MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 7a96faef83e248093584f633bdb3057dda34f1e028683d54401fba6143cf2c32. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

SnakeKeylogger

Vendor detections: 11

Intelligence 11 IOCs YARA 2 File information Comments

SHA256 hash:	7a96faef83e248093584f633bdb3057dda34f1e028683d54401fba6143cf2c32
SHA3-384 hash:	676656b25b1d22472c32772345174e9872badf1e0632479c8eadb1d8416f5f5238b9abf19be06515d926252707a9947a
SHA1 hash:	f4e15e8600affc68dd028ec2d1b10dfc03f587cb
MD5 hash:	236aaedb72a16cae9d65454c7ed8db59
humanhash:	tango-alanine-summer-black
File name:	Para Transferi - SWIFT.exe
Download:	download sample
Signature	SnakeKeylogger Create hunting rule
File size:	1'020'928 bytes
First seen:	2022-10-24 12:20:56 UTC
Last seen:	2022-10-24 13:21:14 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'666 x AgentTesla, 19'479 x Formbook, 12'209 x SnakeKeylogger)
ssdeep	12288:ouev57kTyj+NNagXwrhZ1LwzILXUPkPI0s+X/Eu73JEvOJFi3OAPDHYkpFYMEME1:olr+NNap/1EzIL7PIhWsur
Threatray	7'836 similar samples on MalwareBazaar
TLSH	T1FF25396837556B9FC497CD35D864DCB0AA616C7B971F8643D0C32EFBB80D1A69E0C0A2
TrID	61.5% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13) 11.0% (.SCR) Windows screen saver (13101/52/3) 8.8% (.EXE) Win64 Executable (generic) (10523/12/4) 5.5% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 4.2% (.EXE) Win16 NE executable (generic) (5038/12/1)
Reporter	abuse_ch
Tags:	exe SnakeKeylogger

Intelligence

File Origin

# of uploads :

# of downloads :

187

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

Para Transferi - SWIFT.exe

Verdict:

Malicious activity

Analysis date:

2022-10-24 12:21:31 UTC

Tags:

evasion trojan snake

Link:

https://app.any.run/tasks/126c80e1-2528-40f1-a089-4d4b7acf099d

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

Snake

Link:

https://www.capesandbox.com/analysis/323378/

Detection(s):

SecuriteInfo.com.Win32.Malware-gen.20363.29691.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

Sending a custom TCP request

Result

Verdict:

UNKNOWN

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Snake Keylogger

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/b284ce10-bf12-464f-95f0-b2ecf9039671

Result

Threat name:

Snake Keylogger

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1097058

Signature

.NET source code references suspicious native API functions

Detected unpacking (changes PE section rights)

Detected unpacking (overwrites its own PE header)

Injects a PE file into a foreign processes

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

May check the online IP address of the machine

Multi AV Scanner detection for submitted file

Snort IDS alert for network traffic

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to steal Mail credentials (via file / registry access)

Yara detected AntiVM3

Yara detected Generic Downloader

Yara detected Snake Keylogger

Yara detected Telegram RAT

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/7a96faef83e248093584f633bdb3057dda34f1e028683d54401fba6143cf2c32/

Threat name:

Win32.Trojan.Leonem

Status:

Malicious

First seen:

2022-10-24 08:53:37 UTC

File Type:

PE (.Net Exe)

Extracted files:

AV detection:

24 of 42 (57.14%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=pklpv34d4jeasnme6yz33myfpxndj4pafbud2vcad65gcq6pfqza._file

Verdict:

malicious

SnakeKeylogger

50da774fda04ec1034035862f80ea8933397e34b66ac58c239c369836e341be0

SnakeKeylogger

658cb26b4f26e4ecf21c85c6138ceb52c614ca4092a69c365d324ff0b4b0d7c0

SnakeKeylogger

7370349d22f65927955d817fde07a3c9e1b5235fe3091278ad6899d8026422e3

SnakeKeylogger

7c0ccddd1e886d81fbcd8e4c62e6d61ce7e78258825a1f2ef1bc7edca4179cd5

SnakeKeylogger

ba7fa01438610d59a23d6daaa7dac208e3a99ff8dd10dfd6d9be2a59d4ff557e

SnakeKeylogger

f293c00ae925b1e3160d4104f35de999a31728aa5b636dd945d2ceb1d5045c01

SnakeKeylogger

f5b5997f3b718acf9ad712558e910e0d0c4777d8882207c05510f6c42cb3013d

SnakeKeylogger

+ 7'826 additional samples on MalwareBazaar

Result

Malware family:

snakekeylogger

Score:

10/10

Tags:

family:snakekeylogger collection keylogger spyware stealer

Link:

https://tria.ge/reports/221024-pjbl2agde3/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

outlook_office_path

outlook_win_path

Suspicious use of SetThreadContext

Accesses Microsoft Outlook profiles

Looks up external IP address via web service

Reads data files stored by FTP clients

Reads user/profile data of local email clients

Reads user/profile data of web browsers

Snake Keylogger

Snake Keylogger payload

Malware Config

C2 Extraction:

https://api.telegram.org/bot5503630831:AAGYIuw8LrLVvQb1hO8ZqTSsce27HhMrEKM/sendMessage?chat_id=1467583453

Unpacked files

SH256 hash:

bc444c4ec803b91da7af06cb0eb233fe69f565067f89544bf750fc17a9ede6dd

MD5 hash:

b52058082749f08bbcb7036b0d4189e8

SHA1 hash:

90365baf6b18ff3139da00cd5caf30660643110e

Link:

https://www.unpac.me/results/3acae3f9-5f01-4383-8973-1bf10fec712c/

SH256 hash:

5342049a21ed1f76391cdf85833452c331335f38a2fd234feeecf5f4d464e0a8

MD5 hash:

cf1a9372f1fa1a3793f48575fdf519a8

SHA1 hash:

844cb850fe217281b09160aa6fafa24c97ff25db

Link:

https://www.unpac.me/results/3acae3f9-5f01-4383-8973-1bf10fec712c/

SH256 hash:

cb3ea46acdd04926fe3d61461996aaf0d1a5013e27ac9e4ec06e8592bb96097b

MD5 hash:

baaa3b490e83d5b78889ba237a946f6d

SHA1 hash:

613a6e6fee7ad1ecdb2983864eb6f37b20d4deb6

Link:

https://www.unpac.me/results/3acae3f9-5f01-4383-8973-1bf10fec712c/

SH256 hash:

7a96faef83e248093584f633bdb3057dda34f1e028683d54401fba6143cf2c32

MD5 hash:

236aaedb72a16cae9d65454c7ed8db59

SHA1 hash:

f4e15e8600affc68dd028ec2d1b10dfc03f587cb

Link:

https://www.unpac.me/results/3acae3f9-5f01-4383-8973-1bf10fec712c/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

0.81

Link:

https://yomi.yoroi.company/submissions/7a96faef83e248093584f633bdb3057dda34f1e028683d54401fba6143cf2c32

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	pe_imphash Create hunting rule

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/323378/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample