MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 8ddea9e35c9ed6625bf63dcae0b8d10187aa038f1ed35a95e6e4fc5d5e24033b. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


SnakeKeylogger


Vendor detections: 11


Intelligence 11 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 8ddea9e35c9ed6625bf63dcae0b8d10187aa038f1ed35a95e6e4fc5d5e24033b
SHA3-384 hash: 16d691dd2dc2892377dbf3b63932e34b98ed51e196c5cc9ecfa85fe7627f0ac829aab141de40e511910f3f0dd316c327
SHA1 hash: 02d0715bd61f19161b3db3c1aadd6f755a732a48
MD5 hash: cedfbc442669a16506da0bf8bb4d0b30
humanhash: kansas-spring-oklahoma-triple
File name:wealthzx.exe
Download: download sample
Signature SnakeKeylogger
Create hunting rule
File size:718'848 bytes
First seen:2022-05-19 18:10:22 UTC
Last seen:2022-05-19 18:47:17 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'744 x AgentTesla, 19'609 x Formbook, 12'242 x SnakeKeylogger)
ssdeep 12288:KsdXosO0ivgDsV2l5mbBjTymaeArcjXdfevX8VJq2gmktXE5HikpUnMtv68xS:KsKcivgFl5mb5TynevDdmfoxgmwU51U+
Threatray 4'148 similar samples on MalwareBazaar
TLSH T1A8E41211BB81CA12C65A5572C1E3927083F699CF2232D6873E8553D72E43BF98D8D78B
TrID 69.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
9.9% (.EXE) Win64 Executable (generic) (10523/12/4)
6.2% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.7% (.EXE) Win16 NE executable (generic) (5038/12/1)
4.2% (.EXE) Win32 Executable (generic) (4505/5/1)
Reporter James_inthe_box
Tags:exe SnakeKeylogger

Intelligence

File Origin
# of uploads :
2
# of downloads :
327
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
wealthzx.exe
Verdict:
Malicious activity
Analysis date:
2022-05-19 18:15:58 UTC
Tags:
evasion trojan snake keylogger
Link:
https://app.any.run/tasks/963023ca-a59b-46d5-aeeb-5e4c558df8e6

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/272720/
Detection(s):
SecuriteInfo.com.W32.AIDetectNet.01.24836.14127.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Сreating synchronization primitives
Searching for synchronization primitives
Creating a window
Unauthorized injection to a recently created process
Creating a file
DNS request
Sending an HTTP GET request
Reading critical registry keys
Forced shutdown of a browser
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
control.exe obfuscated packed replace.exe
Link:
https://www.filescan.io/uploads/628688493baea5a8c04475c3/reports/a3072f9e-9d83-4102-931b-49013c45edea/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Snake Keylogger
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/2b4d1493-bf94-4016-981a-fdf825edaddf
Result
Threat name:
Snake Keylogger
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/997969
Signature
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains potential unpacker
Found malware configuration
Injects a PE file into a foreign processes
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
May check the online IP address of the machine
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Mail credentials (via file / registry access)
Yara detected AntiVM3
Yara detected Generic Downloader
Yara detected Snake Keylogger
Yara detected Telegram RAT
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/8ddea9e35c9ed6625bf63dcae0b8d10187aa038f1ed35a95e6e4fc5d5e24033b/
Threat name:
Win32.Trojan.Snakekeylogger
Create hunting rule
Status:
Malicious
First seen:
2022-05-19 18:09:18 UTC
File Type:
PE (.Net Exe)
Extracted files:
1
AV detection:
18 of 26 (69.23%)
Threat level:
  5/5
Verdict:
malicious
Similar samples:
279b911a8deff7f7887920f7580adfd320630808c39e481beb0d3c619242a718
SnakeKeylogger
2e0bcd0644f82dbd6f7bc920b54bf6b4a621ac938a18d35695776f44ae6bccd0
SnakeKeylogger
347fa0ad9e11712fe0628c2454141d6fec8e995acbe7fe7461e6dbf94f2838ce
SnakeKeylogger
4f7d1f1df60c29fe9eff2e75f317a316c9ddc9afe569624a466670cf396b8d61
SnakeKeylogger
8d210f06f267f917e5d73113eaa2bb0fe911562241170d00a2d3ab5d97408ce5
SnakeKeylogger
9c14d6ca77383fa5a3724feab17b217b900295abf77311a8c88f39ff7bb02f01
SnakeKeylogger
e2db235aa3f5964cab6475624e6e62c5fa0724fafb5cddb5542ff0a27a84dd86
SnakeKeylogger
+ 4'138 additional samples on MalwareBazaar
Result
Malware family:
snakekeylogger
Create hunting rule
Score:
  10/10
Tags:
family:snakekeylogger collection keylogger spyware stealer
Link:
https://tria.ge/reports/220519-wskpmaadh8/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Looks up external IP address via web service
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Snake Keylogger
Snake Keylogger Payload
Unpacked files
SH256 hash:
469c6393a956ed8fa824a5c576fd398cd5bd7bb02a27a051eda270304afaf0ef
MD5 hash:
ee34bdbe0e9a823c95e4303582c93304
SHA1 hash:
d1a140121495199433a623a4e809cf93e7fd8b6a
Link:
https://www.unpac.me/results/8970c0d4-61e4-48e5-82b8-a7c09e3332f8/
SH256 hash:
eff19ace43d36cbdf709a564ff5587df756f5c3e7268b283929465e7e9f32a99
MD5 hash:
4aa58b43639ea9b4ede44c93774b6dff
SHA1 hash:
9b1135d0d0bb14991b805b63de11a5da07a777d3
Link:
https://www.unpac.me/results/8970c0d4-61e4-48e5-82b8-a7c09e3332f8/
SH256 hash:
6c6b0b55084d1c9c1a8e63ba1c44a1e61b383c0067b7bdef5514ae0c0bd21124
MD5 hash:
ad03314441b3afe4f9ff399558cf075e
SHA1 hash:
95e05236b75bce506dff83b6488141a5ec3b8e5e
Link:
https://www.unpac.me/results/8970c0d4-61e4-48e5-82b8-a7c09e3332f8/
SH256 hash:
09602efe05dc6b9738b23b91708978231d20c08329940541a086561795a6c9fd
MD5 hash:
1521132bd568891debf24b4973aaa24e
SHA1 hash:
393fafe43a177d02d2a8be164101fc2add2748dc
Link:
https://www.unpac.me/results/8970c0d4-61e4-48e5-82b8-a7c09e3332f8/
SH256 hash:
766d1c50e2bf2b6a8266440e00bc6467bfb53b33b0e86524c69c1cbb8d72553e
MD5 hash:
eee500955dd2801ad7162a015729116a
SHA1 hash:
167214763677294ce9fe64853e7ab182c73bca28
Link:
https://www.unpac.me/results/8970c0d4-61e4-48e5-82b8-a7c09e3332f8/
SH256 hash:
8ddea9e35c9ed6625bf63dcae0b8d10187aa038f1ed35a95e6e4fc5d5e24033b
MD5 hash:
cedfbc442669a16506da0bf8bb4d0b30
SHA1 hash:
02d0715bd61f19161b3db3c1aadd6f755a732a48
Link:
https://www.unpac.me/results/8970c0d4-61e4-48e5-82b8-a7c09e3332f8/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/8ddea9e35c9ed6625bf63dcae0b8d10187aa038f1ed35a95e6e4fc5d5e24033b

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

  
Delivery method
Other
  
URLhaus
https://urlhaus.abuse.ch/url/2199408/
Cape
Cape
https://www.capesandbox.com/analysis/272720/

Comments