MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 5ba057ec3647f526472f38c5472660cb3bb2f246a90a475d78a0cd24b4e974bd. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


SnakeKeylogger


Vendor detections: 16


Intelligence 16 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 5ba057ec3647f526472f38c5472660cb3bb2f246a90a475d78a0cd24b4e974bd
SHA3-384 hash: 137f51111bdea617dc1caa54b57a16cf5693c22ba05c2991f901d1c716c0b2851b621737f374daea57924c5d0e6f4660
SHA1 hash: e79566e82b76c1237f929dc65f3c59f5abadfd31
MD5 hash: 7b4b2a63a5fa12792f6c7c6a4674ec42
humanhash: twelve-hotel-mars-orange
File name:00282-22292829_pdf.exe
Download: download sample
Signature SnakeKeylogger
Create hunting rule
File size:396'689 bytes
First seen:2023-03-29 06:59:30 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 61259b55b8912888e90f516ca08dc514 (1'059 x Formbook, 741 x AgentTesla, 431 x GuLoader)
ssdeep 6144:mYa6eYce/Z9XgZnKrLrh8lmikop/H7DxCVb3+dz320u6fySbH4:mYTcAjgh0rh8Z1H7Dg3+p//e
TLSH T18B847C732D0D9A86C1301B3096A90D34117B2F8EE6CE0EDEFD7E79B824F99A52507436
TrID 47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
15.9% (.EXE) Win64 Executable (generic) (10523/12/4)
9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
7.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
6.8% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):PE icon
dhash icon 6d65336ae9ebbfb6 (1 x SnakeKeylogger)
Reporter abuse_ch
Tags:exe SnakeKeylogger

Intelligence

File Origin
# of uploads :
1
# of downloads :
237
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
00282-22292829_pdf.exe
Verdict:
Malicious activity
Analysis date:
2023-03-29 07:01:05 UTC
Tags:
snake keylogger trojan evasion
Link:
https://app.any.run/tasks/91298173-7ba9-487d-8938-11f3909756a2

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Snake
Create hunting rule
Link:
https://www.capesandbox.com/analysis/378390/
Detection(s):
Sanesecurity.Malware.28947.BadP.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file in the %temp% directory
Creating a window
Creating a process from a recently created file
Sending a custom TCP request
Сreating synchronization primitives
DNS request
Sending an HTTP GET request
Creating a file
Unauthorized injection to a recently created process
Unauthorized injection to a recently created process by context flags manipulation
Result
Malware family:
n/a
Score:
  5/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/75563/overview
Behaviour
MalwareBazaar
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
comodo nemesis overlay packed remcos shell32.dll
Link:
https://www.filescan.io/uploads/6423e1f40dc8b8a71cf77095/reports/36d3fe94-c606-4163-8f58-69050f3bcccd/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_100%
Link:
https://www.hybrid-analysis.com/sample/5ba057ec3647f526472f38c5472660cb3bb2f246a90a475d78a0cd24b4e974bd
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Snake Keylogger
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/76cd10b2-33bc-4b3f-9e3b-f0f906370b97
Result
Threat name:
Play, Snake Keylogger
Create hunting rule
Detection:
malicious
Classification:
rans.troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1204076
Signature
Antivirus detection for dropped file
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Initial sample is a PE file and has a suspicious name
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
May check the online IP address of the machine
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Mail credentials (via file / registry access)
Yara detected Generic Downloader
Yara detected Play Ransomware
Yara detected Snake Keylogger
Yara detected Telegram RAT
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/5ba057ec3647f526472f38c5472660cb3bb2f246a90a475d78a0cd24b4e974bd/
Threat name:
Win32.Trojan.Garf
Create hunting rule
Status:
Malicious
First seen:
2023-03-29 05:36:02 UTC
File Type:
PE (Exe)
Extracted files:
3
AV detection:
22 of 36 (61.11%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=loqfp3bwi72smrzphdcuojtazm53f4sgvefeoxlyudgsjnhjos6q._file
Result
Malware family:
snakekeylogger
Create hunting rule
Score:
  10/10
Tags:
family:snakekeylogger collection keylogger spyware stealer
Link:
https://tria.ge/reports/230329-hsm8vsgg8x/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Enumerates physical storage devices
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Looks up external IP address via web service
Executes dropped EXE
Loads dropped DLL
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Snake Keylogger
Snake Keylogger payload
Malware Config
C2 Extraction:
https://api.telegram.org/bot6139793960:AAHb1pvRqCPkUdPwQAk890wA9oCHnQ-VPaY/sendMessage?chat_id=935548406
Unpacked files
SH256 hash:
7f475ba84b3dd3c81f51c89528ecd9d0caecf88da389ade8f33f3f113a80692e
MD5 hash:
2c546b649cd40cfdb8d2541231e383a8
SHA1 hash:
c39d13bf162e2bf9ebe7f187b64ec56d253435ad
Detections:
snake_keylogger
Create hunting rule
Link:
https://www.unpac.me/results/bcdc06f1-d4e9-489c-b1a8-774b0c54b84b/
SH256 hash:
80abc5a2938aa57416d1535827fe006e5cdd18713367977551af15247f9d8f25
MD5 hash:
a4b4494d2b7db94bd68151f464a8044f
SHA1 hash:
bb23ea3b40795c0d78aab86563a5bc933b988b86
Detections:
snake_keylogger
Create hunting rule
Link:
https://www.unpac.me/results/bcdc06f1-d4e9-489c-b1a8-774b0c54b84b/
Parent samples :
4d3e26742a298215df314faf2e67e2667c6fe32aac23f65298441a8ae8908331
5ba057ec3647f526472f38c5472660cb3bb2f246a90a475d78a0cd24b4e974bd
eaaef6c4f58cd6de149d1139623eaa618016295c7ea638d7252634cf0638747c
48908b86073e3eb1a50ebe4ef90bce2b3a5c7467edf131ab799daf1da2ac04a3
80abc5a2938aa57416d1535827fe006e5cdd18713367977551af15247f9d8f25
SH256 hash:
bac230933b57edec3afe996931d52b96f184654fb15985cc367a60da6b8376fc
MD5 hash:
a534119a8ce95baf5ffa3b7e9ef6c51e
SHA1 hash:
8436b76939c727acf7e01b75cf01510ef381ef82
Link:
https://www.unpac.me/results/bcdc06f1-d4e9-489c-b1a8-774b0c54b84b/
SH256 hash:
5ba057ec3647f526472f38c5472660cb3bb2f246a90a475d78a0cd24b4e974bd
MD5 hash:
7b4b2a63a5fa12792f6c7c6a4674ec42
SHA1 hash:
e79566e82b76c1237f929dc65f3c59f5abadfd31
Link:
https://www.unpac.me/results/bcdc06f1-d4e9-489c-b1a8-774b0c54b84b/
Malware family:
SnakeKeylogger
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/5ba057ec3647/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/5ba057ec3647f526472f38c5472660cb3bb2f246a90a475d78a0cd24b4e974bd

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:shellcode
Create hunting rule
Author:nex
Description:Matched shellcode byte patterns

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

SnakeKeylogger

Executable exe 5ba057ec3647f526472f38c5472660cb3bb2f246a90a475d78a0cd24b4e974bd

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/378390/

Comments