1 hash: 16da07a9f50c6cd1f720aa0d73ba88b3054f7330
MD5 hash: 5e4daea9f86df8748694932fb94711ae
humanhash: tango-fish-football-blossom
File name: 5e4daea9f86df8748694932fb94711ae.exe
Signature: SnakeKeylogger
File size: 697'344 bytes
First seen: 2023-01-30 10:33:23 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: f34d5f2d4577ed6d9ceec516c1f5a744 (48'647 x AgentTesla, 19'451 x Formbook, 12'201 x SnakeKeylogger)
ssdeep: 12288:/b0oqhrScTAOFZ4ts0bNe1JfVabaHGRWeh3ih9HMA:/4oqxScLFX0Re1qGQBYTl
Threatray: 10'890 similar samples on MalwareBazaar
TLSH: T10EE4026943788FE3C56543FA34F410692B3026A7B093EB490E99ACD5CD473F18A3766B
TrID: 71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
      10.2% (.EXE) Win64 Executable (generic) (10523/12/4)
      6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
      4.3% (.EXE) Win32 Executable (generic) (4505/5/1)
      2.0% (.ICL) Windows Icons Library (generic) (2059/9)
Reporter: abuse_ch
Tags: exe SnakeKeylogger

Intelligence


File Origin
# of uploads: 1
# of downloads: 184
Origin country: n/a
Vendor Threat Intelligence
Malware family: n/a
ID: 1
File name: 5e4daea9f86df8748694932fb94711ae.exe
Verdict: Malicious activity
Analysis date: 2023-01-30 10:44:29 UTC
Tags: evasion trojan snake keylogger

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict: Malware
Behaviour
Searching for the window
Creating a window
Unauthorized injection to a recently created process
Creating a file
Creating synchronization primitives
DNS request
Sending an HTTP GET request
Reading critical registry keys
Verdict: Malicious
Threat level: 10/10
Confidence: 100%
Tags: packed
Result
Verdict: UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family: Generic Malware
Verdict: Malicious
Result
Threat name: Snake Keylogger
Detection: malicious
Classification: troj.spyw.evad
Score: 100 / 100
Signature
.NET source code references suspicious native API functions
Injects a PE file into a foreign processes
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
May check the online IP address of the machine
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Mail credentials (via file / registry access)
Yara detected AntiVM3
Yara detected Generic Downloader
Yara detected Snake Keylogger
Yara detected Telegram RAT
Threat name: ByteCode-MSIL.Trojan.AgentTesla
Status: Malicious
First seen: 2023-01-30 10:34:09 UTC
File Type: PE (.Net Exe)
Extracted files: 10
AV detection: 21 of 26 (80.77%)
Threat level: 5/5
Result
Malware family: snakekeylogger
Score: 10/10
Tags: family:snakekeylogger collection keylogger spyware stealer
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Program crash
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Looks up external IP address via web service
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Snake Keylogger
Snake Keylogger payload
Unpacked files
Detections: snake_keylogger
Parent samples:
Malware family: SnakeKeylogger
Verdict: Malicious
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: pe_imphash
Rule name: Skystars_Malware_Imphash
Author: Skystars LightDefender
Description: imphash

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method: Web download
Signature: SnakeKeylogger
File: Executable exe 56d6ec04e6da2da0b7350720d5df69809fe2ea24dfac850ebd8f7ae89159f689 (this sample)

Delivery method: Distributed via web download

Comments