MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 7a7155d76d2967e717ad98faa6204b54f2a3bd03ccf920dede8fcc432177a2d0. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


SnakeKeylogger


Vendor detections: 11


Intelligence 11 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 7a7155d76d2967e717ad98faa6204b54f2a3bd03ccf920dede8fcc432177a2d0
SHA3-384 hash: a943ab88e751de2acf88c79974eda85c04d28c5b3d2e4e257b2b1b9df7fdfd4c242fbd734b827ed8f845ad5376f3b342
SHA1 hash: 7b152444c1c42efa831f0f2aa45982cf92f188b3
MD5 hash: 6aa2efb17fffe54d53b2e9072564a01a
humanhash: fourteen-failed-ceiling-wyoming
File name:Request For Quotation.exe
Download: download sample
Signature SnakeKeylogger
Create hunting rule
File size:1'030'656 bytes
First seen:2021-08-04 05:06:37 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'666 x AgentTesla, 19'479 x Formbook, 12'209 x SnakeKeylogger)
ssdeep 12288:CE2ibewE5JTocHYZEv24JrxS2jSRK88N3/A2lyj6P17L2XRk8iOL3Z7nqhhN41ca:tbqsEu471bZ/Tyj6d7gL9w74SM31vy56
Threatray 517 similar samples on MalwareBazaar
TLSH T1492501BDD2067FB7D2B8A0768405120D57F1D2027D12F3AB7EACA2D642D3F2657A3618
Reporter GovCERT_CH
Tags:exe SnakeKeylogger

Intelligence

File Origin
# of uploads :
1
# of downloads :
126
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
Request For Quotation.exe
Verdict:
Malicious activity
Analysis date:
2021-08-04 05:07:43 UTC
Tags:
evasion trojan
Link:
https://app.any.run/tasks/3ec733a8-2d94-4fe3-9da8-f7c9df499596

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/176213/
Detection(s):
SecuriteInfo.com.MSIL.Kryptik.VFR-1.UNOFFICIAL
Create hunting rule

SecuriteInfo.com.MSIL.Kryptik.WZA.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a UDP request
Creating a file in the %AppData% directory
Enabling the 'hidden' option for recently created files
Adding an access-denied ACE
Creating a file in the %temp% directory
Launching a process
Creating a process with a hidden window
Deleting a recently created file
Unauthorized injection to a recently created process
Creating a file
DNS request
Connection attempt
Sending an HTTP GET request
Sending a custom TCP request
Reading critical registry keys
Enabling autorun by creating a file
Forced shutdown of a browser
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Snake Keylogger
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/a06c091c-0973-4dad-9013-824f0cab1eea
Result
Threat name:
Snake Keylogger
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/826622
Signature
.NET source code references suspicious native API functions
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Found malware configuration
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
May check the online IP address of the machine
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Mail credentials (via file access)
Uses schtasks.exe or at.exe to add and modify task schedules
Uses the Telegram API (likely for C&C communication)
Yara detected AntiVM3
Yara detected Snake Keylogger
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/7a7155d76d2967e717ad98faa6204b54f2a3bd03ccf920dede8fcc432177a2d0/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2021-08-03 08:28:50 UTC
AV detection:
20 of 27 (74.07%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=pjyvlv3nfft6of5ntd5kmiclktzkhpidzt4sbxw6r7gegilxulia._file
Verdict:
malicious
Similar samples:
022e918d8b07b6bda3fc703e212db5d145fa5814f33ea2fa8a350e2be405a348
SnakeKeylogger
12fd71647d0ddc3a5619975288f310047162f1258765d337efaee411c9f7e7f4
SnakeKeylogger
42e71a6e0d1db101fe1fb3f5d8f067aea2fda52b24050dbadea6d8ebdddc4a81
SnakeKeylogger
83fef9d67405ca7975e04fc8c66e7d298809f90260d1b287f709a3bae49f502e
SnakeKeylogger
ab3bd41484af4af797f93d64c2c420accfdb426c635bdcbad90bfef989b2f4db
SnakeKeylogger
c751f9d546d20216bdc996ecdcea6ee9f57771682879383621bff83a8229e384
SnakeKeylogger
e0da065f5de30c5ba0f494a5e042fadef310039fef35896a61756d49c6e21611
SnakeKeylogger
f60897df461030a6640c3877dd00d8dda07166f66ba3fcbff47f1a41d8dd8127
SnakeKeylogger
f65f899fc6cc494d6c59311f4a0519fa6ba0c9859c8ce13a5adc30aa9fd1817b
SnakeKeylogger
+ 507 additional samples on MalwareBazaar
Result
Malware family:
snakekeylogger
Create hunting rule
Score:
  10/10
Tags:
family:snakekeylogger keylogger spyware stealer
Link:
https://tria.ge/reports/210804-mpc6cvafzx/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Drops file in Windows directory
Suspicious use of SetThreadContext
Drops desktop.ini file(s)
Looks up external IP address via web service
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Snake Keylogger
Malware Config
C2 Extraction:
https://api.telegram.org/bot1487657528:AAFnNHLAtj_ujed9_IjvpSguj8z_a4GKbog/sendMessage?chat_id=1443320838
Unpacked files
SH256 hash:
a66992a2f52c9947fe8a4d8fcd0540f651797704dedd8e8212954f0be06af77b
MD5 hash:
71dd48628c83a40c64791ab24cb995bb
SHA1 hash:
55eb113a1172749199158bacae5ad9f1b78e2b49
Link:
https://www.unpac.me/results/bbdce0a3-7a06-49d3-893d-130a67b094b7/
SH256 hash:
2b009add484df2d72c9f7a6422f0ff7cdc80a6e8ea8228b0141008726526aec9
MD5 hash:
a6ff2e44d4a22f632b7bc7333f8e914d
SHA1 hash:
3833278d5c09be40a2b70c810af310719a97f772
Link:
https://www.unpac.me/results/bbdce0a3-7a06-49d3-893d-130a67b094b7/
SH256 hash:
cfef97ff706312dff4edd998aeee22f1283221631ebb0cc954bebbb701c1465c
MD5 hash:
a0f625a3d3348903f3c902f588c0e4f5
SHA1 hash:
20d1f0b74abe6f500e8c21119f55281926210ac0
Link:
https://www.unpac.me/results/bbdce0a3-7a06-49d3-893d-130a67b094b7/
SH256 hash:
7a7155d76d2967e717ad98faa6204b54f2a3bd03ccf920dede8fcc432177a2d0
MD5 hash:
6aa2efb17fffe54d53b2e9072564a01a
SHA1 hash:
7b152444c1c42efa831f0f2aa45982cf92f188b3
Link:
https://www.unpac.me/results/bbdce0a3-7a06-49d3-893d-130a67b094b7/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/7a7155d76d2967e717ad98faa6204b54f2a3bd03ccf920dede8fcc432177a2d0

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

SnakeKeylogger

Executable exe 7a7155d76d2967e717ad98faa6204b54f2a3bd03ccf920dede8fcc432177a2d0

(this sample)

  
Dropped by
null
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/176213/

Comments