MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 712e705f2af68e8c969908ea6cf88217ce9512302c8d26aa4b095c38b759abe2. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


SnakeKeylogger


Vendor detections: 15


Intelligence 15 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 712e705f2af68e8c969908ea6cf88217ce9512302c8d26aa4b095c38b759abe2
SHA3-384 hash: 0c9ca914c49d0b32716f66af0fcada2bb44a713659e2b865e2b23f1fad80b3cebf6344e768569aae166dbb3b54aae53f
SHA1 hash: e2285c80b38fe19ca6653fe281ed160d9a230c65
MD5 hash: b35da75ed7de28e39d2d2ba207dc001a
humanhash: pennsylvania-vermont-glucose-maine
File name:13_07_23_21_30_48_1_F_3_2023_FRA_261457.pdf.exe
Download: download sample
Signature SnakeKeylogger
Create hunting rule
File size:614'912 bytes
First seen:2023-07-14 12:14:38 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 12288:HDp8l9pMv4eQut/HY+249WAbT2W/zNY1fnrxDsK/STr:ql9pS4xW/HDjQAbTNOfnrZsK/ST
Threatray 5'357 similar samples on MalwareBazaar
TLSH T1F6D4CE8173B49E31E8AED2B920296088DF79B43E64A6E11A4F5A34D11E60F77371F743
TrID 71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.2% (.EXE) Win64 Executable (generic) (10523/12/4)
6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.3% (.EXE) Win32 Executable (generic) (4505/5/1)
2.0% (.ICL) Windows Icons Library (generic) (2059/9)
Reporter abuse_ch
Tags:exe SnakeKeylogger

Intelligence

File Origin
# of uploads :
1
# of downloads :
284
Origin country :
NL NL
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
13_07_23_21_30_48_1_F_3_2023_FRA_261457.pdf.exe
Verdict:
Malicious activity
Analysis date:
2023-07-14 12:19:01 UTC
Tags:
evasion snake keylogger trojan
Link:
https://app.any.run/tasks/7f2d8224-b6b3-4f85-af28-2dbc67f25fc2

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Snake
Create hunting rule
Link:
https://www.capesandbox.com/analysis/418781/
Detection(s):
SecuriteInfo.com.Trojan.PackedNET.1995.5799.8405.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a custom TCP request
Restart of the analyzed sample
Enabling the 'hidden' option for analyzed file
Moving of the original file
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
masquerade packed
Link:
https://www.filescan.io/uploads/64b13c4b6e9f7019dea0e1f4/reports/8946465d-94f1-448b-b1bb-89aa0418903f/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_100%
Link:
https://www.hybrid-analysis.com/sample/712e705f2af68e8c969908ea6cf88217ce9512302c8d26aa4b095c38b759abe2
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Snake Keylogger
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/92d2d7e8-90ea-4f8e-8750-2b4cfa88d785
Result
Threat name:
Snake Keylogger
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1273141
Signature
.NET source code contains potential unpacker
Found malware configuration
Initial sample is a PE file and has a suspicious name
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
May check the online IP address of the machine
Moves itself to temp directory
Multi AV Scanner detection for submitted file
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Uses an obfuscated file name to hide its real file extension (double extension)
Yara detected Generic Downloader
Yara detected Snake Keylogger
Yara detected Telegram RAT
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/712e705f2af68e8c969908ea6cf88217ce9512302c8d26aa4b095c38b759abe2/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2023-07-14 08:54:28 UTC
File Type:
PE (.Net Exe)
Extracted files:
12
AV detection:
17 of 24 (70.83%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=oexhaxzk62hizfuzbdvgz6ecc7hjkerqfsgsnkslbfodrn2zvpra._file
Verdict:
malicious
Similar samples:
1b6074d75cc84fcd24ad401c5706b1b77c1ef133a479f92e43153cbd8a952929
SnakeKeylogger
48c443ac6d5ba187712c1d8d5ac27d5d23bd4dd718a714c51f3811a751c4346b
SnakeKeylogger
549dd9bedf40c44d43f4c7fabd72feab510a787f291d6c6a090f13152fd66ad8
SnakeKeylogger
560d725c51733509f17d4a1b647cb5cfea3f400cfcc9cbab82da116419db1297
SnakeKeylogger
673a75c1f1f0092d9c281898b7e218b8c1440faa70990a5060bf8e560687e4b9
SnakeKeylogger
7f83cd291ccbaf7e86cd96fffc54ecdadb4dff972f4ddcb11ca0cdadf9788899
SnakeKeylogger
a4ce07acfbdf7bd395f263bd86c3383bfc2d2f21be8df21511c1d37fa40e59b4
SnakeKeylogger
a5fd6b85520d3b39202bd9a1cd07164034a437019dbdac558a6850498a104038
SnakeKeylogger
be97a51ffa2d24ac0f2eba8eb2bc3ed49057c873d16d8c6b893c84b8670c9a1f
SnakeKeylogger
eebe1c81da57309a99fa8cf1a8ef2ef90af6072182ad6b8dd3ceb8a31500bd0c
SnakeKeylogger
+ 5'347 additional samples on MalwareBazaar
Result
Malware family:
snakekeylogger
Create hunting rule
Score:
  10/10
Tags:
family:snakekeylogger collection keylogger spyware stealer
Link:
https://tria.ge/reports/230714-pexnpsed7z/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: RenamesItself
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Looks up external IP address via web service
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Snake Keylogger
Snake Keylogger payload
Unpacked files
SH256 hash:
53f2ad060cf771aa4f197df5789cee95959480c244a0b392bb450c8ce7311d77
MD5 hash:
37e82d3e2864e27b34f5fbacaea759c3
SHA1 hash:
a87024a466e052bff09a170bb8c6f374f6c84c32
Link:
https://www.unpac.me/results/ee0550e5-3113-4721-9677-7fe36e7bb44a/
SH256 hash:
1697cf7558f177fcc8056f9c4edd20d2ae40dbb1174b61f29772f2253a32af50
MD5 hash:
412b890b4edab18ab4921fb798fe679e
SHA1 hash:
5e0d567dd1a0d3c479cb9d9b08f04dced1fdb4d5
Detections:
snake_keylogger
Create hunting rule
Link:
https://www.unpac.me/results/ee0550e5-3113-4721-9677-7fe36e7bb44a/
Parent samples :
a5fd6b85520d3b39202bd9a1cd07164034a437019dbdac558a6850498a104038
712e705f2af68e8c969908ea6cf88217ce9512302c8d26aa4b095c38b759abe2
4b899a1465e8a93502b8eff43fcc1c925fedd246148b02bf50d7f177ab7c2d52
4267e2d7fe9a8a024af4c37d0dfebe2b19475780ff5d503dc33aa5601d67444c
a522c162309a70669686d31f16cab0be84f04cc948e8d2e6579b9a1365b63fc5
SH256 hash:
3e24c77fe108059f14fe61b8400c5fe023dc2b0ec7c4fe23fa9911681086f7a9
MD5 hash:
a5228b97b33467ac41fac5cac2718252
SHA1 hash:
28bb020c8a53b046fc8e8106f2913e62c5941a0d
Link:
https://www.unpac.me/results/ee0550e5-3113-4721-9677-7fe36e7bb44a/
SH256 hash:
a2f849b4283dba2c2b01e988e5677d590eecd68caee903584f412a948f1deb95
MD5 hash:
f33b35b9a1a9d07c525833833f44d76c
SHA1 hash:
022f26592a1494b5da54817eb1655c22505094f6
Link:
https://www.unpac.me/results/ee0550e5-3113-4721-9677-7fe36e7bb44a/
SH256 hash:
712e705f2af68e8c969908ea6cf88217ce9512302c8d26aa4b095c38b759abe2
MD5 hash:
b35da75ed7de28e39d2d2ba207dc001a
SHA1 hash:
e2285c80b38fe19ca6653fe281ed160d9a230c65
Link:
https://www.unpac.me/results/ee0550e5-3113-4721-9677-7fe36e7bb44a/
Malware family:
SnakeKeylogger
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/712e705f2af6/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

SnakeKeylogger

Executable exe 712e705f2af68e8c969908ea6cf88217ce9512302c8d26aa4b095c38b759abe2

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/418781/

Comments