MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 5af368f158382f62f886bc08d7eddc7c3b947ef6658535a05c5cab24e50cecde. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

SnakeKeylogger

Vendor detections: 14

Intelligence 14 IOCs YARA 13 File information Comments

SHA256 hash:	5af368f158382f62f886bc08d7eddc7c3b947ef6658535a05c5cab24e50cecde
SHA3-384 hash:	ffacc1ea3d0e6e941c7979ba8a2a6ba17fcd3d6a3786da9dc357d9def32d4b29730d7a7cc7fc29a6e8e7e36527d0c451
SHA1 hash:	9525f35d9e894349f4ecbade7905752aaec0cc8d
MD5 hash:	a61754746b52b33f7535dbf287e27276
humanhash:	butter-friend-gee-glucose
File name:	payment confirmation.exe
Download:	download sample
Signature	SnakeKeylogger Create hunting rule
File size:	376'320 bytes
First seen:	2023-10-18 15:56:43 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'661 x AgentTesla, 19'474 x Formbook, 12'208 x SnakeKeylogger)
ssdeep	6144:RckOazRkzyPtvhW+m9VgbiNFeYOtYYE2Odtyqd72fOsA:WkOaz/Ptk+GVgwZlYrOiqoo
Threatray	5'773 similar samples on MalwareBazaar
TLSH	T1A584F1A8E7A6D720D21305BBC3A0EA61C33D6E31C671A5F6BD22354E5BFF51CC809980
TrID	71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13) 10.2% (.EXE) Win64 Executable (generic) (10523/12/4) 6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 4.3% (.EXE) Win32 Executable (generic) (4505/5/1) 2.0% (.ICL) Windows Icons Library (generic) (2059/9)
File icon (PE):
dhash icon	b474fcccccd4d4cc (10 x SnakeKeylogger, 2 x AgentTesla, 2 x Loki)
Reporter	abuse_ch
Tags:	exe SnakeKeylogger

Intelligence

File Origin

# of uploads :

# of downloads :

311

Origin country :

Vendor Threat Intelligence

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/455732/

Detection(s):

SecuriteInfo.com.Win32.KeyloggerX-gen.26139.2188.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Unauthorized injection to a recently created process

Restart of the analyzed sample

Creating a file

Сreating synchronization primitives

DNS request

Sending an HTTP GET request

Reading critical registry keys

Sending a custom TCP request

Creating a window

Forced shutdown of a browser

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

control lolbin masquerade packed

Link:

https://www.filescan.io/uploads/65300054ba877ae55910ef32/reports/fd0ed1d3-2423-46ae-a0df-648a156c2cda/overview

Verdict:

Malicious

Labled as:

Malware

Link:

https://www.hybrid-analysis.com/sample/5af368f158382f62f886bc08d7eddc7c3b947ef6658535a05c5cab24e50cecde

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Snake Keylogger

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/f1c8eb76-0841-4f98-a92c-9277ae4a9a8d

Result

Threat name:

Snake Keylogger

Detection:

malicious

Classification:

n/a

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1328136

Signature

.NET source code contains potential unpacker

.NET source code references suspicious native API functions

Antivirus / Scanner detection for submitted sample

Found malware configuration

Initial sample is a PE file and has a suspicious name

Injects a PE file into a foreign processes

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Sample has a suspicious name (potential lure to open the executable)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Mail credentials (via file / registry access)

Yara detected Generic Downloader

Yara detected Snake Keylogger

Yara detected Telegram RAT

Behaviour

Behavior Graph:

Download SVG

Score:

100%

Verdict:

Malware

File Type:

Link:

https://malprob.io/report/5af368f158382f62f886bc08d7eddc7c3b947ef6658535a05c5cab24e50cecde

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/5af368f158382f62f886bc08d7eddc7c3b947ef6658535a05c5cab24e50cecde/

Threat name:

ByteCode-MSIL.Backdoor.Remcos

Status:

Malicious

First seen:

2023-10-18 11:58:37 UTC

File Type:

PE (.Net Exe)

Extracted files:

AV detection:

19 of 24 (79.17%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=llzwr4kyhaxwf6egxqenp3o4pq5zi7xwmwctlic4lsvsjzim5tpa._file

Verdict:

malicious

SnakeKeylogger

13c527233819f76ce94c4ab839838a213acd727de5cae5660222a5c4ddd8d5b4

SnakeKeylogger

32a00fc9b61a3ca12be1aa91388fbd5c37b19650b01a11d0e5521097b3de3e11

SnakeKeylogger

3bdd69de010f0f5eab2291127a6645fb8ed19f279276a6e7bf1122cf1937d61c

SnakeKeylogger

62c1d71fff5293071772735f75960544716be3c3ee5996c6889f3ef3b4e7bcec

SnakeKeylogger

6caab57198e2e3cc5833f0b578e193c99230595f66ab98eb00f0fdae7d8c2c8a

SnakeKeylogger

6cf693bad16af8a716014d5dbf978dcfad1d39c3e079ac383c4bd0870d583c96

SnakeKeylogger

b9d4088106a3a557fb5d909c8c5b921971704d7b764306ee4190cefd9b8d89b0

SnakeKeylogger

eb129d9324fffc4f901285201177387057e3d6c8f34e93aab8b08eee5b44dcb9

SnakeKeylogger

f0caaaebe92baa4bc450b54344dfbd8c9f6c4ee2057a6d289b2c347b8b7ae912

SnakeKeylogger

+ 5'763 additional samples on MalwareBazaar

Result

Malware family:

snakekeylogger

Score:

10/10

Tags:

family:snakekeylogger collection keylogger spyware stealer

Link:

https://tria.ge/reports/231018-teha8sfh2w/

Behaviour

Modifies system certificate store

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

outlook_office_path

outlook_win_path

Suspicious use of SetThreadContext

Accesses Microsoft Outlook profiles

Looks up external IP address via web service

Reads user/profile data of local email clients

Reads user/profile data of web browsers

Snake Keylogger

Snake Keylogger payload

Unpacked files

SH256 hash:

de35005a26fb49612d61271677961be0ddfd3a8093300b85fd702c3c601e9c3b

MD5 hash:

5f73b07afe99865879df22895316ca02

SHA1 hash:

dd49e92eb95b2178f18b72e4821e3928aec08a1f

Link:

https://www.unpac.me/results/43163fa1-076e-4245-b48f-60075e67e951/

SH256 hash:

e16b58eedcf1810dd1fe08854762dda57afd12b8727e333ba592ebdafe98b542

MD5 hash:

32543a54673d794bd199ab772a485002

SHA1 hash:

cc076a13f36c727224ecc67eee97663ff1aca041

Detections:

snake_keylogger

win_404keylogger_g1

Link:

https://www.unpac.me/results/43163fa1-076e-4245-b48f-60075e67e951/

Parent samples :

5af368f158382f62f886bc08d7eddc7c3b947ef6658535a05c5cab24e50cecde
9734c8dcfd274b038523356935eadc3ff4f7c4b71542def7926f723d0872ca0b

SH256 hash:

2df81b7a7580dd8099502f1caaf6ecf3af80d9b04ffe32cf2ac7834d944cc1f2

MD5 hash:

4cfae6afed1c1626499592c0d6711f93

SHA1 hash:

9f41bbd487e22867d3942e0db7a394ae00a69009

Link:

https://www.unpac.me/results/43163fa1-076e-4245-b48f-60075e67e951/

SH256 hash:

5af368f158382f62f886bc08d7eddc7c3b947ef6658535a05c5cab24e50cecde

MD5 hash:

a61754746b52b33f7535dbf287e27276

SHA1 hash:

9525f35d9e894349f4ecbade7905752aaec0cc8d

Link:

https://www.unpac.me/results/43163fa1-076e-4245-b48f-60075e67e951/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

iSpy Keylogger

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/5af368f158382f62f886bc08d7eddc7c3b947ef6658535a05c5cab24e50cecde

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	crime_snake_keylogger Create hunting rule
Author:	Rony (r0ny_123)
Description:	Detects Snake keylogger payload

Rule name:	INDICATOR_SUSPICIOUS_Binary_References_Browsers Create hunting rule
Author:	ditekSHen
Description:	Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers.

Rule name:	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook Create hunting rule
Author:	ditekSHen
Description:	Detects executables with potential process hoocking

Rule name:	INDICATOR_SUSPICIOUS_EXE_References_Messaging_Clients Create hunting rule
Author:	ditekSHen
Description:	Detects executables referencing many email and collaboration clients. Observed in information stealers

Rule name:	INDICATOR_SUSPICIOUS_EXE_TelegramChatBot Create hunting rule
Author:	ditekSHen
Description:	Detects executables using Telegram Chat Bot

Rule name:	MALWARE_Win_SnakeKeylogger Create hunting rule
Author:	ditekSHen
Description:	Detects Snake Keylogger

Rule name:	MAL_Envrial_Jan18_1 Create hunting rule
Author:	Florian Roth (Nextron Systems)
Description:	Detects Encrial credential stealer malware
Reference:	https://twitter.com/malwrhunterteam/status/953313514629853184

Rule name:	MAL_Envrial_Jan18_1_RID2D8C Create hunting rule
Author:	Florian Roth
Description:	Detects Encrial credential stealer malware
Reference:	https://twitter.com/malwrhunterteam/status/953313514629853184

Rule name:	NET Create hunting rule
Author:	malware-lu

Rule name:	NETexecutableMicrosoft Create hunting rule
Author:	malware-lu

Rule name:	pe_imphash Create hunting rule

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

Rule name:	Windows_Trojan_SnakeKeylogger_af3faa65 Create hunting rule
Author:	Elastic Security

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

SnakeKeylogger

exe 5af368f158382f62f886bc08d7eddc7c3b947ef6658535a05c5cab24e50cecde

(this sample)

Delivery method

Distributed via e-mail attachment

Cape

https://www.capesandbox.com/analysis/455732/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample