MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 726fe602b1d9ea227e0835f11d9180d9a7911d52fa5e7fe7dda2700eb38c659e. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

SnakeKeylogger

Vendor detections: 14

Intelligence 14 IOCs YARA 2 File information Comments

SHA256 hash:	726fe602b1d9ea227e0835f11d9180d9a7911d52fa5e7fe7dda2700eb38c659e
SHA3-384 hash:	0533944dff12bdd7464e1babb1c69b5350d537e16ba1d583620f6fa989e9896b35f1000c7fe7affb0631277d23bad1ec
SHA1 hash:	0afe0c82051109accc698940a035f2d984e7e8db
MD5 hash:	1d85ca5408c0aa8af7ed5d9368b38994
humanhash:	happy-island-finch-sierra
File name:	SecuriteInfo.com.Win32.PWSX-gen.2845.2417
Download:	download sample
Signature	SnakeKeylogger Create hunting rule
File size:	870'400 bytes
First seen:	2022-12-12 10:31:03 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep	12288:XMKxXGTksbx6XCg6l5mZYQKfoENe0VuuK/v2SIqkog6:NgTksbxTgkmZYTfde0EuKn2Spk36
TLSH	T10A054B2DEBC8E679EFE7BEF206266FC01552E9C81E93F195883F719D0D20211F106996
TrID	63.0% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13) 11.2% (.SCR) Windows screen saver (13097/50/3) 9.0% (.EXE) Win64 Executable (generic) (10523/12/4) 5.6% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 3.8% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):
dhash icon	ecf0c68ac2c298f2 (60 x SnakeKeylogger, 14 x Formbook, 6 x AgentTesla)
Reporter	SecuriteInfoCom
Tags:	exe SnakeKeylogger

Intelligence

File Origin

# of uploads :

# of downloads :

179

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

SecuriteInfo.com.Win32.PWSX-gen.2845.2417

Verdict:

Malicious activity

Analysis date:

2022-12-12 10:47:59 UTC

Tags:

evasion trojan snake

Link:

https://app.any.run/tasks/2602d4a1-0803-48f1-b601-09f433084be9

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/345393/

Detection(s):

SecuriteInfo.com.Win32.PWSX-gen.2845.2417.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

Sending a custom TCP request

Verdict:

Suspicious

Threat level:

5/10

Confidence:

100%

Tags:

packed

Link:

https://www.filescan.io/uploads/6397032204e0e79bdf4267ef/reports/5456dfcf-7d51-42ea-b88c-cc65120a2352/overview

Result

Verdict:

UNKNOWN

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Snake Keylogger

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/20309af0-0f2b-4c89-87e3-9c1cea556065

Result

Threat name:

Snake Keylogger

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1132551

Signature

.NET source code references suspicious native API functions

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

May check the online IP address of the machine

Snort IDS alert for network traffic

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to steal Mail credentials (via file / registry access)

Yara detected AntiVM3

Yara detected Generic Downloader

Yara detected Snake Keylogger

Yara detected Telegram RAT

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/726fe602b1d9ea227e0835f11d9180d9a7911d52fa5e7fe7dda2700eb38c659e/

Threat name:

ByteCode-MSIL.Trojan.AgentTesla

Status:

Malicious

First seen:

2022-12-12 10:32:08 UTC

File Type:

PE (.Net Exe)

Extracted files:

AV detection:

19 of 26 (73.08%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=ojx6mavr3hvce7qigxyr3ema3gtzchks7jph7z65ujya5m4mmwpa._file

Verdict:

malicious

Result

Malware family:

snakekeylogger

Score:

10/10

Tags:

family:snakekeylogger collection keylogger spyware stealer

Link:

https://tria.ge/reports/221212-mkezqsbb27/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

outlook_office_path

outlook_win_path

Suspicious use of SetThreadContext

Accesses Microsoft Outlook profiles

Looks up external IP address via web service

Reads data files stored by FTP clients

Reads user/profile data of local email clients

Reads user/profile data of web browsers

Snake Keylogger

Snake Keylogger payload

Malware Config

C2 Extraction:

https://api.telegram.org/bot5409930542:AAFxwqGbFuHLkEcoI_Wd5LmyaZ64bak9as0/sendMessage?chat_id=5492983899

Verdict:

Suspicious

Tags:

n/a

YARA:

n/a

Link:

https://app.threat.zone/submission/c7d2b88a-2503-4ed0-9c0d-46e07c2ca5a6

Unpacked files

SH256 hash:

61a39d9eb3e773e7188c26f40fb23755a2c9b20bed4cf8ba103435886e42c155

MD5 hash:

605ed828480855c70c8917e3b6cc5642

SHA1 hash:

c2314030d4c626bcc755bba8755c84c04fe458e1

Link:

https://www.unpac.me/results/37f8bec1-2bbb-4a1a-88af-a0e4448ff20b/

SH256 hash:

6897514151c61188eef196109020bba0b5f53de689144928aea20ab97b9b8a03

MD5 hash:

5e6ecdca36b1e9559d3eb987a8d73f1c

SHA1 hash:

a3a86faa8bf46eebdf0e78a87f93edbd92a4d161

Detections:

snake_keylogger

Link:

https://www.unpac.me/results/37f8bec1-2bbb-4a1a-88af-a0e4448ff20b/

Parent samples :

ce49fe316e00aef70cce1d5430382613692b59d306b9b6253e88ac5c94732b0d
35aeecd77643fc7df90432db30ef248cfba29a9cc98a2c164b3bb4d233974734
f2912bcf7fbc7f4bce35f66e7854bf01835e74a1d5f095595eb59d4dcd7497cf
726fe602b1d9ea227e0835f11d9180d9a7911d52fa5e7fe7dda2700eb38c659e
aa1ae5f4ed9446576dbd7af18510705811dd7ce85bd06bc0ed988d65e855b963
dec5bbf9420596e7e4b387c6331b6009817af7803e20f717ffb55dc313e60645
482f061d6359be2ae8cd7c5ff63fe997ef1dc42d1a286237db8729097647c507
16c366cb47a4b606f2b20a1a1ccb4a8e408c758afbae9b51922667abf9c2b92f
84cc129521b39e0182631b253637efda5e6305b8c484ab76f3a4184e81bbd812
73d18d7b6bd92fa3e85db713d39f932c483c0317607b93a2b31845d4e703a6a2
f20fc83d3adb7cf9f5dbaa5efab44527e0657d88529bc621ec489e37593d510c
64879bdaf4add0db2f52b2cfc4c579b15fa5263601aed7c3aeeb926f0dba1acf

SH256 hash:

922915132a628d0050bf03a473370544dde3323627fb4adcba3f1ba869537e50

MD5 hash:

1ecb63625d636b0b8f8ebdece9fa80c3

SHA1 hash:

5623d5ad21fc63893011bae7e4709c51219fcc1c

Link:

https://www.unpac.me/results/37f8bec1-2bbb-4a1a-88af-a0e4448ff20b/

SH256 hash:

340ba2312d5cdfc3d89f3f35f627187dcb406e5afea134bc76b04f52f4285df3

MD5 hash:

85f9290aa8900e9fd74b01ee23125706

SHA1 hash:

310eb5e4aea5471b74a6385f1da283b9d8e3d698

Link:

https://www.unpac.me/results/37f8bec1-2bbb-4a1a-88af-a0e4448ff20b/

SH256 hash:

7c8feacc6caec9290f1ce04ae672bf178bad9eec1e2c2130cc34806e55b08c82

MD5 hash:

e456a6a3d4c8c7a5bd79ce5df7848e22

SHA1 hash:

2bc5069765f543021c60ffd2fbf7244429e9e678

Link:

https://www.unpac.me/results/37f8bec1-2bbb-4a1a-88af-a0e4448ff20b/

SH256 hash:

726fe602b1d9ea227e0835f11d9180d9a7911d52fa5e7fe7dda2700eb38c659e

MD5 hash:

1d85ca5408c0aa8af7ed5d9368b38994

SHA1 hash:

0afe0c82051109accc698940a035f2d984e7e8db

Link:

https://www.unpac.me/results/37f8bec1-2bbb-4a1a-88af-a0e4448ff20b/

Malware family:

SnakeKeylogger

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/726fe602b1d9/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

0.81

Link:

https://yomi.yoroi.company/submissions/726fe602b1d9ea227e0835f11d9180d9a7911d52fa5e7fe7dda2700eb38c659e

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	pe_imphash Create hunting rule

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/345393/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample