MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 780456b57aaadbd88e551ecb450ecdf82a34a37af423c2ed21f76a78b2aedbb0. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


SnakeKeylogger


Vendor detections: 16


Intelligence 16 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 780456b57aaadbd88e551ecb450ecdf82a34a37af423c2ed21f76a78b2aedbb0
SHA3-384 hash: 52f4578a0772038a6bb58b215467b8060262ad9282861ea00ae13a756dec19d79112e9b4b3af766ddc274a32fccbe97f
SHA1 hash: 6aa37e067b745386ee54c0c78aa4e7ba252ee013
MD5 hash: ada3e2709fd16ad0eeedbc7df837b23b
humanhash: four-kentucky-enemy-princess
File name:Remittance advice.exe
Download: download sample
Signature SnakeKeylogger
Create hunting rule
File size:842'240 bytes
First seen:2023-03-08 20:46:25 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'740 x AgentTesla, 19'599 x Formbook, 12'241 x SnakeKeylogger)
ssdeep 24576:da/5u615eHmbDkWjub+TcpKNiYNqEKZb2g4YLYw:u3bgCcA2n5Lp
Threatray 181 similar samples on MalwareBazaar
TLSH T16905CF5573B19423FC8F41BA192BE69D2DB175033355E23B6B7B3AE1D2016BFB288241
TrID 71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.2% (.EXE) Win64 Executable (generic) (10523/12/4)
6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.3% (.EXE) Win32 Executable (generic) (4505/5/1)
2.0% (.ICL) Windows Icons Library (generic) (2059/9)
File icon (PE):PE icon
dhash icon 00f0f4f4eca43600 (5 x Loki, 5 x SnakeKeylogger, 5 x AgentTesla)
Reporter abuse_ch
Tags:exe SnakeKeylogger

Intelligence

File Origin
# of uploads :
1
# of downloads :
213
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
Remittance advice.exe
Verdict:
Malicious activity
Analysis date:
2023-03-08 20:57:32 UTC
Tags:
snake keylogger trojan evasion
Link:
https://app.any.run/tasks/701e7ebc-af32-42c0-b986-c9ec780cf21b

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Snake
Create hunting rule
Link:
https://www.capesandbox.com/analysis/372717/
Detection(s):
SecuriteInfo.com.MSIL.Kryptik.WZA.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Creating a window
Sending a custom TCP request
Launching a process
Creating a process with a hidden window
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
packed
Link:
https://www.filescan.io/uploads/6408f44ded3d33698044d849/reports/a64fb2c0-9c8b-4618-9f6e-d299a1b3971c/overview
Verdict:
Malicious
Labled as:
Trojan.Generic
Link:
https://www.hybrid-analysis.com/sample/780456b57aaadbd88e551ecb450ecdf82a34a37af423c2ed21f76a78b2aedbb0
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Generic Malware
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/5271f24b-fe28-4338-aa6b-19242c7f9345
Result
Threat name:
Snake Keylogger
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1189966
Signature
Adds a directory exclusion to Windows Defender
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
May check the online IP address of the machine
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Scheduled temp file as task from temp location
Snort IDS alert for network traffic
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Mail credentials (via file / registry access)
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected Generic Downloader
Yara detected Snake Keylogger
Yara detected Telegram RAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 822845 Sample: Remittance_advice.exe Startdate: 09/03/2023 Architecture: WINDOWS Score: 100 49 Snort IDS alert for network traffic 2->49 51 Malicious sample detected (through community Yara rule) 2->51 53 Sigma detected: Scheduled temp file as task from temp location 2->53 55 5 other signatures 2->55 7 Remittance_advice.exe 7 2->7         started        11 DtdfcKVYwcv.exe 5 2->11         started        process3 file4 33 C:\Users\user\AppData\...\DtdfcKVYwcv.exe, PE32 7->33 dropped 35 C:\Users\...\DtdfcKVYwcv.exe:Zone.Identifier, ASCII 7->35 dropped 37 C:\Users\user\AppData\Local\...\tmp6A15.tmp, XML 7->37 dropped 39 C:\Users\user\...\Remittance_advice.exe.log, ASCII 7->39 dropped 57 May check the online IP address of the machine 7->57 59 Uses schtasks.exe or at.exe to add and modify task schedules 7->59 61 Adds a directory exclusion to Windows Defender 7->61 13 Remittance_advice.exe 15 2 7->13         started        17 powershell.exe 21 7->17         started        19 schtasks.exe 1 7->19         started        63 Multi AV Scanner detection for dropped file 11->63 65 Machine Learning detection for dropped file 11->65 67 Injects a PE file into a foreign processes 11->67 21 DtdfcKVYwcv.exe 2 11->21         started        23 schtasks.exe 1 11->23         started        25 DtdfcKVYwcv.exe 11->25         started        signatures5 process6 dnsIp7 41 checkip.dyndns.com 132.226.247.73, 49684, 49685, 80 UTMEMUS United States 13->41 43 checkip.dyndns.org 13->43 45 192.168.2.1 unknown unknown 13->45 27 conhost.exe 17->27         started        29 conhost.exe 19->29         started        47 checkip.dyndns.org 21->47 69 Tries to steal Mail credentials (via file / registry access) 21->69 71 Tries to harvest and steal ftp login credentials 21->71 73 Tries to harvest and steal browser information (history, passwords, etc) 21->73 31 conhost.exe 23->31         started        signatures8 process9
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/780456b57aaadbd88e551ecb450ecdf82a34a37af423c2ed21f76a78b2aedbb0/
Threat name:
ByteCode-MSIL.Trojan.SnakeKeylogger
Create hunting rule
Status:
Malicious
First seen:
2023-03-08 07:15:32 UTC
File Type:
PE (.Net Exe)
Extracted files:
24
AV detection:
18 of 24 (75.00%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=pacfnnl2vln5rdsvd3fukdwn7avdji326qr4f3jb65vhrmvo3oya._file
Verdict:
malicious
Similar samples:
105564f796b71e908a08ce7cdac01b5e441569cc03cf14293f7e482790ad51dd
SnakeKeylogger
18f55a945ae83f15c75eb486ff1bf45c423bac4fe7ab87a289844a5181fbc285
SnakeKeylogger
2561cf63e82a6252154212b50f71d0705250edbe123b76e552b785d3c74a8bc2
SnakeKeylogger
3b9b37912769526d5ca753f309018434f6d56410b88695472cdf6e948b9645f6
SnakeKeylogger
7ce6cf0e5a6d6633a5a6aef7d6ae9fe05e4ee2fffe4e7d4a2e5f7cf2562b07a1
SnakeKeylogger
8b5d7a796b73fdf3898ef5899cdb03f92270b9fad8c520cca19d957bce8e59a4
SnakeKeylogger
9ad90b66ba9684bd452c7d9ef3e9c7cf561db81e32c3825d0e2d502228be0024
SnakeKeylogger
c09e645a4d4be15d6002fec574468e1262d42769d2a3f1d0b17baf930449d47e
SnakeKeylogger
ed5e7918456cfccd873fe19861241d97abf4b157f88e9da9a9119651480eae15
SnakeKeylogger
+ 171 additional samples on MalwareBazaar
Result
Malware family:
snakekeylogger
Create hunting rule
Score:
  10/10
Tags:
family:snakekeylogger collection keylogger spyware stealer
Link:
https://tria.ge/reports/230308-zkwnpsgh98/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Enumerates physical storage devices
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Looks up external IP address via web service
Checks computer location settings
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Snake Keylogger
Snake Keylogger payload
Malware Config
C2 Extraction:
https://api.telegram.org/bot6041013494:AAH-I-5N7YCs5dQrpIdJ8toHohqsTM_GsfI/sendMessage?chat_id=6291600401
Unpacked files
SH256 hash:
5b67fc4f46ebc83af0605658ef6bce9727cb32700f0870539761537635a44d05
MD5 hash:
8b90e3a239ec05b014fc4b38b0e0d11c
SHA1 hash:
b0b9445f03363b1fab1636e6266f7bef1611cdfe
Link:
https://www.unpac.me/results/b1989396-573a-4518-b729-0af610756261/
SH256 hash:
69ebc3203e007a0dec688eeb68156d98c815eecb38f3fc1d928f72f451718585
MD5 hash:
776eb2d7a698bf94ce5a0a61377e82d9
SHA1 hash:
63c713402b6f0ccfa6387c5a6e5373bf7bb50869
Link:
https://www.unpac.me/results/b1989396-573a-4518-b729-0af610756261/
SH256 hash:
dd49948e0b3393a8b53084075ec2f2a8c36813d1ba1ca538697eb62ec4b4deae
MD5 hash:
538dab51e58b7dd3809664982f4d0746
SHA1 hash:
4e7f9615f1d96b087c453a72217662f867e0520d
Link:
https://www.unpac.me/results/b1989396-573a-4518-b729-0af610756261/
SH256 hash:
74ad5e3b5adcc8fa71e498badf48275500c3090a82f317e8dc4e07d83d0418a2
MD5 hash:
843d5af40b52eed8701383dbcb37c8b1
SHA1 hash:
308d0f63a9a70739e6e44cd66452d36bd253e01d
Link:
https://www.unpac.me/results/b1989396-573a-4518-b729-0af610756261/
SH256 hash:
dcd04fdee91bcf25c14e5fa65702eec52842d9a6ec1a3db64bdc93642c0c4bb6
MD5 hash:
3aca638bf06e5a1c1d5fb8b8b263c243
SHA1 hash:
011daf23e678cb3b186bb3aa40a2bc4afbd9adc5
Detections:
snake_keylogger
Create hunting rule
Link:
https://www.unpac.me/results/b1989396-573a-4518-b729-0af610756261/
Parent samples :
896363cb6c5505b48615777ce409a415de259e7277888afc1bceae8afbf3b03c
0143b411f3c0c02a845fa45cca9fd02df3da4334ad748fd119759f877c1e7ef2
cf13df594c6d63c04b8252028daa722e3b31b6538b578b90539b4d7be900f0ca
10b51c1b01c212fb397f492f3df0ca4a5847e2350d6df9f58ca50442f9e594b4
780456b57aaadbd88e551ecb450ecdf82a34a37af423c2ed21f76a78b2aedbb0
dccf5b8c832a7a3d49a6c78292bfbc79ec27db0124333ba5f23c48b507fb1c26
aa8539591c2d7917346df8dd343e4f1cbe98f2eba1753f3975a20b99c1d43868
5aeac4f6bc3f67763868803e6f4ed041dd0239d05a767075191f31fad97d30ab
b8798bb0929feeb65bf8b6f56e06cc6a150d8f18800d23af210da7972649c28d
5d636852cc55c97e4be8ac1fcb06449942f74d2cfc1528c0149049f2cef1bf67
39284637e45691feb034477cb6d51b662892a17b883ce42cee8d8e2fcdda4817
7ba7461d2987044a067dcecfd2e40a6998eb741c4c069e5a4990d14bec768c7e
164cbbf08f08867c791c5c8f901b74c6502e033bfa0abb59b664755a5ae727cd
063673e920d3daadc423a330055f7ed85d270311c5ef7f812e2f70dbdec562a7
d881da9db40f9e11ada612b949960e934f3c782ef2a18324d96b6ad7f74cfbac
SH256 hash:
780456b57aaadbd88e551ecb450ecdf82a34a37af423c2ed21f76a78b2aedbb0
MD5 hash:
ada3e2709fd16ad0eeedbc7df837b23b
SHA1 hash:
6aa37e067b745386ee54c0c78aa4e7ba252ee013
Link:
https://www.unpac.me/results/b1989396-573a-4518-b729-0af610756261/
Malware family:
SnakeKeylogger
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/780456b57aaa/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
0.90
Link:
https://yomi.yoroi.company/submissions/780456b57aaadbd88e551ecb450ecdf82a34a37af423c2ed21f76a78b2aedbb0

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/372717/

Comments