MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 65d0c541425d117d3a7cae9f870b5d3b14968066e0d1af76a6a511b4022eae28. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

SnakeKeylogger

Vendor detections: 15

Intelligence 15 IOCs YARA 2 File information Comments

SHA256 hash:	65d0c541425d117d3a7cae9f870b5d3b14968066e0d1af76a6a511b4022eae28
SHA3-384 hash:	1ea6e77b3e0cbfec2fc5012c50ac66f0aa90f7f694fb579e8c068d854d5ec283eb5dac460fa25650a969f3248f8186b5
SHA1 hash:	22067cb494eb6923811929daad39ca4ddf881e1d
MD5 hash:	bbc670507beb28a487cbc9b1441f6611
humanhash:	fanta-nitrogen-mirror-aspen
File name:	PROFORMA INVOICE.pdf.exe
Download:	download sample
Signature	SnakeKeylogger Create hunting rule
File size:	957'440 bytes
First seen:	2022-11-04 17:10:24 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'653 x AgentTesla, 19'464 x Formbook, 12'205 x SnakeKeylogger)
ssdeep	12288:2wpL6ajmI9euStP7c/DuN9LJnM7klUKkRk0APfs2sFLTAehm8buS89W7Bm/2orYh:WGmI9ezIqN9lM7klfkRAd8TAqbD
Threatray	9'010 similar samples on MalwareBazaar
TLSH	T18015E10E7691655EC51BB17899F4EEB7A785BC12E50BC21B12C31D8FB80F262CB107E6
TrID	64.2% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13) 11.5% (.SCR) Windows screen saver (13097/50/3) 9.2% (.EXE) Win64 Executable (generic) (10523/12/4) 5.7% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 3.9% (.EXE) Win32 Executable (generic) (4505/5/1)
Reporter	abuse_ch
Tags:	exe SnakeKeylogger

Intelligence

File Origin

# of uploads :

# of downloads :

149

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

PROFORMA INVOICE.pdf.exe

Verdict:

Malicious activity

Analysis date:

2022-11-04 17:11:44 UTC

Tags:

evasion trojan snake

Link:

https://app.any.run/tasks/5181160e-50e9-4a3a-b1fc-1c6dee91be59

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

Snake

Link:

https://www.capesandbox.com/analysis/328603/

Detection(s):

SecuriteInfo.com.Trojan.Inject4.46272.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

Launching a process

Forced system process termination

Verdict:

Suspicious

Threat level:

5/10

Confidence:

100%

Tags:

packed

Link:

https://www.filescan.io/uploads/636547acd998c15a09ab0fe0/reports/8bc23a3a-9167-4310-866e-dac9c1231ecc/overview

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Snake Keylogger

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/cba536c7-ef62-4758-9b5b-946269c677e4

Result

Threat name:

Snake Keylogger

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1105578

Signature

.NET source code contains potential unpacker

.NET source code references suspicious native API functions

Initial sample is a PE file and has a suspicious name

Injects a PE file into a foreign processes

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

May check the online IP address of the machine

Multi AV Scanner detection for submitted file

Snort IDS alert for network traffic

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to steal Mail credentials (via file / registry access)

Uses an obfuscated file name to hide its real file extension (double extension)

Yara detected AntiVM3

Yara detected Generic Downloader

Yara detected Snake Keylogger

Yara detected Telegram RAT

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/65d0c541425d117d3a7cae9f870b5d3b14968066e0d1af76a6a511b4022eae28/

Threat name:

ByteCode-MSIL.Spyware.SnakeLogger

Status:

Malicious

First seen:

2022-11-04 10:39:58 UTC

File Type:

PE (.Net Exe)

Extracted files:

AV detection:

21 of 40 (52.50%)

Threat level:

2/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=mximkqkcluix2ot4v2pyoc25hmkjnadg4di265vguui3iarovyua._file

Verdict:

malicious

SnakeKeylogger

2201eda7898979f08187156740f0e2b9012da6d51f0905c3122b95c39bade49f

SnakeKeylogger

4952a1b507d5779ad9e44e2976af3b6f890fb7d9f1bb685bea255300a70cf1bf

SnakeKeylogger

5e5878e7c89a666a6f6c0f3ad414a7c3d47c85d8bab613343b531ef552127ee8

SnakeKeylogger

a9faed68a14b216b5ce314939c62695058bdddbe086042b8845aa319b098c933

SnakeKeylogger

e1db205d91abb43dcf76bca95eae329c435f225b2470f2659e7a0e12521f8fe0

SnakeKeylogger

f22041afa2bfc2b588ff3e01f3a8b866dc713c7dfb2aa142561d291f00de1c5e

SnakeKeylogger

+ 9'000 additional samples on MalwareBazaar

Result

Malware family:

snakekeylogger

Score:

10/10

Tags:

family:snakekeylogger collection keylogger spyware stealer

Link:

https://tria.ge/reports/221104-vp9c5shaf5/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

outlook_office_path

outlook_win_path

Suspicious use of SetThreadContext

Accesses Microsoft Outlook profiles

Looks up external IP address via web service

Reads data files stored by FTP clients

Reads user/profile data of local email clients

Reads user/profile data of web browsers

Snake Keylogger

Snake Keylogger payload

Verdict:

Suspicious

Tags:

n/a

YARA:

n/a

Link:

https://app.threat.zone/submission/0c60e5c5-b000-4382-b60c-be3a7d0b88ea

Unpacked files

SH256 hash:

c433cb8ba4ed7546f62880c9983c33c18ccf5a42dae834a64d82e8c4fcdd5efd

MD5 hash:

f7f718010e122cf3d30c40483d96b344

SHA1 hash:

85ddc75a5b350e0cf6ae188d4746608ce7d0ac96

Detections:

snake_keylogger

Link:

https://www.unpac.me/results/d65af5b8-b213-4e59-83a1-e4b5c46187ca/

Parent samples :

0240f6faff8e14bcaf1113c921446538cead5eb4e39ab98e5e66068b3f3a75b3
cda24e3d3a8ba88a8d2d0dab710a930bc5ca13c1c3083971a0714fb318f8f5c8
c433cb8ba4ed7546f62880c9983c33c18ccf5a42dae834a64d82e8c4fcdd5efd
f41c73c8acf70e184c320f82246f59e3d49afce5ce4362d5574365d927f1a274
d4ad5ce4fdec7a03272de766af8b37fbc6343698b02f79b90fe082805bbee4e0
8614125f0030e7ba50feb26e4182a5a6fef974bb63ba462ffe632a4eb60401ad
f09db6345fcac734d7947e06039509442bb67ad36338f5c95cfc4db43684250b
8fc6ce85bbf1ffe09f896024dbc3ab65c3d8eb13403b67c50c448b0a688e84f2
b6abfeb2f4b5b9b41a34dd97806c12c49acc96e6f08115a7a7f9a5dd0a1db7ba
34386c8bb9b1f66f769134bea8e66f8ba8043c83ef81815a3bc6be4c2c932eeb
cf61eac87e9e32c2356e1ba7f4575a566d77d3971423fab6b152887a92ce5fd6
42dda05e1400a7a68a6909ce702427acde73c0caa30eae9d35a94202785c8fd5
f18d2d065b11a522118286f168308dc5bb012e9be93ba9b2b109947a5cca8ebc
c8621ed33fd881102eeaab471e0f5a3e5c766665262da60e69c0221707cd4ff2
174dc014b5ce03bf58ec6b7ce51e3245cad4ab121c6ca77a4081ec0baca127fd
2e111c4d9613c4d79c80bb8c172f2fb0be13ecd086c57365a44ddbc693037163
4d4d9ae7d1df32c6dbd477d6387d5570c0e8b304868aeeb68f738609f8b10518
023daf67673478dbcf9d192a79b3c7e860977540e5ecf2c276cc22dcd3853550
e2b989a7784480d0c71fcbd9842cee49fc2321b941a66ebc602467cdf685a7fb
7127b0166dbae1bd34069a99dd934345f4cf1dc01fab672070f47e22c2176bb6
f2b4cc229354335ed435a8d1f8d46f5faae4218e2482de7fcef20e6783c65e61
c56b76378b1c971bc21dfb6819a1578ef694bcaa4cf5587455edffb2f3ea72a3
1c28298d2342d343cb1e5202daac84d68787741e1e68d01a877f5658cae8615f
5714a59d68c85cc68b99965d03dc6ee4adcdb69bf1719854e0625444be18d1b7
61bc7f47158933d830a50e320e75ba4ee659c2272c6df73813681d8563e9ebbc
0d2777fc2687de0946f7fcc21bda9522034cef8322b73f94cf01afb5fe70adde
5be8bcd31c0d875b15324142117e3c67088f9c0d82e0866f5fa6727d02045f86
b3835043f8dcce1db6ccc2c7001092974cb8c891858f226fac1e4fa7015348a0
04cb7f26c4b9788f2271c0a08c5c867f3a52a2079a744522b6a8027b5a53f4d0
55f050354276f1d2c5c318fd6008cdd3bd18f061182675e86dde829e50e8df71
380683938b5bfa921c1205276053d6c9627a6123c48721562058ddbf306a5257
bcfdfb5073ac28ac7605bfc46a0b8b568146c6029519e3c9ab4ed6ebf42c95aa
47ddfd857cfbfde58f7599c330823dd214cb0b7f1f10c3762ecc617e06c1be1a
65d0c541425d117d3a7cae9f870b5d3b14968066e0d1af76a6a511b4022eae28
704a40d5b442b0389975c80b40cb26a96f83fac19634aa11894797512f87329b
cb01bd4afcf3723bcedcb253313b24e4e9538721774b99bfbe949f1b7f4e52e4
f70c088856b498d1660a080b978db81ea7e4488d7013587487f840c7b84d6859
d68266d44d18118b13f34a9c7ac9fb28d607d7b34c1a3f60145bfc1147a40177

SH256 hash:

097918ab3a5b5fe06875a3e77a35680a6ca429189ab9c23b13d93d7c0d5324cf

MD5 hash:

5539056649fb81f77ed20b78e01406dd

SHA1 hash:

711d568f2b9d81fd475134c18366a158ac1749cf

Link:

https://www.unpac.me/results/d65af5b8-b213-4e59-83a1-e4b5c46187ca/

SH256 hash:

cfc16a2dbb933b1b85807d48966e9301b9fc34f4c44e7357713ca88b54bf4ab4

MD5 hash:

aabd0bdc81026ade6c57383f21d5c227

SHA1 hash:

4b26936bb8c03be6d7963184215a5ab594ecb765

Link:

https://www.unpac.me/results/d65af5b8-b213-4e59-83a1-e4b5c46187ca/

SH256 hash:

025f6e87482c421e11db2276055ef12b1bf52b370eb1ae5039523f384a3fff52

MD5 hash:

51d459aad2b385a9e0b8e3402210b5a2

SHA1 hash:

1baa93a90f9e466e76214e626c839310e1b8dcc5

Link:

https://www.unpac.me/results/d65af5b8-b213-4e59-83a1-e4b5c46187ca/

SH256 hash:

b8cfe6ff19cf9e995d48b4ec43e4f43bacaf2b34c9b01529ca201fec58d5535f

MD5 hash:

de137fc12686c176781742b0fca9144d

SHA1 hash:

0c43983faf187cc92689b861c531ded5822175a1

Link:

https://www.unpac.me/results/d65af5b8-b213-4e59-83a1-e4b5c46187ca/

SH256 hash:

65d0c541425d117d3a7cae9f870b5d3b14968066e0d1af76a6a511b4022eae28

MD5 hash:

bbc670507beb28a487cbc9b1441f6611

SHA1 hash:

22067cb494eb6923811929daad39ca4ddf881e1d

Link:

https://www.unpac.me/results/d65af5b8-b213-4e59-83a1-e4b5c46187ca/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Suspicious File

Score:

0.65

Link:

https://yomi.yoroi.company/submissions/65d0c541425d117d3a7cae9f870b5d3b14968066e0d1af76a6a511b4022eae28

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	pe_imphash Create hunting rule

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/328603/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample