MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 5e437cb4a253b31df25cd406127f1d6be2e1e6eadbe1bc90a8438c674d6c3240. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


SnakeKeylogger


Vendor detections: 13


Intelligence 13 IOCs YARA 4 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 5e437cb4a253b31df25cd406127f1d6be2e1e6eadbe1bc90a8438c674d6c3240
SHA3-384 hash: 43744e0eb333ea1cfcbfd83e30194c77c01ee99e869785b727332d0986c1ee610825a11f347e2236416f486f4fc66dac
SHA1 hash: 0a66f5477620ecef41dd14322359a468c7ceba3c
MD5 hash: fe87c4e3c089316d0222db4965fde5dd
humanhash: mike-island-bluebird-georgia
File name:AEAT - Aviso de Notificación.exe
Download: download sample
Signature SnakeKeylogger
Create hunting rule
File size:561'664 bytes
First seen:2023-10-03 06:08:55 UTC
Last seen:2023-10-03 06:38:40 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'661 x AgentTesla, 19'474 x Formbook, 12'208 x SnakeKeylogger)
ssdeep 12288:4nexQNumB0ldv1XWG/dm5EniOqJt7MAhx7NpckoiOLIZ7c:Vfykdv1XRF9nSM+jCU1c
Threatray 5'643 similar samples on MalwareBazaar
TLSH T182C4010071792B6BEAB6A7F92872251007B1FA6920A1E31C6DC670DF9D72F408F54F67
TrID 69.7% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.0% (.EXE) Win64 Executable (generic) (10523/12/4)
6.2% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.2% (.EXE) Win32 Executable (generic) (4505/5/1)
1.9% (.EXE) Win16/32 Executable Delphi generic (2072/23)
Reporter abuse_ch
Tags:exe SnakeKeylogger

Intelligence

File Origin
# of uploads :
2
# of downloads :
290
Origin country :
NL NL
Vendor Threat Intelligence
Detection(s):
Porcupine.Malware.58887.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a custom TCP request
Creating a process with a hidden window
Creating a process from a recently created file
Adding an exclusion to Microsoft Defender
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Link:
https://www.filescan.io/uploads/651bb005a31588d184ef7faa/reports/8264d3e1-79cd-4e46-be29-da783c2aa17b/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_100%
Link:
https://www.hybrid-analysis.com/sample/5e437cb4a253b31df25cd406127f1d6be2e1e6eadbe1bc90a8438c674d6c3240
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Snake Keylogger
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/06a9d2d4-d3e8-486b-b219-f033f54dc1c1
Result
Threat name:
Snake Keylogger
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1318452
Signature
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains potential unpacker
Adds a directory exclusion to Windows Defender
Found malware configuration
Injects a PE file into a foreign processes
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
May check the online IP address of the machine
Multi AV Scanner detection for submitted file
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Yara detected Generic Downloader
Yara detected Snake Keylogger
Yara detected Telegram RAT
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/5e437cb4a253b31df25cd406127f1d6be2e1e6eadbe1bc90a8438c674d6c3240/
Threat name:
ByteCode-MSIL.Trojan.Vigorf
Create hunting rule
Status:
Malicious
First seen:
2023-10-02 21:32:57 UTC
File Type:
PE (.Net Exe)
Extracted files:
11
AV detection:
17 of 23 (73.91%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=lzbxznfckozr34s42qdbe7y5nprodzxk3pq3zefiioggotlmgjaa._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
52c6ffb87121554941e0039dc10e44aff96df0880d038bab6cc736d99814d0c2
SnakeKeylogger
68cd899c048a9b097d438260f9a92513b6cc42fc203c8126df2bb35b86c50671
SnakeKeylogger
9c999d23bb8110f85cc977e9a697c7eb3387dbe27ae0dba92c141986893946d3
SnakeKeylogger
a33eafbcec3736e5d47d6c951a6824ed67a0e124131425f04e2e03864edf8502
SnakeKeylogger
b574d17071016f07f3485f62a3ada8e8557eaa3b21a32fe52e6e52be8cc7b2c1
SnakeKeylogger
b82242cf60b9f23d227f5dda48fd1e959dbc0a0bd06bccb279ff3531783873ec
SnakeKeylogger
d9eefd6741e692541008b7d71cde7d92662a6088247791f8a48e41b953324196
SnakeKeylogger
df8944cca7e607a5fe6765794fbd8c009de24cc170a99cd0cb7055b177b6a217
SnakeKeylogger
e47b7ff50e6e7dd47087235ad782bdc84255e2642e80744d34ae027a2db13aec
SnakeKeylogger
+ 5'633 additional samples on MalwareBazaar
Result
Malware family:
snakekeylogger
Create hunting rule
Score:
  10/10
Tags:
family:snakekeylogger collection keylogger spyware stealer
Link:
https://tria.ge/reports/231003-gwf4aaae23/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Enumerates physical storage devices
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Looks up external IP address via web service
Checks computer location settings
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Snake Keylogger
Snake Keylogger payload
Unpacked files
SH256 hash:
d60dec072f893a5f398ba30e3a15cb61570cb724c19751afeb2c4c659b59622a
MD5 hash:
8c865d459cbe885b9611d339deb8d457
SHA1 hash:
de13418769a5c9a2cc0050abebc928dfa7b789f1
Link:
https://www.unpac.me/results/804dcdf2-f326-4d8d-9080-20de0d1e0002/
SH256 hash:
e94b818b715ddfdde4b3a7dc1e1278e803f7ac8b7961b7db66f55044fd1b0c1d
MD5 hash:
dccf4763b3f95d523f5722e2b2857fe4
SHA1 hash:
a196b732b1e2fc3351333543aec69e4695dcb5cf
Detections:
snake_keylogger
Create hunting rule
Link:
https://www.unpac.me/results/804dcdf2-f326-4d8d-9080-20de0d1e0002/
Parent samples :
3ebbd8420e5203a6c4a7c22f4d530ed2af31cd2638b7fd026f498bc1e55da16f
cb84aa32b87319aceaca7792a356f57030077830811a7fa0ea045a67afa62b5e
5e437cb4a253b31df25cd406127f1d6be2e1e6eadbe1bc90a8438c674d6c3240
SH256 hash:
513d832b6414ca92f71ea7abb910113140519f343c8fee079825d19bec37cae6
MD5 hash:
128feef2cd97a2ee0d369655ab39f214
SHA1 hash:
90d82fff31ca1510bdc670c400faa2893c918341
Link:
https://www.unpac.me/results/804dcdf2-f326-4d8d-9080-20de0d1e0002/
SH256 hash:
eac1acede4faa639ccd46894deed1acee764b8aa112879366bff614c4df3f592
MD5 hash:
4c5d248e652c4cab692ada3dc0d06c3e
SHA1 hash:
299108ba088125a17f40c42de9e37e224153af3a
Link:
https://www.unpac.me/results/804dcdf2-f326-4d8d-9080-20de0d1e0002/
SH256 hash:
3fd0bedc0411d2ef09bb38f50a70888b9db436aa3f1a3f6340b3957a8bf1cef3
MD5 hash:
f7e3ee72e28761ebde68a3d0e2aeea6f
SHA1 hash:
102da2e7659210602f3ccfbb7768d8478428a565
Link:
https://www.unpac.me/results/804dcdf2-f326-4d8d-9080-20de0d1e0002/
SH256 hash:
5e437cb4a253b31df25cd406127f1d6be2e1e6eadbe1bc90a8438c674d6c3240
MD5 hash:
fe87c4e3c089316d0222db4965fde5dd
SHA1 hash:
0a66f5477620ecef41dd14322359a468c7ceba3c
Link:
https://www.unpac.me/results/804dcdf2-f326-4d8d-9080-20de0d1e0002/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/5e437cb4a253b31df25cd406127f1d6be2e1e6eadbe1bc90a8438c674d6c3240

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:AgentTesla_DIFF_Common_Strings_01
Create hunting rule
Author:schmidtsz
Description:Identify partial Agent Tesla strings
Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

SnakeKeylogger

Executable exe 5e437cb4a253b31df25cd406127f1d6be2e1e6eadbe1bc90a8438c674d6c3240

(this sample)

  
Delivery method
Distributed via e-mail attachment

Comments