MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 5fe033abfff1805b6570d7e9b110c7cfc509aa78baa567dda7e12c6ce5d5392f. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


SnakeKeylogger


Vendor detections: 14


Intelligence 14 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 5fe033abfff1805b6570d7e9b110c7cfc509aa78baa567dda7e12c6ce5d5392f
SHA3-384 hash: ff6a958001ee7930b6dbcee1e913fc2c15177d9427a06d39bf4f310bc8cba1d4426695dfeadc08ce71b73b3ad04b2599
SHA1 hash: 19e23dea3ed105cf83082dc1d22cf12b2bf37389
MD5 hash: fb88fd7becd713e2b71ada11cfa88e5e
humanhash: west-mango-robin-cardinal
File name:Tender QUOTATION - LH22000309AA2022__Pdf.exe
Download: download sample
Signature SnakeKeylogger
Create hunting rule
File size:255'985 bytes
First seen:2022-12-23 04:07:58 UTC
Last seen:2022-12-28 19:10:41 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 97318da386948415d08cef4a9006d669 (71 x Formbook, 35 x SnakeKeylogger, 26 x AgentTesla)
ssdeep 3072:rlTSr+vbmJI5B6uB1G7NM9tCi00WQE/ZmA/GDx6kvZBvBykj8aG8LAyrokTzu2yx:rkwSuXG7NM9tLWQRAoki8Cxu2y7iav
Threatray 1'834 similar samples on MalwareBazaar
TLSH T1CD4413E9AFC2C427F491C8369BF2CB76CBBAE748166461073BE00F6564186C3D91F159
TrID 92.7% (.EXE) NSIS - Nullsoft Scriptable Install System (846567/2/133)
3.4% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
1.1% (.EXE) Win64 Executable (generic) (10523/12/4)
0.7% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
0.5% (.EXE) Win16 NE executable (generic) (5038/12/1)
File icon (PE):PE icon
dhash icon b2a89c96a2cada72 (2'283 x Formbook, 981 x Loki, 803 x AgentTesla)
Reporter abuse_ch
Tags:exe SnakeKeylogger

Intelligence

File Origin
# of uploads :
4
# of downloads :
173
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
Tender QUOTATION - LH22000309AA2022__Pdf.exe
Verdict:
Malicious activity
Analysis date:
2022-12-23 04:08:23 UTC
Tags:
installer trojan evasion
Link:
https://app.any.run/tasks/8fa7688f-8a8d-4ab1-bcf2-ba5ec2ae1952

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection(s):
SecuriteInfo.com.Dropped.Trojan.GenericKD.64440210.30091.4408.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Launching a process
Creating a file in the %temp% directory
Creating a process from a recently created file
Сreating synchronization primitives
DNS request
Sending an HTTP GET request
Reading critical registry keys
Unauthorized injection to a recently created process by context flags manipulation
Forced shutdown of a browser
Verdict:
No Threat
Threat level:
  2/10
Confidence:
100%
Tags:
overlay packed shell32.dll
Link:
https://www.filescan.io/uploads/63a529b2779e491a53b2e9f0/reports/51be9e18-e416-4dff-b22f-560af1fbf13d/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Snake Keylogger
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/30e74a24-3c26-437b-9c0c-b3630a88bcd6
Result
Threat name:
Snake Keylogger
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1139775
Signature
.NET source code references suspicious native API functions
Detected unpacking (creates a PE file in dynamic memory)
Initial sample is a PE file and has a suspicious name
Machine Learning detection for dropped file
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
May check the online IP address of the machine
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Mail credentials (via file / registry access)
Yara detected Generic Downloader
Yara detected Snake Keylogger
Yara detected Telegram RAT
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/5fe033abfff1805b6570d7e9b110c7cfc509aa78baa567dda7e12c6ce5d5392f/
Threat name:
Win32.Trojan.FormBook
Create hunting rule
Status:
Malicious
First seen:
2022-12-22 01:34:25 UTC
File Type:
PE (Exe)
Extracted files:
4
AV detection:
20 of 26 (76.92%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=l7qdhk776gafwzlq27u3ceghz7cqtktyxkswpxnh4ewgzzovhexq._file
Verdict:
malicious
Similar samples:
06724c588f5b9381effa96ca72ae6c136b6ec64ae1e898942d34142e40078bab
SnakeKeylogger
0a5d1edacfafff8bef4a4009291b438be7f757609077c2bf5057da38cceab228
SnakeKeylogger
41887da1dcfcd733b74f492cafe20358e8813bd7e770b54ef4c75e763a77bc0d
SnakeKeylogger
68cb6a1efb7c442f063eee5ae3f96ae12a3d2fba0852f22aa7a761cf8b1ae31a
SnakeKeylogger
75fe4b601dac47a21ea34b057b8c2ee8623db40d6fbb6e3398b77260ed38eabf
SnakeKeylogger
7a0e92402659c86d9da6faf33be3817996718051ea564e34aa43a41606df7be6
SnakeKeylogger
7eb67be31871fe9316bbb2ba993b6dfd13cb9e7e04a2e1091b934746399e5293
SnakeKeylogger
856e9dc2812c572a9023f02503c471addbf8a82be5aed8454cc6254f899caccb
SnakeKeylogger
889c2ec3e88c2a47de4bcc6d88cb74d21a01088330fb240788c81968ba16155b
SnakeKeylogger
f69d7601134fb94a23b3273ed59c85bd5b7847f612e878f1b5c0471e0fb6e7ee
SnakeKeylogger
+ 1'824 additional samples on MalwareBazaar
Result
Malware family:
snakekeylogger
Create hunting rule
Score:
  10/10
Tags:
family:snakekeylogger collection keylogger spyware stealer
Link:
https://tria.ge/reports/221223-ep9qxafg72/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Enumerates physical storage devices
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Looks up external IP address via web service
Loads dropped DLL
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Executes dropped EXE
Snake Keylogger
Snake Keylogger payload
Unpacked files
SH256 hash:
56ac567b148cb4819139441a361c3dd1b10d09f48ff2d178d41a5fc414ce6c3f
MD5 hash:
3d1f3727f22a3cf0e709636107750ad1
SHA1 hash:
aee0a64965a6bbf57bba92a92525cde8b8e5607c
Detections:
snake_keylogger
Create hunting rule
Link:
https://www.unpac.me/results/6b665dbd-2fef-4dbf-bf5c-13d01cdef853/
SH256 hash:
23544a49c8fe3c07ba153757ebf8f97a26c7fa6bc2f0db2940dee4d5a3efa589
MD5 hash:
cccad6f58ffc51ce44588b84a41da17c
SHA1 hash:
4424f37675dc72b8f5a3df4547f49897b662631c
Detections:
snake_keylogger
Create hunting rule
Link:
https://www.unpac.me/results/6b665dbd-2fef-4dbf-bf5c-13d01cdef853/
Parent samples :
5fe033abfff1805b6570d7e9b110c7cfc509aa78baa567dda7e12c6ce5d5392f
9b1094e3d8b648ad6edf854749e551871ac94a22be9bc22fd7d9a1d4fb246d48
SH256 hash:
bccb6d3f080543c6f080dd9f0f7060b6e4cf9cd7449406fdfa8bb4a66d809e41
MD5 hash:
54cdb3208dd34fef072e93869798d317
SHA1 hash:
8cb9210aae07f02e43cfc186c93915859490ec19
Link:
https://www.unpac.me/results/6b665dbd-2fef-4dbf-bf5c-13d01cdef853/
SH256 hash:
5fe033abfff1805b6570d7e9b110c7cfc509aa78baa567dda7e12c6ce5d5392f
MD5 hash:
fb88fd7becd713e2b71ada11cfa88e5e
SHA1 hash:
19e23dea3ed105cf83082dc1d22cf12b2bf37389
Link:
https://www.unpac.me/results/6b665dbd-2fef-4dbf-bf5c-13d01cdef853/
Malware family:
SnakeKeylogger
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/5fe033abfff1/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.68
Link:
https://yomi.yoroi.company/submissions/5fe033abfff1805b6570d7e9b110c7cfc509aa78baa567dda7e12c6ce5d5392f

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

SnakeKeylogger

Executable exe 5fe033abfff1805b6570d7e9b110c7cfc509aa78baa567dda7e12c6ce5d5392f

(this sample)

  
Delivery method
Distributed via e-mail attachment

Comments