MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 6f8fda2c3717f8e5240615c1b03e0586a575cdca7625b1f62be50055d7eab52c. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

SnakeKeylogger

Vendor detections: 14

Intelligence 14 IOCs YARA 2 File information Comments

SHA256 hash:	6f8fda2c3717f8e5240615c1b03e0586a575cdca7625b1f62be50055d7eab52c
SHA3-384 hash:	eb8597ae15673d5f7bfd97c42f18b6f869fa70e946c3e2e4ab4333a6ca8a5450739b5a99d4fdca1ad4f2bc6c1eae8e6d
SHA1 hash:	fcc7b707fddc280d111ac4d04af3c84f85da11c4
MD5 hash:	a863b7703348505c94a8571a11fbbe60
humanhash:	comet-xray-seventeen-enemy
File name:	payment001.exe
Download:	download sample
Signature	SnakeKeylogger Create hunting rule
File size:	455'680 bytes
First seen:	2022-10-25 09:12:36 UTC
Last seen:	2022-10-29 12:53:18 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'666 x AgentTesla, 19'479 x Formbook, 12'209 x SnakeKeylogger)
ssdeep	6144:8Fwtaw7c7obBoofPhHxtlVdRpankyaC8OM6jzDPHi0/QJ4t2CMlKQ+Nmm5IVyuXc:2Mh7bountnIky8260R5Q+IDouXkp
Threatray	5'484 similar samples on MalwareBazaar
TLSH	T16FA412101BA16917C1FF77FA783B0A44D33A5501CA76EA1C29C531EC14AF7058AA3FAB
TrID	64.2% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13) 11.5% (.SCR) Windows screen saver (13101/52/3) 9.2% (.EXE) Win64 Executable (generic) (10523/12/4) 5.7% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 3.9% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):
dhash icon	00c8dcfc9cdcd000 (13 x Loki, 13 x AgentTesla, 11 x Formbook)
Reporter	abuse_ch
Tags:	exe SnakeKeylogger

Intelligence

File Origin

# of uploads :

# of downloads :

194

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

payment001.exe

Verdict:

Malicious activity

Analysis date:

2022-10-25 09:14:08 UTC

Tags:

evasion trojan snake

Link:

https://app.any.run/tasks/f10dcd9a-3135-404a-9420-460214eb3258

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

Snake

Link:

https://www.capesandbox.com/analysis/323853/

Detection(s):

SecuriteInfo.com.Trojan.Inject4.45756.7452.15433.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

Сreating synchronization primitives

Creating a file in the %AppData% directory

Enabling the 'hidden' option for recently created files

Adding an access-denied ACE

Creating a process from a recently created file

Creating a process with a hidden window

Creating a file in the %temp% directory

Launching a process

Result

Verdict:

UNKNOWN

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Snake Keylogger

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/c08cdf3c-2023-4ecd-9faa-89f6d1998b91

Result

Threat name:

Snake Keylogger

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1097379

Signature

.NET source code contains potential unpacker

.NET source code references suspicious native API functions

Adds a directory exclusion to Windows Defender

Executable has a suspicious name (potential lure to open the executable)

Initial sample is a PE file and has a suspicious name

Injects a PE file into a foreign processes

Machine Learning detection for dropped file

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

May check the online IP address of the machine

Multi AV Scanner detection for submitted file

Sigma detected: Scheduled temp file as task from temp location

Snort IDS alert for network traffic

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to steal Mail credentials (via file / registry access)

Uses schtasks.exe or at.exe to add and modify task schedules

Yara detected AntiVM3

Yara detected Generic Downloader

Yara detected Snake Keylogger

Yara detected Telegram RAT

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/6f8fda2c3717f8e5240615c1b03e0586a575cdca7625b1f62be50055d7eab52c/

Threat name:

ByteCode-MSIL.Trojan.AgentTesla

Status:

Malicious

First seen:

2022-10-25 01:49:36 UTC

File Type:

PE (.Net Exe)

Extracted files:

AV detection:

22 of 26 (84.62%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=n6h5ulbxc74okjagcxa3apqfq2sxltokoys3d5rl4uaflv7kwuwa._file

Verdict:

malicious

SnakeKeylogger

499439f56127a77db15051a32a4b19fd43e98dfe9a3373dd008b60102a2d7d79

SnakeKeylogger

74bf4be5cd674b82ed1eee10d1187d16b8abd1c348d2527d8ff34d88fbc01114

SnakeKeylogger

7a96faef83e248093584f633bdb3057dda34f1e028683d54401fba6143cf2c32

SnakeKeylogger

84e596ad20cda4c95082d8cbad4bb3d75abd243f99d923c94286944678b40476

SnakeKeylogger

dbaf6b7b3a59ffcc8cee70bea12b6587a8ab8dc6555c0d3687f90bda81ed497f

SnakeKeylogger

e08ed6f6f84946bdd5e3d099080330841efe8ce84cc2002d510e3dbe74de3fef

SnakeKeylogger

+ 5'474 additional samples on MalwareBazaar

Result

Malware family:

snakekeylogger

Score:

10/10

Tags:

family:snakekeylogger collection keylogger spyware stealer

Link:

https://tria.ge/reports/221025-k6rjjscbal/

Behaviour

Creates scheduled task(s)

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

outlook_office_path

outlook_win_path

Enumerates physical storage devices

Suspicious use of SetThreadContext

Accesses Microsoft Outlook profiles

Looks up external IP address via web service

Checks computer location settings

Reads data files stored by FTP clients

Reads user/profile data of local email clients

Reads user/profile data of web browsers

Snake Keylogger

Snake Keylogger payload

Malware Config

C2 Extraction:

https://api.telegram.org/bot5788931871:AAEfkw_P98L88KrFlXGZzJolFlQrpqGegLg/sendMessage?chat_id=5649714338

Verdict:

Suspicious

Tags:

n/a

YARA:

n/a

Link:

https://app.threat.zone/submission/ecbcf63c-9784-45c7-8bf3-381d4532cf16

Unpacked files

SH256 hash:

45b7b6c61bf11f15b7aa49a1d436ae3d933edf3a925d2792981f787924801c51

MD5 hash:

c87965053a7d85ab8dd3c00159fb67b1

SHA1 hash:

a7736d8c29df6deb4a521f805fca0cc32519dc8e

Link:

https://www.unpac.me/results/1a81406c-e4d1-45e3-a6e6-fcefbb522cfb/

SH256 hash:

4035fab0fa6baa1644ef9c569698e92bd2da582aba6e37d145ec791f3f7738e2

MD5 hash:

5d7025962c08df30bc49388c5ab6b997

SHA1 hash:

a3c2974c7d5bdaa4c9185cd36fed5d259969cc64

Detections:

snake_keylogger

Link:

https://www.unpac.me/results/1a81406c-e4d1-45e3-a6e6-fcefbb522cfb/

Parent samples :

b89882fd492b452ad93021de3223a75912db541b71b4db756f248ba385b0d97c
d086e34cc5ee029f8acb9acd840cee22341982c2c2f4752e575d4f18c5a9d00b
0a22a2255fdbaba55a3d1901e74e709968f363362e2902c5a16bfa6a86e90481
768b0f2e493d03d6c314819ed2898e559350dc85c25631a77c254444f86bf6ee
a2bc93e1eb0d1ac91d7c09faf00c5ecf97f7501c8883391c9d5b77a5c23c99c9
337760975af1bfd2b9c43ee0f7326ca1cad747c3426edbb7de1db2be71d8e5f5
f5513ad2ae4942ab753e178eefecfc0c62396c9a1a9128c2a65591780faad3ef
16c6e27daa1a1e14e32a2a49ee97054d64a9ae4b4549db8d4d7c3bfca889c15d
6f8fda2c3717f8e5240615c1b03e0586a575cdca7625b1f62be50055d7eab52c

SH256 hash:

248a7c4997aacb14ca032daf9668636839f921d0a3403f09a3b0ccfdc948cbf1

MD5 hash:

a7952169b04a2c6a39661aad59e79dcf

SHA1 hash:

88722f1a32c913307c0c6385b04478a79fabd12b

Link:

https://www.unpac.me/results/1a81406c-e4d1-45e3-a6e6-fcefbb522cfb/

SH256 hash:

884abb8dec68ad279fce92295b2f1846f41efb96579c7c7938231548ad679be3

MD5 hash:

226e7d27f4aa9880900469aceacde4bc

SHA1 hash:

7994f0615fc2536f45232a695d1797dd85d7e593

Link:

https://www.unpac.me/results/1a81406c-e4d1-45e3-a6e6-fcefbb522cfb/

SH256 hash:

744928a56b4d36f17e73eea0534c5e99103d1553d5b0a864a6fd9d4f9899b47f

MD5 hash:

91fed5db1afcdf48e0cd6d4058a013ba

SHA1 hash:

3717b3346e25d3f66f00626ad1a771d8655f485f

Link:

https://www.unpac.me/results/1a81406c-e4d1-45e3-a6e6-fcefbb522cfb/

SH256 hash:

6f8fda2c3717f8e5240615c1b03e0586a575cdca7625b1f62be50055d7eab52c

MD5 hash:

a863b7703348505c94a8571a11fbbe60

SHA1 hash:

fcc7b707fddc280d111ac4d04af3c84f85da11c4

Link:

https://www.unpac.me/results/1a81406c-e4d1-45e3-a6e6-fcefbb522cfb/

Malware family:

SnakeKeylogger

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/6f8fda2c3717/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/6f8fda2c3717f8e5240615c1b03e0586a575cdca7625b1f62be50055d7eab52c

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	pe_imphash Create hunting rule

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

SnakeKeylogger

exe 6f8fda2c3717f8e5240615c1b03e0586a575cdca7625b1f62be50055d7eab52c

(this sample)

Delivery method

Distributed via e-mail attachment

Cape

https://www.capesandbox.com/analysis/323853/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample