MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 889187ae2a7bd782f76666c7be58eb207d775867af59d16b82c7ce2325ec252b. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


SnakeKeylogger


Vendor detections: 14


Intelligence 14 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 889187ae2a7bd782f76666c7be58eb207d775867af59d16b82c7ce2325ec252b
SHA3-384 hash: 87614d6d33ffd9a8096a384da59dff2734b02146adf98078627f3f1ba475ce8b958e5b24a9b38d1f36d668b78e7fac11
SHA1 hash: 4489073955417fc54dfa972acec18e4e0e093e26
MD5 hash: 623af4ec67442d3421570a4a63b899e5
humanhash: don-butter-lima-kansas
File name:PO125105302023.exe
Download: download sample
Signature SnakeKeylogger
Create hunting rule
File size:731'136 bytes
First seen:2023-05-30 10:29:06 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'741 x AgentTesla, 19'606 x Formbook, 12'242 x SnakeKeylogger)
ssdeep 12288:OQzR6mR2B0xTGlxNqvNu2hZ+nUEsn9iXJlorQNpGMW0B4PyruuFDIkeazjQuGwzY:OQ96mLaVUH9990ro0NvWMZ1tIknIuGNF
TLSH T1BAF4E08933792E37E27E97F50401E2B603B9BA943962E3D60DC3A5CB9EC6FD14650583
TrID 71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.2% (.EXE) Win64 Executable (generic) (10523/12/4)
6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.3% (.EXE) Win32 Executable (generic) (4505/5/1)
2.0% (.ICL) Windows Icons Library (generic) (2059/9)
Reporter abuse_ch
Tags:exe SnakeKeylogger

Intelligence

File Origin
# of uploads :
1
# of downloads :
266
Origin country :
NL NL
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
PO125105302023.exe
Verdict:
Malicious activity
Analysis date:
2023-05-30 10:34:53 UTC
Tags:
snake keylogger trojan evasion
Link:
https://app.any.run/tasks/84dd4605-5709-4ee9-a9a1-86deef8c7e52

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/393520/
Detection(s):
SecuriteInfo.com.IL.Trojan.MSILMamut.10815.27701.26053.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Launching a process
Creating a process with a hidden window
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
formbook packed
Link:
https://www.filescan.io/uploads/6475d02b6dd70dc931d8677b/reports/b8a20ea3-ac06-4474-a986-f21e17b780e2/overview
Verdict:
Malicious
Labled as:
IL:Trojan.MSILMamut
Link:
https://www.hybrid-analysis.com/sample/889187ae2a7bd782f76666c7be58eb207d775867af59d16b82c7ce2325ec252b
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Snake Keylogger
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/ea95e1a5-0627-45dd-bac4-481a758e2d8a
Result
Threat name:
Snake Keylogger
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1245122
Signature
.NET source code contains potential unpacker
Adds a directory exclusion to Windows Defender
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Found malware configuration
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
May check the online IP address of the machine
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Scheduled temp file as task from temp location
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Mail credentials (via file / registry access)
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected Generic Downloader
Yara detected Snake Keylogger
Yara detected Telegram RAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 878133 Sample: PO125105302023.exe Startdate: 30/05/2023 Architecture: WINDOWS Score: 100 53 Found malware configuration 2->53 55 Malicious sample detected (through community Yara rule) 2->55 57 Antivirus / Scanner detection for submitted sample 2->57 59 7 other signatures 2->59 7 PO125105302023.exe 7 2->7         started        11 dKtsEmFPiEqUV.exe 5 2->11         started        process3 file4 37 C:\Users\user\AppData\...\dKtsEmFPiEqUV.exe, PE32 7->37 dropped 39 C:\...\dKtsEmFPiEqUV.exe:Zone.Identifier, ASCII 7->39 dropped 41 C:\Users\user\AppData\Local\...\tmp525C.tmp, XML 7->41 dropped 43 C:\Users\user\...\PO125105302023.exe.log, ASCII 7->43 dropped 61 May check the online IP address of the machine 7->61 63 Uses schtasks.exe or at.exe to add and modify task schedules 7->63 65 Adds a directory exclusion to Windows Defender 7->65 67 Injects a PE file into a foreign processes 7->67 13 PO125105302023.exe 15 2 7->13         started        17 powershell.exe 19 7->17         started        19 powershell.exe 21 7->19         started        27 2 other processes 7->27 69 Antivirus detection for dropped file 11->69 71 Multi AV Scanner detection for dropped file 11->71 73 Machine Learning detection for dropped file 11->73 21 dKtsEmFPiEqUV.exe 11->21         started        23 schtasks.exe 11->23         started        25 dKtsEmFPiEqUV.exe 11->25         started        signatures5 process6 dnsIp7 45 checkip.dyndns.org 13->45 47 checkip.dyndns.com 158.101.44.242, 49701, 49702, 80 ORACLE-BMC-31898US United States 13->47 29 conhost.exe 17->29         started        31 conhost.exe 19->31         started        49 checkip.dyndns.org 21->49 51 192.168.2.1 unknown unknown 21->51 75 Tries to steal Mail credentials (via file / registry access) 21->75 77 Tries to harvest and steal ftp login credentials 21->77 79 Tries to harvest and steal browser information (history, passwords, etc) 21->79 33 conhost.exe 23->33         started        35 conhost.exe 27->35         started        signatures8 process9
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/889187ae2a7bd782f76666c7be58eb207d775867af59d16b82c7ce2325ec252b/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2023-05-30 08:35:36 UTC
File Type:
PE (.Net Exe)
Extracted files:
12
AV detection:
23 of 37 (62.16%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=rciyplrkpplyf53gm3d34whleb6xowdhv5m5c24cy7hcgjpmeuvq._file
Result
Malware family:
snakekeylogger
Create hunting rule
Score:
  10/10
Tags:
family:snakekeylogger collection keylogger spyware stealer
Link:
https://tria.ge/reports/230530-mjtfqsha74/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Enumerates physical storage devices
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Looks up external IP address via web service
Checks computer location settings
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Snake Keylogger
Snake Keylogger payload
Malware Config
C2 Extraction:
https://api.telegram.org/bot5967839484:AAGJtiRve079uoreJ5X0WycNZ-zS90-jUJE/sendMessage?chat_id=5928418129
Unpacked files
SH256 hash:
82d06b80e627d8b570b83e76c746e8eb8187d53be2338e00572a2c0942915500
MD5 hash:
715bf0afc23e5427a5b5451659d64348
SHA1 hash:
69befb1dbf68bdf5f851668485e868c9666b3ec5
Detections:
snake_keylogger
Create hunting rule
Link:
https://www.unpac.me/results/56e42499-3dfe-4c9b-8f54-1ee2b2161bdd/
Parent samples :
82d06b80e627d8b570b83e76c746e8eb8187d53be2338e00572a2c0942915500
2b00e652ffa3e4930797d32ac541d7b14563de78aed4d47c6e3eb4126a3159b0
9b5ec4049e14aa89f83aa1e7268533d5560664710c1de74c4f866d07381880d1
c41cacb7516cec6aa59d1a5e274de00c0ad6f86a9a0a1be8e45c7641e1ac4f55
4d2295b264de302082940248ee43c9ba5f9b55b280e8fbed3cb3117f9cb1ea62
308a5ed2f79e93b600af3147ea292f64636d31b858a27436d175b933400ead85
889187ae2a7bd782f76666c7be58eb207d775867af59d16b82c7ce2325ec252b
SH256 hash:
49a0b7f2a1aac3bfea8e252b371fc848402860507d823432c9414c39b49a4c24
MD5 hash:
15f0368eaa78750137329a8b3d7d11d4
SHA1 hash:
4d4f9f1ffac42f511f7635372ccadd59a037b19b
Link:
https://www.unpac.me/results/56e42499-3dfe-4c9b-8f54-1ee2b2161bdd/
SH256 hash:
f4718a758b02a541ca7c26ae571bebd0e89fcf27c13202fa7096a5d2901d2d13
MD5 hash:
7ee250dfb45c13b75899c818135d292f
SHA1 hash:
bede6e3bba79b61cb5198a332dbae8c37e3bc531
Link:
https://www.unpac.me/results/56e42499-3dfe-4c9b-8f54-1ee2b2161bdd/
SH256 hash:
16c255190eaaf1b60ec7d07abcac5f614ea197cee2416ca9d01bb563c526c87d
MD5 hash:
fb4ed205b442f470bbf10913128efdcb
SHA1 hash:
9a0a4c5ae429769e3253a9a3daefa24270b87a5b
Link:
https://www.unpac.me/results/56e42499-3dfe-4c9b-8f54-1ee2b2161bdd/
Parent samples :
ee57b6fa1e5a3c5ef776b79f32820327bcb3fe1974eeddf65c0eb56131193397
de8c7c543f438af1e7e78096f6873268e9b1a12745edf9c88db07e136163399e
SH256 hash:
f65d6c87102a18d7897c08ba82697e0b4808a8307b584d25a42aea016a41e7f8
MD5 hash:
7299310139d8fd6d9f2c067d13b3824e
SHA1 hash:
3bbc1160b82f289b5e8683d790a2ec1263998930
Link:
https://www.unpac.me/results/56e42499-3dfe-4c9b-8f54-1ee2b2161bdd/
SH256 hash:
a9b7f9151545d83c51c504091835d6cf7f70f273d3b5442200cdc1a29ad31724
MD5 hash:
e4dea0dd7048a86f5111d1d1dc5cec25
SHA1 hash:
b35f27a911bfcd3b2b558ad37738ffd370146c7a
Link:
https://www.unpac.me/results/56e42499-3dfe-4c9b-8f54-1ee2b2161bdd/
SH256 hash:
889187ae2a7bd782f76666c7be58eb207d775867af59d16b82c7ce2325ec252b
MD5 hash:
623af4ec67442d3421570a4a63b899e5
SHA1 hash:
4489073955417fc54dfa972acec18e4e0e093e26
Link:
https://www.unpac.me/results/56e42499-3dfe-4c9b-8f54-1ee2b2161bdd/
Malware family:
SnakeKeylogger
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/889187ae2a7b/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/889187ae2a7bd782f76666c7be58eb207d775867af59d16b82c7ce2325ec252b

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

SnakeKeylogger

Executable exe 889187ae2a7bd782f76666c7be58eb207d775867af59d16b82c7ce2325ec252b

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/393520/

Comments