MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 7e961fe6e69522736f067afa59213ed1fe4118a470c9cf272cf15189ff47bf7a. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


SnakeKeylogger


Vendor detections: 16


Intelligence 16 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 7e961fe6e69522736f067afa59213ed1fe4118a470c9cf272cf15189ff47bf7a
SHA3-384 hash: 6abba67612b0f9a44aa880ebf8448b5d995d9b6fc723cb06978b37b07973d9e70e5afee48e3f8af691aa67da1a308952
SHA1 hash: 0ce940199d1da05f9ce9834bf831be7b4fea0562
MD5 hash: 4fb089125b75694036d39124584c0374
humanhash: diet-low-gee-leopard
File name:KVC PO1100538819.exe
Download: download sample
Signature SnakeKeylogger
Create hunting rule
File size:749'568 bytes
First seen:2023-08-02 08:46:38 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'665 x AgentTesla, 19'478 x Formbook, 12'208 x SnakeKeylogger)
ssdeep 12288:R5MYqIHkdbQKPX7VtiVL8B5rRNH36hVCG+/HSQTibBJTS73Sv:R6hQkdbvpqL8/9NX6HCG6HSQTp7
Threatray 61 similar samples on MalwareBazaar
TLSH T156F4D0047268AB67F53F9BF45524919407B593BE306EE74A8CE6A0EA1B60F500F40F7B
TrID 71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.2% (.EXE) Win64 Executable (generic) (10523/12/4)
6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.3% (.EXE) Win32 Executable (generic) (4505/5/1)
2.0% (.ICL) Windows Icons Library (generic) (2059/9)
Reporter abuse_ch
Tags:exe SnakeKeylogger

Intelligence

File Origin
# of uploads :
1
# of downloads :
268
Origin country :
NL NL
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
KVC PO1100538819.exe
Verdict:
Malicious activity
Analysis date:
2023-08-02 03:34:49 UTC
Tags:
snake evasion keylogger trojan
Link:
https://app.any.run/tasks/79847700-72ed-434b-b435-88c5dae612c1

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Snake
Create hunting rule
Link:
https://www.capesandbox.com/analysis/439767/
Detection(s):
SecuriteInfo.com.Trojan.Siggen21.14169.23753.26382.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a custom TCP request
Сreating synchronization primitives
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
formbook packed
Link:
https://www.filescan.io/uploads/64ca180bcbfeb5bd575123cd/reports/730b830e-b9f6-4a2f-a8c3-dcb8924c5413/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_100%
Link:
https://www.hybrid-analysis.com/sample/7e961fe6e69522736f067afa59213ed1fe4118a470c9cf272cf15189ff47bf7a
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/b2fa9593-8839-449e-9d3d-bc3f0bceb7a3
Result
Threat name:
RedLine, Snake Keylogger
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1284223
Signature
.NET source code contains potential unpacker
Allocates memory in foreign processes
Found malware configuration
Injects a PE file into a foreign processes
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
May check the online IP address of the machine
Multi AV Scanner detection for submitted file
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Writes to foreign memory regions
Yara detected Generic Downloader
Yara detected RedLine Stealer
Yara detected Snake Keylogger
Yara detected Telegram RAT
Behaviour
Behavior Graph:
Download SVG
Detection:
404keylogger
Create hunting rule
Link:
https://mwdb.cert.pl/sample/7e961fe6e69522736f067afa59213ed1fe4118a470c9cf272cf15189ff47bf7a/
Threat name:
ByteCode-MSIL.Spyware.RedLine
Create hunting rule
Status:
Malicious
First seen:
2023-08-02 04:11:55 UTC
File Type:
PE (.Net Exe)
Extracted files:
15
AV detection:
24 of 36 (66.67%)
Threat level:
  2/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=p2lb7zxgsurhg3ygpl5fsij62h7ecgfeode46jzm6fiyt72hx55a._file
Verdict:
malicious
Similar samples:
01af6a15beb6d627c8e7d255eb0d8f2e1167d710b101973b8da9b50246368bf3
SnakeKeylogger
069af598ef0f129b4efbb3e86a4f86bcf23d9caac7d85155893302304c62f32b
SnakeKeylogger
3a04516d71e6a24f0f20da46230239ca177e6c1d76cb887948344694e2a376a4
SnakeKeylogger
40ea8804c950d48871a44d15ffca0abdfd33756864d6a83229c03fd9bfba3238
SnakeKeylogger
793e60744aa163e0da636233df2fc83f43d447cddf4a89b28ff15a0ca95e69f9
SnakeKeylogger
afcf2d75de98e641cb9555de188660470893d84e4c22577cd56f947e5a54223a
SnakeKeylogger
eac32618d08c0c5c98468ac2d4ad561b424241b508c1b1ad9e9d00934bbb2e6d
SnakeKeylogger
f03390fa3307e28389f6581e930065b810892ddb2cd0b12f59ccf896e1852681
SnakeKeylogger
+ 51 additional samples on MalwareBazaar
Result
Malware family:
snakekeylogger
Create hunting rule
Score:
  10/10
Tags:
family:snakekeylogger keylogger stealer
Link:
https://tria.ge/reports/230802-kpv6eaeg9t/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Looks up external IP address via web service
Uses the VBS compiler for execution
Snake Keylogger
Snake Keylogger payload
Unpacked files
SH256 hash:
ce1ceaa49add2aff90bccd5af49ebe1f70f69bc67174300a7eb29bccd01f60ae
MD5 hash:
462ba946ea64fdd27b39be8b7adb4db9
SHA1 hash:
a441ba9aaa05d55ad709905df9dcdfb937143af9
Detections:
snake_keylogger
Create hunting rule
Link:
https://www.unpac.me/results/2ce3a087-0021-4530-8f52-0c3dea1fd1c9/
Parent samples :
d00f8dee3e81decbb37ef2651c88d3ba46a959d5bfe1d71fc17afd8b4704b4bd
7e961fe6e69522736f067afa59213ed1fe4118a470c9cf272cf15189ff47bf7a
30648c0ee182936cffc123c0d03094be35f5cd6fcc246c2d173d649c2b68f132
1655dd140ca64fbbba26fac5c63072c362c161361fd8c3399b54fd5e1666bc90
SH256 hash:
b3f6e9e5d1c680179a337786cd2431f910786035f2c6dd88302a05848313e416
MD5 hash:
8a38bfb220db9d55563a68cb066f5a08
SHA1 hash:
a101237b48a83c737319678e1b5bd915ba1bb2ca
Detections:
snake_keylogger
Create hunting rule
Link:
https://www.unpac.me/results/2ce3a087-0021-4530-8f52-0c3dea1fd1c9/
Parent samples :
d00f8dee3e81decbb37ef2651c88d3ba46a959d5bfe1d71fc17afd8b4704b4bd
7e961fe6e69522736f067afa59213ed1fe4118a470c9cf272cf15189ff47bf7a
SH256 hash:
22ea0819743cfa81f99ff562db3979c9b8a93f58a27c433624dd5461563587cf
MD5 hash:
8207cd4ccccf70052614610fdc39df8a
SHA1 hash:
d89beab8beac3133c6c3437a3933f6aa67daf099
Link:
https://www.unpac.me/results/2ce3a087-0021-4530-8f52-0c3dea1fd1c9/
SH256 hash:
53f2ad060cf771aa4f197df5789cee95959480c244a0b392bb450c8ce7311d77
MD5 hash:
37e82d3e2864e27b34f5fbacaea759c3
SHA1 hash:
a87024a466e052bff09a170bb8c6f374f6c84c32
Link:
https://www.unpac.me/results/2ce3a087-0021-4530-8f52-0c3dea1fd1c9/
SH256 hash:
e1333a1d5d28839e1e740aef42f53c21488a6f821874b27f4540e04830098af4
MD5 hash:
ee43618c6e0e8ce311be20d5e5d7a7bc
SHA1 hash:
31bf3843e538d439d269664260688f950ecb6668
Link:
https://www.unpac.me/results/2ce3a087-0021-4530-8f52-0c3dea1fd1c9/
SH256 hash:
40821038dd9a8a0c85f1c5898dcdd8fac1499e0b569ddfbadffe1c6ceb0aa03b
MD5 hash:
71ff3a9613b8d58debedc2742c43def3
SHA1 hash:
17cc80f177b9baa3f97024e6c7606961aaf36e37
Link:
https://www.unpac.me/results/2ce3a087-0021-4530-8f52-0c3dea1fd1c9/
SH256 hash:
7e961fe6e69522736f067afa59213ed1fe4118a470c9cf272cf15189ff47bf7a
MD5 hash:
4fb089125b75694036d39124584c0374
SHA1 hash:
0ce940199d1da05f9ce9834bf831be7b4fea0562
Link:
https://www.unpac.me/results/2ce3a087-0021-4530-8f52-0c3dea1fd1c9/
Malware family:
RedNet
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/7e961fe6e695/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Password Stealer
Score:
0.90
Link:
https://yomi.yoroi.company/submissions/7e961fe6e69522736f067afa59213ed1fe4118a470c9cf272cf15189ff47bf7a

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

SnakeKeylogger

Executable exe 7e961fe6e69522736f067afa59213ed1fe4118a470c9cf272cf15189ff47bf7a

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/439767/

Comments