MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 808af00d1b4ec59a042cfa6d2a46549fca9d2d588847287bab70321622e008cd. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

SnakeKeylogger

Vendor detections: 14

Intelligence 14 IOCs YARA 2 File information Comments

SHA256 hash:	808af00d1b4ec59a042cfa6d2a46549fca9d2d588847287bab70321622e008cd
SHA3-384 hash:	c5f7b41281d9ed9ec017d097363d5143bbd283ee627a133cb48ad30eae8c11c40fc136a6a6481938da740b7754f04dc4
SHA1 hash:	222d551b7a7d3adeaa68187e1ffa83da1508bf2d
MD5 hash:	99dbf7776a72a4837ea8b7ff80611217
humanhash:	yellow-blue-sad-wisconsin
File name:	rRequestforQuotation.exe
Download:	download sample
Signature	SnakeKeylogger Create hunting rule
File size:	956'928 bytes
First seen:	2023-03-01 15:09:57 UTC
Last seen:	2023-03-01 16:29:57 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep	24576:QuTjV7Dbp4S+5ywQTHmZLJfjWtVDJHaqT:QuTRbp4S+5CrilcNT
Threatray	66 similar samples on MalwareBazaar
TLSH	T116158CC677BCE122F8E7A1720A1511D93A39B5877212F53B9B33BB518601BFF7A89500
TrID	69.7% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13) 10.0% (.EXE) Win64 Executable (generic) (10523/12/4) 6.2% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 4.2% (.EXE) Win32 Executable (generic) (4505/5/1) 1.9% (.EXE) Win16/32 Executable Delphi generic (2072/23)
File icon (PE):
dhash icon	3044b271f0e8e0ba (14 x SnakeKeylogger, 13 x AgentTesla, 4 x Formbook)
Reporter	FXOLabs
Tags:	exe SnakeKeylogger

Intelligence

File Origin

# of uploads :

# of downloads :

216

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

rRequestforQuotation.exe

Verdict:

Malicious activity

Analysis date:

2023-03-01 15:11:13 UTC

Tags:

snake keylogger trojan evasion

Link:

https://app.any.run/tasks/0240f049-681e-41bd-9a0b-ea7c8aa1a8e5

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/370826/

Detection(s):

SecuriteInfo.com.Trojan.PackedNET.1862.25894.11176.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

Creating a file in the %AppData% directory

Enabling the 'hidden' option for recently created files

Adding an access-denied ACE

Сreating synchronization primitives

Creating a process from a recently created file

Creating a process with a hidden window

Creating a file in the %temp% directory

Launching a process

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

packed

Link:

https://www.filescan.io/uploads/63ff6accbfec0852a68e32c8/reports/f8ed9d4d-fd3f-4e0d-a8b8-73658169a533/overview

Verdict:

Malicious

Labled as:

Win/malicious_confidence_100%

Link:

https://www.hybrid-analysis.com/sample/808af00d1b4ec59a042cfa6d2a46549fca9d2d588847287bab70321622e008cd

Result

Verdict:

UNKNOWN

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Generic Malware

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/dbc7ddfd-edeb-4517-9b10-12cec4de68df

Result

Threat name:

Snake Keylogger

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1184982

Signature

Adds a directory exclusion to Windows Defender

Initial sample is a PE file and has a suspicious name

Machine Learning detection for dropped file

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

May check the online IP address of the machine

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Sigma detected: Scheduled temp file as task from temp location

Snort IDS alert for network traffic

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to steal Mail credentials (via file / registry access)

Uses schtasks.exe or at.exe to add and modify task schedules

Yara detected Generic Downloader

Yara detected Snake Keylogger

Yara detected Telegram RAT

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/808af00d1b4ec59a042cfa6d2a46549fca9d2d588847287bab70321622e008cd/

Threat name:

ByteCode-MSIL.Trojan.AgentTesla

Status:

Malicious

First seen:

2023-03-01 11:26:01 UTC

File Type:

PE (.Net Exe)

Extracted files:

AV detection:

18 of 25 (72.00%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=qcfpadi3j3czubbm7jwsursut7fj2lkyrbdsq65loazbmixabdgq._file

Verdict:

malicious

SnakeKeylogger

44e90dc0d1ece69f2d0c57a54984110927e97a3491ed20047963467f4edbdf1c

SnakeKeylogger

478dba764af2f0d8179f62518b9d675cec897722b4bc9dc75b5bf66cbca0b9a0

SnakeKeylogger

777e815415d8a5c55a3ddf78e28d4a50a5517f3938219c197c6e7c60a2f256a1

SnakeKeylogger

8ab1910d7f3de293954247ef8f06fc69669c9049735fef3e324935c925ec19ca

SnakeKeylogger

91855c7204cf7b1a4a56e87b16e5cde14eb8aba073690ca817f2b937130135d6

SnakeKeylogger

c551529018bda5ce4f1f7c2fbbebad88a1544151676521feb0bb5fcacc4a48be

SnakeKeylogger

cc4027113c42cc0e57bbf7da93a8f5f45a4c82e75704a80c13c080a9caa75d21

SnakeKeylogger

+ 56 additional samples on MalwareBazaar

Result

Malware family:

snakekeylogger

Score:

10/10

Tags:

family:snakekeylogger collection keylogger spyware stealer

Link:

https://tria.ge/reports/230301-sj14gagc6w/

Behaviour

Creates scheduled task(s)

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

outlook_office_path

outlook_win_path

Enumerates physical storage devices

Suspicious use of SetThreadContext

Accesses Microsoft Outlook profiles

Looks up external IP address via web service

Checks computer location settings

Reads data files stored by FTP clients

Reads user/profile data of local email clients

Reads user/profile data of web browsers

Snake Keylogger

Snake Keylogger payload

Malware Config

C2 Extraction:

https://api.telegram.org/bot5300146648:AAHnGWyIYhkCfGzD7b3SfmLZj94Y8lXxD90/sendMessage?chat_id=5116181161

Unpacked files

SH256 hash:

d253e991b0afb6b3e9cfaf8dce2e56c93e6ac838ce8f4a6c1c0b4752527009c6

MD5 hash:

915aa3d78cab8eb6920c2cf8ab39e6a1

SHA1 hash:

f4dc2ac541b600883e4648aafbc92f5e0b1811f0

Detections:

snake_keylogger

Link:

https://www.unpac.me/results/d087f910-31d4-49fe-841e-46ec6d3b255d/

Parent samples :

9432b4cd9f8a31640bf60b6cf8bece39ee0b0f110d2d43e429d9d203e1feaf41
8d31760b4b183db7fbb1cce9c5dab77e264c27484eb49193c6ebd0cc1deeaccf
808af00d1b4ec59a042cfa6d2a46549fca9d2d588847287bab70321622e008cd
05bec361a7f7ce8bb453225e15f0911068f103c51eee5e553f783955f65ed54c
54bae76ab64ae74ef5b97cef8aaffa2ec1254df6fea46d54c1387b6f5d5fb025
b43c354874e511906b2a3abef9db96af2a2d0aec46c8d04fe7357bcebdf03a4f
7e039e4d466d67e2e7fe4cf46aa141db13f2454161ebc86ec1dd02c33113d154
34ae82b3da999e17e5b62fae65be1827e3f6a54c599c68f1a02666772b70eb09
d4086b64b176925017dd2db176cb3754e172bcec944037e1f3ea53ce48c1303f
e6c7bf9f389f560ec25ba1808468c5d334cf75d2142face3704aac05af8c024b
c9234000f8f576a39a7d2a957826094c1c0e37b141ef26ee2e8e36a62e09805a
92f0a55426e5040dc80133f908906acddaa338792783507fb0bb62d5b786c3ce
0f629b4e11087c4e000457daa326269c1ed26198d5a5e8f963d10e0be9dd77a7
4df7854ec37d3d2d2f8b87ef3811ac4b4ea2f16c0d37329a91a4ebeca78337fb
d253e991b0afb6b3e9cfaf8dce2e56c93e6ac838ce8f4a6c1c0b4752527009c6

SH256 hash:

1ca385bd3f4ca0493e3efcd83451292b0add472eac326f2a16b1344c01ce9a55

MD5 hash:

941cefb61cfb63d2ba8b6331fc335213

SHA1 hash:

bf1fdb6224a5361d9231e6acd83454dae6a152b3

Link:

https://www.unpac.me/results/d087f910-31d4-49fe-841e-46ec6d3b255d/

SH256 hash:

5892caecb012082ce9ac325714180be42ba92fb0564241689b00b69d1afb666c

MD5 hash:

a92205aa493c98920a689e5b8404a926

SHA1 hash:

3968a98dad901b1eae5c3c39d54b4942776da219

Link:

https://www.unpac.me/results/d087f910-31d4-49fe-841e-46ec6d3b255d/

SH256 hash:

e386840537170219177c2bb3404f4c7bd9da1a2d53cdf2ae1e857c3b19628a29

MD5 hash:

d170ab8c03b9c37d5be449454db131d2

SHA1 hash:

2031b6754a65d21b47dd11a34fee86f048d6048d

Link:

https://www.unpac.me/results/d087f910-31d4-49fe-841e-46ec6d3b255d/

SH256 hash:

99471e2b4f66bbedada27c720008d6a305d5fa4b1efe631681139733f3f4864b

MD5 hash:

4cb2ead4cf25edd2d61a72ff4339d078

SHA1 hash:

1f27a133bac367c812cbb352e5eff19fb0ba3a5b

Link:

https://www.unpac.me/results/d087f910-31d4-49fe-841e-46ec6d3b255d/

SH256 hash:

808af00d1b4ec59a042cfa6d2a46549fca9d2d588847287bab70321622e008cd

MD5 hash:

99dbf7776a72a4837ea8b7ff80611217

SHA1 hash:

222d551b7a7d3adeaa68187e1ffa83da1508bf2d

Link:

https://www.unpac.me/results/d087f910-31d4-49fe-841e-46ec6d3b255d/

Malware family:

SnakeKeylogger

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/808af00d1b4e/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

0.90

Link:

https://yomi.yoroi.company/submissions/808af00d1b4ec59a042cfa6d2a46549fca9d2d588847287bab70321622e008cd

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	pe_imphash Create hunting rule

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

SnakeKeylogger

exe 808af00d1b4ec59a042cfa6d2a46549fca9d2d588847287bab70321622e008cd

(this sample)

Delivery method

Distributed via e-mail attachment

Cape

https://www.capesandbox.com/analysis/370826/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample