MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 7c14babb0cc8533a8773ec590088334e4ef61d581b5f8915ff1b419d8b60c2bf. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

SnakeKeylogger

Vendor detections: 12

Intelligence 12 IOCs YARA 2 File information Comments

SHA256 hash:	7c14babb0cc8533a8773ec590088334e4ef61d581b5f8915ff1b419d8b60c2bf
SHA3-384 hash:	803ee97613656ae2aa34d0cce133168235940ae54d851b32211084a2e5986faed3ab5a12c952a3a990e01c2ebb69fd97
SHA1 hash:	fd0bf9aea1437e109291db9c022bf2b29370c254
MD5 hash:	49c580099a13ad87ff1342ce3dd9110b
humanhash:	shade-purple-charlie-pennsylvania
File name:	order list.exe
Download:	download sample
Signature	SnakeKeylogger Create hunting rule
File size:	622'080 bytes
First seen:	2022-05-24 12:53:01 UTC
Last seen:	2022-05-24 13:48:53 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep	12288:jP6Xk3Afxq3vyoUnvoIdZCEQtOAB/THi/COlpdhy1rrxkm:jP6XOAfxcYPEEbOg1K1hX
Threatray	1'297 similar samples on MalwareBazaar
TLSH	T139D401807AFC57C7E4798BFD5C64762013B1AA296890DF081ED1B4E96A71F2205B2F4F
TrID	72.5% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13) 10.4% (.EXE) Win64 Executable (generic) (10523/12/4) 6.5% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 4.4% (.EXE) Win32 Executable (generic) (4505/5/1) 2.0% (.EXE) OS/2 Executable (generic) (2029/13)
File icon (PE):
dhash icon	32ceaeaeb2968eca (42 x SnakeKeylogger, 23 x Loki, 9 x AgentTesla)
Reporter	abuse_ch
Tags:	exe SnakeKeylogger

Intelligence

File Origin

# of uploads :

# of downloads :

277

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

order list.exe

Verdict:

Malicious activity

Analysis date:

2022-05-25 02:52:30 UTC

Tags:

evasion trojan snake

Link:

https://app.any.run/tasks/fa148fc5-85c1-40fc-9760-dab936fe3085

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/274088/

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

Launching a process

Creating a process with a hidden window

Verdict:

Suspicious

Threat level:

5/10

Confidence:

100%

Tags:

obfuscated packed replace.exe

Link:

https://www.filescan.io/uploads/628cd570054dcf0ecae7abef/reports/f5b292bd-1267-43b9-af09-6f9b66d7cf96/overview

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Snake Keylogger

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/ee1e18a1-53ed-455c-9dc8-7804eddd6403

Result

Threat name:

Snake Keylogger

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1000772

Signature

.NET source code contains potential unpacker

.NET source code references suspicious native API functions

Adds a directory exclusion to Windows Defender

Found malware configuration

Initial sample is a PE file and has a suspicious name

Malicious sample detected (through community Yara rule)

May check the online IP address of the machine

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Snort IDS alert for network traffic

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to steal Mail credentials (via file / registry access)

Uses schtasks.exe or at.exe to add and modify task schedules

Yara detected AntiVM3

Yara detected Generic Downloader

Yara detected Snake Keylogger

Yara detected Telegram RAT

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/7c14babb0cc8533a8773ec590088334e4ef61d581b5f8915ff1b419d8b60c2bf/

Threat name:

ByteCode-MSIL.Trojan.AgentTesla

Status:

Malicious

First seen:

2022-05-24 05:45:45 UTC

File Type:

PE (.Net Exe)

Extracted files:

AV detection:

19 of 26 (73.08%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=pqklvoymzbjtvb3t5rmqbcbtjzhpmhkydnpysfp7dnaz3c3ayk7q._file

Verdict:

malicious

SnakeKeylogger

4136cbd135de0a67aecbb84e9eb39357299777d4eaca08ce9055233f62ec6996

SnakeKeylogger

49144b7e90a73187512a8847add84f34826dd5bfa6113fe0dd013c4a2db51dcd

SnakeKeylogger

4fe060579e231bdeaaa2093bb47c0049b1665a221b3ba953eeefbd36e36c51bb

SnakeKeylogger

5bf9f321e795da8caa68cef487b457a673fc98aca56cbbcf70fdf7f180d32ec9

SnakeKeylogger

8b8749dd4fbb546524dbc10b4f9bec1a3f3a04c9712dfa6a804aa7aad2708c71

SnakeKeylogger

a0024c792833532f6d5f0e391971e41c7efb27d30c062478ccca706b9eb4ffa4

SnakeKeylogger

cee0ec8b4807de91c78cd4addc645a5143b10e73b9406f92f11cc61752e2ac1f

SnakeKeylogger

cf8daae97e0ecfe042272db8fa81d13bd014a6e34047ae97fdfcd7719bac2c8c

SnakeKeylogger

+ 1'287 additional samples on MalwareBazaar

Result

Malware family:

snakekeylogger

Score:

10/10

Tags:

family:snakekeylogger collection keylogger spyware stealer

Link:

https://tria.ge/reports/220524-p4l89sefbq/

Behaviour

Creates scheduled task(s)

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

outlook_office_path

outlook_win_path

Enumerates physical storage devices

Suspicious use of SetThreadContext

Accesses Microsoft Outlook profiles

Looks up external IP address via web service

Reads data files stored by FTP clients

Reads user/profile data of local email clients

Reads user/profile data of web browsers

Snake Keylogger

Snake Keylogger Payload

Malware Config

C2 Extraction:

https://api.telegram.org/bot5256606453:AAHfx8QrRODLdPbv8UwEufviQZo4c5kfjug/sendMessage?chat_id=1482312326

Unpacked files

SH256 hash:

258542cafbf6b7151404c52c626e7792f5d556af7c53f16e22725125e8605455

MD5 hash:

23c20cd4300d0b938e2a49abf3d9dc26

SHA1 hash:

9067cb6a32d30d6fc25784b4c55661c0d03d42b2

Link:

https://www.unpac.me/results/f89c5fe0-17f3-4b41-93ae-a6ba42d1855a/

SH256 hash:

7fc3a061a6e1994477839381444ed4f983946612d0089e6831bd2bade175f9ca

MD5 hash:

748acb34a51e6c4974b38c39ae84f3fe

SHA1 hash:

89b81512a0111f8c4e43387fd26cc253b35fa07e

Link:

https://www.unpac.me/results/f89c5fe0-17f3-4b41-93ae-a6ba42d1855a/

SH256 hash:

ad39bb9144dfca0eb0e186c685d1de2a92a4f9490c38d607e5f436c4a280d71f

MD5 hash:

c8fb91392c36e7e26d0bf7625788f3e4

SHA1 hash:

5a26b9e8303d16a465246d52aa655ec1b59d1e2c

Link:

https://www.unpac.me/results/f89c5fe0-17f3-4b41-93ae-a6ba42d1855a/

SH256 hash:

eb9be1b76d27f8a61d1935f1735b46baa46cb27c94e69dc4b4db16357bc62fb8

MD5 hash:

f849c950231fbe46c9fbadfdf65424ba

SHA1 hash:

219ba88325dd0a6dcf2d41febc613dac6a692489

Link:

https://www.unpac.me/results/f89c5fe0-17f3-4b41-93ae-a6ba42d1855a/

SH256 hash:

7c14babb0cc8533a8773ec590088334e4ef61d581b5f8915ff1b419d8b60c2bf

MD5 hash:

49c580099a13ad87ff1342ce3dd9110b

SHA1 hash:

fd0bf9aea1437e109291db9c022bf2b29370c254

Link:

https://www.unpac.me/results/f89c5fe0-17f3-4b41-93ae-a6ba42d1855a/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/7c14babb0cc8533a8773ec590088334e4ef61d581b5f8915ff1b419d8b60c2bf

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	pe_imphash Create hunting rule

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/274088/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample