MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 5d1a0aadb2c6564ddef639c6d6f1a987ab10cb28b0ce4b519d2b025bca91e20e. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

SnakeKeylogger

Vendor detections: 13

Intelligence 13 IOCs YARA 4 File information Comments

SHA256 hash:	5d1a0aadb2c6564ddef639c6d6f1a987ab10cb28b0ce4b519d2b025bca91e20e
SHA3-384 hash:	d4dcd9ab8da5a1f3809a73bc37abd586e81c8db5528c4a007a94682dc6f07a7fafa0c009054877c794ba577e3fc0b2a3
SHA1 hash:	c82ba17f240172ebef646ff8f0ea5b9d8de5694b
MD5 hash:	36e4f762e5ee160bc9417fa24e8eef2c
humanhash:	mobile-thirteen-eighteen-hamper
File name:	Purchase Order #TB-0008 pdf.exe
Download:	download sample
Signature	SnakeKeylogger Create hunting rule
File size:	953'344 bytes
First seen:	2022-09-11 06:39:25 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep	6144:IPW4vo87UKXwUKXcFdRmvct7YOjTZGNBDE56Hni27dv/SoWL8YUjjRgNI0NiRwcm:YW22bCWN/ELLUfRVxOcajzBK973Jv+d
Threatray	5'215 similar samples on MalwareBazaar
TLSH	T192151A0F11C508A4C87651BCA4CCC5B34BAADE50E537D949BFCA9CAFF592F2C46D22A4
TrID	64.2% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13) 11.5% (.SCR) Windows screen saver (13101/52/3) 9.2% (.EXE) Win64 Executable (generic) (10523/12/4) 5.7% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 3.9% (.EXE) Win32 Executable (generic) (4505/5/1)
Reporter	abuse_ch
Tags:	exe SnakeKeylogger

Intelligence

File Origin

# of uploads :

# of downloads :

315

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

Purchase Order #TB-0008 pdf.exe

Verdict:

Malicious activity

Analysis date:

2022-09-11 06:42:58 UTC

Tags:

snake evasion trojan keylogger

Link:

https://app.any.run/tasks/224e99ea-7567-4d2d-ab3c-3a26ebd6237f

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

Snake

Link:

https://www.capesandbox.com/analysis/309218/

Detection(s):

Win.Dropper.Nanocore-9967929-0

Result

Verdict:

Malware

Maliciousness:

Behaviour

Searching for the window

Creating a window

Sending a custom TCP request

Verdict:

Suspicious

Threat level:

5/10

Confidence:

100%

Tags:

packed

Link:

https://www.filescan.io/uploads/631d82de5264d5b74d1eaa8f/reports/baa6c6e5-a6e2-436e-bfb7-806a7fd3d7d3/overview

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Snake Keylogger

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/2e367b30-2447-4747-8012-4670cab05553

Result

Threat name:

Snake Keylogger

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1068354

Signature

.NET source code contains potential unpacker

.NET source code references suspicious native API functions

Initial sample is a PE file and has a suspicious name

Injects a PE file into a foreign processes

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

May check the online IP address of the machine

Multi AV Scanner detection for submitted file

Snort IDS alert for network traffic

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to steal Mail credentials (via file / registry access)

Yara detected AntiVM3

Yara detected Generic Downloader

Yara detected Snake Keylogger

Yara detected Telegram RAT

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/5d1a0aadb2c6564ddef639c6d6f1a987ab10cb28b0ce4b519d2b025bca91e20e/

Threat name:

ByteCode-MSIL.Trojan.FormBook

Status:

Malicious

First seen:

2022-09-07 03:32:10 UTC

File Type:

PE (.Net Exe)

Extracted files:

AV detection:

19 of 25 (76.00%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=lunavlnsyzle3xxwhhdnn4njq6vrbsziwdhewum5fmbfxsur4iha._file

Verdict:

malicious

SnakeKeylogger

2201eda7898979f08187156740f0e2b9012da6d51f0905c3122b95c39bade49f

SnakeKeylogger

341424a65b51a40deb47ffd68699a4b633d7261b5642ae9e7c22493176146618

SnakeKeylogger

4952a1b507d5779ad9e44e2976af3b6f890fb7d9f1bb685bea255300a70cf1bf

SnakeKeylogger

5e5878e7c89a666a6f6c0f3ad414a7c3d47c85d8bab613343b531ef552127ee8

SnakeKeylogger

c61fef7fcacfba05be6a0c2527cdde790b4a57dde45b53168fb6c415fcf2b174

SnakeKeylogger

c9942df5f94d279a08f4aa4132c1df6570ef0f8fcc0d34eb76da3f27b6d38ee4

SnakeKeylogger

f21713f098ba22b69b0303da4fe32dda9e1290f2d5986b9ff18cdd7de6f5d0ca

SnakeKeylogger

+ 5'205 additional samples on MalwareBazaar

Result

Malware family:

snakekeylogger

Score:

10/10

Tags:

family:snakekeylogger collection keylogger spyware stealer

Link:

https://tria.ge/reports/220911-he9jyabbb6/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

outlook_office_path

outlook_win_path

Suspicious use of SetThreadContext

Accesses Microsoft Outlook profiles

Looks up external IP address via web service

Reads data files stored by FTP clients

Reads user/profile data of local email clients

Reads user/profile data of web browsers

Snake Keylogger

Snake Keylogger payload

Unpacked files

SH256 hash:

8b533ffaed24e0351e489b14aaac6960b731db189ce7ed0c0c02d4a546af8e63

MD5 hash:

dbc7be56e6e32349315170599c8b333f

SHA1 hash:

d8e5840e3574b87d435e55a65ac648e040871aee

Link:

https://www.unpac.me/results/678e4a58-deb0-4819-a578-18cd5b4f59fd/

SH256 hash:

100e4cc348049468468733da25e5ae5847f1fd2823ebcec55ad77d9e0f6be31f

MD5 hash:

fc761d8a6f0fd094ca4dafcc8b1d7a4b

SHA1 hash:

9c9ca3e8f0b5f1902edeabdedfa56294d9f057de

Link:

https://www.unpac.me/results/678e4a58-deb0-4819-a578-18cd5b4f59fd/

SH256 hash:

5ae54cd83e910204b442d20d94f8a965048737c8f544a6be25d089fb341e0629

MD5 hash:

f8c15f81d463bd6345983279b44b45fb

SHA1 hash:

429d0bcdeb9d5bd3162eab8b66e87eb7a7983cda

Link:

https://www.unpac.me/results/678e4a58-deb0-4819-a578-18cd5b4f59fd/

Parent samples :

d52569001bef2a2f74d8ef368bba7975d15e51eaae0635ea7b86136903b515f4
2eac157ce4d8e22ef383be3453391339eaf8f63f636d805435a78e1eb452a18a

SH256 hash:

9b4aee132a0228378d66a57fda3a2030952309ef74cf2db724ac916b04d8c034

MD5 hash:

93c6391d23c1aa1ed66fb13f82f2ee31

SHA1 hash:

220098c3047c32b51ae13a5cc1e9beeef3da6e18

Link:

https://www.unpac.me/results/678e4a58-deb0-4819-a578-18cd5b4f59fd/

SH256 hash:

66795eee782837675cfafe3311ddddb28a2085d30bcd386465d1620df42dcb17

MD5 hash:

2686f9c20ee8b068647fbb39c4f4ae92

SHA1 hash:

2137393e7c9133138727316e6e24fcce303bdb0a

Link:

https://www.unpac.me/results/678e4a58-deb0-4819-a578-18cd5b4f59fd/

SH256 hash:

5d1a0aadb2c6564ddef639c6d6f1a987ab10cb28b0ce4b519d2b025bca91e20e

MD5 hash:

36e4f762e5ee160bc9417fa24e8eef2c

SHA1 hash:

c82ba17f240172ebef646ff8f0ea5b9d8de5694b

Link:

https://www.unpac.me/results/678e4a58-deb0-4819-a578-18cd5b4f59fd/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Suspicious File

Score:

0.65

Link:

https://yomi.yoroi.company/submissions/5d1a0aadb2c6564ddef639c6d6f1a987ab10cb28b0ce4b519d2b025bca91e20e

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	BitcoinAddress Create hunting rule
Author:	Didier Stevens (@DidierStevens)
Description:	Contains a valid Bitcoin address

Rule name:	pe_imphash Create hunting rule

Rule name:	RansomwareTest3 Create hunting rule
Author:	Daoyuan Wu
Description:	Test Ransomware YARA rules

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/309218/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample