MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 5ca7bc5b2b3f9d48d7f4bc33093a47215dab1224c60a8d5226bdc03df48f12fe. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


SnakeKeylogger


Vendor detections: 12


Intelligence 12 IOCs YARA 4 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 5ca7bc5b2b3f9d48d7f4bc33093a47215dab1224c60a8d5226bdc03df48f12fe
SHA3-384 hash: b0f513a6d051c7fe039eba6391162bf0c6926374e6f6a21f4245ef0b4c7ea72bb78179273776d170a8756c6fc4c22574
SHA1 hash: def1c8c949b58a48c2f736b77cb400347b51ff09
MD5 hash: 834b935a3e2549d7369637bb3689975b
humanhash: texas-wolfram-stairway-washington
File name:Payment Invoice.exe
Download: download sample
Signature SnakeKeylogger
Create hunting rule
File size:638'976 bytes
First seen:2023-08-07 13:16:54 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 12288:UhySZxH6W/l0Nzr+fkdI8DEj5lcGGmX03PytC8x3M6Q:uHxHr+zr+fk6MA5lcGGmX03PmCA86
Threatray 233 similar samples on MalwareBazaar
TLSH T1BED42340699FE791EEBC97FA383C097E477A752A1522F3180F511CE86617F1D8A42E23
TrID 71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.2% (.EXE) Win64 Executable (generic) (10523/12/4)
6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.3% (.EXE) Win32 Executable (generic) (4505/5/1)
2.0% (.ICL) Windows Icons Library (generic) (2059/9)
File icon (PE):PE icon
dhash icon 1000107171100000 (8 x AgentTesla, 3 x Formbook, 2 x Loki)
Reporter abuse_ch
Tags:exe SnakeKeylogger

Intelligence

File Origin
# of uploads :
1
# of downloads :
275
Origin country :
NL NL
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
Payment Invoice.exe
Verdict:
Suspicious activity
Analysis date:
2023-08-07 13:22:57 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/6d6cf6d8-8a0a-43fa-9ad9-f920146cfa1d

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
AgentTesla
Create hunting rule
Link:
https://www.capesandbox.com/analysis/441079/
Detection(s):
SecuriteInfo.com.Trojan.PackedNET.1995.13320.21805.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a custom TCP request
Unauthorized injection to a recently created process
Restart of the analyzed sample
Creating a file
Сreating synchronization primitives
DNS request
Sending an HTTP GET request
Moving of the original file
Forced shutdown of a browser
Gathering data
Verdict:
Malicious
Labled as:
Variadic.A.242.Generic
Link:
https://www.hybrid-analysis.com/sample/5ca7bc5b2b3f9d48d7f4bc33093a47215dab1224c60a8d5226bdc03df48f12fe
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/c9105a78-c89d-4d58-bb40-5c863bfa7713
Result
Threat name:
AgentTesla, Snake Keylogger
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1287116
Signature
.NET source code contains potential unpacker
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
May check the online IP address of the machine
Moves itself to temp directory
Multi AV Scanner detection for submitted file
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Yara detected AgentTesla
Yara detected Beds Obfuscator
Yara detected Generic Downloader
Yara detected Snake Keylogger
Yara detected Telegram RAT
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/5ca7bc5b2b3f9d48d7f4bc33093a47215dab1224c60a8d5226bdc03df48f12fe/
Threat name:
ByteCode-MSIL.Trojan.FormBook
Create hunting rule
Status:
Malicious
First seen:
2023-08-07 03:14:17 UTC
File Type:
PE (.Net Exe)
Extracted files:
8
AV detection:
13 of 38 (34.21%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=lst3ywzlh6ourv7uxqzqsoshefo2wereyyfi2urgxxad35epcl7a._file
Verdict:
malicious
Similar samples:
1f896398b69e22be7442bfd778d704b1e3b0961a51a8307e175d0876f8b67055
SnakeKeylogger
271f99b3aa0cfb6916f6297e02f0d31e601acd4549ba536e7efa633c67c4a185
SnakeKeylogger
2c02305910d1d64b8128f8519f65a75a9d33a27cfc21de77bbd087fde9bef580
SnakeKeylogger
8f863d304625540995913e53ce885ec3d02a58f3fa538ea28d1b1796bab83a49
SnakeKeylogger
903e8bc85723320489960259f907195dbc38fe33cd5471b509a4655583dc02e7
SnakeKeylogger
b54bb2f83ecfbd30dc44b780e6bd4f870748ddfaeb598a4a65dc505f87bd60f3
SnakeKeylogger
d50ad11cd990b8a013247eaa4f0a7b1b0044720d56ea2c9834d9560d54e90a22
SnakeKeylogger
ec7d100b0dadc5c38ecb39309a02e826bd167ad25a28f4cf8b0d8c52aeca7018
SnakeKeylogger
fe0dc5415b9e4a0aaab85349ca18704f10b02a3f5fe6de959b3e39d12a9a07a2
SnakeKeylogger
+ 223 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  7/10
Tags:
spyware stealer
Link:
https://tria.ge/reports/230807-qjcprsgf81/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: RenamesItself
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Looks up external IP address via web service
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Unpacked files
SH256 hash:
b54bb2f83ecfbd30dc44b780e6bd4f870748ddfaeb598a4a65dc505f87bd60f3
MD5 hash:
0c92907c32cb05bfe560770af59dc77a
SHA1 hash:
cf5bc87fd842602d3069fd72e5103ee1182e39a3
Link:
https://www.unpac.me/results/62150a63-77e5-49cd-9018-93ecd25cf407/
SH256 hash:
34d42b028a9b7bbb9bdc03174ac11fcfacb85b0998950c7c1de32fbb08547ca1
MD5 hash:
24f05a283c8bd5218d48b506cd25a0a8
SHA1 hash:
a20a716ef67ea1d7d6229429af0accd6aa658360
Link:
https://www.unpac.me/results/62150a63-77e5-49cd-9018-93ecd25cf407/
SH256 hash:
685c9d7e1b600153e470b3addb11ae0f0a4eb32818c724385f4674bad5ae8453
MD5 hash:
12dadeb5efa2ad0d1f487b1b038e8c4a
SHA1 hash:
537a1a0a5bf300b1117f490f250423ce4e3e740b
Link:
https://www.unpac.me/results/62150a63-77e5-49cd-9018-93ecd25cf407/
SH256 hash:
acb4f2181a20567f3a024b4919e95a204633c49dd5fa694e73b2c508b2517f62
MD5 hash:
54382de0119d4daa02ec3edd0312168d
SHA1 hash:
0451e80a80e731f260afd2e7c60d9d79069b0a3b
Link:
https://www.unpac.me/results/62150a63-77e5-49cd-9018-93ecd25cf407/
SH256 hash:
5ca7bc5b2b3f9d48d7f4bc33093a47215dab1224c60a8d5226bdc03df48f12fe
MD5 hash:
834b935a3e2549d7369637bb3689975b
SHA1 hash:
def1c8c949b58a48c2f736b77cb400347b51ff09
Link:
https://www.unpac.me/results/62150a63-77e5-49cd-9018-93ecd25cf407/
Malware family:
AgentTesla.v3
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/5ca7bc5b2b3f/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/5ca7bc5b2b3f9d48d7f4bc33093a47215dab1224c60a8d5226bdc03df48f12fe

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:NETexecutableMicrosoft
Create hunting rule
Author:malware-lu
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

SnakeKeylogger

Executable exe 5ca7bc5b2b3f9d48d7f4bc33093a47215dab1224c60a8d5226bdc03df48f12fe

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/441079/

Comments