MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 73b2fa63d7b589aff7fd4e4edb2dcefbb468c8d016b1976b8a8747ae53f9ebb6. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

SnakeKeylogger

Vendor detections: 14

Intelligence 14 IOCs YARA 13 File information Comments

SHA256 hash:	73b2fa63d7b589aff7fd4e4edb2dcefbb468c8d016b1976b8a8747ae53f9ebb6
SHA3-384 hash:	c52d077a86ef4beefa9925720b5d1802f1a6e45f08cbbc85e5c44f965fd28ac45b6b3b77ab38a49868f1e8da9e80c775
SHA1 hash:	165d205fe0bbd649bb277ffd139b7a6f46c84e99
MD5 hash:	edebe7a0e4dc7a73d6f5cbbf7439cecf
humanhash:	burger-sixteen-november-beer
File name:	py.exe
Download:	download sample
Signature	SnakeKeylogger Create hunting rule
File size:	1'329'152 bytes
First seen:	2024-01-18 00:56:04 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	948cc502fe9226992dce9417f952fce3 (1'182 x CredentialFlusher, 446 x Formbook, 231 x AgentTesla)
ssdeep	24576:JqDEvCTbMWu7rQYlBQcBiT6rprG8a9YqySy3lVPSW6:JTvC/MTQYxsWR7a9Yq83lVPn
Threatray	1'930 similar samples on MalwareBazaar
TLSH	T10455BF027381C063FFAA96324F56F22147BD6E760437A91F17983DB9BE704B1163D6A2
TrID	68.8% (.CPL) Windows Control Panel Item (generic) (57583/11/19) 12.5% (.EXE) Win64 Executable (generic) (10523/12/4) 6.0% (.EXE) Win16 NE executable (generic) (5038/12/1) 5.3% (.EXE) Win32 Executable (generic) (4505/5/1) 2.4% (.EXE) OS/2 Executable (generic) (2029/13)
File icon (PE):
dhash icon	e0f0f8d4d4f0e296 (1 x AgentTesla, 1 x SnakeKeylogger)
Reporter	adm1n_usa32
Tags:	exe SnakeKeylogger

Intelligence

File Origin

# of uploads :

# of downloads :

343

Origin country :

Vendor Threat Intelligence

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/471384/

Detection(s):

SecuriteInfo.com.Trojan.Generic.33203615.28472.17882.UNOFFICIAL

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

autoit bladabindi control darkkomet greyware keylogger lolbin packed shell32 threat

Link:

https://www.filescan.io/uploads/65a8775e94d1aebfb2a527f5/reports/d7e734c9-2dd3-46b0-aa07-53633c4f91dc/overview

Verdict:

Malicious

Labled as:

Trojan.Generic

Link:

https://www.hybrid-analysis.com/sample/73b2fa63d7b589aff7fd4e4edb2dcefbb468c8d016b1976b8a8747ae53f9ebb6

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

LockBit Ransomware

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/d5cd8d75-d6f4-430c-b6c9-8022fcad4416

Result

Threat name:

Snake Keylogger

Detection:

malicious

Classification:

troj.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1376441

Signature

Antivirus / Scanner detection for submitted sample

Binary is likely a compiled AutoIt script file

Found API chain indicative of sandbox detection

Found malware configuration

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Maps a DLL or memory area into another process

Multi AV Scanner detection for submitted file

Yara detected Generic Downloader

Yara detected Snake Keylogger

Behaviour

Behavior Graph:

Download SVG

Score:

99%

Verdict:

Malware

File Type:

Link:

https://malprob.io/report/73b2fa63d7b589aff7fd4e4edb2dcefbb468c8d016b1976b8a8747ae53f9ebb6

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/73b2fa63d7b589aff7fd4e4edb2dcefbb468c8d016b1976b8a8747ae53f9ebb6/

Threat name:

Win32.Trojan.SnakeStealer

Status:

Malicious

First seen:

2024-01-17 10:03:39 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

17 of 24 (70.83%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=oozpuy6xwwe27575jzhnwloo7o2grsgqc2yzo24kq5d24u7z5o3a._file

Verdict:

malicious

SnakeKeylogger

583a2d1876ab1fe9703ac09dcd8a6a67cc86482f443691f343f4b2b4ec29dd0e

SnakeKeylogger

60e7d495e14577490e67715e6c3cce3a587227b4c551d07c324e40ac1076cd35

SnakeKeylogger

8a153debc69f1d51f36df5763d50971a0f6b0ff6d88012abfc619a9633cc2818

SnakeKeylogger

9c6536ae2b9588bf5dada49dc918a668a204e0903fc091bf1a5ebaacb9b5559f

SnakeKeylogger

c125c422c6534f72a342ec54231c2caaff61cb2f649bb764913ff76e25705d4c

SnakeKeylogger

+ 1'920 additional samples on MalwareBazaar

Result

Malware family:

snakekeylogger

Score:

10/10

Tags:

family:snakekeylogger collection keylogger spyware stealer

Link:

https://tria.ge/reports/240118-baxw1sacg6/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: MapViewOfSection

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

outlook_office_path

outlook_win_path

Suspicious use of SetThreadContext

Accesses Microsoft Outlook profiles

Looks up external IP address via web service

Reads user/profile data of local email clients

Reads user/profile data of web browsers

Snake Keylogger

Snake Keylogger payload

Unpacked files

SH256 hash:

73b2fa63d7b589aff7fd4e4edb2dcefbb468c8d016b1976b8a8747ae53f9ebb6

MD5 hash:

edebe7a0e4dc7a73d6f5cbbf7439cecf

SHA1 hash:

165d205fe0bbd649bb277ffd139b7a6f46c84e99

Detections:

AutoIT_Compiled

Link:

https://www.unpac.me/results/f46fd2bc-eb5c-4595-ad56-43d3349fbefa/

Malware family:

SnakeKeylogger

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/73b2fa63d7b5/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/73b2fa63d7b589aff7fd4e4edb2dcefbb468c8d016b1976b8a8747ae53f9ebb6

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	AutoIT_Compiled Create hunting rule
Author:	@bartblaze
Description:	Identifies compiled AutoIT script (as EXE). This rule by itself does NOT necessarily mean the detected file is malicious.

Rule name:	cobalt_strike_tmp01925d3f Create hunting rule
Author:	The DFIR Report
Description:	files - file ~tmp01925d3f.exe
Reference:	https://thedfirreport.com

Rule name:	DebuggerCheck__API Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	INDICATOR_SUSPICIOUS_Binary_References_Browsers Create hunting rule
Author:	ditekSHen
Description:	Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers.

Rule name:	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook Create hunting rule
Author:	ditekSHen
Description:	Detects executables with potential process hoocking

Rule name:	INDICATOR_SUSPICIOUS_EXE_References_Messaging_Clients Create hunting rule
Author:	ditekSHen
Description:	Detects executables referencing many email and collaboration clients. Observed in information stealers

Rule name:	maldoc_find_kernel32_base_method_1 Create hunting rule
Author:	Didier Stevens (https://DidierStevens.com)

Rule name:	MALWARE_Win_SnakeKeylogger Create hunting rule
Author:	ditekSHen
Description:	Detects Snake Keylogger

Rule name:	MAL_Envrial_Jan18_1 Create hunting rule
Author:	Florian Roth (Nextron Systems)
Description:	Detects Encrial credential stealer malware
Reference:	https://twitter.com/malwrhunterteam/status/953313514629853184

Rule name:	MAL_Envrial_Jan18_1_RID2D8C Create hunting rule
Author:	Florian Roth
Description:	Detects Encrial credential stealer malware
Reference:	https://twitter.com/malwrhunterteam/status/953313514629853184

Rule name:	NET Create hunting rule
Author:	malware-lu

Rule name:	Windows_Trojan_SnakeKeylogger_af3faa65 Create hunting rule
Author:	Elastic Security

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/471384/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample