MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 8afbcd46ec9038c7e7479677a5b440764e3e61a9c99fa8b22c816727a21b17a6. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

SnakeKeylogger

Vendor detections: 12

SHA256 hash: 8afbcd46ec9038c7e7479677a5b440764e3e61a9c99fa8b22c816727a21b17a6
SHA3-384 hash: 15b2593321e1780ea893ad1b9f54be559863af31a12cff1f4b4fee9cd9435e3fee52fc72a7819542a71119da6f07a8fc
SHA1 hash: 291eb7096c872656cfd9cb3996c8a3ab8e925edd
MD5 hash: 326641cc5065fa7f4c1a0f8b3bf2eb0d
humanhash: lima-iowa-white-uncle
File name: DEBIT NOTE.exe
Signature: SnakeKeylogger
File size: 1'269'248 bytes
First seen: 2022-12-20 09:30:44 UTC
Last seen: 2022-12-22 00:17:45 UTC
File type: Executable exe
MIME type: application/x-dosexec
imphash: f34d5f2d4577ed6d9ceec516c1f5a744 (48'740 x AgentTesla, 19'603 x Formbook, 12'241 x SnakeKeylogger)
ssdeep: 24576:NAbxC5iAF1SiIkRzrJj2waZesJ3TMbZ9i7nm0lKCSZZ:NAxCtIBkRzt2DZX3ToinlK
Threatray: 7'037 similar samples on MalwareBazaar
TLSH: T1DD457C90F7F3BA21F195337B91812B6457E06C05C59AC53A25ACF2AB183BF529DD1F02
TrID: 67.7% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
      9.7% (.EXE) Win64 Executable (generic) (10523/12/4)
      6.0% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
      4.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
      4.1% (.EXE) Win32 Executable (generic) (4505/5/1)
dhash icon: 66e6f892d6b096f0 (3 x AgentTesla, 3 x SnakeKeylogger)
Reporter: abuse_ch
Tags: exe SnakeKeylogger

Intelligence


File Origin
# of uploads: 2
# of downloads: 165
Origin country: n/a

Vendor Threat Intelligence
Malware family: n/a
ID: 1
File name: DEBIT NOTE.exe
Verdict: Malicious activity
Analysis date: 2022-12-20 09:32:26 UTC
Tags: evasion trojan snake

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Creating a window
Sending a custom TCP request
Creating synchronization primitives
Creating a file
Gathering data
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
Snake Keylogger
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Signature
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code references suspicious native API functions
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
May check the online IP address of the machine
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Scheduled temp file as task from temp location
Snort IDS alert for network traffic
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Mail credentials (via file / registry access)
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Yara detected AntiVM3
Yara detected Generic Downloader
Yara detected Snake Keylogger
Yara detected Telegram RAT
Behaviour
Behavior Graph:
Behavior Graph ID: 770519
Sample: DEBIT NOTE.exe
Startdate: 20/12/2022
Architecture: WINDOWS
Score: 100

Top-level signatures:
  Snort IDS alert for network traffic
  Malicious sample detected (through community Yara rule)
  Sigma detected: Scheduled temp file as task from temp location
  10 other signatures

Process tree:
  DEBIT NOTE.exe (started)
    Dropped: C:\Users\user\AppData\...\dqnaWqqzDKDd.exe (PE32)
    Dropped: C:\Users\user\AppData\Local\...\tmp8693.tmp (XML)
    Dropped: C:\Users\user\AppData\...\DEBIT NOTE.exe.log (ASCII)
    Signature: Injects a PE file into a foreign processes
    MSBuild.exe (started)
      Network: checkip.dyndns.com 193.122.130.0, ports 49697, 49698, 80, ORACLE-BMC-31898US, United States
      DNS: checkip.dyndns.org
      Network: 192.168.2.1 unknown unknown
    MSBuild.exe (started)
      Signature: May check the online IP address of the machine
    schtasks.exe (started)
      conhost.exe (started)
    2 other processes
  dqnaWqqzDKDd.exe (started)
    Signature: Multi AV Scanner detection for dropped file
    Signature: Machine Learning detection for dropped file
    Signature: Writes to foreign memory regions
    MSBuild.exe (started)
      DNS: checkip.dyndns.org
      Signature: Tries to steal Mail credentials (via file / registry access)
      Signature: Tries to harvest and steal ftp login credentials
      Signature: Tries to harvest and steal browser information (history, passwords, etc)
    schtasks.exe (started)
      conhost.exe (started)
    MSBuild.exe (started)
Threat name: ByteCode-MSIL.Trojan.Scarsi
Status: Malicious
First seen: 2022-12-20 05:09:22 UTC
File Type: PE (.Net Exe)
Extracted files: 43
AV detection: 21 of 26 (80.77%)
Threat level: 5/5
Result
Malware family: snakekeylogger
Score: 10/10
Tags: family:snakekeylogger collection keylogger stealer
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Creates scheduled task(s)
Enumerates physical storage devices
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Looks up external IP address via web service
Checks computer location settings
Snake Keylogger
Snake Keylogger payload
Malware Config
C2 Extraction:
https://api.telegram.org/bot5484820495:AAGEjy8dT72vJZImmHLmeh3onMuG9LLRD5A/sendMessage?chat_id=5101327412
Gathering data
Unpacked files
SHA256 hash: e43d8d7fc9592084354784b05443a1d32ef2ecf822c7317886fdfe09bec33260
MD5 hash: a1c59d57bb339db4f37c6bd74572eb1a
SHA1 hash: b6f583f546b7df26c0929a8b4c4806314d5639ab
Detections: snake_keylogger
Parent samples :
38950a141d412584636b4e97742db5aebe480e9edc467ef5b532e0216879f44a
7241d8e398ed2bc2973ad2f9a905d5bfdce3b02fcaa3b60c0a4ef1fd194f51ef
f913943b5082aed8ba09b537e3d9328a9f6894dc3ab93a1defb3f43a69078eb3
7776ae6f6274f264a686785c2970782847826bdd9c6a3cbcabab0573f449c174
962b66d01dbbe1dd3cd85dcbe030c318d2f685fe5a965133279f5afb3b6adb94
b4fde3291600549dc094b96ea4afd8520afd1cc16bf7196faf2e11c6281b9b8a
514962de0cfcafea5c6a6ff3c7162c8a9ac2a7362f44812c9f74cf92092c0af3
b44211d828b159e40ceac13bcc9f4090aabb146c02d06a0836cba88bc465c88e
2eaf90482aaf8c1c7ee6ac3533c0c8831e8848d280e0e243829bf24c1393dd63
0ce4d6e8ba3ba2d916a91b04d863bc33727ab419f3f8013b3cb610bd49a5b104
6555c5be3926aa465cffc7d5ac89f0bc94ed54155525281141ddc3ec9c6bf33f
6deb2bb7b87e2cb22966a1cd3c54a04948a36474c017c1a6cc622df6b928211c
95f955291eebbed5c72e6956296cba4ac8e169ecab4881a93c9938834a56549a
f2fbf3aacd32bdcd8dc22abc45d879eb863dff437484913e1242bb6f277f1b53
790027b5d9e45f536c779d6527483930da9e3b5891f5a5767363d496a1d528cb
64c749751bffaa96432c647beb4f8ed81a7c811bc6dc0a6763f44455a7c4d5f3
9f5da29a4b91ad8996aa600ac824a5667400dde0076bdff5c5b27652f0df000b
eec2c52990c31a2482d0acf15788db765b705baf2bb149d5cbe013d8c055c51d
b8216cdc194ab1f82820fc2a29ca63af3a1f3e6b80102ab658c1ee33b7dd68da
38b404c76de7b2c70cc770583b5917deefe31be51acf2caafc39b3fd884a9ede
8e603a99770c15419c36fd082b789d2285e7ddfd77da47cf9f9be899c350d913
a93b70eb6d8b21e04163be6ebc444ff76a557040e8d97021ec04a5a002cd5c8a
06cf43a592776ad9e34f1efc2cdbf859599710b25f395d871b5a5e13d88b30d8
24704e7cf611284dbe00a83b66ade87369dfb967016da89e78add0f004e5bcb9
284a1c6b11e8c221f4ab44da36c5b12eb6941d575003de79e918fd1a47a0cd24
2200860726cd8b2d878f4194b29418ca4cf2b2ca056ba21d5fd34ce3362b9c7e
9ae533dd395882eef0df206750f1fff09e5eab9a4397515632d15fd248f72ca4
34b91aa79335759905f9405680460480b9d3a759c32e972192c0e6c41f3d7c36
2b0d30ca1ad2a366fa11c3808abe98aeada07d82b17361cba2e01cf21c9992eb
8afbcd46ec9038c7e7479677a5b440764e3e61a9c99fa8b22c816727a21b17a6
682d2d533c6ebad2e51c0261add6a4b633e0a0b3149cb3396b20271d6b87470b
a9498e6102ca86f0b3500796103e30d7e7f4b955441711450f3228ea06e2b8ac
SHA256 hash: a327516357b9fa1a75753b3fbd0030e13f374be7cefcdf983d0b731f278b0c59
MD5 hash: 404efdeb9931733904da07f96fabeb72
SHA1 hash: 7ce363cd612f1d9a90b33ec196c4d0a49cdaee02
SHA256 hash: dec01d9bfcd788b9ca040a2dbadf24365a5c65a34fff446540c54991d286ba3d
MD5 hash: 7a28281775da84b7bb075f1d40cd66bc
SHA1 hash: 0e415894e5b63fc11c35a20378d58b5999a3f44d
SHA256 hash: 8afbcd46ec9038c7e7479677a5b440764e3e61a9c99fa8b22c816727a21b17a6
MD5 hash: 326641cc5065fa7f4c1a0f8b3bf2eb0d
SHA1 hash: 291eb7096c872656cfd9cb3996c8a3ab8e925edd
Malware family: SnakeKeylogger
Verdict: Malicious
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: pe_imphash
Rule name: Skystars_Malware_Imphash
Author: Skystars LightDefender
Description: imphash

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Type: Malspam
Malware family: SnakeKeylogger
File: Executable exe 8afbcd46ec9038c7e7479677a5b440764e3e61a9c99fa8b22c816727a21b17a6 (this sample)
Delivery method: Distributed via e-mail attachment