MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 7f55e05562265419f3b71f902d68bcff87833e4896845a5662b6624d705dabc2. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


SnakeKeylogger


Vendor detections: 13


Intelligence 13 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 7f55e05562265419f3b71f902d68bcff87833e4896845a5662b6624d705dabc2
SHA3-384 hash: 8f08c64e215950843e05d39767666854a6c8df0eb331f2e0cfdfc44d77852ceb7e18d4b494d7bf03fb5f1a02cbab9e15
SHA1 hash: d4b37030bbb788c5f7b90cc78c68c89e460a2954
MD5 hash: bc65373fd5b20831b8a163b7feab686f
humanhash: music-sodium-juliet-salami
File name:Quotation.exe
Download: download sample
Signature SnakeKeylogger
Create hunting rule
File size:699'904 bytes
First seen:2023-09-29 08:46:29 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'742 x AgentTesla, 19'607 x Formbook, 12'242 x SnakeKeylogger)
ssdeep 12288:ntzyiRJU/WcDr/Zzj6Ofh+XH1G74vHewVMs0RzNOfHnU8Nb9vTTCgtb:t+Fei/Zz2ObEHewpKcvUCGW
Threatray 111 similar samples on MalwareBazaar
TLSH T1EAE4123072FD1B9AE2BAC7F548655A18177478BE3126E60C4DC670EB15B2F80CB15E93
TrID 71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.2% (.EXE) Win64 Executable (generic) (10523/12/4)
6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.3% (.EXE) Win32 Executable (generic) (4505/5/1)
2.0% (.ICL) Windows Icons Library (generic) (2059/9)
File icon (PE):PE icon
dhash icon 00e49a72729ae400 (9 x AgentTesla, 4 x SnakeKeylogger, 3 x Loki)
Reporter abuse_ch
Tags:exe SnakeKeylogger

Intelligence

File Origin
# of uploads :
1
# of downloads :
269
Origin country :
NL NL
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
Quotation.exe
Verdict:
Malicious activity
Analysis date:
2023-09-29 09:31:36 UTC
Tags:
evasion snake keylogger
Link:
https://app.any.run/tasks/d7de4051-282e-4817-91d5-643d8b0dd16d

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection(s):
Porcupine.Malware.58887.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Creating a window
Unauthorized injection to a recently created process
Restart of the analyzed sample
Creating a file
Сreating synchronization primitives
DNS request
Sending an HTTP GET request
Moving of the original file
Forced shutdown of a browser
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
packed
Link:
https://www.filescan.io/uploads/65168f0b988a26b6d971fd90/reports/a19f3c75-4f7d-4106-96c4-0731a27a8572/overview
Verdict:
Malicious
Labled as:
Trojan.Generic
Link:
https://www.hybrid-analysis.com/sample/7f55e05562265419f3b71f902d68bcff87833e4896845a5662b6624d705dabc2
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Generic Malware
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/65c15bc7-e022-4196-ba0d-0d084cfd75ab
Result
Threat name:
AgentTesla, Snake Keylogger
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1316270
Signature
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains potential unpacker
Antivirus / Scanner detection for submitted sample
Found malware configuration
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Malicious sample detected (through community Yara rule)
May check the online IP address of the machine
Moves itself to temp directory
Multi AV Scanner detection for submitted file
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Yara detected AgentTesla
Yara detected AntiVM3
Yara detected Beds Obfuscator
Yara detected Generic Downloader
Yara detected Snake Keylogger
Yara detected Telegram RAT
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/7f55e05562265419f3b71f902d68bcff87833e4896845a5662b6624d705dabc2/
Threat name:
ByteCode-MSIL.Trojan.Vigorf
Create hunting rule
Status:
Malicious
First seen:
2023-09-27 05:04:12 UTC
File Type:
PE (.Net Exe)
Extracted files:
14
AV detection:
19 of 36 (52.78%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=p5k6avlcezkbt45xd6ic22f476dygpsis2cfuvtcwzre24c5vpba._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
0ba7c10b9a514f623f07c1c49b4fbf3b4c97c1c2d4a2b8623b98a8b77cdd4718
SnakeKeylogger
2029b84d785d6e3379aab8455ffd8ddda16c01304d507d9dc009d71186da2009
SnakeKeylogger
638619c26cc20f590052a8dac6eabcc3b0dd6dcdd7f48832a36a1b0d983ae77f
SnakeKeylogger
a9fc57ab4ffcca4baa8f4fe69708ea3d63d5f85f5f5916bd7870fe547f368e02
SnakeKeylogger
b6ae3f27029900241bf6ecd397a0686061db57ce48df21098bc27d365fc3139f
SnakeKeylogger
c2a43fc45a16b56cc03b8e197da3b3fd602c6fa3483d17deb81c86faa45bf751
SnakeKeylogger
c76afbbf6fa00b8a5a2826a1104bb2b6468e6df5610e596f737086687ab96ff8
SnakeKeylogger
ce3a3c9f22255146152575aa50fc9f5f1ef3f8c96b9b94cd766301045f846612
SnakeKeylogger
e8c5ba9af6c89db0e69234af98c64b49493c93fc8b9314ce2cd7a5d51a897130
SnakeKeylogger
+ 101 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  7/10
Tags:
collection spyware stealer
Link:
https://tria.ge/reports/230929-kpw3psac52/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: RenamesItself
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Looks up external IP address via web service
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Unpacked files
SH256 hash:
a655be43f79d44bf3e6720e6e1aa99b8fd94785cd46707d9a0dd48a10e4d20c8
MD5 hash:
7c2c98a1bc1af93e1bc1e0c933915b8e
SHA1 hash:
c5c3a2e553fdfa9010cf11b582fe3399c5551ffd
Link:
https://www.unpac.me/results/b7b85433-b80d-4597-949f-3ffce2bcb0f2/
SH256 hash:
61f5dddb7ddeb06cce3cab7a87ab203e6c82d57a26f579df91068c905b0b8f7d
MD5 hash:
449fab1f50415df74d5c150d31ef7557
SHA1 hash:
be8f919163d1275a1909fc39199a171c5f16e3e8
Link:
https://www.unpac.me/results/b7b85433-b80d-4597-949f-3ffce2bcb0f2/
SH256 hash:
e18ea9035e26ed8477917f25ae8298ef97d52181203a5f3b29ffc936e086f728
MD5 hash:
3a0eab0fb72637042f7bac829950e67d
SHA1 hash:
6538cd7b9f66dc7ce283db4a97120ceecebc5049
Link:
https://www.unpac.me/results/b7b85433-b80d-4597-949f-3ffce2bcb0f2/
SH256 hash:
7ec118e70613ce2d9aee29cda2918ca710dde346c68d4da75c2ea0402e6d4391
MD5 hash:
1622a62bf6805b2dca82a8632eceac71
SHA1 hash:
071b72a5a1231149dfe4b9fcfa3a6ee49265ab7c
Link:
https://www.unpac.me/results/b7b85433-b80d-4597-949f-3ffce2bcb0f2/
SH256 hash:
7f55e05562265419f3b71f902d68bcff87833e4896845a5662b6624d705dabc2
MD5 hash:
bc65373fd5b20831b8a163b7feab686f
SHA1 hash:
d4b37030bbb788c5f7b90cc78c68c89e460a2954
Link:
https://www.unpac.me/results/b7b85433-b80d-4597-949f-3ffce2bcb0f2/
Malware family:
AgentTesla.v3
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/7f55e0556226/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Password Stealer
Score:
0.90
Link:
https://yomi.yoroi.company/submissions/7f55e05562265419f3b71f902d68bcff87833e4896845a5662b6624d705dabc2

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

SnakeKeylogger

Executable exe 7f55e05562265419f3b71f902d68bcff87833e4896845a5662b6624d705dabc2

(this sample)

  
Delivery method
Distributed via e-mail attachment

Comments