MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 5997a10b7ec5669650d2e310bc3b65a33017c1352d91548a496f97735d5bd486. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


SnakeKeylogger


Vendor detections: 15


Intelligence 15 IOCs YARA 4 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 5997a10b7ec5669650d2e310bc3b65a33017c1352d91548a496f97735d5bd486
SHA3-384 hash: 443a8ce54ce1fc3ee312131c8477385078cb252cef550aac0e34b83f94de4d94f9b49ef634761b4a98083be865045d71
SHA1 hash: d8b6bdfb8d1866a13dfe249db09b081e5b3958cd
MD5 hash: 792168d3e129682602200d0ef330aa5c
humanhash: dakota-december-pluto-music
File name:5997a10b7ec5669650d2e310bc3b65a33017c1352d91548a496f97735d5bd486
Download: download sample
Signature SnakeKeylogger
Create hunting rule
File size:608'768 bytes
First seen:2023-08-08 12:25:36 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'750 x AgentTesla, 19'654 x Formbook, 12'248 x SnakeKeylogger)
ssdeep 12288:s5LbzIu9+r9IaLDm3SoeehMV9zx3J3AoWX6HqrqbB:s5LA9NLq34zx3BQQ
Threatray 3'442 similar samples on MalwareBazaar
TLSH T158D422BA6713CB07D05B13744E28A430437ABED67816E363ECC37BCE96A1FA61854953
TrID 71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.2% (.EXE) Win64 Executable (generic) (10523/12/4)
6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.3% (.EXE) Win32 Executable (generic) (4505/5/1)
2.0% (.ICL) Windows Icons Library (generic) (2059/9)
File icon (PE):PE icon
dhash icon eaeac2b2f2e888a6 (6 x SnakeKeylogger, 1 x AgentTesla, 1 x NanoCore)
Reporter adrian__luca
Tags:exe SnakeKeylogger

Intelligence

File Origin
# of uploads :
1
# of downloads :
273
Origin country :
HU HU
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
5997a10b7ec5669650d2e310bc3b65a33017c1352d91548a496f97735d5bd486
Verdict:
Malicious activity
Analysis date:
2023-08-08 12:26:07 UTC
Tags:
evasion snake keylogger trojan
Link:
https://app.any.run/tasks/08ee94c3-db35-4f1a-9317-06afd3c47157

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Snake
Create hunting rule
Link:
https://www.capesandbox.com/analysis/441361/
Detection(s):
SecuriteInfo.com.Trojan.Siggen20.63718.20377.14707.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a custom TCP request
Сreating synchronization primitives
Creating a process with a hidden window
Launching a process
Adding an exclusion to Microsoft Defender
Gathering data
Verdict:
Malicious
Labled as:
Trojan.Generic
Link:
https://www.hybrid-analysis.com/sample/5997a10b7ec5669650d2e310bc3b65a33017c1352d91548a496f97735d5bd486
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Snake Keylogger
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/7b16e735-20d0-462d-9c2d-8e14d3e4b411
Result
Threat name:
Snake Keylogger
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1287759
Signature
.NET source code contains potential unpacker
Adds a directory exclusion to Windows Defender
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Found malware configuration
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
May check the online IP address of the machine
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Scheduled temp file as task from temp location
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected Generic Downloader
Yara detected Snake Keylogger
Yara detected Telegram RAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 1287759 Sample: Gn426VU4Jg.exe Startdate: 08/08/2023 Architecture: WINDOWS Score: 100 47 Found malware configuration 2->47 49 Malicious sample detected (through community Yara rule) 2->49 51 Antivirus / Scanner detection for submitted sample 2->51 53 7 other signatures 2->53 7 eZYkVVG.exe 5 2->7         started        10 Gn426VU4Jg.exe 7 2->10         started        process3 file4 55 Antivirus detection for dropped file 7->55 57 Multi AV Scanner detection for dropped file 7->57 59 May check the online IP address of the machine 7->59 61 Machine Learning detection for dropped file 7->61 13 eZYkVVG.exe 14 2 7->13         started        17 schtasks.exe 1 7->17         started        33 C:\Users\user\AppData\Roaming\eZYkVVG.exe, PE32 10->33 dropped 35 C:\Users\user\AppData\Local\...\tmp5118.tmp, XML 10->35 dropped 63 Uses schtasks.exe or at.exe to add and modify task schedules 10->63 65 Adds a directory exclusion to Windows Defender 10->65 19 Gn426VU4Jg.exe 15 2 10->19         started        21 powershell.exe 21 10->21         started        23 schtasks.exe 1 10->23         started        25 2 other processes 10->25 signatures5 process6 dnsIp7 37 checkip.dyndns.org 13->37 39 132.226.247.73, 49700, 80 UTMEMUS United States 13->39 67 Tries to steal Mail credentials (via file / registry access) 13->67 69 Tries to harvest and steal browser information (history, passwords, etc) 13->69 27 conhost.exe 17->27         started        41 checkip.dyndns.org 19->41 43 checkip.dyndns.com 193.122.6.168, 49699, 80 ORACLE-BMC-31898US United States 19->43 45 192.168.2.1 unknown unknown 19->45 29 conhost.exe 21->29         started        31 conhost.exe 23->31         started        signatures8 process9
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/5997a10b7ec5669650d2e310bc3b65a33017c1352d91548a496f97735d5bd486/
Threat name:
Win32.Trojan.Leonem
Create hunting rule
Status:
Malicious
First seen:
2023-07-31 02:42:00 UTC
File Type:
PE (.Net Exe)
Extracted files:
13
AV detection:
27 of 38 (71.05%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=lgl2cc36yvtjmugs4milyo3fumybpqjvfwivjcsjn6lxgxk32sda._file
Verdict:
malicious
Similar samples:
0c3959bb80d9187387e3b41f8ac1aed632548614454e0888f8fea7404eed8304
SnakeKeylogger
0ffb2f62c79661847214dbf0242b3ccb488782b9a06278a1b66244f9338f2525
SnakeKeylogger
14480f4ce9a1c99ea2336e2d28ccd37aac77275f8adde88ef001318b45a644b7
SnakeKeylogger
204f9fbd3fb79151782fec13185b3c55e0109ad3e27e91fe1410cc1171106ff8
SnakeKeylogger
3520f6322123eacd232b1dd107d892e852aa8cfa79eaf4fc3fb9c5b23893c948
SnakeKeylogger
4913dda08726dc0fcc3b36bb5daf24556364937a7c4950698e8f2cc0691aefc6
SnakeKeylogger
90b37ea81aba9787a883970ff011dbbf5da729fc915bf3dc104704111fbc2848
SnakeKeylogger
9d2b93c207ed97cc7b272da9a8d388077d97dc389e2c0e9645e917aa5f0619a8
SnakeKeylogger
ea7e6b5688313cb532684ecc61a1438a40bbd32a0eb1ee7b1810086cb705aa09
SnakeKeylogger
f3053c7e048f3a0446a3a5b005a73173720e037f7372c4dad57955b23c42d3f0
SnakeKeylogger
+ 3'432 additional samples on MalwareBazaar
Result
Malware family:
snakekeylogger
Create hunting rule
Score:
  10/10
Tags:
family:snakekeylogger keylogger spyware stealer
Link:
https://tria.ge/reports/230808-pl6vyscd88/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Looks up external IP address via web service
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Snake Keylogger
Snake Keylogger payload
Malware Config
C2 Extraction:
https://api.telegram.org/bot6060762419:AAGo6rQgpyf-Njpv5QeEbwFAJ4lVx_cPJSc/sendMessage?chat_id=1696657848
Unpacked files
SH256 hash:
af6f4fc678055a7825c559f894109784fb0c9ded9744bc087e63e8a1450dc553
MD5 hash:
a6a0cdcff75acbd2ed97a71fc93c5393
SHA1 hash:
ee3cee249b0d3f15945e7b9935e4c533db3d2519
Link:
https://www.unpac.me/results/2460f06d-f4b5-4f37-9aca-fca503b50ec4/
SH256 hash:
52f358d201e81d3a0391cedd3042e2f957555b77aa49559f7fb810bbb7673ba1
MD5 hash:
c785ddc46141af772c75101d17c46a41
SHA1 hash:
e248723b6f60cc7607980d07172b64c33b2b2f15
Link:
https://www.unpac.me/results/2460f06d-f4b5-4f37-9aca-fca503b50ec4/
SH256 hash:
0192571f51d430a0ce8d1a835e22a2959a77df621eb5cdd2fb4992b2d9ecd6b4
MD5 hash:
41e6205fb8a4621b5c84dfe310e17d05
SHA1 hash:
695328617d03d67393d7f7f834a801270308e4ca
Link:
https://www.unpac.me/results/2460f06d-f4b5-4f37-9aca-fca503b50ec4/
SH256 hash:
b86193f0f5eeadf451f23596dffb4d015245311c67bc15244c2b1c81293d3679
MD5 hash:
be09d1a9fbdc7fe4ad47e49a0ccf2a0e
SHA1 hash:
3eea7d856de59fefd670110c2edda63c319a5a1b
Link:
https://www.unpac.me/results/2460f06d-f4b5-4f37-9aca-fca503b50ec4/
SH256 hash:
258837e0e3717642a66757ec5246e80bb7b6b07358cc7062c7a90683824a389e
MD5 hash:
15011277acf37c7b67dbf1de1c7f015a
SHA1 hash:
3015cb619dc908a3358f1c3ea5a532069ba8ca33
Detections:
snake_keylogger
Create hunting rule
Link:
https://www.unpac.me/results/2460f06d-f4b5-4f37-9aca-fca503b50ec4/
Parent samples :
c11df3f962a103fb7d2640c2788461926d8ccda282fec1b46c35d9bec4187573
2dbb566e1dce36409f2f8a3e3fed3737c4b286b87c2dc87d892ff4d0e0367562
5997a10b7ec5669650d2e310bc3b65a33017c1352d91548a496f97735d5bd486
SH256 hash:
5997a10b7ec5669650d2e310bc3b65a33017c1352d91548a496f97735d5bd486
MD5 hash:
792168d3e129682602200d0ef330aa5c
SHA1 hash:
d8b6bdfb8d1866a13dfe249db09b081e5b3958cd
Link:
https://www.unpac.me/results/2460f06d-f4b5-4f37-9aca-fca503b50ec4/
Malware family:
SnakeKeylogger
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/5997a10b7ec5/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/5997a10b7ec5669650d2e310bc3b65a33017c1352d91548a496f97735d5bd486

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:NETexecutableMicrosoft
Create hunting rule
Author:malware-lu
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/441361/

Comments