MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 815358cc2dd8e2114683ba8490693ece886195b524f71a0e5702629b8af0789c. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


SnakeKeylogger


Vendor detections: 10


Intelligence 10 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 815358cc2dd8e2114683ba8490693ece886195b524f71a0e5702629b8af0789c
SHA3-384 hash: ef37ceaa273a7929d9c146ffc3ca298ddeef6ad53c68a666978f66bd262195fec2dd1ca9700aca26618bcacf0409b869
SHA1 hash: 9d1c8ad6470814e2cc713123e81e51c992d6c7fe
MD5 hash: a752a585d1e7e9235bae55e1b1feb14e
humanhash: equal-west-autumn-delta
File name:Inquiries.exe
Download: download sample
Signature SnakeKeylogger
Create hunting rule
File size:804'352 bytes
First seen:2021-04-01 05:48:45 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'666 x AgentTesla, 19'479 x Formbook, 12'209 x SnakeKeylogger)
ssdeep 12288:BWF2ifl9nEJhRqqpxW6QaPgPOBVUPYNzDibBdgKYcEw0IJXklcejpowJzJMUSxAq:YHN9ENFvdCOBVUPknijgKDd
Threatray 1'187 similar samples on MalwareBazaar
TLSH BB05ADEC3640B9DEC91BCD7789982C60AA20B5F7530BC603A01755ADAD0DA9FCF951E3
Reporter GovCERT_CH
Tags:SnakeKeylogger

Intelligence

File Origin
# of uploads :
1
# of downloads :
102
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
Inquiries.exe
Verdict:
Malicious activity
Analysis date:
2021-04-01 05:55:39 UTC
Tags:
evasion trojan snakekeylogger keylogger
Link:
https://app.any.run/tasks/85c987d5-b06d-4466-91c7-fed28eb8ed52

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Snake
Create hunting rule
Link:
https://www.capesandbox.com/analysis/130444/
Detection(s):
SecuriteInfo.com.Trojan.PackedNET.601-1.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a UDP request
Creating a file in the %AppData% directory
Creating a file in the %temp% directory
Launching a process
Creating a process with a hidden window
Deleting a recently created file
Unauthorized injection to a recently created process
Creating a file
DNS request
Sending an HTTP GET request
Sending a custom TCP request
Reading critical registry keys
Enabling autorun by creating a file
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
Snake Keylogger
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/661620
Signature
.NET source code contains potential unpacker
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Found malware configuration
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
May check the online IP address of the machine
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Scheduled temp file as task from temp location
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file access)
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected AntiVM3
Yara detected Beds Obfuscator
Yara detected Snake Keylogger
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 379745 Sample: Inquiries.exe Startdate: 01/04/2021 Architecture: WINDOWS Score: 100 37 Found malware configuration 2->37 39 Multi AV Scanner detection for dropped file 2->39 41 Sigma detected: Scheduled temp file as task from temp location 2->41 43 8 other signatures 2->43 9 Inquiries.exe 6 2->9         started        process3 file4 25 C:\Users\user\AppData\...\JOEryTXRZJ.exe, PE32 9->25 dropped 27 C:\Users\user\AppData\Local\...\tmp14DC.tmp, XML 9->27 dropped 29 C:\Users\user\AppData\...\Inquiries.exe.log, ASCII 9->29 dropped 45 Detected unpacking (changes PE section rights) 9->45 47 Detected unpacking (overwrites its own PE header) 9->47 49 May check the online IP address of the machine 9->49 51 2 other signatures 9->51 13 Inquiries.exe 15 2 9->13         started        17 schtasks.exe 1 9->17         started        signatures5 process6 dnsIp7 31 checkip.dyndns.org 13->31 33 checkip.dyndns.com 131.186.113.70, 49689, 49691, 80 DYNDNSUS United States 13->33 35 freegeoip.app 172.67.188.154, 443, 49693 CLOUDFLARENETUS United States 13->35 53 Tries to steal Mail credentials (via file access) 13->53 55 Tries to harvest and steal browser information (history, passwords, etc) 13->55 19 conhost.exe 17->19         started        signatures8 process9 process10 21 MpCmdRun.exe 1 19->21         started        process11 23 conhost.exe 21->23         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/815358cc2dd8e2114683ba8490693ece886195b524f71a0e5702629b8af0789c/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2021-03-31 06:24:53 UTC
AV detection:
16 of 29 (55.17%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=qfjvrtbn3drbcrudxkcja2j6z2egdfnvet3rudsxajrjxcxqpcoa._file
Verdict:
suspicious
Similar samples:
040343ed3920a4420938a8969fbb3bcebfe337f43aa4ec27477a9aad1ce4c885
SnakeKeylogger
1e351911bf4f3405c644d9145ba2947cf78e9049578fe1e64b3466478ad3e1cf
SnakeKeylogger
408b676c05cde3623e9271d39c20ec19aaa9ad9882db0f08451442379409be99
SnakeKeylogger
5619c8395d506c05cebd14d6145c87a87e52b265a2442aa6dbea431f94c22eef
SnakeKeylogger
5b906f526f79a607ad3677bd9873c6a209a9952d93700629a4dd5b7b43ae347b
SnakeKeylogger
60bcecff15e6b80448abadefc1829525e4629472543ff159e0be6ee7d1cea7d6
SnakeKeylogger
636ed47033dc0066e0e169d4be9d01b56886b255cd5d351b481e35200f507b43
SnakeKeylogger
8a79757beaf2ff4bf07fd6410a16358874d8e6725810c8141d47ff2365321a2e
SnakeKeylogger
960bdf7b7b3bd263fcd5aa32f4b0ddb567349d46f6d5062a8000981675bffe6f
SnakeKeylogger
ae2820f20d20e5dc262e7e018e027646b4e5e4fcbc58cc6663dd077890b27e64
SnakeKeylogger
+ 1'177 additional samples on MalwareBazaar
Result
Malware family:
snakekeylogger
Create hunting rule
Score:
  10/10
Tags:
family:snakekeylogger keylogger spyware stealer
Link:
https://tria.ge/reports/210401-rlf5qtg4a6/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Looks up external IP address via web service
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Snake Keylogger
Snake Keylogger Payload
Unpacked files
SH256 hash:
c83247876245e82abd618d82f0908ae1ca4a703fa2c2983efea5c7f610a8e317
MD5 hash:
37de213c2995cb9840362dc151a69b5d
SHA1 hash:
f52af16f76b955c73c5597145f9ab1ec91bcbbc7
Link:
https://www.unpac.me/results/af268372-599e-4185-b24d-2527845219d4/
SH256 hash:
d765d16179a00a4675868e5ceaa35147b04bbf05ab7e14f5aba10b72e5399971
MD5 hash:
c3d1bc271eb736d5cc359c22c4d7a6a8
SHA1 hash:
8d58def99b784066932a8cb78466bce13591cd67
Link:
https://www.unpac.me/results/af268372-599e-4185-b24d-2527845219d4/
SH256 hash:
fdccaed76f7279e6b8cc1579dadeed03fa1b8d1adcdfbcac585a68da168366d5
MD5 hash:
8b603b23caf00139206f293eb741a9f0
SHA1 hash:
1cc90aec7ce07b13930fe0c088fe3cd155b3ea07
Link:
https://www.unpac.me/results/af268372-599e-4185-b24d-2527845219d4/
SH256 hash:
815358cc2dd8e2114683ba8490693ece886195b524f71a0e5702629b8af0789c
MD5 hash:
a752a585d1e7e9235bae55e1b1feb14e
SHA1 hash:
9d1c8ad6470814e2cc713123e81e51c992d6c7fe
Link:
https://www.unpac.me/results/af268372-599e-4185-b24d-2527845219d4/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
AgentTesla
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/815358cc2dd8e2114683ba8490693ece886195b524f71a0e5702629b8af0789c

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_EXE_Packed_ConfuserExMod_BedsProtector
Create hunting rule
Author:ditekSHen
Description:Detects executables packed with ConfuserEx Mod Beds Protector
Rule name:Keylog_bin_mem
Create hunting rule
Author:James_inthe_box
Description:Contains Keylog
Rule name:MALWARE_Win_SnakeKeylogger
Create hunting rule
Author:ditekSHen
Description:Detects Snake Keylogger

File information

The table below shows additional information about this malware sample such as delivery method and external references.

6288923a19f198b7357ec4a36a8f0c44b87d4d0a399e674ad6571942f3d7e996

SnakeKeylogger

Executable exe 815358cc2dd8e2114683ba8490693ece886195b524f71a0e5702629b8af0789c

(this sample)

  
Dropped by
MD5 a9412e6e1ec969236b96a54c74499f88
  
Dropped by
SHA256 6288923a19f198b7357ec4a36a8f0c44b87d4d0a399e674ad6571942f3d7e996
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/130444/

Comments