MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 88d3a22719771245da0d502db579596a8e3f347d0a9af7decdd830a059c2d537. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


SnakeKeylogger


Vendor detections: 11


Intelligence 11 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 88d3a22719771245da0d502db579596a8e3f347d0a9af7decdd830a059c2d537
SHA3-384 hash: 923b6228169ecd1b49266d7793da347961376789d58e537657298d10a5946de35e94ed7fcc17d4030336772686faf144
SHA1 hash: 17ef63a1319edab30b7a1dd2290b77f9e4c87f95
MD5 hash: 5b6d6276f85b18566ef18aa7af673421
humanhash: uniform-golf-failed-yankee
File name:T0ZEepya8ZIhcdU.exe
Download: download sample
Signature SnakeKeylogger
Create hunting rule
File size:738'816 bytes
First seen:2023-08-20 10:02:00 UTC
Last seen:2023-08-20 10:46:29 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'658 x AgentTesla, 19'469 x Formbook, 12'208 x SnakeKeylogger)
ssdeep 12288:iL23/gPrkdXHocPl4ELHaqXhaU4yhgMeEp3UJQo3wjjxSXN/6dLzY1L5:ZwrkdXHjPmrqXsUcE4XAdQ1V
Threatray 349 similar samples on MalwareBazaar
TLSH T12BF4F14032AC2F73E8799BF1511254400BF76C5B64BEEA8C8EC375EB2276F029A56D17
TrID 63.0% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
11.2% (.SCR) Windows screen saver (13097/50/3)
9.0% (.EXE) Win64 Executable (generic) (10523/12/4)
5.6% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
3.8% (.EXE) Win32 Executable (generic) (4505/5/1)
Reporter abuse_ch
Tags:exe SnakeKeylogger

Intelligence

File Origin
# of uploads :
2
# of downloads :
276
Origin country :
NL NL
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
T0ZEepya8ZIhcdU.exe
Verdict:
Malicious activity
Analysis date:
2023-08-20 10:05:17 UTC
Tags:
evasion snake keylogger trojan
Link:
https://app.any.run/tasks/e7a744ef-c065-47c4-97ab-b9c015e5ae52

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/443742/
Detection(s):
Porcupine.Malware.58887.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Creating a window
Unauthorized injection to a recently created process
Restart of the analyzed sample
Creating a file
Moving of the original file
Gathering data
Verdict:
Malicious
Labled as:
Trojan.Generic
Link:
https://www.hybrid-analysis.com/sample/88d3a22719771245da0d502db579596a8e3f347d0a9af7decdd830a059c2d537
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/7d9b9300-6b4e-4823-9232-916ed0c73be8
Result
Threat name:
AgentTesla, Snake Keylogger
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1294006
Signature
.NET source code contains potential unpacker
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
May check the online IP address of the machine
Moves itself to temp directory
Multi AV Scanner detection for submitted file
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Yara detected AgentTesla
Yara detected AntiVM3
Yara detected Beds Obfuscator
Yara detected Generic Downloader
Yara detected Snake Keylogger
Yara detected Telegram RAT
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/88d3a22719771245da0d502db579596a8e3f347d0a9af7decdd830a059c2d537/
Threat name:
Win32.Trojan.Leonem
Create hunting rule
Status:
Malicious
First seen:
2023-08-19 16:00:48 UTC
File Type:
PE (.Net Exe)
Extracted files:
23
AV detection:
19 of 24 (79.17%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=rdj2ejyzo4jelwqnkaw3k6kznkhd6nd5bknppxwn3aykawoc2u3q._file
Verdict:
malicious
Similar samples:
46dec447edf772e1511ac2389736f3f4fbbd26f4873994c64e899292dc86d54b
SnakeKeylogger
4c15743287e80d5077f5bbd94c767bc734f1392abc330bb25d447b535efdae24
SnakeKeylogger
8772e4d4d85468aa0e38f08261a4c2ccce28e6d9b50a8b219f79f228f736c85a
SnakeKeylogger
ab642090d1dd077c53cecf69b23330c3ff5583d6ff47d6365cb9e5ed4c0e7d5d
SnakeKeylogger
b88f695c511fb7260c06b7e22c51dcea69ac6020cdfadaab785431d90047167e
SnakeKeylogger
ba285605d34d25a3eef3f74f74a7f07b849b0bdb7ea3e593dccca1a78cd6c97d
SnakeKeylogger
c21b9b8bfd4280be82abd38905186dfabcd0f23f3953b2da5e1fac304261f967
SnakeKeylogger
c55bc8db8e2e82ba94d54b7e372cd2063608519f29815af447bacba01f4c33fd
SnakeKeylogger
+ 339 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  7/10
Tags:
spyware stealer
Link:
https://tria.ge/reports/230820-l2sfqaed63/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: RenamesItself
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Looks up external IP address via web service
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Unpacked files
SH256 hash:
2ac2f55e15fd8da559f99925ceee9166ca978e94cbc53a5cb29bf02d0a76ac7f
MD5 hash:
1081db0b25581c7958e6fbff4d9aa64a
SHA1 hash:
bcb0e0fe844884a5b0d05cd3b0cc5fd7a5ff53b9
Link:
https://www.unpac.me/results/a15501ce-b2c8-4f9b-8e51-7450b42f7f96/
SH256 hash:
6e8a9531062cde8f7f9ec957c3cdb548764327ff548d843e54e5da635a7364a4
MD5 hash:
43ba9520d57236f7bd2e482a7662d9d1
SHA1 hash:
b9eb06c1c48c2e3619dce1eb5d276fe15c74b994
Link:
https://www.unpac.me/results/a15501ce-b2c8-4f9b-8e51-7450b42f7f96/
SH256 hash:
9c4081a46efd752549d04f78abfd8fd0d328d8f6ab8f3f1f88ae2f03facce561
MD5 hash:
119bc83a88c77a9ca105491a59d8fd19
SHA1 hash:
61db107ccf68a4f0fe499641163d552199eb7cb8
Link:
https://www.unpac.me/results/a15501ce-b2c8-4f9b-8e51-7450b42f7f96/
SH256 hash:
aa3670a577d4c6a9de6032190f2e147ca39d1a7b7cdaeba6b29205da945ba9f5
MD5 hash:
b2ba69c87d0423b3ea3e23e0784e8dbd
SHA1 hash:
0131a3bdd22a942b42310e1f9bfcba786d077959
Link:
https://www.unpac.me/results/a15501ce-b2c8-4f9b-8e51-7450b42f7f96/
SH256 hash:
88d3a22719771245da0d502db579596a8e3f347d0a9af7decdd830a059c2d537
MD5 hash:
5b6d6276f85b18566ef18aa7af673421
SHA1 hash:
17ef63a1319edab30b7a1dd2290b77f9e4c87f95
Link:
https://www.unpac.me/results/a15501ce-b2c8-4f9b-8e51-7450b42f7f96/
Malware family:
AgentTesla.v3
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/88d3a2271977/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
0.90
Link:
https://yomi.yoroi.company/submissions/88d3a22719771245da0d502db579596a8e3f347d0a9af7decdd830a059c2d537

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

SnakeKeylogger

Executable exe 88d3a22719771245da0d502db579596a8e3f347d0a9af7decdd830a059c2d537

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/443742/

Comments