MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 8087e9377059c473e66ce6293c2e2c9de5330723a30ffcea8950c33b0e0303f6. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


SnakeKeylogger


Vendor detections: 14


Intelligence 14 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 8087e9377059c473e66ce6293c2e2c9de5330723a30ffcea8950c33b0e0303f6
SHA3-384 hash: dbe1670f16aee45ff1718b633675111c0e5690438b58f7b52b7b54516f8fd3cc933cf21bab55306dc3aa777e335c4017
SHA1 hash: 4f606765f59e9f63a7a5028a08819d8364194057
MD5 hash: 54f32e2168fb40c14ee1388cb860a714
humanhash: five-undress-fix-tango
File name:receipt_scan26092022.exe
Download: download sample
Signature SnakeKeylogger
Create hunting rule
File size:1'079'296 bytes
First seen:2022-09-26 06:40:19 UTC
Last seen:2022-09-26 11:26:16 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'661 x AgentTesla, 19'474 x Formbook, 12'208 x SnakeKeylogger)
ssdeep 24576:8YfsI03Y6+ySGUrhJUHOPG5oGgjhArqJQeASnxwcE6Sccwky9ltkZ:/sI03dZgFJK63ArqJdASnxwx6SwkSz
TLSH T11935F13317EB8E4BD01636B485E1C6B1A7AADD08E477C24B67CA7D1FF0B71229A61710
TrID 72.5% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.4% (.EXE) Win64 Executable (generic) (10523/12/4)
6.5% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.4% (.EXE) Win32 Executable (generic) (4505/5/1)
2.0% (.EXE) OS/2 Executable (generic) (2029/13)
File icon (PE):PE icon
dhash icon 68d8d8c8d9a9c1d9 (96 x SnakeKeylogger, 67 x RemcosRAT, 66 x Formbook)
Reporter abuse_ch
Tags:exe SnakeKeylogger

Intelligence

File Origin
# of uploads :
3
# of downloads :
260
Origin country :
n/a
Vendor Threat Intelligence
Detection:
Snake
Create hunting rule
Link:
https://www.capesandbox.com/analysis/313441/
Detection(s):
SecuriteInfo.com.Trojan.PackedNET.389.27820.32686.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Using the Windows Management Instrumentation requests
Creating a file
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
packed
Link:
https://www.filescan.io/uploads/633149c66963f27ddc351ba4/reports/b8499932-72f0-4f9a-be4d-5961a8a8b6b5/overview
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Snake Keylogger
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/da34d552-fc54-49f4-9ce6-def40f6871ca
Result
Threat name:
Snake Keylogger
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1078865
Signature
.NET source code contains potential unpacker
.NET source code references suspicious native API functions
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
May check the online IP address of the machine
Multi AV Scanner detection for submitted file
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Snort IDS alert for network traffic
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Mail credentials (via file / registry access)
Yara detected AntiVM3
Yara detected Generic Downloader
Yara detected Snake Keylogger
Yara detected Telegram RAT
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/8087e9377059c473e66ce6293c2e2c9de5330723a30ffcea8950c33b0e0303f6/
Threat name:
Win32.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2022-09-26 06:41:15 UTC
File Type:
PE (.Net Exe)
Extracted files:
15
AV detection:
19 of 26 (73.08%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=qcd6sn3qlhchhztm4yutylrmtxstgbzdumh7z2ujkdbtwdqdap3a._file
Verdict:
malicious
Result
Malware family:
snakekeylogger
Create hunting rule
Score:
  10/10
Tags:
family:snakekeylogger collection evasion keylogger spyware stealer
Link:
https://tria.ge/reports/220926-hfr2aabaak/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Looks up external IP address via web service
Maps connected drives based on registry
Checks BIOS information in registry
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Looks for VMWare Tools registry key
Looks for VirtualBox Guest Additions in registry
Snake Keylogger
Snake Keylogger payload
Malware Config
C2 Extraction:
https://api.telegram.org/bot5633295549:AAH9lzzrf8Ep6i2K5UISY92DSUSu9k_w37Y/sendMessage?chat_id=5671926480
Verdict:
Suspicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/f9c9b35b-760e-442f-9ac4-dfef873562f8
Unpacked files
SH256 hash:
aad00db4310d0c0fb83402476deddf7e1841e5837bc6514d1e90c73b262c5568
MD5 hash:
3cea5de881d6e75a2339057080544c8e
SHA1 hash:
c9e51d5bfdc61ade3713667302eb880aa0a9f7c1
Detections:
snake_keylogger
Create hunting rule
Link:
https://www.unpac.me/results/0d2c634c-0363-4f10-a0b5-9e9d0e853a23/
Parent samples :
aad00db4310d0c0fb83402476deddf7e1841e5837bc6514d1e90c73b262c5568
5990066c8048c746f0c8e975b7b0da37e8bd06669be5c066bbbecf3ba490476c
97de5c0f24a604e966402888e535bfbbe5e989a287c9bd601e91ef10a8f411d2
0ef614e4585076fc4d0d36c55feae9e11feb7e51e5d006987621e592f3517131
3b8dcf7047a2d9440e4809359bec667476f816e5ca27e3fed3c072c8131b77be
d305aa9539f2074ac6b663b385cd9e3905dd3f9b1755cf8d9d3b724c3831a16e
8087e9377059c473e66ce6293c2e2c9de5330723a30ffcea8950c33b0e0303f6
f8fc4d82f7bc953465b7b81e86a52e14f02bac9df7aa1f921d046fc71861b050
SH256 hash:
b414fc738aa737f3284f1c07c448ebdba1aa183f13bc68ea1129ed753a58da81
MD5 hash:
654032c6a7f483fcfc7f478f65890c32
SHA1 hash:
99e0cef5cac2feb99e400041bb35138eef655e87
Link:
https://www.unpac.me/results/0d2c634c-0363-4f10-a0b5-9e9d0e853a23/
SH256 hash:
2470b39032f6182252039c88199016566b0de30c6aa02163a143427afedd12af
MD5 hash:
c3a1924684ca30ed22234ce1d9111dfc
SHA1 hash:
7347706241422758c06440fd6044ae4e042b456b
Link:
https://www.unpac.me/results/0d2c634c-0363-4f10-a0b5-9e9d0e853a23/
SH256 hash:
e20ec8f3c957bcb6a194ef688bae8af2015cfffb20e7baf8b2114d7b70ade4ee
MD5 hash:
35cb29046968faca7f3f3b4463449b6c
SHA1 hash:
088c8c30ec1bece0a4b5bbfe3982b073f8b95598
Link:
https://www.unpac.me/results/0d2c634c-0363-4f10-a0b5-9e9d0e853a23/
SH256 hash:
35d5a4257cbaeded7e22e3bd6dd97c257abe088eee16a7bb44923e355d355fc4
MD5 hash:
ab3f44e21f0996180020b691867c952f
SHA1 hash:
04cef9016a40e73c84fac3174891f31b8e4ce907
Link:
https://www.unpac.me/results/0d2c634c-0363-4f10-a0b5-9e9d0e853a23/
SH256 hash:
8087e9377059c473e66ce6293c2e2c9de5330723a30ffcea8950c33b0e0303f6
MD5 hash:
54f32e2168fb40c14ee1388cb860a714
SHA1 hash:
4f606765f59e9f63a7a5028a08819d8364194057
Link:
https://www.unpac.me/results/0d2c634c-0363-4f10-a0b5-9e9d0e853a23/
Malware family:
SnakeKeylogger
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/8087e9377059/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/8087e9377059c473e66ce6293c2e2c9de5330723a30ffcea8950c33b0e0303f6

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/313441/

Comments