MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 5f4d2798e71ac2cd0315a6d1ed4c5fcb51d445bdf60a574d51ca673b90172780. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


SnakeKeylogger


Vendor detections: 17


Intelligence 17 IOCs YARA 13 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 5f4d2798e71ac2cd0315a6d1ed4c5fcb51d445bdf60a574d51ca673b90172780
SHA3-384 hash: 6c3d0a9f74859c0a1911fd1503a89d39f5c27812d3bc0eb3c6734a642e072ccbe111c4ad060b294064c1243628144efa
SHA1 hash: 68b373cf1c9977d53c655f5dd8246e3d4546b1b3
MD5 hash: 67fc49b3cb7052507170c6d58da57e7d
humanhash: hotel-glucose-nine-uniform
File name:4589098654345SK.exe
Download: download sample
Signature SnakeKeylogger
Create hunting rule
File size:276'948 bytes
First seen:2023-06-02 09:15:11 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 61259b55b8912888e90f516ca08dc514 (1'059 x Formbook, 741 x AgentTesla, 427 x GuLoader)
ssdeep 6144:PYa6sVyBOAJdgdGJ2xoxxOSmqu8G+UCYKZBYeGqZYjVNDm2TcVkUBm:PYW2OEleBsu8QCYKjCq6jVNDmpS
Threatray 5'111 similar samples on MalwareBazaar
TLSH T10244120813B6C093E5E65F322A3D622B9EFAD51154E4A75B17E02F6DBC50F81990E3B3
TrID 47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
15.9% (.EXE) Win64 Executable (generic) (10523/12/4)
9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
7.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
6.8% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):PE icon
dhash icon d0d6969696ccd4d6 (26 x SnakeKeylogger, 5 x RemcosRAT, 2 x Formbook)
Reporter abuse_ch
Tags:exe SnakeKeylogger

Intelligence

File Origin
# of uploads :
1
# of downloads :
253
Origin country :
NL NL
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
4589098654345SK.exe
Verdict:
Malicious activity
Analysis date:
2023-06-02 09:21:16 UTC
Tags:
evasion snake keylogger trojan
Link:
https://app.any.run/tasks/34c29742-bc7a-4f09-9d6d-b9101c679675

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Snake
Create hunting rule
Link:
https://www.capesandbox.com/analysis/394719/
Detection(s):
Sanesecurity.Malware.28947.BadP.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Creating a file in the %temp% directory
Creating a window
Creating a file
Unauthorized injection to a recently created process
Сreating synchronization primitives
DNS request
Sending an HTTP GET request
Reading critical registry keys
Result
Malware family:
n/a
Score:
  5/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/89033/overview
Behaviour
MalwareBazaar
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
lolbin overlay packed shell32.dll
Link:
https://www.filescan.io/uploads/6479b3539ce2e6bd7ed08096/reports/bbae9646-5dee-41eb-b107-7a2d5ffff388/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_100%
Link:
https://www.hybrid-analysis.com/sample/5f4d2798e71ac2cd0315a6d1ed4c5fcb51d445bdf60a574d51ca673b90172780
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Snake Keylogger
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/4cca232f-acc4-47c7-ac2e-7a7839bfc2c0
Result
Threat name:
NSISDropper, Snake Keylogger
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1247492
Signature
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Found evasive API chain (may stop execution after reading information in the PEB, e.g. number of processors)
Found malware configuration
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
May check the online IP address of the machine
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Yara detected Generic Downloader
Yara detected NSISDropper
Yara detected Snake Keylogger
Yara detected Telegram RAT
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/5f4d2798e71ac2cd0315a6d1ed4c5fcb51d445bdf60a574d51ca673b90172780/
Threat name:
Win32.Trojan.SnakeKeylogger
Create hunting rule
Status:
Malicious
First seen:
2023-06-02 07:22:53 UTC
File Type:
PE (Exe)
Extracted files:
4
AV detection:
24 of 37 (64.86%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=l5gspghhdlbm2ayvu3i62tc7zni5irn56yffotkrzjttxeaxe6aa._file
Verdict:
malicious
Similar samples:
0e7bd6f8296063a72918c9ebb5a7270a8ac73edf60831a963715cee2a267a793
SnakeKeylogger
15994314eaefe9e800a2f5028dcf65d886e15f35089df8bf6d114e954a601e6d
SnakeKeylogger
19b2a3829ed8eb3ff4a36bd542c114c3b28b23c64dfa4560db86e4f902d7f7a2
SnakeKeylogger
4ab558181de9bd2dd00dc75eb66840c18c9243c62d72ee90d4e037d9be472721
SnakeKeylogger
cd8f48ff53a64677eead33cd179d5215e63e59d5e5bcd9cdddf2c3876f638027
SnakeKeylogger
dfe752002f955e1facba9518dc6ac3854b9aa6ec196fcc22068f41e4f5c87cf3
SnakeKeylogger
f453407e0d8ba9650704045d1f0722f70e9ab9ee1460b88c97f937842b02f585
SnakeKeylogger
f4cd4df9815a2c3902f07a5389fa171f3fd6b27ae1e9af262d19d6bd286ae9cd
SnakeKeylogger
+ 5'101 additional samples on MalwareBazaar
Result
Malware family:
snakekeylogger
Create hunting rule
Score:
  10/10
Tags:
family:snakekeylogger collection keylogger spyware stealer
Link:
https://tria.ge/reports/230602-k8fvtsbb4z/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Enumerates physical storage devices
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Looks up external IP address via web service
Loads dropped DLL
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Snake Keylogger
Snake Keylogger payload
Unpacked files
SH256 hash:
e800149c8398a9728ce3f52e32f4d26aa995715e1e79d16226d992d8aaa58e95
MD5 hash:
de58963eb520c52e33193991aa71ea6f
SHA1 hash:
dd9aa1975005a15988ea6233a89596b828447bdb
Link:
https://www.unpac.me/results/0d0fe2c4-f756-49da-8b23-982f5ac60059/
SH256 hash:
b851ee2d1103ddf0f137e23c687c8e77e2cbe4abe736a99918622751c6db4105
MD5 hash:
9ae9f25cfb0e5aa7a10b70990bf843db
SHA1 hash:
b460aa5dd612c911dbb2ad7e6b9a58769885d9cb
Detections:
snake_keylogger
Create hunting rule
Link:
https://www.unpac.me/results/0d0fe2c4-f756-49da-8b23-982f5ac60059/
SH256 hash:
eed681404aa6a914f852420d0e456b9a23852590f57325c2d9a878c308058ec7
MD5 hash:
a1c2c0b25096b72be4d71c44ef889ad4
SHA1 hash:
af48fc60944baaa9e1b6686ce340bc3c131c7cf5
Detections:
snake_keylogger
Create hunting rule
Link:
https://www.unpac.me/results/0d0fe2c4-f756-49da-8b23-982f5ac60059/
Parent samples :
a762d43b5201af8296baa735ec7ac4870a9d27a17124be162c20524978e688f6
5f4d2798e71ac2cd0315a6d1ed4c5fcb51d445bdf60a574d51ca673b90172780
e4083e69c82e69a41814def10c07a138d730398060abe67fd6a4a99c6f772bd8
2b1fc6582e816e95fcb9b2c9cf726176ea3d2c54806b312ed10b989f7713eef8
88001561b8572bc81462f293cb546b3b1ecd0d6a83097a2d26471cc282f25864
4390dddf839f96d8587b2606617bfc5940183f54cafb1d48fc5c1986a31238cd
6b8bec10fc45b9cafc5f9fe08bd936f89a30e2b4107eeed1616d2c2b0d38414d
6026079cd4a895bf3956688c9da038c721810971b5ad4dbea0646f3286ddc521
12cf168b454157d8f07521d0f2ed5457cfe87260f3e1e4ce13c51a3d433a2bca
024bfd09e9c0b5a0c81d377dc99b2a441f6651480c63b5ece0a4be575d659c25
c4d61401b682f67da79981fbf0df579b7e34b94495c9a5c88b4038a2a1df7a5c
32cf8921f08f7dd5ae4cb10ab8d8326e24d112360b9a39a9fe4e49c0b3e96661
23b6e6ddaf2fff34828dbbba29c5d6315d78a6660236d5fd0da7d8322c3e6f1c
SH256 hash:
5f4d2798e71ac2cd0315a6d1ed4c5fcb51d445bdf60a574d51ca673b90172780
MD5 hash:
67fc49b3cb7052507170c6d58da57e7d
SHA1 hash:
68b373cf1c9977d53c655f5dd8246e3d4546b1b3
Link:
https://www.unpac.me/results/0d0fe2c4-f756-49da-8b23-982f5ac60059/
Malware family:
SnakeKeylogger
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/5f4d2798e71a/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/5f4d2798e71ac2cd0315a6d1ed4c5fcb51d445bdf60a574d51ca673b90172780

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:cobalt_strike_tmp01925d3f
Create hunting rule
Author:The DFIR Report
Description:files - file ~tmp01925d3f.exe
Reference:https://thedfirreport.com
Rule name:INDICATOR_SUSPICIOUS_Binary_References_Browsers
Create hunting rule
Author:ditekSHen
Description:Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers.
Rule name:INDICATOR_SUSPICIOUS_EXE_DotNetProcHook
Create hunting rule
Author:ditekSHen
Description:Detects executables with potential process hoocking
Rule name:INDICATOR_SUSPICIOUS_EXE_References_Messaging_Clients
Create hunting rule
Author:ditekSHen
Description:Detects executables referencing many email and collaboration clients. Observed in information stealers
Rule name:INDICATOR_SUSPICIOUS_EXE_TelegramChatBot
Create hunting rule
Author:ditekSHen
Description:Detects executables using Telegram Chat Bot
Rule name:MALWARE_Win_SnakeKeylogger
Create hunting rule
Author:ditekSHen
Description:Detects Snake Keylogger
Rule name:MAL_Envrial_Jan18_1
Create hunting rule
Author:Florian Roth (Nextron Systems)
Description:Detects Encrial credential stealer malware
Reference:https://twitter.com/malwrhunterteam/status/953313514629853184
Rule name:MAL_Envrial_Jan18_1_RID2D8C
Create hunting rule
Author:Florian Roth
Description:Detects Encrial credential stealer malware
Reference:https://twitter.com/malwrhunterteam/status/953313514629853184
Rule name:meth_get_eip
Create hunting rule
Author:Willi Ballenthin
Rule name:pe_imphash
Create hunting rule
Rule name:shellcode
Create hunting rule
Author:nex
Description:Matched shellcode byte patterns
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash
Rule name:Windows_Trojan_SnakeKeylogger_af3faa65
Create hunting rule
Author:Elastic Security

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

SnakeKeylogger

Executable exe 5f4d2798e71ac2cd0315a6d1ed4c5fcb51d445bdf60a574d51ca673b90172780

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/394719/

Comments