MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 8556b28eb846e9ee99a00d6be977a7c76ff496a390e9a6f22150a6e1fb7c0d84. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


SnakeKeylogger


Vendor detections: 14


Intelligence 14 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 8556b28eb846e9ee99a00d6be977a7c76ff496a390e9a6f22150a6e1fb7c0d84
SHA3-384 hash: 152c1d766abe9e80d025776275eae2b18025db804022beef2681d300dc45966e617b3915bb6472919fac623da5636781
SHA1 hash: 15f83f779dd459b19b184d9142eae9dc884b5ff6
MD5 hash: c28e151b8cf8469e5e267f33bfd8513f
humanhash: black-october-march-east
File name:c28e151b8cf8469e5e267f33bfd8513f.exe
Download: download sample
Signature SnakeKeylogger
Create hunting rule
File size:561'664 bytes
First seen:2023-05-22 08:31:52 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'738 x AgentTesla, 19'597 x Formbook, 12'241 x SnakeKeylogger)
ssdeep 12288:tuysSnIIz+9Z0tk8Tl8CdLFMSI7e5Ai6a5xyPVtmuN:5lz+XQkO8ChFdI7Nfa5xutjN
Threatray 1'568 similar samples on MalwareBazaar
TLSH T179C4E16A62F91F63D37947F655B822420B7462A3AC37C53C4DCE34C9E647F500AA8AD3
TrID 71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.2% (.EXE) Win64 Executable (generic) (10523/12/4)
6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.3% (.EXE) Win32 Executable (generic) (4505/5/1)
2.0% (.ICL) Windows Icons Library (generic) (2059/9)
Reporter abuse_ch
Tags:exe SnakeKeylogger

Intelligence

File Origin
# of uploads :
1
# of downloads :
244
Origin country :
NL NL
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
c28e151b8cf8469e5e267f33bfd8513f.exe
Verdict:
Malicious activity
Analysis date:
2023-05-22 08:34:18 UTC
Tags:
snake keylogger trojan evasion
Link:
https://app.any.run/tasks/02a02ffc-1710-4fb9-8346-a4d118c24315

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection(s):
SecuriteInfo.com.Trojan.GenericKD.67059949.27011.31985.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Launching a process
Creating a process with a hidden window
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
floxif formbook packed threat virus
Link:
https://www.filescan.io/uploads/646b288df2d14615c850f40e/reports/74a8764d-7f43-437b-b626-f01b40d4495f/overview
Verdict:
Malicious
Labled as:
Trojan.Generic
Link:
https://www.hybrid-analysis.com/sample/8556b28eb846e9ee99a00d6be977a7c76ff496a390e9a6f22150a6e1fb7c0d84
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/662753b4-11c5-4c25-85da-83b1cba40afd
Result
Threat name:
Snake Keylogger
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1240203
Signature
.NET source code contains potential unpacker
Adds a directory exclusion to Windows Defender
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Found malware configuration
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
May check the online IP address of the machine
Multi AV Scanner detection for submitted file
Sigma detected: Scheduled temp file as task from temp location
Snort IDS alert for network traffic
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Mail credentials (via file / registry access)
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected Generic Downloader
Yara detected Snake Keylogger
Yara detected Telegram RAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 873206 Sample: w7XKz9tt6Y.exe Startdate: 23/05/2023 Architecture: WINDOWS Score: 100 58 Snort IDS alert for network traffic 2->58 60 Found malware configuration 2->60 62 Malicious sample detected (through community Yara rule) 2->62 64 8 other signatures 2->64 7 w7XKz9tt6Y.exe 7 2->7         started        12 iPiIwINKZNwhlU.exe 5 2->12         started        process3 dnsIp4 48 192.168.2.1 unknown unknown 7->48 40 C:\Users\user\AppData\...\iPiIwINKZNwhlU.exe, PE32 7->40 dropped 42 C:\...\iPiIwINKZNwhlU.exe:Zone.Identifier, ASCII 7->42 dropped 44 C:\Users\user\AppData\Local\...\tmp10CE.tmp, XML 7->44 dropped 46 C:\Users\user\AppData\...\w7XKz9tt6Y.exe.log, ASCII 7->46 dropped 66 May check the online IP address of the machine 7->66 68 Uses schtasks.exe or at.exe to add and modify task schedules 7->68 70 Adds a directory exclusion to Windows Defender 7->70 14 w7XKz9tt6Y.exe 15 2 7->14         started        18 powershell.exe 22 7->18         started        20 powershell.exe 21 7->20         started        22 schtasks.exe 1 7->22         started        72 Antivirus detection for dropped file 12->72 74 Machine Learning detection for dropped file 12->74 24 iPiIwINKZNwhlU.exe 12->24         started        26 schtasks.exe 12->26         started        28 iPiIwINKZNwhlU.exe 12->28         started        30 2 other processes 12->30 file5 signatures6 process7 dnsIp8 50 checkip.dyndns.com 158.101.44.242, 49695, 80 ORACLE-BMC-31898US United States 14->50 52 checkip.dyndns.org 14->52 32 conhost.exe 18->32         started        34 conhost.exe 20->34         started        36 conhost.exe 22->36         started        54 132.226.247.73, 49696, 80 UTMEMUS United States 24->54 56 checkip.dyndns.org 24->56 76 Tries to steal Mail credentials (via file / registry access) 24->76 78 Tries to harvest and steal ftp login credentials 24->78 80 Tries to harvest and steal browser information (history, passwords, etc) 24->80 38 conhost.exe 26->38         started        signatures9 process10
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/8556b28eb846e9ee99a00d6be977a7c76ff496a390e9a6f22150a6e1fb7c0d84/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2023-05-15 11:30:51 UTC
File Type:
PE (.Net Exe)
Extracted files:
9
AV detection:
29 of 37 (78.38%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=qvllfdvyi3u65gnabvv6s55hy5x7jfvdsdu2n4rbkctod634bwca._file
Verdict:
malicious
Similar samples:
132357a4b7dbf315242f39ee40ad9645a4414f16470720a675abfc39cb8e5b55
SnakeKeylogger
27981353e3464d563e3395e623e4a3207f4f9bb968a4e207bc8e6cac2971af98
SnakeKeylogger
4759019b080ba0e6212bf1db94be7c1efebcb517a7cd7060186f50731c662769
SnakeKeylogger
519c5f8d463735bc7b6c925eba0b4e92bc49501cd7ae194e5756a988dc2c8202
SnakeKeylogger
726a9e0d8640423c3401fbfacc3e816afd915b964b1d41fb07893c5234f73a3e
SnakeKeylogger
aa64eab74660609d37759f40828c4d4e486c47fb8d9613c60f39d11465aa05a8
SnakeKeylogger
afbbf7833447e0a14735a0b97382990345799ddd5960af8bf20cf761e4469cfd
SnakeKeylogger
bf40c85e9eaa01a1d3eebb607f4cfb07537a82a63aeefd35cfcc875a265e2386
SnakeKeylogger
d9672edbb45fefa3ca9a12a91c8d27727f3e5262c76cac9efbf67925d6d6fb78
SnakeKeylogger
e9ca300e5f48557e95213ca62c5db6b3484644a1c32f10eb5ff2c49be53c5919
SnakeKeylogger
+ 1'558 additional samples on MalwareBazaar
Result
Malware family:
snakekeylogger
Create hunting rule
Score:
  10/10
Tags:
family:snakekeylogger collection keylogger spyware stealer
Link:
https://tria.ge/reports/230522-kfahcahg8t/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Enumerates physical storage devices
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Looks up external IP address via web service
Checks computer location settings
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Snake Keylogger
Snake Keylogger payload
Malware Config
C2 Extraction:
https://api.telegram.org/bot5122580304:AAHkCWB9EFavZMQfS6pgdGmtEGk1zc21s0Q/sendMessage?chat_id=5138702702
Unpacked files
SH256 hash:
16c255190eaaf1b60ec7d07abcac5f614ea197cee2416ca9d01bb563c526c87d
MD5 hash:
fb4ed205b442f470bbf10913128efdcb
SHA1 hash:
9a0a4c5ae429769e3253a9a3daefa24270b87a5b
Link:
https://www.unpac.me/results/5f5d0bdb-64bf-4fff-8d18-5041859991f6/
Parent samples :
ee57b6fa1e5a3c5ef776b79f32820327bcb3fe1974eeddf65c0eb56131193397
de8c7c543f438af1e7e78096f6873268e9b1a12745edf9c88db07e136163399e
SH256 hash:
98f304cf71f3d2ff08a28c8fd256fe6bb6c5ef426793d4f13d3b2ca591d53df0
MD5 hash:
d3d3d1e14ae909c1621eb9ef1e7b5312
SHA1 hash:
84af3b6fbd09d4f28038e683583067e1e8250e93
Link:
https://www.unpac.me/results/5f5d0bdb-64bf-4fff-8d18-5041859991f6/
SH256 hash:
1a07717d1acff577840c72a9e81de993e0058a8d454f4816f67273c7cd26d11b
MD5 hash:
eeb8723244bf4323cf7199fb3fcb9f9e
SHA1 hash:
475665131d7c513a6f62b5986a2ab318e8761a1d
Detections:
snake_keylogger
Create hunting rule
Link:
https://www.unpac.me/results/5f5d0bdb-64bf-4fff-8d18-5041859991f6/
Parent samples :
b4d384c4beb28700a5ca488567c34bcec8331baf771f16549383bb06e057d4a3
b1d5ae49da3d9ff696452c791d1a45e3a6ef7715762b338707c4e8deeccde26e
70a8964eccab1bdf1d93086e8ef308aa0f9504c34c2a0321ba6eb1babc89b55f
77eba5c8f9099d4c9f2cbd300fb6d24e43c05e951860a88f17c4ffc97736453b
581c551c6629325cd764cdb54c101d3cca9150e1d22d16149d721b8e4da20e44
e6609ae5fb8180b336d2349a97518ff15ac1b7a60a022d5befd0a366040d2de4
b8a1bfdd85f3adf519fd1ba1ffbb60a4215bd3d930dfddac1caef7066fd33cef
bde58e12d41cd833eb907de3955528c3ba4ea45f7e825b6ca038f74eaf594d26
3b9b37912769526d5ca753f309018434f6d56410b88695472cdf6e948b9645f6
fbadbfd07054097238ecc6ed27a1e69e4907cbf038b4cc2ef52bd2f07085d0a9
92d153f7f41fa901887ec1494773140e4ef9b41378f2ec05deeb0ad8ec3f5d16
14105392349904938a9d2e42e5eaf8a401d2b832c89f14fb79440a7126525d57
c7d2461a20a6687bef74bfc784219676af232262762a102ae4f11765d2324210
535d74b24a5ffb30a283e855cbfdfb3509e9c94c4f97baa2f62197b221cce54f
1828a6afda383a1f6f48f9bab91e7f0d648fcef99f959b406618847c168e5325
efe80cf748bd25110797151a16a29b956213cc00a85716dae6e6008d648725dc
125ab5d56c8bc8e55483764a4fb9ad34ea9a74543e7b3a245c308703e5ee1d40
8556b28eb846e9ee99a00d6be977a7c76ff496a390e9a6f22150a6e1fb7c0d84
SH256 hash:
6722a58c81f6d11004e880bd8481acc423bf96afd46bf692f1562cfa4c5852bd
MD5 hash:
d92d2ba953be4be2d6f2bc859ec5c607
SHA1 hash:
05da51752277bd907ebcfb799524ec7655abbc3a
Link:
https://www.unpac.me/results/5f5d0bdb-64bf-4fff-8d18-5041859991f6/
SH256 hash:
3b66ce2ed1d261568de36df8f50d5feba792daaf757f3d8cfc06c68d55265d11
MD5 hash:
0d01fc2928327a51d05ed148076fbb71
SHA1 hash:
018b8d3e08c5eca6c5fa5f2c49cdb4f91b23d28a
Link:
https://www.unpac.me/results/5f5d0bdb-64bf-4fff-8d18-5041859991f6/
SH256 hash:
8556b28eb846e9ee99a00d6be977a7c76ff496a390e9a6f22150a6e1fb7c0d84
MD5 hash:
c28e151b8cf8469e5e267f33bfd8513f
SHA1 hash:
15f83f779dd459b19b184d9142eae9dc884b5ff6
Link:
https://www.unpac.me/results/5f5d0bdb-64bf-4fff-8d18-5041859991f6/
Malware family:
SnakeKeylogger
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/8556b28eb846/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/8556b28eb846e9ee99a00d6be977a7c76ff496a390e9a6f22150a6e1fb7c0d84

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Comments