MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 7eb24308d8b3c88bd77726ea6b1fa55fda8cc46f6c4ab18f91c78796cb92921a. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

SnakeKeylogger

Vendor detections: 11

Intelligence 11 IOCs YARA 8 File information Comments

SHA256 hash:	7eb24308d8b3c88bd77726ea6b1fa55fda8cc46f6c4ab18f91c78796cb92921a
SHA3-384 hash:	f73979214b4ae552d374a2d3b37651f94508379defd53790ac9f13dc065fcb828988d66deab3bf4f12cde857256f40d3
SHA1 hash:	e9b3a1b17acbce2d42df20d51427037957f34ad1
MD5 hash:	494381fdfa7860853ab57703c30513d1
humanhash:	pip-twelve-uncle-music
File name:	494381fdfa7860853ab57703c30513d1.exe
Download:	download sample
Signature	SnakeKeylogger Create hunting rule
File size:	780'288 bytes
First seen:	2021-07-13 12:57:24 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'661 x AgentTesla, 19'473 x Formbook, 12'208 x SnakeKeylogger)
ssdeep	12288:shY0t4fPAmxXphUsh5dS4KbEn5PWer8nu5zd3OYGDXVT9K5eRZa0wmzf0WejRi:UtcvhJS4KQtL8nu5h+rp9HGUPejR
Threatray	246 similar samples on MalwareBazaar
TLSH	T1A7F4D07A479C0627DBBE92797A60F005FB60ACA33B21DF1F16C771C1146BA4269C0D6E
Reporter	abuse_ch
Tags:	exe SnakeKeylogger

Intelligence

File Origin

# of uploads :

# of downloads :

126

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

494381fdfa7860853ab57703c30513d1.exe

Verdict:

Malicious activity

Analysis date:

2021-07-13 14:25:04 UTC

Tags:

evasion trojan

Link:

https://app.any.run/tasks/9d3f64ed-09cc-4ba5-bf4d-16d9d2cdbc66

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

Snake

Link:

https://www.capesandbox.com/analysis/171394/

Detection(s):

SecuriteInfo.com.Trojan.Win32.Save.a.5506.UNOFFICIAL

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Generic Malware

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/7c287767-900f-4d59-a6f3-99cdd4c6830e

Result

Threat name:

Snake Keylogger

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/815681

Signature

.NET source code contains very large strings

Found malware configuration

Injects a PE file into a foreign processes

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

May check the online IP address of the machine

Multi AV Scanner detection for submitted file

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to steal Mail credentials (via file access)

Uses the Telegram API (likely for C&C communication)

Yara detected AntiVM3

Yara detected Snake Keylogger

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/7eb24308d8b3c88bd77726ea6b1fa55fda8cc46f6c4ab18f91c78796cb92921a/

Threat name:

ByteCode-MSIL.Trojan.AgentTesla

Status:

Malicious

First seen:

2021-07-13 07:13:19 UTC

AV detection:

19 of 29 (65.52%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=p2zegcgywpeixv3xe3vgwh5fl7nizrdpnrfldd4ry6dzns4ssina._file

Verdict:

malicious

SnakeKeylogger

333b05f9732e8516f6c557115b9f88b53b13f9b0d473d58ad33f0bdf4b937fe9

SnakeKeylogger

59fc44577bd89c7f6ae86b0b13e7e19c4d17612b4d5696e6c70d2e88d5d8115e

SnakeKeylogger

71d43dd5594e4d74bc9c4e79f13089f1f8938831f8155c49025d634cb9ab2423

SnakeKeylogger

8e53c1e78b82ac4b4d48cd346bfe7d08600f5332dbb244d4cd6069fd9a285b8c

SnakeKeylogger

9392b47a6d8ba3302fa0d4a460a9a6582f87a8e983c69cdb0fff28d92a196c5a

SnakeKeylogger

a887d5014710bdaf2d83301d7769e6d7eb1c77b0e900f74e90072b8dd1a9e0ac

SnakeKeylogger

c6c7faf9ebc790a41f61c39c473026a0782bea6a6c013893a54712e9849f9a00

SnakeKeylogger

e4e182c357206a6f0799b943c0376575869c9b079be9fd99d07d5a7b98abd5fb

SnakeKeylogger

f99002091475b0c5f423e2d9efe182de66019616c5fda6205efc3d9bd2f5ff45

SnakeKeylogger

+ 236 additional samples on MalwareBazaar

Result

Malware family:

snakekeylogger

Score:

10/10

Tags:

family:snakekeylogger keylogger spyware stealer

Link:

https://tria.ge/reports/210713-d4aw52v3ga/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: GetForegroundWindowSpam

Suspicious use of AdjustPrivilegeToken

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

Suspicious use of SetThreadContext

Looks up external IP address via web service

Reads data files stored by FTP clients

Reads user/profile data of local email clients

Reads user/profile data of web browsers

Contains code to disable Windows Defender

Snake Keylogger

Malware Config

C2 Extraction:

https://api.telegram.org/bot1848104837:AAGyG0hi_VP31PmMNbynbZPjJ66-QVsVr2Y/sendMessage?chat_id=565072597

Unpacked files

SH256 hash:

bba9ff48cb99242dc12d6b5857619d3e89d028d4928141b69fd4de40f638336b

MD5 hash:

e4c15dca9a242d9e0075b31c6481ef68

SHA1 hash:

fea9cd77004c6ee5bdea450d042866688208bfb1

Link:

https://www.unpac.me/results/edbc9ddd-eb0f-43b5-9474-f2f73fe2e7cb/

SH256 hash:

c362729899c5956cfa9fc3bcf9b21ac72066a1b84a497ceb1281f76e2f55c54b

MD5 hash:

0327d1374a5ce015ad9c83c5de76e823

SHA1 hash:

e521349d9e96a4191248747c42c78b6f88fc8f63

Link:

https://www.unpac.me/results/edbc9ddd-eb0f-43b5-9474-f2f73fe2e7cb/

SH256 hash:

4163d745159b5db5ba624a62b330c87fc152d9352c3b1ccbb9facd96bcfa427d

MD5 hash:

87525aac03100a4245ad9e413e53c6e7

SHA1 hash:

53efaa6f2b63c0e055be45661c50b8f0096e2e7d

Link:

https://www.unpac.me/results/edbc9ddd-eb0f-43b5-9474-f2f73fe2e7cb/

SH256 hash:

7eb24308d8b3c88bd77726ea6b1fa55fda8cc46f6c4ab18f91c78796cb92921a

MD5 hash:

494381fdfa7860853ab57703c30513d1

SHA1 hash:

e9b3a1b17acbce2d42df20d51427037957f34ad1

Link:

https://www.unpac.me/results/edbc9ddd-eb0f-43b5-9474-f2f73fe2e7cb/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

APT3 Keylogger

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/7eb24308d8b3c88bd77726ea6b1fa55fda8cc46f6c4ab18f91c78796cb92921a

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	INDICATOR_SUSPICIOUS_Binary_References_Browsers Create hunting rule
Author:	ditekSHen
Description:	Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers.

Rule name:	INDICATOR_SUSPICIOUS_EXE_Referenfces_Messaging_Clients Create hunting rule
Author:	ditekSHen
Description:	Detects executables referencing many email and collaboration clients. Observed in information stealers

Rule name:	INDICATOR_SUSPICOIUS_EXE_DotNetProcHook Create hunting rule
Author:	ditekSHen
Description:	Detects executables with potential process hoocking

Rule name:	MALWARE_Win_SnakeKeylogger Create hunting rule
Author:	ditekSHen
Description:	Detects Snake Keylogger

Rule name:	MAL_Envrial_Jan18_1 Create hunting rule
Author:	Florian Roth
Description:	Detects Encrial credential stealer malware
Reference:	https://twitter.com/malwrhunterteam/status/953313514629853184

Rule name:	pe_imphash Create hunting rule

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

Rule name:	Telegram_Exfiltration_Via_Api Create hunting rule
Author:	lsepaolo

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

SnakeKeylogger

exe 7eb24308d8b3c88bd77726ea6b1fa55fda8cc46f6c4ab18f91c78796cb92921a

(this sample)

URLhaus

https://urlhaus.abuse.ch/url/1431281/

Delivery method

Distributed via web download

Cape

https://www.capesandbox.com/analysis/171394/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample