MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 85a871b7555ec09ff4cebb32b45514d1e7d66707b61a8fbe4f179ad48ffd0bfd. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

SnakeKeylogger

Vendor detections: 13

Intelligence 13 IOCs YARA 2 File information Comments

SHA256 hash:	85a871b7555ec09ff4cebb32b45514d1e7d66707b61a8fbe4f179ad48ffd0bfd
SHA3-384 hash:	19814c00518a690a19ea24bfdb69442357220a34f8bd19d665cf4cae5295ed2858ad7aee960c4ec3171561edfd9e1510
SHA1 hash:	87c7aa4240781cf80672f559e893d25dd50eaa37
MD5 hash:	2986dab6f137fbb711573bce5b14380e
humanhash:	salami-nebraska-social-montana
File name:	Balance Payment.exe
Download:	download sample
Signature	SnakeKeylogger Create hunting rule
File size:	930'304 bytes
First seen:	2022-12-01 17:59:38 UTC
Last seen:	2022-12-02 10:36:01 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep	12288:dj3T2yQqp9OOIYmTvzn4L0kS4EURAcxpySg3K+wTia38kfS/AzsEEY4:9QqpJINvb4qtUNpyITiwAAgEEY4
TLSH	T1FE154A64B2988955FF7AC7FD3AC5144A301A19F1ACB92CE84C4674C20E381C5EBF59EE
TrID	63.0% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13) 11.2% (.SCR) Windows screen saver (13097/50/3) 9.0% (.EXE) Win64 Executable (generic) (10523/12/4) 5.6% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 3.8% (.EXE) Win32 Executable (generic) (4505/5/1)
Reporter	lowmal3
Tags:	exe SnakeKeylogger

Intelligence

File Origin

# of uploads :

# of downloads :

126

Origin country :

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

Balance Payment.exe

Verdict:

Malicious activity

Analysis date:

2022-12-01 18:01:43 UTC

Tags:

evasion trojan

Link:

https://app.any.run/tasks/86912a0b-227e-4a24-9c3f-5f1479a6b343

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/341255/

Result

Verdict:

Malware

Maliciousness:

Behaviour

DNS request

Creating a window

Unauthorized injection to a recently created process

Creating a file

Verdict:

Suspicious

Threat level:

5/10

Confidence:

100%

Tags:

packed

Link:

https://www.filescan.io/uploads/6388eba46ab8d544984c5736/reports/4b24045a-c697-4f9c-8079-b05a85527319/overview

Result

Verdict:

UNKNOWN

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Snake Keylogger

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/4d2644a9-0a03-454f-92aa-ecbb0411cfd3

Result

Threat name:

Snake Keylogger

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1125644

Signature

.NET source code contains potential unpacker

.NET source code references suspicious native API functions

Initial sample is a PE file and has a suspicious name

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

May check the online IP address of the machine

Moves itself to temp directory

Snort IDS alert for network traffic

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to steal Mail credentials (via file / registry access)

Yara detected AntiVM3

Yara detected Generic Downloader

Yara detected Snake Keylogger

Yara detected Telegram RAT

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/85a871b7555ec09ff4cebb32b45514d1e7d66707b61a8fbe4f179ad48ffd0bfd/

Threat name:

Win32.Spyware.SnakeLogger

Status:

Malicious

First seen:

2022-12-01 16:46:06 UTC

File Type:

PE (.Net Exe)

Extracted files:

AV detection:

24 of 39 (61.54%)

Threat level:

2/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=qwuhdn2vl3aj75goxmzliviu2ht5mzyhwyni7pspc6nnjd75bp6q._file

Result

Malware family:

snakekeylogger

Score:

10/10

Tags:

family:snakekeylogger collection keylogger spyware stealer

Link:

https://tria.ge/reports/221201-wlbs5sdh37/

Behaviour

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

outlook_office_path

outlook_win_path

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: RenamesItself

Suspicious use of SetThreadContext

Accesses Microsoft Outlook profiles

Looks up external IP address via web service

Reads data files stored by FTP clients

Reads user/profile data of local email clients

Reads user/profile data of web browsers

Snake Keylogger

Snake Keylogger payload

Verdict:

Suspicious

Tags:

n/a

YARA:

n/a

Link:

https://app.threat.zone/submission/708f7175-3cb6-4ef1-be63-482607ef865d

Unpacked files

SH256 hash:

3624268b1bf67fd3f560f345e5171f3a2f8968a776c23816ea76fc0ef41b0f03

MD5 hash:

1619753b625e58c25b73fbf1f0bff482

SHA1 hash:

c0d7922bdbc10ef0ee1606a40c2dedd22cb180d4

Link:

https://www.unpac.me/results/06227b0a-f6a6-49f1-8665-eec2071ddcb0/

SH256 hash:

df1e9fc23f7006f11f609d79805d67194d92bd2c069cac6e257c72dac2b8c7f8

MD5 hash:

2ef1d933702072e93b1bf189b73b2096

SHA1 hash:

964077b1e95fb63df23311afae0339383b971f4c

Detections:

snake_keylogger

Link:

https://www.unpac.me/results/06227b0a-f6a6-49f1-8665-eec2071ddcb0/

Parent samples :

85a871b7555ec09ff4cebb32b45514d1e7d66707b61a8fbe4f179ad48ffd0bfd
13d9c71cc329aa1fa94184cdf410decd035edb7d5e003414b43f491730593ff3
de8a5bc036828e30ef5a846f020c868bd2b12527a59b80778dee13cb55c782e3
c02af082fec5a80ac247da9294400c04f338c6b45c75b8d70d9c7e07c35e30b2

SH256 hash:

ddb4b9708827cb344d5c08c6b07571d0d6a38fd4b594bcbdb73fa4e0104b274d

MD5 hash:

4709d80b2fe48a1401137beae6f231c7

SHA1 hash:

53856da064431f669e254da51bf4a3e7db634120

Link:

https://www.unpac.me/results/06227b0a-f6a6-49f1-8665-eec2071ddcb0/

SH256 hash:

a7f21554dd64a849b70bb42248287635f6293f99a2c3f120bede100873ff75f3

MD5 hash:

c9c721f9e7699908fe09c1a603253d15

SHA1 hash:

30b7b37652e470acd16e7dde3fa697e0c7aadb41

Link:

https://www.unpac.me/results/06227b0a-f6a6-49f1-8665-eec2071ddcb0/

SH256 hash:

571855c98dc76766a8c061dce942f72ddeebb9fd5bc3fbab0002a38c83a98b4a

MD5 hash:

360b1302943cfcdd3ca68d41dff1d3b9

SHA1 hash:

22c7314e8d2161fb8afec6e7c4e27c8ac0af7861

Link:

https://www.unpac.me/results/06227b0a-f6a6-49f1-8665-eec2071ddcb0/

SH256 hash:

85a871b7555ec09ff4cebb32b45514d1e7d66707b61a8fbe4f179ad48ffd0bfd

MD5 hash:

2986dab6f137fbb711573bce5b14380e

SHA1 hash:

87c7aa4240781cf80672f559e893d25dd50eaa37

Link:

https://www.unpac.me/results/06227b0a-f6a6-49f1-8665-eec2071ddcb0/

Malware family:

SnakeKeylogger

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/85a871b7555e/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

0.81

Link:

https://yomi.yoroi.company/submissions/85a871b7555ec09ff4cebb32b45514d1e7d66707b61a8fbe4f179ad48ffd0bfd

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	pe_imphash Create hunting rule

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

SnakeKeylogger

exe 85a871b7555ec09ff4cebb32b45514d1e7d66707b61a8fbe4f179ad48ffd0bfd

(this sample)

Delivery method

Distributed via e-mail attachment

Cape

https://www.capesandbox.com/analysis/341255/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample