MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 8158e1869f8d46e43475b20b428189503dee35d2a34da9467fd58c95fc7f6057. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

SnakeKeylogger

Vendor detections: 12

Intelligence 12 IOCs YARA 2 File information Comments

SHA256 hash:	8158e1869f8d46e43475b20b428189503dee35d2a34da9467fd58c95fc7f6057
SHA3-384 hash:	a2eb67798b988ff49b3a6b60053f64cb794b3ca4dac74464be0091ac1281f562301c93cd8c9996297fdd0350ceee7d56
SHA1 hash:	81be8deeb7a622b7ff1e2d3939db464fa7bd6da2
MD5 hash:	508c53c6f331bf19a8a26cfd93739370
humanhash:	autumn-twelve-double-april
File name:	BOQ-Rev-03.exe
Download:	download sample
Signature	SnakeKeylogger Create hunting rule
File size:	949'760 bytes
First seen:	2023-07-07 09:06:54 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep	12288:KbFEbGB7LnM2Nt53sKra0vvAyGpTrv9oSCgFgv0TDGsgTCZyW+/B+WROI4u63V+q:eFJXAzpV7CgCyDG3C3+53ROI4TH
Threatray	5'458 similar samples on MalwareBazaar
TLSH	T1A915853F14C9AE27D239E3A67420D55DF252B7C277A34B4AFBC216A1943236933E118D
TrID	63.0% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13) 11.2% (.SCR) Windows screen saver (13097/50/3) 9.0% (.EXE) Win64 Executable (generic) (10523/12/4) 5.6% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 3.8% (.EXE) Win32 Executable (generic) (4505/5/1)
Reporter	abuse_ch
Tags:	exe SnakeKeylogger

Intelligence

File Origin

# of uploads :

# of downloads :

287

Origin country :

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

BOQ-Rev-03.exe

Verdict:

Malicious activity

Analysis date:

2023-07-07 09:09:45 UTC

Tags:

snake evasion keylogger trojan

Link:

https://app.any.run/tasks/f4854f74-57b6-48ea-8be0-ea3a5d35bbf1

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/410418/

Detection(s):

SecuriteInfo.com.Trojan.GenericKD.68014305.32766.10193.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

Sending a custom TCP request

Launching a process

Creating a process with a hidden window

Restart of the analyzed sample

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

packed

Link:

https://www.filescan.io/uploads/64a7d5b8631db84968f22ae2/reports/2e709c8a-b247-40a1-9b02-3430d82d2be2/overview

Verdict:

Malicious

Labled as:

Trojan.Generic

Link:

https://www.hybrid-analysis.com/sample/8158e1869f8d46e43475b20b428189503dee35d2a34da9467fd58c95fc7f6057

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/0be288b6-dfc0-4b0c-952d-ef7d7850fc82

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/8158e1869f8d46e43475b20b428189503dee35d2a34da9467fd58c95fc7f6057/

Threat name:

ByteCode-MSIL.Worm.LovGate

Status:

Malicious

First seen:

2023-07-06 14:02:39 UTC

File Type:

PE (.Net Exe)

Extracted files:

AV detection:

19 of 24 (79.17%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=qfmodbu7rvdoindvwifufamjka664nosung2srt72wgjl7d7mblq._file

Verdict:

malicious

SnakeKeylogger

53081b8516852eee078265c82b2f9b70367d3d2a50d8886e24f2704a3b683929

SnakeKeylogger

62f8a25d4004ab00392eed751610158bdceaf54359f694564310226579a2cea9

SnakeKeylogger

a854d103628be8a5a7fba616001a113407ef81f817e61961099fa6138c0690d5

SnakeKeylogger

b4deb5c9d4417c4cc42bdb2c388f6c0552115e6df80b86e680a4aa08a3c0df15

SnakeKeylogger

bde75e5a73df3ef95e72fd79905f718427f70945166bbf8558f9e84b3605abaa

SnakeKeylogger

e74ecf1c2f87e3182e7a6414767b62eeea8a49e1d1b08894fbb50a8cd6243961

SnakeKeylogger

eb6ac5c1adc4a760d3632874fd1ce4299e761023a5afedeaffdcf27009d185b8

SnakeKeylogger

+ 5'448 additional samples on MalwareBazaar

Result

Malware family:

snakekeylogger

Score:

10/10

Tags:

family:snakekeylogger collection keylogger spyware stealer

Link:

https://tria.ge/reports/230707-k3bc6ahb61/

Behaviour

Creates scheduled task(s)

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

outlook_office_path

outlook_win_path

Enumerates physical storage devices

Suspicious use of SetThreadContext

Accesses Microsoft Outlook profiles

Looks up external IP address via web service

Checks computer location settings

Reads user/profile data of local email clients

Reads user/profile data of web browsers

Snake Keylogger

Snake Keylogger payload

Unpacked files

SH256 hash:

a7e471f7bc560488312d57e885bb4cfc423587a0d84abbb3073a820f7cd0e209

MD5 hash:

e7709a907be0cdb6ff7eb99daee97c6c

SHA1 hash:

bb3f6871c40f54070b53947bf6958d410ea8bac1

Link:

https://www.unpac.me/results/1701402c-c519-49d2-974f-48b139751e88/

SH256 hash:

805af617593c4765886e3168c25c18afe47dbfe80e650b86896bf5a4671c9b27

MD5 hash:

c364d0d632368db790d400f96e3461f5

SHA1 hash:

02350fdf058fe505c6d966c91aafddc36b96ee83

Link:

https://www.unpac.me/results/1701402c-c519-49d2-974f-48b139751e88/

SH256 hash:

d13c6f18c9166783d0df281b20f83c1eead33c8ad8ae3fa649f0484d46ad2e4f

MD5 hash:

2e79fb8c175018dbae8284e99a3bb56f

SHA1 hash:

00ff18727d6f2de95ccf9bfb5b3f336dfd64ee42

Detections:

snake_keylogger

Link:

https://www.unpac.me/results/1701402c-c519-49d2-974f-48b139751e88/

Parent samples :

e74ecf1c2f87e3182e7a6414767b62eeea8a49e1d1b08894fbb50a8cd6243961
bde75e5a73df3ef95e72fd79905f718427f70945166bbf8558f9e84b3605abaa
a854d103628be8a5a7fba616001a113407ef81f817e61961099fa6138c0690d5
4bd65c6278bf0a954b76e47052d212150a61be572f3f0dd2dac5345dfd875707
8158e1869f8d46e43475b20b428189503dee35d2a34da9467fd58c95fc7f6057
9c3a93c9fb73bcb55516b64442f10442919ce9e8d6e00a751e5a86f516bd9ecf
b9ef8dc07e74e61208650e6141a5f9a9f1d3c3fa0e925ca5b6c38aa1f4f900cd
08d13a3f8a8759c5124ced987c74889a2fdf42b491e78e30a4a546857c4eed0d
11ac39821487f87eac7ad91f2d6d94037cd25947d6485a0e974d89fadbf2f950
7753af1911ff73ecac07b26ff5ce15cf04ed197748bc2ac3984c5413faa19a97

SH256 hash:

a7e471f7bc560488312d57e885bb4cfc423587a0d84abbb3073a820f7cd0e209

MD5 hash:

e7709a907be0cdb6ff7eb99daee97c6c

SHA1 hash:

bb3f6871c40f54070b53947bf6958d410ea8bac1

Link:

https://www.unpac.me/results/1701402c-c519-49d2-974f-48b139751e88/

SH256 hash:

805af617593c4765886e3168c25c18afe47dbfe80e650b86896bf5a4671c9b27

MD5 hash:

c364d0d632368db790d400f96e3461f5

SHA1 hash:

02350fdf058fe505c6d966c91aafddc36b96ee83

Link:

https://www.unpac.me/results/1701402c-c519-49d2-974f-48b139751e88/

SH256 hash:

a7e471f7bc560488312d57e885bb4cfc423587a0d84abbb3073a820f7cd0e209

MD5 hash:

e7709a907be0cdb6ff7eb99daee97c6c

SHA1 hash:

bb3f6871c40f54070b53947bf6958d410ea8bac1

Link:

https://www.unpac.me/results/1701402c-c519-49d2-974f-48b139751e88/

SH256 hash:

d13c6f18c9166783d0df281b20f83c1eead33c8ad8ae3fa649f0484d46ad2e4f

MD5 hash:

2e79fb8c175018dbae8284e99a3bb56f

SHA1 hash:

00ff18727d6f2de95ccf9bfb5b3f336dfd64ee42

Detections:

snake_keylogger

Link:

https://www.unpac.me/results/1701402c-c519-49d2-974f-48b139751e88/

Parent samples :

SH256 hash:

805af617593c4765886e3168c25c18afe47dbfe80e650b86896bf5a4671c9b27

MD5 hash:

c364d0d632368db790d400f96e3461f5

SHA1 hash:

02350fdf058fe505c6d966c91aafddc36b96ee83

Link:

https://www.unpac.me/results/1701402c-c519-49d2-974f-48b139751e88/

SH256 hash:

d13c6f18c9166783d0df281b20f83c1eead33c8ad8ae3fa649f0484d46ad2e4f

MD5 hash:

2e79fb8c175018dbae8284e99a3bb56f

SHA1 hash:

00ff18727d6f2de95ccf9bfb5b3f336dfd64ee42

Detections:

snake_keylogger

Link:

https://www.unpac.me/results/1701402c-c519-49d2-974f-48b139751e88/

Parent samples :

SH256 hash:

8158e1869f8d46e43475b20b428189503dee35d2a34da9467fd58c95fc7f6057

MD5 hash:

508c53c6f331bf19a8a26cfd93739370

SHA1 hash:

81be8deeb7a622b7ff1e2d3939db464fa7bd6da2

Link:

https://www.unpac.me/results/1701402c-c519-49d2-974f-48b139751e88/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

0.96

Link:

https://yomi.yoroi.company/submissions/8158e1869f8d46e43475b20b428189503dee35d2a34da9467fd58c95fc7f6057

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	pe_imphash Create hunting rule

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/410418/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample