MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 5a37ff4ed1e91178f3de140c084d552f42db0b70fd82554d645e6ef8e4268388. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


SnakeKeylogger


Vendor detections: 13


Intelligence 13 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 5a37ff4ed1e91178f3de140c084d552f42db0b70fd82554d645e6ef8e4268388
SHA3-384 hash: abd8f216ecf7ed866a05d1428eb6a611019fb20234a43f94751541a662ced91071bf2509e5d3e51dadd4ee05bdebcc18
SHA1 hash: c3a95de9ab0a7985ea5fb35f27634d9a9b70c508
MD5 hash: 972f3523a73a290ee0f57f3fb5827bdb
humanhash: mississippi-artist-maryland-ink
File name:Payment Advice.pdf.bat
Download: download sample
Signature SnakeKeylogger
Create hunting rule
File size:1'179'136 bytes
First seen:2022-03-23 18:51:28 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'666 x AgentTesla, 19'479 x Formbook, 12'209 x SnakeKeylogger)
ssdeep 12288:dUeaOm9FfGJ0c6n5SyasFiOx5QnGtPNgOyErZ5F6B3n/MkpOb0wxNGkRhXe76WGE:dUvOif+HsFXx58uyONrF6Jn/pp60iNG
Threatray 3'894 similar samples on MalwareBazaar
TLSH T13B4563AD325072DFC867C972CA681C64FB9074BB930BD603A05313A99E4E997EF540F6
Reporter abuse_ch
Tags:bat exe SnakeKeylogger

Intelligence

File Origin
# of uploads :
1
# of downloads :
215
Origin country :
n/a
Vendor Threat Intelligence
Detection:
Snake
Create hunting rule
Link:
https://www.capesandbox.com/analysis/256777/
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Сreating synchronization primitives
Unauthorized injection to a recently created process
Creating a file
DNS request
Sending an HTTP GET request
Sending a custom TCP request
Reading critical registry keys
Forced shutdown of a browser
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
obfuscated packed
Link:
https://www.filescan.io/uploads/623b6c70b94fb38cb4db14d6/reports/001ed99b-3544-440c-8b8e-37438f93c0ad/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Snake Keylogger
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/2363d3d3-a2b5-400b-a737-65c43826975d
Result
Threat name:
Snake Keylogger
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/963319
Signature
.NET source code contains very large strings
Antivirus / Scanner detection for submitted sample
Found malware configuration
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
May check the online IP address of the machine
Multi AV Scanner detection for submitted file
Sigma detected: Suspicious Double Extension
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Mail credentials (via file / registry access)
Uses an obfuscated file name to hide its real file extension (double extension)
Yara detected AntiVM3
Yara detected Snake Keylogger
Yara detected Telegram RAT
Behaviour
Behavior Graph:
Download SVG
Detection:
snakekeylogger
Create hunting rule
Link:
https://mwdb.cert.pl/sample/5a37ff4ed1e91178f3de140c084d552f42db0b70fd82554d645e6ef8e4268388/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2022-03-23 11:15:43 UTC
File Type:
PE (.Net Exe)
Extracted files:
11
AV detection:
23 of 42 (54.76%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=li376twr5eixr466cqgaqtkvf5bnwc3q7wbfktlelzxprzbgqoea._file
Verdict:
malicious
Similar samples:
0bc6152941893e5d36af2520150b93cc439e5efdb476038e6fac9a17dacc743f
SnakeKeylogger
459ffd564cff546baed72dc2ba79fff156b533600495098f319eed8239d0bb21
SnakeKeylogger
742526bc4de3287b0d55149acdc82c1578cbaae2c42066e40ac5812ed9fd3159
SnakeKeylogger
7529261b01e2f6d420aa0239c584a7d6c0022ea71ce562335d1384a03d529bbd
SnakeKeylogger
ae13fe36ae25d1c276ec9efaaa8599e186f9df2b2d742c7999b895fdf2d302d7
SnakeKeylogger
b188bb830946acfecb6674b08fd89db34c8aa2be066205f7ee50c9f8fbbe3454
SnakeKeylogger
d9c3080d262ce878565455b1d34ab1ed0c45e470cb6651de7e168150807c7d1c
SnakeKeylogger
+ 3'884 additional samples on MalwareBazaar
Result
Malware family:
snakekeylogger
Create hunting rule
Score:
  10/10
Tags:
family:snakekeylogger collection keylogger spyware stealer
Link:
https://tria.ge/reports/220323-xh4v7aabe2/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Looks up external IP address via web service
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Snake Keylogger
Snake Keylogger Payload
Malware Config
C2 Extraction:
https://api.telegram.org/bot5203924745:AAHBwqsxtZT7w6GPVRJfGAHycmwHnSBWtlI/sendMessage?chat_id=5221788554
Unpacked files
SH256 hash:
4e013a9310f221596b3d9df583320cead533b44b013b2448e88d1d0c8dd2f72e
MD5 hash:
2adc5eba669710849be34c6c06c25e3d
SHA1 hash:
cd7f5918919a3a7b031a0367b2d4e1016bf5db56
Link:
https://www.unpac.me/results/6505141d-87e8-445d-a99f-f38f8edb4b2f/
SH256 hash:
bbd10969fde6799ac4d166c62374a74cab41b0fa5efd953a998ea7179db14e9c
MD5 hash:
a7cea5dd90c011f32393428cf4313aed
SHA1 hash:
9a0e5d65a3f0795abd257910284f58bd860c8dc4
Link:
https://www.unpac.me/results/6505141d-87e8-445d-a99f-f38f8edb4b2f/
SH256 hash:
79823e47436e129def4fba8ee225347a05b7bb27477fb1cc8be6dc9e9ce75696
MD5 hash:
39f524c1ab0eb76dfd79b2852e5e8c39
SHA1 hash:
428018e1701006744e34480b0029982a76d8a57d
Link:
https://www.unpac.me/results/6505141d-87e8-445d-a99f-f38f8edb4b2f/
SH256 hash:
5a37ff4ed1e91178f3de140c084d552f42db0b70fd82554d645e6ef8e4268388
MD5 hash:
972f3523a73a290ee0f57f3fb5827bdb
SHA1 hash:
c3a95de9ab0a7985ea5fb35f27634d9a9b70c508
Link:
https://www.unpac.me/results/6505141d-87e8-445d-a99f-f38f8edb4b2f/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/5a37ff4ed1e91178f3de140c084d552f42db0b70fd82554d645e6ef8e4268388

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

SnakeKeylogger

Executable exe 5a37ff4ed1e91178f3de140c084d552f42db0b70fd82554d645e6ef8e4268388

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/256777/

Comments