MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 6010803fae462f5a1432a3c193ee4a00deac0c37dbbefec649201aad9824ef0d. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

SnakeKeylogger

Vendor detections: 11

Intelligence 11 IOCs YARA 2 File information Comments

SHA256 hash:	6010803fae462f5a1432a3c193ee4a00deac0c37dbbefec649201aad9824ef0d
SHA3-384 hash:	ec4a018cee8ccfad44d23f027181c1b9695732ae9617277be5d301186989cc7bd25a385f80b889dea5c8c16cbc4c5a50
SHA1 hash:	85e57eb6351bfb33cee9307f2c7b83ba7f61fcf1
MD5 hash:	ebe352b61274aa3fde064313d40b53ce
humanhash:	gee-kitten-berlin-magnesium
File name:	Statement Of Accounts.PDF.exe
Download:	download sample
Signature	SnakeKeylogger Create hunting rule
File size:	664'064 bytes
First seen:	2022-06-08 08:42:16 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'747 x AgentTesla, 19'638 x Formbook, 12'244 x SnakeKeylogger)
ssdeep	12288:xJj2I+n09qWH1YTeBdGiOIcpUeDlnVzbeV9/cexWNVTNTau8C:nKI+n04TeDOIc+MVXeV9/sLU
Threatray	2'353 similar samples on MalwareBazaar
TLSH	T160E4CF90B3BA9F71F27D63F26420A00807F4251E95A4D23A9EDDB0CE32B1B4259F5E57
TrID	64.2% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13) 11.5% (.SCR) Windows screen saver (13101/52/3) 9.2% (.EXE) Win64 Executable (generic) (10523/12/4) 5.7% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 3.9% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):
dhash icon	cc00ecc4b6e400c4 (8 x Loki, 7 x AgentTesla, 7 x SnakeKeylogger)
Reporter	abuse_ch
Tags:	exe SnakeKeylogger

Intelligence

File Origin

# of uploads :

# of downloads :

320

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

Statement Of Accounts.PDF.exe

Verdict:

Malicious activity

Analysis date:

2022-06-08 22:22:34 UTC

Tags:

evasion trojan snake keylogger

Link:

https://app.any.run/tasks/e0c08c11-392e-4adb-9a4d-814da25871f5

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/277687/

Detection(s):

SecuriteInfo.com.Trojan.PackedNET.1364.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

Сreating synchronization primitives

DNS request

Sending an HTTP GET request

Reading critical registry keys

Forced shutdown of a browser

Verdict:

Suspicious

Threat level:

5/10

Confidence:

100%

Tags:

obfuscated packed replace.exe update.exe

Link:

https://www.filescan.io/uploads/62a0612a6aa17a21fc2bef3b/reports/74eafefc-001f-4a10-b973-029be017d3ec/overview

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Verdict:

Unknown

Link:

https://analyze.intezer.com/analyses/bc1ad0b0-fbdf-428a-a25c-72df6ff94c57

Result

Threat name:

Snake Keylogger

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1008841

Signature

Initial sample is a PE file and has a suspicious name

Malicious sample detected (through community Yara rule)

May check the online IP address of the machine

Multi AV Scanner detection for submitted file

Snort IDS alert for network traffic

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to steal Mail credentials (via file / registry access)

Uses an obfuscated file name to hide its real file extension (double extension)

Yara detected AntiVM3

Yara detected Generic Downloader

Yara detected Snake Keylogger

Yara detected Telegram RAT

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/6010803fae462f5a1432a3c193ee4a00deac0c37dbbefec649201aad9824ef0d/

Threat name:

ByteCode-MSIL.Trojan.FormBook

Status:

Malicious

First seen:

2022-06-07 01:33:39 UTC

File Type:

PE (.Net Exe)

Extracted files:

AV detection:

21 of 26 (80.77%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=maiiap5oiyxvufbsupazh3skadpkydbx3o7p5rsjeank3gbe54gq._file

Verdict:

malicious

SnakeKeylogger

10ccc2f52e8e3df144f6366c09b3608e49d9cc2fc7094180762f57c707c04eeb

SnakeKeylogger

16b1cff94d925182e95124fa432b55cc290fc81d9480493b3ff09e139eb0da6c

SnakeKeylogger

515830978948bd0d029a4a46b05b8ac48b3f1a2db6ce2b0c4ff1324c45496a33

SnakeKeylogger

740cc8f312eef16d83b7c49fe33519ae293bf1c1c2f80e0482c34ea3a9473843

SnakeKeylogger

887dc9a9ace8ac2880f6ab0dc7bbc71902d330d3c3e04a0c5e6243667dc8cb03

SnakeKeylogger

898a25a7bc4fc3d5a2b64b5f7e631b0fa1add0858d2aee07a1678e89570918fd

SnakeKeylogger

8a6bffed79d6eb5c57b4eb47aba7789b3498b54845519a8db65bc1de3f37d982

SnakeKeylogger

923527e188f407ba2bba6d1570506c474519970bc29fbee47d16d01636e7a338

SnakeKeylogger

b73c4c07db87052a48008e0e37e56247178dc05ef2b1cfaae0dc3080dbbd0839

SnakeKeylogger

+ 2'343 additional samples on MalwareBazaar

Result

Malware family:

snakekeylogger

Score:

10/10

Tags:

family:snakekeylogger collection keylogger spyware stealer

Link:

https://tria.ge/reports/220608-kmk8esacc2/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

outlook_office_path

outlook_win_path

Accesses Microsoft Outlook profiles

Looks up external IP address via web service

Reads data files stored by FTP clients

Reads user/profile data of local email clients

Reads user/profile data of web browsers

Snake Keylogger

Snake Keylogger Payload

Unpacked files

SH256 hash:

fab1a3368db6f57e8c439371b65c6d22fd49f0ed74552d683c2117c075cf54c7

MD5 hash:

f5cc3de7e8860e1e9ed3a864ab556dc6

SHA1 hash:

6ecd0049249739ab98a0629f92786ef0c307c781

Link:

https://www.unpac.me/results/feccdbdd-c942-4177-81d8-f172736c2df8/

SH256 hash:

fedb655e7c7d5479a074cf90284028515c7617ec0ef8ddf15b284792fac75b5a

MD5 hash:

8033f11ee7303107ed1f446a0640ec3d

SHA1 hash:

6637ddd9dd0b0ac48ed6a24858758aec37804bcc

Link:

https://www.unpac.me/results/feccdbdd-c942-4177-81d8-f172736c2df8/

SH256 hash:

ca1b6299506bf2144834fcd4faf6b66eba78c56f81af15d18b3feeb8876e2cf4

MD5 hash:

2c73dbcc4cbd98979c80bf2e790b8bf6

SHA1 hash:

628ef7297f05db9abf3d7eb295c6f29bfc969f0e

Link:

https://www.unpac.me/results/feccdbdd-c942-4177-81d8-f172736c2df8/

SH256 hash:

a675f303f6e1ed214cb7ae9910246a1d54565da05690b29001d713f2acaad961

MD5 hash:

feed7bf03a05e5d55c945349f4db4399

SHA1 hash:

19021308efc63f8063b7d9b805b2a75ba18b3833

Link:

https://www.unpac.me/results/feccdbdd-c942-4177-81d8-f172736c2df8/

SH256 hash:

6010803fae462f5a1432a3c193ee4a00deac0c37dbbefec649201aad9824ef0d

MD5 hash:

ebe352b61274aa3fde064313d40b53ce

SHA1 hash:

85e57eb6351bfb33cee9307f2c7b83ba7f61fcf1

Link:

https://www.unpac.me/results/feccdbdd-c942-4177-81d8-f172736c2df8/

Malware family:

SnakeKeylogger

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/6010803fae46/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Suspicious File

Score:

0.35

Link:

https://yomi.yoroi.company/submissions/6010803fae462f5a1432a3c193ee4a00deac0c37dbbefec649201aad9824ef0d

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	pe_imphash Create hunting rule

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

SnakeKeylogger

exe 6010803fae462f5a1432a3c193ee4a00deac0c37dbbefec649201aad9824ef0d

(this sample)

Delivery method

Distributed via e-mail attachment

Cape

https://www.capesandbox.com/analysis/277687/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample