MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 7753af1911ff73ecac07b26ff5ce15cf04ed197748bc2ac3984c5413faa19a97. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

SnakeKeylogger

Vendor detections: 12

Intelligence 12 IOCs YARA 2 File information Comments

SHA256 hash:	7753af1911ff73ecac07b26ff5ce15cf04ed197748bc2ac3984c5413faa19a97
SHA3-384 hash:	1fac7777d28f15144c3e8b305b52c55b88e3983212042fe536bd79f4ed96e1c298361c984402aff577791ed6277ad63a
SHA1 hash:	cd248bcc0b3631f234401ad17c5d0e9dd76d3e3b
MD5 hash:	9721c84a7ef08e1174f8b0986ace01de
humanhash:	twenty-nebraska-nevada-sierra
File name:	Piping Bulk Material Details.exe
Download:	download sample
Signature	SnakeKeylogger Create hunting rule
File size:	748'544 bytes
First seen:	2023-07-12 06:47:36 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'743 x AgentTesla, 19'608 x Formbook, 12'242 x SnakeKeylogger)
ssdeep	12288:uyXNhGRXUnmW7xuXp+aWGcVC50yFVdTCLLQyTox81tIjd4Ic:pbUF72L8go4SR
Threatray	3'152 similar samples on MalwareBazaar
TLSH	T1B6F4233DA414222ACD7CDEAA46CF494CF2E2560BF35EB93F2AD61AC34611941F7C681D
TrID	63.0% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13) 11.2% (.SCR) Windows screen saver (13097/50/3) 9.0% (.EXE) Win64 Executable (generic) (10523/12/4) 5.6% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 3.8% (.EXE) Win32 Executable (generic) (4505/5/1)
Reporter	abuse_ch
Tags:	exe SnakeKeylogger

Intelligence

File Origin

# of uploads :

# of downloads :

267

Origin country :

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

Piping Bulk Material Details.exe

Verdict:

Malicious activity

Analysis date:

2023-07-12 06:51:27 UTC

Tags:

snake

Link:

https://app.any.run/tasks/a2600482-e85d-4f82-bcbd-c3631c93d188

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/416426/

Detection(s):

SecuriteInfo.com.Trojan.Inject4.58985.15290.4890.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

Launching a process

Creating a process with a hidden window

Restart of the analyzed sample

Verdict:

Suspicious

Threat level:

5/10

Confidence:

100%

Tags:

lolbin packed replace

Link:

https://www.filescan.io/uploads/64ae4ca3a15fc7eb4fd116ef/reports/6c0a621f-b6ab-45b4-a79a-6ae994dbc91a/overview

Verdict:

Malicious

Labled as:

Win/malicious_confidence_90%

Link:

https://www.hybrid-analysis.com/sample/7753af1911ff73ecac07b26ff5ce15cf04ed197748bc2ac3984c5413faa19a97

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Verdict:

Suspicious

Link:

https://analyze.intezer.com/analyses/71b0139c-9732-47f9-93b9-d22744e3c865

Result

Threat name:

Snake Keylogger

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1271572

Signature

Found malware configuration

Injects a PE file into a foreign processes

Machine Learning detection for dropped file

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

May check the online IP address of the machine

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Sigma detected: Scheduled temp file as task from temp location

Snort IDS alert for network traffic

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Mail credentials (via file / registry access)

Uses schtasks.exe or at.exe to add and modify task schedules

Yara detected Generic Downloader

Yara detected Snake Keylogger

Yara detected Telegram RAT

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/7753af1911ff73ecac07b26ff5ce15cf04ed197748bc2ac3984c5413faa19a97/

Threat name:

Win32.Trojan.Leonem

Status:

Malicious

First seen:

2023-07-12 06:48:05 UTC

File Type:

PE (.Net Exe)

Extracted files:

AV detection:

19 of 23 (82.61%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=o5j26gir75z6zlahwjx7ltqvz4co2glxjc6cvq4yjrkbh6vbtklq._file

Verdict:

malicious

SnakeKeylogger

11ac39821487f87eac7ad91f2d6d94037cd25947d6485a0e974d89fadbf2f950

SnakeKeylogger

4bd65c6278bf0a954b76e47052d212150a61be572f3f0dd2dac5345dfd875707

SnakeKeylogger

53081b8516852eee078265c82b2f9b70367d3d2a50d8886e24f2704a3b683929

SnakeKeylogger

8158e1869f8d46e43475b20b428189503dee35d2a34da9467fd58c95fc7f6057

SnakeKeylogger

9c3a93c9fb73bcb55516b64442f10442919ce9e8d6e00a751e5a86f516bd9ecf

SnakeKeylogger

b88395f4d398c54925af660992e5b72acae5e15823ea88b91b528415eb674566

SnakeKeylogger

b9ef8dc07e74e61208650e6141a5f9a9f1d3c3fa0e925ca5b6c38aa1f4f900cd

SnakeKeylogger

eb6ac5c1adc4a760d3632874fd1ce4299e761023a5afedeaffdcf27009d185b8

SnakeKeylogger

+ 3'142 additional samples on MalwareBazaar

Result

Malware family:

snakekeylogger

Score:

10/10

Tags:

family:snakekeylogger collection keylogger spyware stealer

Link:

https://tria.ge/reports/230712-hkrw3scc43/

Behaviour

Checks processor information in registry

Creates scheduled task(s)

Enumerates system info in registry

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Uses Task Scheduler COM API

outlook_office_path

outlook_win_path

Enumerates physical storage devices

Program crash

Drops file in System32 directory

Suspicious use of SetThreadContext

Accesses Microsoft Outlook profiles

Looks up external IP address via web service

Checks computer location settings

Reads user/profile data of local email clients

Reads user/profile data of web browsers

Snake Keylogger

Snake Keylogger payload

Unpacked files

SH256 hash:

7e0a2bcf1ce5abd41cda5a205062a98de2841fc1f02cd03b2ff499a4a39f8b75

MD5 hash:

3c6f514115966ffedfa449f598a6004a

SHA1 hash:

b8eeb4b3ec2b7db6240a365902b5419e5b8ebc99

Link:

https://www.unpac.me/results/ac73571e-1282-4057-9b21-93f82e0141b3/

SH256 hash:

d13c6f18c9166783d0df281b20f83c1eead33c8ad8ae3fa649f0484d46ad2e4f

MD5 hash:

2e79fb8c175018dbae8284e99a3bb56f

SHA1 hash:

00ff18727d6f2de95ccf9bfb5b3f336dfd64ee42

Detections:

snake_keylogger

Link:

https://www.unpac.me/results/ac73571e-1282-4057-9b21-93f82e0141b3/

Parent samples :

e74ecf1c2f87e3182e7a6414767b62eeea8a49e1d1b08894fbb50a8cd6243961
bde75e5a73df3ef95e72fd79905f718427f70945166bbf8558f9e84b3605abaa
a854d103628be8a5a7fba616001a113407ef81f817e61961099fa6138c0690d5
4bd65c6278bf0a954b76e47052d212150a61be572f3f0dd2dac5345dfd875707
8158e1869f8d46e43475b20b428189503dee35d2a34da9467fd58c95fc7f6057
9c3a93c9fb73bcb55516b64442f10442919ce9e8d6e00a751e5a86f516bd9ecf
b9ef8dc07e74e61208650e6141a5f9a9f1d3c3fa0e925ca5b6c38aa1f4f900cd
08d13a3f8a8759c5124ced987c74889a2fdf42b491e78e30a4a546857c4eed0d
11ac39821487f87eac7ad91f2d6d94037cd25947d6485a0e974d89fadbf2f950
7753af1911ff73ecac07b26ff5ce15cf04ed197748bc2ac3984c5413faa19a97

SH256 hash:

158fab6189a60302592807c6f297b7cfe7be866f59e4c63413ac54faef14e34c

MD5 hash:

02f26f2c2c3688d9a2397e40548117b7

SHA1 hash:

469f63d5f127cab9666c216fee5f4cc03dfdcd9d

Link:

https://www.unpac.me/results/ac73571e-1282-4057-9b21-93f82e0141b3/

SH256 hash:

7753af1911ff73ecac07b26ff5ce15cf04ed197748bc2ac3984c5413faa19a97

MD5 hash:

9721c84a7ef08e1174f8b0986ace01de

SHA1 hash:

cd248bcc0b3631f234401ad17c5d0e9dd76d3e3b

Link:

https://www.unpac.me/results/ac73571e-1282-4057-9b21-93f82e0141b3/

Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	pe_imphash Create hunting rule

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

SnakeKeylogger

exe 7753af1911ff73ecac07b26ff5ce15cf04ed197748bc2ac3984c5413faa19a97

(this sample)

Delivery method

Distributed via e-mail attachment

Cape

https://www.capesandbox.com/analysis/416426/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample