MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 804f387ff1aaa93ed6d210dca1df30fdcc6c9c7d3027cd5d1c7c0b3bf1d66b1b. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


SnakeKeylogger


Vendor detections: 14


Intelligence 14 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 804f387ff1aaa93ed6d210dca1df30fdcc6c9c7d3027cd5d1c7c0b3bf1d66b1b
SHA3-384 hash: 68de2c1d13711527eed4f529fc9f92db8fc2527574d3abbfb27dd32bbc7031662269a2c46d2217ab2fab0cf0a502f376
SHA1 hash: 4808653698928e467a6c081d8d7555bb23e88954
MD5 hash: 66280aaee7af46f456fa4c30d2813bcb
humanhash: fillet-lithium-single-april
File name:7asMMYL8w8fSymN.exe
Download: download sample
Signature SnakeKeylogger
Create hunting rule
File size:616'448 bytes
First seen:2023-07-13 07:36:33 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'658 x AgentTesla, 19'469 x Formbook, 12'208 x SnakeKeylogger)
ssdeep 12288:QBqD3ZxjJE8ERFtwu4NCBJvLhfoh/Z4vme2AUf7qaOxywxcKv0t0a4:QoLZxj6XFtmQRhfoh/Z4vmn7jqagv0tK
Threatray 5'461 similar samples on MalwareBazaar
TLSH T125D423D23E34AB61D2A17F7DCFB0602AB276E1753219CB3D17B22449DE627850D909E3
TrID 69.7% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.0% (.EXE) Win64 Executable (generic) (10523/12/4)
6.2% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.2% (.EXE) Win32 Executable (generic) (4505/5/1)
1.9% (.EXE) Win16/32 Executable Delphi generic (2072/23)
File icon (PE):PE icon
dhash icon 0000000000000000 (872 x AgentTesla, 496 x Formbook, 296 x RedLineStealer)
Reporter abuse_ch
Tags:exe SnakeKeylogger

Intelligence

File Origin
# of uploads :
1
# of downloads :
267
Origin country :
NL NL
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
7asMMYL8w8fSymN.exe
Verdict:
Malicious activity
Analysis date:
2023-07-13 07:38:08 UTC
Tags:
snake evasion keylogger trojan
Link:
https://app.any.run/tasks/a6ee0fbd-43cf-4c1e-97d4-08f19a050337

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Snake
Create hunting rule
Link:
https://www.capesandbox.com/analysis/417268/
Detection(s):
SecuriteInfo.com.Win32.PWSX-gen.17004.19303.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Creating a window
Sending a custom TCP request
Creating a process with a hidden window
Launching a process
Restart of the analyzed sample
Adding an exclusion to Microsoft Defender
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
clipbanker comodo darkkomet packed
Link:
https://www.filescan.io/uploads/64afa9a36e9f7019dea01332/reports/9b7c9042-9e6d-466d-938d-571f6cd37d50/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_90%
Link:
https://www.hybrid-analysis.com/sample/804f387ff1aaa93ed6d210dca1df30fdcc6c9c7d3027cd5d1c7c0b3bf1d66b1b
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Snake Keylogger
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/e9372a08-34eb-4a19-bbea-9bffd5d7a176
Result
Threat name:
Snake Keylogger
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1272263
Signature
Adds a directory exclusion to Windows Defender
Found malware configuration
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
May check the online IP address of the machine
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Scheduled temp file as task from temp location
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected Generic Downloader
Yara detected Snake Keylogger
Yara detected Telegram RAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 1272263 Sample: 7asMMYL8w8fSymN.exe Startdate: 13/07/2023 Architecture: WINDOWS Score: 100 54 Found malware configuration 2->54 56 Malicious sample detected (through community Yara rule) 2->56 58 Sigma detected: Scheduled temp file as task from temp location 2->58 60 5 other signatures 2->60 7 7asMMYL8w8fSymN.exe 7 2->7         started        11 smahPQwx.exe 5 2->11         started        process3 dnsIp4 36 C:\Users\user\AppData\Roaming\smahPQwx.exe, PE32 7->36 dropped 38 C:\Users\...\smahPQwx.exe:Zone.Identifier, ASCII 7->38 dropped 40 C:\Users\user\AppData\Local\...\tmp2FBE.tmp, XML 7->40 dropped 42 C:\Users\user\...\7asMMYL8w8fSymN.exe.log, ASCII 7->42 dropped 62 May check the online IP address of the machine 7->62 64 Uses schtasks.exe or at.exe to add and modify task schedules 7->64 66 Adds a directory exclusion to Windows Defender 7->66 14 7asMMYL8w8fSymN.exe 15 2 7->14         started        18 powershell.exe 19 7->18         started        20 powershell.exe 21 7->20         started        26 2 other processes 7->26 44 192.168.2.1 unknown unknown 11->44 68 Multi AV Scanner detection for dropped file 11->68 70 Machine Learning detection for dropped file 11->70 72 Injects a PE file into a foreign processes 11->72 22 smahPQwx.exe 11->22         started        24 schtasks.exe 11->24         started        file5 signatures6 process7 dnsIp8 46 checkip.dyndns.org 14->46 48 checkip.dyndns.com 193.122.6.168, 49692, 80 ORACLE-BMC-31898US United States 14->48 28 conhost.exe 18->28         started        30 conhost.exe 20->30         started        50 checkip.dyndns.org 22->50 52 193.122.130.0, 49696, 80 ORACLE-BMC-31898US United States 22->52 74 Tries to steal Mail credentials (via file / registry access) 22->74 76 Tries to harvest and steal browser information (history, passwords, etc) 22->76 32 conhost.exe 24->32         started        34 conhost.exe 26->34         started        signatures9 process10
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/804f387ff1aaa93ed6d210dca1df30fdcc6c9c7d3027cd5d1c7c0b3bf1d66b1b/
Threat name:
Win32.Trojan.Leonem
Create hunting rule
Status:
Malicious
First seen:
2023-07-13 07:37:07 UTC
File Type:
PE (.Net Exe)
Extracted files:
7
AV detection:
18 of 24 (75.00%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=qbhtq77rvkut5vwscdokdxzq7xggzhd5gat42xi4pqftx4ownmnq._file
Verdict:
malicious
Similar samples:
067371c60e42b21c7772345cfd18f9990ca2238ad24a221d5f268577eb9f4ed0
SnakeKeylogger
217deeacbfd0b0a0b448fd35c2dc00797077e43f7fc2383b6e1fb86029eccc52
SnakeKeylogger
48aa55cd385c0089fae8f59ec7e9a7ac44a379a67fccc2f2b921ca3161fca87a
SnakeKeylogger
590f697c02283726bc0568ab2d69a65674e7239afe60c82e00a78ddc839d77ce
SnakeKeylogger
94bcfa2f30dbe9c0f930ad54feb009eadc10f1f06cd5cba3b068fef35982f8da
SnakeKeylogger
9cd50229927cb6cc9e06d0884ab53ee5da6b8764fe60e326bbed779ddc5c8e2a
SnakeKeylogger
b77e4e01d790970d4933798c036226efe9d1e0cad9e12c7de1679c65741fdf51
SnakeKeylogger
e0efdd6252609b1039db00c31d375781a03b956a4ba65d8a11b5b81ce46a30d8
SnakeKeylogger
f754d27afe08000a5c8a4322034b6d30f7ff60d9735554e835514a52bf917429
SnakeKeylogger
+ 5'451 additional samples on MalwareBazaar
Result
Malware family:
snakekeylogger
Create hunting rule
Score:
  10/10
Tags:
family:snakekeylogger collection keylogger spyware stealer
Link:
https://tria.ge/reports/230713-jfs41sgf7z/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Enumerates physical storage devices
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Looks up external IP address via web service
Checks computer location settings
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Snake Keylogger
Snake Keylogger payload
Unpacked files
SH256 hash:
3f68cc843eb3b2a764dc02355e2e3f97dce8f1164d6f18a4f77e850410dfc137
MD5 hash:
60126f10641986bbcefca9ed6159994b
SHA1 hash:
df584155d49b10805f1f0d81a758e98b23990815
Link:
https://www.unpac.me/results/c96d8540-9c36-4781-b870-fd9485aa0cf4/
SH256 hash:
aab85f2695b4521783d480755d3f16b0b355425fecf237983ac92d49252a0662
MD5 hash:
378940443a4c54efd808e9eac1c74c11
SHA1 hash:
9b6561f7120ed04ae751de4b3ef6ae26b2053ce6
Link:
https://www.unpac.me/results/c96d8540-9c36-4781-b870-fd9485aa0cf4/
SH256 hash:
ef4098f31ef7a393d273cd215f50510c33c7191abda5e0ea471c3efde4dd5c56
MD5 hash:
ed27771897bd309025859c36869bd832
SHA1 hash:
617807e1cfac4374220b9d928733fb7f3a47e0cf
Link:
https://www.unpac.me/results/c96d8540-9c36-4781-b870-fd9485aa0cf4/
SH256 hash:
df0a9e3ab2ab412c7a84d66fcbd4f38ffa6fd3ae45c8cbf06001984f121bde7b
MD5 hash:
f7bb7e35053836c507a37e7f03c44e0d
SHA1 hash:
4ead5c4deab36f53f2f067dc6e535bf27c403ec3
Detections:
snake_keylogger
Create hunting rule
Link:
https://www.unpac.me/results/c96d8540-9c36-4781-b870-fd9485aa0cf4/
Parent samples :
2dc75c246d498d4ef915b30fef16d96af9bdcc3794b5b1f075b6398af8c2a5d4
01dc863e099966c6e41aa68adea783c07978e1935e44e236575b5cd1daa90ca7
f5d9290de50bd4e9e312516792f7e8bb42337cdec991ed4c8ec526509f978a65
804f387ff1aaa93ed6d210dca1df30fdcc6c9c7d3027cd5d1c7c0b3bf1d66b1b
c1c786f11398b34c1ad810db36dff9e0880b36cd3580098e6b07c3bcfc84c787
07656dde7e964ab7e49378a310d439f5c3201528ec707e0b1a138d5c61b8d63a
SH256 hash:
804f387ff1aaa93ed6d210dca1df30fdcc6c9c7d3027cd5d1c7c0b3bf1d66b1b
MD5 hash:
66280aaee7af46f456fa4c30d2813bcb
SHA1 hash:
4808653698928e467a6c081d8d7555bb23e88954
Link:
https://www.unpac.me/results/c96d8540-9c36-4781-b870-fd9485aa0cf4/
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

SnakeKeylogger

Executable exe 804f387ff1aaa93ed6d210dca1df30fdcc6c9c7d3027cd5d1c7c0b3bf1d66b1b

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/417268/

Comments