MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 851ad49739c7389f0088dbd7a660eea0dbec7249ae1e79da567825175ad7bcd5. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


SnakeKeylogger


Vendor detections: 12


Intelligence 12 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 851ad49739c7389f0088dbd7a660eea0dbec7249ae1e79da567825175ad7bcd5
SHA3-384 hash: 12be27b6ec7ab2528c503316043327dc026e18ab7e672f6e15199826b2ba9a97ef22a437be310d905665301610c8c2e0
SHA1 hash: f41d3fa538e0ec6ea505b257ef5c6e79a6f93151
MD5 hash: b64bd115fda9a32cedd2fc7ed9c57dc6
humanhash: maryland-aspen-carbon-wisconsin
File name:temp order.exe
Download: download sample
Signature SnakeKeylogger
Create hunting rule
File size:505'344 bytes
First seen:2022-06-29 16:02:46 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'744 x AgentTesla, 19'614 x Formbook, 12'242 x SnakeKeylogger)
ssdeep 12288:i9fu8rpr4nsLnSDRMMwJlFauu2iNt7s8erHciD+DUYhIkEd6:i9fuHuu13xer8iEhIkG6
Threatray 8'189 similar samples on MalwareBazaar
TLSH T1CCB46B9D362C71DFC857C5728E985CB4EA6224BF671B511391232ADE9E0CB87CF604B2
TrID 30.2% (.EXE) Win64 Executable (generic) (10523/12/4)
18.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
14.4% (.EXE) Win16 NE executable (generic) (5038/12/1)
12.9% (.EXE) Win32 Executable (generic) (4505/5/1)
5.9% (.EXE) Win16/32 Executable Delphi generic (2072/23)
Reporter abuse_ch
Tags:exe SnakeKeylogger

Intelligence

File Origin
# of uploads :
1
# of downloads :
220
Origin country :
n/a
Vendor Threat Intelligence
Detection:
Snake
Create hunting rule
Link:
https://www.capesandbox.com/analysis/284292/
Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Creating a window
Sending a custom TCP request
Сreating synchronization primitives
Creating a file in the %AppData% directory
Creating a file in the %temp% directory
Launching a process
Creating a process with a hidden window
Unauthorized injection to a recently created process
Creating a file
DNS request
Sending an HTTP GET request
Reading critical registry keys
Enabling autorun by creating a file
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
packed
Link:
https://www.filescan.io/uploads/62bc77f7a17f249ae3e64fc5/reports/b42e19f8-ba2d-419a-8b8e-8a87dde2b672/overview
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Snake Keylogger
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/e610c2bb-61fa-4ad8-89c3-06ec7730dbca
Result
Threat name:
Snake Keylogger
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1022126
Signature
.NET source code references suspicious native API functions
Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
May check the online IP address of the machine
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
PE file contains section with special chars
PE file has nameless sections
Snort IDS alert for network traffic
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Mail credentials (via file / registry access)
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected AntiVM3
Yara detected Generic Downloader
Yara detected Snake Keylogger
Yara detected Telegram RAT
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/851ad49739c7389f0088dbd7a660eea0dbec7249ae1e79da567825175ad7bcd5/
Threat name:
ByteCode-MSIL.Trojan.Taskun
Create hunting rule
Status:
Malicious
First seen:
2022-06-29 16:03:08 UTC
File Type:
PE (.Net Exe)
Extracted files:
10
AV detection:
19 of 26 (73.08%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=qunnjfzzy44j6aei3pl2myhoudn6y4sjvyphtwswpasrowwxxtkq._file
Verdict:
malicious
Similar samples:
1bbdd6534336280436213b88cf3075db3754a027cbf39351dd81f923ed0ed137
SnakeKeylogger
24f0dacae3f61ddb0d4261a78b6493724bd2a83633e7bb4c96659bee2775cfd8
SnakeKeylogger
2e0bcd0644f82dbd6f7bc920b54bf6b4a621ac938a18d35695776f44ae6bccd0
SnakeKeylogger
462cfabc375614908d94f806e3471327ba67f2660a89ebf7c7e76c3f0b102647
SnakeKeylogger
6069a9d373b71c1217c3415634dfadeed9cfa0baa4949d640fe515d92b5a8a27
SnakeKeylogger
61fd532d935797bfba83bba3ddce6087fe9568763b00fc2fba72bd33a3327994
SnakeKeylogger
cdde2ec6c5fce8c0833d4721eaec2b5bab4a2b9ab326fcb28ae26d8ea0355a03
SnakeKeylogger
dc0b683847ddf19ba1255c14d2c4b9f61453a021ec37f4ae0425958e5c910340
SnakeKeylogger
f23701b52c994665bb4f95c48306728400a78fa164a8adf2d66eaf5ffccce185
SnakeKeylogger
+ 8'179 additional samples on MalwareBazaar
Result
Malware family:
snakekeylogger
Create hunting rule
Score:
  10/10
Tags:
family:snakekeylogger collection keylogger spyware stealer
Link:
https://tria.ge/reports/220629-thb9dsahaq/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Enumerates physical storage devices
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Looks up external IP address via web service
Checks computer location settings
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Snake Keylogger
Snake Keylogger Payload
Malware Config
C2 Extraction:
https://api.telegram.org/bot5256606453:AAHfx8QrRODLdPbv8UwEufviQZo4c5kfjug/sendMessage?chat_id=1482312326
Unpacked files
SH256 hash:
f1c5c60507b7fae74964860f94b42bdd906ccb3e51081df519e9593a48b1d07a
MD5 hash:
6eb0d8b9cdc2e8ea0c0faf622d009c21
SHA1 hash:
e92f246c521adccf553052d2f635e90ad4d48ce2
Link:
https://www.unpac.me/results/81fba14a-cdca-4684-b3e7-f352b8f9d036/
SH256 hash:
79823e47436e129def4fba8ee225347a05b7bb27477fb1cc8be6dc9e9ce75696
MD5 hash:
39f524c1ab0eb76dfd79b2852e5e8c39
SHA1 hash:
428018e1701006744e34480b0029982a76d8a57d
Link:
https://www.unpac.me/results/81fba14a-cdca-4684-b3e7-f352b8f9d036/
SH256 hash:
fda5cd28b83f479ba5d571e0b3d76cf580aa07c23d7c8ffd2f880452bcbaeee0
MD5 hash:
336c556dfa7bb9a164b606f68b8833ef
SHA1 hash:
265c78fed280b356a4bc682864acace4fef7e1be
Link:
https://www.unpac.me/results/81fba14a-cdca-4684-b3e7-f352b8f9d036/
SH256 hash:
851ad49739c7389f0088dbd7a660eea0dbec7249ae1e79da567825175ad7bcd5
MD5 hash:
b64bd115fda9a32cedd2fc7ed9c57dc6
SHA1 hash:
f41d3fa538e0ec6ea505b257ef5c6e79a6f93151
Link:
https://www.unpac.me/results/81fba14a-cdca-4684-b3e7-f352b8f9d036/
Malware family:
SnakeKeylogger
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/851ad49739c7/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/851ad49739c7389f0088dbd7a660eea0dbec7249ae1e79da567825175ad7bcd5

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/284292/

Comments