MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 63a3030e7976336af80d4f489128aa9ecbe98173b595a6ea641c3f335e3c7d80. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


SnakeKeylogger


Vendor detections: 11


Intelligence 11 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 63a3030e7976336af80d4f489128aa9ecbe98173b595a6ea641c3f335e3c7d80
SHA3-384 hash: 9931891a21cf9d3f9a25d32488a75278f50f73660269c48bba000c0f19dd4749e95620096e4131dc8a2bec62f515f291
SHA1 hash: cc5f3717b765d38c4f209261e18e75476f057b1c
MD5 hash: aa69e4e288a77f38b2eaa81ae7998e0a
humanhash: nine-magazine-romeo-venus
File name:Oa5XaWqR4XeWUw2.exe
Download: download sample
Signature SnakeKeylogger
Create hunting rule
File size:820'736 bytes
First seen:2022-01-25 11:06:41 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'661 x AgentTesla, 19'474 x Formbook, 12'208 x SnakeKeylogger)
ssdeep 12288:2YlYr+vY4TXQJZxXj6CPbzn75yb9U7GwG6iq7acB1BSW:2Ylu+vlQDxGm/wb9CG677aI18W
Threatray 2'796 similar samples on MalwareBazaar
TLSH T1E805E1142BB4C773C17A9BF814B235148BF9396AA53CE5D91CCB52CA4BBAF208561F07
Reporter abuse_ch
Tags:exe SnakeKeylogger

Intelligence

File Origin
# of uploads :
1
# of downloads :
188
Origin country :
n/a
Vendor Threat Intelligence
Detection:
Snake
Create hunting rule
Link:
https://www.capesandbox.com/analysis/222381/
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
DNS request
Sending a custom TCP request
Unauthorized injection to a recently created process
Creating a file
Сreating synchronization primitives
Sending an HTTP GET request
Reading critical registry keys
Forced shutdown of a browser
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
obfuscated packed
Link:
https://www.filescan.io/uploads/61efd9db0f8c757253e6a5ef/reports/f1c51fc1-d0c9-4514-8bf8-ef50eedbe6c7/overview
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Snake Keylogger
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/320a4f08-b662-4de0-9714-e09d88a189ea
Result
Threat name:
Snake Keylogger
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/927005
Signature
Found malware configuration
Injects a PE file into a foreign processes
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
May check the online IP address of the machine
Multi AV Scanner detection for submitted file
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Yara detected AntiVM3
Yara detected Snake Keylogger
Yara detected Telegram RAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 559490 Sample: Oa5XaWqR4XeWUw2.exe Startdate: 25/01/2022 Architecture: WINDOWS Score: 100 31 Found malware configuration 2->31 33 Malicious sample detected (through community Yara rule) 2->33 35 Multi AV Scanner detection for submitted file 2->35 37 5 other signatures 2->37 7 Oa5XaWqR4XeWUw2.exe 3 2->7         started        process3 file4 23 C:\Users\user\...\Oa5XaWqR4XeWUw2.exe.log, ASCII 7->23 dropped 39 May check the online IP address of the machine 7->39 41 Injects a PE file into a foreign processes 7->41 11 Oa5XaWqR4XeWUw2.exe 15 2 7->11         started        14 Oa5XaWqR4XeWUw2.exe 7->14         started        16 Oa5XaWqR4XeWUw2.exe 7->16         started        18 Oa5XaWqR4XeWUw2.exe 7->18         started        signatures5 process6 dnsIp7 27 checkip.dyndns.com 132.226.8.169, 49745, 80 UTMEMUS United States 11->27 29 checkip.dyndns.org 11->29 20 WerFault.exe 23 9 11->20         started        process8 dnsIp9 25 192.168.2.1 unknown unknown 20->25
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/63a3030e7976336af80d4f489128aa9ecbe98173b595a6ea641c3f335e3c7d80/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2022-01-25 09:06:00 UTC
File Type:
PE (.Net Exe)
Extracted files:
13
AV detection:
24 of 43 (55.81%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=morqgdtzoyzwv6anj5ejckfkt3f6taltwwk2n2tedq7tgxr4pwaa._file
Verdict:
malicious
Similar samples:
1a58c708f0c8b203949c9f180813f7fd6665b2f7bbf6f474b39d94e3d6638a30
SnakeKeylogger
332eb007a5e9b3e603bcd8546505d6df1b480ab032f772f5a24730c4cc6edfc5
SnakeKeylogger
44b764e014bc56b28a3b803ca10758d94a3f0ad587835c0104a16f7968feb234
SnakeKeylogger
8247b8fabf058c2b719647eb01a5dc0f72da5df5730f6152909f12d9cd1aaf50
SnakeKeylogger
95b3882e2ba6d5f35be8c35aa3d047e41ec110eb7f8aa69af7652f1cc29a6fb7
SnakeKeylogger
9e1b6a535b988b2f1f7e8656ec01feceff365d0c4aed814d11fdde1a4a72306f
SnakeKeylogger
c42b8a5dc308fe050318dbb5856cc3d8825143b132cc1e02e0799d9e7109fbe0
SnakeKeylogger
c73a8629499a2e95adf6ec545b360f49d607fb8b737ab5a26020d54b37df8b8d
SnakeKeylogger
eb750ca2f4a93f7b8674c77cf2178ec75f3f858abd51c5fc4979d373b8438545
SnakeKeylogger
fa11ff2dfdf24b8e4628ba1e868a27510b4cb3936d1c03dd1d6bb8049cbdefa8
SnakeKeylogger
+ 2'786 additional samples on MalwareBazaar
Result
Malware family:
snakekeylogger
Create hunting rule
Score:
  10/10
Tags:
family:snakekeylogger collection keylogger spyware stealer
Link:
https://tria.ge/reports/220125-m72f9aefdk/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Looks up external IP address via web service
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Snake Keylogger
Snake Keylogger Payload
Unpacked files
SH256 hash:
32d782b891e45cfdd00a4bf29508008823379ea74da94b24353cf735359e2c9d
MD5 hash:
b729064aef0b1f50acac34b65bfefb06
SHA1 hash:
f3b5981d5c3af9dfb01316924c5fcad711655d34
Link:
https://www.unpac.me/results/24bc81d5-06ee-4ae3-bb61-48c1cc959bf3/
SH256 hash:
23f2103b81dd389799a9e0826a26c3f93d900851d22343aa79fae6990ee3d7df
MD5 hash:
d2a1d1857be24bb7e51441aae7daf333
SHA1 hash:
9e831f39f17f34600c3236a12e8cd537f08a00d0
Link:
https://www.unpac.me/results/24bc81d5-06ee-4ae3-bb61-48c1cc959bf3/
SH256 hash:
8325a5cf7942bb46ac528c836b79180c05d71a4e7de108693d303d56bcc5def1
MD5 hash:
efdf2c54a74297c24bc73285376c432b
SHA1 hash:
564f25afb6c5599cdcd5fafaff32c1475e581af4
Link:
https://www.unpac.me/results/24bc81d5-06ee-4ae3-bb61-48c1cc959bf3/
SH256 hash:
63a3030e7976336af80d4f489128aa9ecbe98173b595a6ea641c3f335e3c7d80
MD5 hash:
aa69e4e288a77f38b2eaa81ae7998e0a
SHA1 hash:
cc5f3717b765d38c4f209261e18e75476f057b1c
Link:
https://www.unpac.me/results/24bc81d5-06ee-4ae3-bb61-48c1cc959bf3/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.65
Link:
https://yomi.yoroi.company/submissions/63a3030e7976336af80d4f489128aa9ecbe98173b595a6ea641c3f335e3c7d80

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/222381/

Comments