MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 81394c80e5f78ba8d564790577cff6c5372f64282f8147457e5b13b5358c149b. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


SnakeKeylogger


Vendor detections: 14


Intelligence 14 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 81394c80e5f78ba8d564790577cff6c5372f64282f8147457e5b13b5358c149b
SHA3-384 hash: a40f8e7c25da5ea0ed2f27e23710cec3c308918ddd1d85a48e02dc080af75ea9e5687e2bd0ba8f7cf18dc618a5935864
SHA1 hash: 6618de4001a7a435436443ffe220ef03841d7fbd
MD5 hash: ba1c5b2bd69f2a679e3099e2d1f8ea5a
humanhash: finch-fish-wisconsin-quebec
File name:PO_287109139.exe
Download: download sample
Signature SnakeKeylogger
Create hunting rule
File size:1'212'928 bytes
First seen:2022-09-24 07:38:56 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'661 x AgentTesla, 19'474 x Formbook, 12'208 x SnakeKeylogger)
ssdeep 12288:EhLuyAHpomp2yP5IHnRgtcx0UuBeMrwd4PxrIwWbv7BE42JFrpA:EhLuyy2mp6nRzwrhIbjSJ
Threatray 4'985 similar samples on MalwareBazaar
TLSH T14E457E92B1948D9BE86B05F1AC6AD53012E7AD9C94A4C10D5ADABF1B71F3311209FF0F
TrID 72.5% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.4% (.EXE) Win64 Executable (generic) (10523/12/4)
6.5% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.4% (.EXE) Win32 Executable (generic) (4505/5/1)
2.0% (.EXE) OS/2 Executable (generic) (2029/13)
File icon (PE):PE icon
dhash icon eeacac8cb6e2ba86 (561 x SnakeKeylogger, 142 x AgentTesla, 40 x Formbook)
Reporter abuse_ch
Tags:exe SnakeKeylogger

Intelligence

File Origin
# of uploads :
1
# of downloads :
224
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/312790/
Detection(s):
SecuriteInfo.com.Win32.PWSX-gen.11560.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Сreating synchronization primitives
Searching for synchronization primitives
Creating a window
Sending a custom TCP request
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
packed
Link:
https://www.filescan.io/uploads/632eb4226963f27ddc2d27c5/reports/9ffa77d8-4bca-4e86-affa-9e90874bb916/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Snake Keylogger
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/61cc612e-0535-444f-b6d5-902b18ad703c
Result
Threat name:
Snake Keylogger
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1076329
Signature
.NET source code contains potential unpacker
.NET source code references suspicious native API functions
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Malicious sample detected (through community Yara rule)
May check the online IP address of the machine
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Mail credentials (via file / registry access)
Yara detected AntiVM3
Yara detected Generic Downloader
Yara detected Snake Keylogger
Yara detected Telegram RAT
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/81394c80e5f78ba8d564790577cff6c5372f64282f8147457e5b13b5358c149b/
Threat name:
ByteCode-MSIL.Trojan.Leonem
Create hunting rule
Status:
Malicious
First seen:
2022-09-23 07:46:23 UTC
File Type:
PE (.Net Exe)
Extracted files:
39
AV detection:
18 of 25 (72.00%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=qe4uzahf66f2rvlepecxpt7wyu3s6zbif6auorl6lmj3knmmcsnq._file
Verdict:
malicious
Similar samples:
075d1ac0887f0028c537e2b45c1d1686d26e18464792ca65b374a4ac82261d93
SnakeKeylogger
0a6d0d3564e7e3a9cd3c0f186f8f5ab59c70551af31ca1dbcbc5245062ac3cce
SnakeKeylogger
5c00ba81ba3c63b387be3c81b197a552de1ba46a1922c696d602e4fbf1700c01
SnakeKeylogger
6e3068d40a7f9cf1c1b32ce4c58931efe7363b9f2d9c96117c72e8c5fa90c723
SnakeKeylogger
bde44d28af8eea00ebb87e8a609fba8ed3e7371dfc1b5b842ef1a2aac4a0819c
SnakeKeylogger
e3555cc65ec783fa2aa5a0c5c565e2ac373487fbcffd83db2a014f40ac983d30
SnakeKeylogger
e7bce95f8d0c0afe68c7073eb88a60271388885c07bd9a5abfcace139eec9e9f
SnakeKeylogger
f92f663f8f3a0eb9aa71214253b157153bc4c9b386e4189c00017ec85e9d6913
SnakeKeylogger
+ 4'975 additional samples on MalwareBazaar
Result
Malware family:
snakekeylogger
Create hunting rule
Score:
  10/10
Tags:
family:snakekeylogger collection keylogger spyware stealer
Link:
https://tria.ge/reports/220924-jg1kgsaga6/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Looks up external IP address via web service
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Snake Keylogger
Snake Keylogger payload
Malware Config
C2 Extraction:
https://api.telegram.org/bot5688807535:AAG1DGE6pZTsXCmSWLJMEc1Gjb9GWweDx4E/sendMessage?chat_id=5567956038
Verdict:
Suspicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/f2a11a95-b054-4517-8616-697c9086e76d
Unpacked files
SH256 hash:
b03f2548bdec3e1bde2520b876bcaae9d6a5403a7e4268ec1f5541e07bffd7f2
MD5 hash:
35cd7746ed3fbc9993b75ae6e52825ed
SHA1 hash:
9c35ff9cea694ba882b947ba2f270d7232a68a3a
Link:
https://www.unpac.me/results/00c11353-66db-4831-8693-f10270b37644/
SH256 hash:
02b6112792925ada8dd7e8314aad6dc3b3c4acdf5c9be7203bdb03c0168c4abc
MD5 hash:
4c8db81dad97b54148394d56d88c4662
SHA1 hash:
9541c3fa387488268d06d42f433ca0c824ce0143
Detections:
snake_keylogger
Create hunting rule
Link:
https://www.unpac.me/results/00c11353-66db-4831-8693-f10270b37644/
Parent samples :
e73eb6dfdf2a41140a1e318786fc665ca34da069b76e9e4f6631be4fea3e4641
d410fd3f95b3fa5d5ce9b3b406393ef5d2e803eae2638fec0de719c0b506dbf7
81394c80e5f78ba8d564790577cff6c5372f64282f8147457e5b13b5358c149b
f4341e05ce7f94f3592771a25884f1cba965d256d2f839c81bc65791c26acf72
5a818191a4aa931ebdf594da986e37e8cbe0428b225a2c5f9bec9efcc46a83b3
47dd6760fbf13ed84621e2e974ee6decb76356716c4e6657b077b67e5b8b89cb
7768c1da766d45e917871231c3b6ad5d890cb5d363e805ea58b8a8c96d206d20
02b6112792925ada8dd7e8314aad6dc3b3c4acdf5c9be7203bdb03c0168c4abc
532237e55d32b01247c9c1f8713aef65b614353573c162a256902f83e02c9b84
SH256 hash:
161903f7d5633a0cdc5d416c229e1af16ad3f5a6d11dbe8d500aa9151a273f62
MD5 hash:
b460e7cd67e88a80f0b65f65d28b1c4c
SHA1 hash:
fef017687483cf2b5b9d5f8061b6f0645fdcf779
Link:
https://www.unpac.me/results/00c11353-66db-4831-8693-f10270b37644/
SH256 hash:
2470b39032f6182252039c88199016566b0de30c6aa02163a143427afedd12af
MD5 hash:
c3a1924684ca30ed22234ce1d9111dfc
SHA1 hash:
7347706241422758c06440fd6044ae4e042b456b
Link:
https://www.unpac.me/results/00c11353-66db-4831-8693-f10270b37644/
SH256 hash:
22b69d2c418875a9a3f6c3ce3488fe7c6bb99562e467c1fcb4c2f40ae0b196bd
MD5 hash:
c180eb981034606ca0d2f5051119fe3e
SHA1 hash:
30b8a28320261da59bb65826508658171af29003
Link:
https://www.unpac.me/results/00c11353-66db-4831-8693-f10270b37644/
SH256 hash:
81394c80e5f78ba8d564790577cff6c5372f64282f8147457e5b13b5358c149b
MD5 hash:
ba1c5b2bd69f2a679e3099e2d1f8ea5a
SHA1 hash:
6618de4001a7a435436443ffe220ef03841d7fbd
Link:
https://www.unpac.me/results/00c11353-66db-4831-8693-f10270b37644/
Malware family:
SnakeKeylogger
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/81394c80e5f7/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
0.85
Link:
https://yomi.yoroi.company/submissions/81394c80e5f78ba8d564790577cff6c5372f64282f8147457e5b13b5358c149b

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

SnakeKeylogger

Executable exe 81394c80e5f78ba8d564790577cff6c5372f64282f8147457e5b13b5358c149b

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/312790/

Comments