MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 754a54274a1b8866d5d4f9346522e0b2d59e5b77ab25ef7a73e37ddd6326fb7f. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


SnakeKeylogger


Vendor detections: 7


Intelligence 7 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 754a54274a1b8866d5d4f9346522e0b2d59e5b77ab25ef7a73e37ddd6326fb7f
SHA3-384 hash: 2d8a28ec5bb1750d425dfb374086b1864a50669db5613d5c571354943220c95b7f471650926a8f59dbde5878bc03608e
SHA1 hash: 38f103c1d3a3c7ffc1177e1a0aa86600a068a233
MD5 hash: eca59ecf4f1290fc47c6756c36c7dd5c
humanhash: whiskey-tango-london-washington
File name:Factura032444,pdf.exe
Download: download sample
Signature SnakeKeylogger
Create hunting rule
File size:18'944 bytes
First seen:2022-03-25 13:23:00 UTC
Last seen:2024-07-24 16:12:58 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'664 x AgentTesla, 19'478 x Formbook, 12'208 x SnakeKeylogger)
ssdeep 192:59UkTUXh2GHEzmn4kCPs1arUGBNMGBUKdepk0KVOyghWsxu3zXxGaBZOvXEo:5dUXhRHKQHpSUaepk0OOyd3zXzY0
Threatray 82 similar samples on MalwareBazaar
TLSH T137825D18B396C273D0A64F3294E30BD1AAB8D7255A33470FDD82163DDA433191EA6F71
File icon (PE):PE icon
dhash icon 489669d8d8699648 (53 x AgentTesla, 24 x SnakeKeylogger, 16 x AveMariaRAT)
Reporter GovCERT_CH
Tags:exe SnakeKeylogger

Intelligence

File Origin
# of uploads :
3
# of downloads :
220
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/257700/
Detection(s):
SecuriteInfo.com.W32.MSIL_Kryptik.GRB.genEldorado.23819.25489.UNOFFICIAL
Create hunting rule

Result
Verdict:
Clean
Maliciousness:

Behaviour
Searching for the window
Сreating synchronization primitives
DNS request
Searching for synchronization primitives
Launching the default Windows debugger (dwwin.exe)
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
obfuscated packed
Link:
https://www.filescan.io/uploads/623dc23ca19c6494128db2f8/reports/1e019a38-dbcd-488a-adcd-992d7e46901a/overview
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/f24834a8-0432-4eb8-9e2a-8f3b3ad6050e
Result
Threat name:
Snake Keylogger
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/964603
Signature
.NET source code contains potential unpacker
.NET source code references suspicious native API functions
Allocates memory in foreign processes
Creates an undocumented autostart registry key
Found malware configuration
Injects a PE file into a foreign processes
Malicious sample detected (through community Yara rule)
May check the online IP address of the machine
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Silenttrinity Stager Msbuild Activity
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Mail credentials (via file / registry access)
Writes to foreign memory regions
Yara detected Costura Assembly Loader
Yara detected Snake Keylogger
Yara detected Telegram RAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 597085 Sample: Factura032444,pdf.exe Startdate: 25/03/2022 Architecture: WINDOWS Score: 100 34 Found malware configuration 2->34 36 Malicious sample detected (through community Yara rule) 2->36 38 Multi AV Scanner detection for dropped file 2->38 40 8 other signatures 2->40 7 Factura032444,pdf.exe 16 6 2->7         started        process3 dnsIp4 26 45.137.22.122, 49760, 80 ROOTLAYERNETNL Netherlands 7->26 22 C:\Users\user\AppData\Roaming\lexplore.exe, PE32 7->22 dropped 24 C:\Users\user\...\Factura032444,pdf.exe.log, ASCII 7->24 dropped 42 Creates an undocumented autostart registry key 7->42 44 Writes to foreign memory regions 7->44 46 Allocates memory in foreign processes 7->46 48 Injects a PE file into a foreign processes 7->48 12 MSBuild.exe 14 2 7->12         started        16 cmd.exe 1 7->16         started        file5 signatures6 process7 dnsIp8 28 checkip.dyndns.com 132.226.247.73, 49794, 80 UTMEMUS United States 12->28 30 checkip.dyndns.org 12->30 32 freegeoip.app 188.114.97.7, 443, 49795 CLOUDFLARENETUS European Union 12->32 50 May check the online IP address of the machine 12->50 52 Tries to steal Mail credentials (via file / registry access) 12->52 54 Tries to harvest and steal ftp login credentials 12->54 56 Tries to harvest and steal browser information (history, passwords, etc) 12->56 18 conhost.exe 16->18         started        20 timeout.exe 1 16->20         started        signatures9 process10
Detection:
snakekeylogger
Create hunting rule
Link:
https://mwdb.cert.pl/sample/754a54274a1b8866d5d4f9346522e0b2d59e5b77ab25ef7a73e37ddd6326fb7f/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2022-03-25 13:23:11 UTC
File Type:
PE (.Net Exe)
Extracted files:
11
AV detection:
17 of 25 (68.00%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=ovffij2kdoegnvou7e2gkixawlkz4w3xvms666tt4n652yzg7n7q._file
Verdict:
unknown
Similar samples:
0fe497b1acbeb3a024b44a626b7b12648789aa7a5c41e828d5d1d7817a7f6eab
SnakeKeylogger
2d21ffd087346917668a0a424138c2ebbc60efa1162fd499c2edc6b85c6cf281
SnakeKeylogger
4a4dfa10b15f6169d9523beb501854f5aafcf99e9e4ebb2684a61f84e5f2fed3
SnakeKeylogger
805aad97c81dea343c603fa472f65b9061c97731e3870bf5de9d8427e604e001
SnakeKeylogger
d7ccb616fe7cb8a33d18db6b40c9221db0d7eab713d189306fd7e7565c5d2da8
SnakeKeylogger
f1be4e6d3dc2c6d4ad04a512152177aea74eafcf6c17824db54ef95185915139
SnakeKeylogger
f3de094d3b47ff5064f8163c62df41b615e851a49d1dfbd4904dc188d5234611
SnakeKeylogger
f442097ffe0336d6712267088a4368aa539f51f7ea7d1e950da88c6a42f1b29e
SnakeKeylogger
+ 72 additional samples on MalwareBazaar
Result
Malware family:
snakekeylogger
Create hunting rule
Score:
  10/10
Tags:
family:snakekeylogger collection keylogger persistence stealer
Link:
https://tria.ge/reports/220325-qmt38adcgl/
Behaviour
Delays execution with timeout.exe
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Enumerates physical storage devices
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Looks up external IP address via web service
Checks computer location settings
Modifies WinLogon for persistence
Snake Keylogger
Snake Keylogger Payload
Unpacked files
SH256 hash:
754a54274a1b8866d5d4f9346522e0b2d59e5b77ab25ef7a73e37ddd6326fb7f
MD5 hash:
eca59ecf4f1290fc47c6756c36c7dd5c
SHA1 hash:
38f103c1d3a3c7ffc1177e1a0aa86600a068a233
Link:
https://www.unpac.me/results/9758fff5-8673-4f1f-9adb-23c53c738b74/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.35
Link:
https://yomi.yoroi.company/submissions/754a54274a1b8866d5d4f9346522e0b2d59e5b77ab25ef7a73e37ddd6326fb7f

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:buerloader_halo_generated
Create hunting rule
Author:Halogen Generated Rule, Corsin Camichel
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

SnakeKeylogger

Executable exe 754a54274a1b8866d5d4f9346522e0b2d59e5b77ab25ef7a73e37ddd6326fb7f

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/257700/

Comments