MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 8e406bd2fa24428c369151006c1d3b563675ddac328964b30a6429f64f17077d. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

SHA256 hash:	8e406bd2fa24428c369151006c1d3b563675ddac328964b30a6429f64f17077d
SHA3-384 hash:	9b9040cfc008048692cd97b54ae87c0d01ce68949897ba57b53fcc4726be57e56f7d965b202f018007b7052c93d9197d
SHA1 hash:	ac79da066a83feaba8a70a1f0f6456fe8e39ecc2
MD5 hash:	e48e8bd7c034de883faae60da15ddc3f
humanhash:	island-vegan-hot-moon
File name:	e48e8bd7c034de883faae60da15ddc3f.exe
Download:	download sample
Signature	SnakeKeylogger Alert Create hunting rule
File size:	669'184 bytes
First seen:	2023-05-11 18:30:52 UTC
Last seen:	2023-05-13 22:50:09 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'647 x AgentTesla, 19'451 x Formbook, 12'201 x SnakeKeylogger)
ssdeep	12288:AhmPsUOWatCsPAzRa5DFIsfhknQ3O3Fa0L/as+26q2:ImPxfQCZUlFIpnQkoJs+26
Threatray	5'201 similar samples on MalwareBazaar
TLSH	T174E4E089533BBDE1D6581B71260438434E6DB11A75F8F0FCBD2BB888C9AA9118FD4763
TrID	71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13) 10.2% (.EXE) Win64 Executable (generic) (10523/12/4) 6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 4.3% (.EXE) Win32 Executable (generic) (4505/5/1) 2.0% (.ICL) Windows Icons Library (generic) (2059/9)
Reporter	abuse_ch
Tags:	exe SnakeKeylogger

Intelligence

---

File Origin

# of uploads :

2

# of downloads :

244

Origin country :

NL

Vendor Threat Intelligence

ANY.RUN Malicious

Malware family:

n/a

ID:

1

File name:

items selected.doc

Verdict:

Malicious activity

Analysis date:

2023-05-11 09:13:02 UTC

Tags:

exploit cve-2017-11882 loader snake keylogger trojan evasion

Link:

https://app.any.run/tasks/633707b0-5f27-4f40-a313-6fec50024d56

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

CAPE Sandbox Snake

Detection:

Snake

Alert

Create hunting rule

Link:

https://www.capesandbox.com/analysis/388481/

ClamAV Detected

Detection(s):

SecuriteInfo.com.Trojan.GenericKD.66985724.12355.10112.UNOFFICIAL

Alert

Create hunting rule

Dr. Web vxCube Malware

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

Sending a custom TCP request

FileScan.IO Malicious

Verdict:

Malicious

Threat level:

  10/10

Confidence:

100%

Tags:

barys comodo lokibot packed

Link:

https://www.filescan.io/uploads/645d34799d50210e708533a8/reports/94afd985-3bdf-460d-a47c-168560eb3176/overview

Hybrid Analysis Trojan.Generic

Verdict:

Malicious

Labled as:

Trojan.Generic

Link:

https://www.hybrid-analysis.com/sample/8e406bd2fa24428c369151006c1d3b563675ddac328964b30a6429f64f17077d

InQuest MALICIOUS

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Intezer Snake Keylogger

Malware family:

Snake Keylogger

Alert

Create hunting rule

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/5226c21f-5584-4e46-bfca-161b180113f8

Joe Sandbox Snake Keylogger, StormKitty

Result

Threat name:

Snake Keylogger, StormKitty

Alert

Create hunting rule

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1231010

Signature

.NET source code contains potential unpacker

Found malware configuration

Injects a PE file into a foreign processes

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

May check the online IP address of the machine

Multi AV Scanner detection for submitted file

Snort IDS alert for network traffic

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Mail credentials (via file / registry access)

Yara detected Generic Downloader

Yara detected Snake Keylogger

Yara detected StormKitty Stealer

Yara detected Telegram RAT

Behaviour

Behavior Graph:

Download SVG

CERT.PL MWDB

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/8e406bd2fa24428c369151006c1d3b563675ddac328964b30a6429f64f17077d/

ReversingLabs TitaniumCloud Win32.Trojan.Lazy

Threat name:

Win32.Trojan.Lazy

Alert

Create hunting rule

Status:

Malicious

First seen:

2023-05-11 00:57:25 UTC

AV detection:

14 of 24 (58.33%)

Threat level:

  5/5

Spamhaus Hash Blocklist Suspicious file

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=rzagxux2erbiynurkeagyhj3ky3hlxnmgkewjmykmqu7mtyxa56q._file

Threatray malicious

Verdict:

malicious

Similar samples:

0c0de658cc1409dddb75bd3149de4f0bfa90b74296d8d1cb909e3189f8ed2260

SnakeKeylogger

1667f1e836cc2e1cb068bdd25482814cee224d1ccec6abca06c885baa612781d

SnakeKeylogger

291755c89bb6d77dd43c74cb0413df8037244debd6bedd2a869edf7dfd090d64

SnakeKeylogger

5c55eec6f12aa60ac02540ebb2af7b7780d148d76a07ad27bfad0d4f3bc1a067

SnakeKeylogger

96d19b0d965d8afeb87bd82f3922f80b44224b8eb6b373bafcaeecfba7ea27d9

SnakeKeylogger

a4251c2f1be71e7bb9cf721d3338181bca9be4a9c6a08eed0a3ac2356aa69770

SnakeKeylogger

a98cb609a48a550a1afedb557a9519289fe8d51755a16864617612e16f7b0982

SnakeKeylogger

bb29bd98dc2e9ea502e1e473b659e56940e604cd87058071b08a95dc7eddf7ee

SnakeKeylogger

c3f3e5052e6a603098bfe0838f32ac8f3c09710817af3ae0e96384dc013b007b

SnakeKeylogger

e16ceeac2ceac9ac8f837dcc8f0800a553d48232d28dba5e0019c50a4402e069

SnakeKeylogger

+ 5'191 additional samples on MalwareBazaar

Hatching Triage stormkitty

Result

Malware family:

stormkitty

Alert

Create hunting rule

Score:

  10/10

Tags:

family:snakekeylogger family:stormkitty collection keylogger spyware stealer

Link:

https://tria.ge/reports/230511-w53e7sbd4y/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

outlook_office_path

outlook_win_path

Suspicious use of SetThreadContext

Accesses Microsoft Outlook profiles

Looks up external IP address via web service

Reads user/profile data of web browsers

Snake Keylogger

Snake Keylogger payload

StormKitty

StormKitty payload

UnpacMe snake_keylogger

Unpacked files

SH256 hash:

c920a286a8b68cad633ad1aadaaba9f740e1f0b260569fc854a1926dab06c19f

MD5 hash:

229a5ea9ec4db7a742c29a038dad23b3

SHA1 hash:

e789cb14bb108e1db1f69d16a3b4175c59329b74

Detections:

snake_keylogger

Alert

Create hunting rule

Link:

https://www.unpac.me/results/75cf47be-2077-4cf7-beab-a161dadca9f6/

Parent samples :

bb29bd98dc2e9ea502e1e473b659e56940e604cd87058071b08a95dc7eddf7ee
8e406bd2fa24428c369151006c1d3b563675ddac328964b30a6429f64f17077d
4c7612ff7a8129e2f0dfa5173ab8abfe92a84aed6e01551f360e366b75dc2b27
266decff4d4b099a051f7257f5cb87159f24ad6b748b08fdb3888942226a5de4
7d8da941bad50d6075129ba67e2d4dcfed815af745112aefafb5c1fa605c4a81
f70b14d626ed98e1d538e9968ea027c59698561694983366ae6cf1029c73e76e

SH256 hash:

c72ca892abebd8794a9544913d071c3c91356f5075509717727e180e87cb98ba

MD5 hash:

25383385b11436b817ed4dc0419f4e24

SHA1 hash:

9441f35f45a30503ebb2c717209f29341b5b48b6

Link:

https://www.unpac.me/results/75cf47be-2077-4cf7-beab-a161dadca9f6/

SH256 hash:

5473a01743dfda5f75d655c725e00c84b0f58134d77a41f795b2e81d46dc9b57

MD5 hash:

3893a50c15c96ae2d7b8fc87fdbb6dfe

SHA1 hash:

79de2e516f343151136296798224456e2bd4eaae

Link:

https://www.unpac.me/results/75cf47be-2077-4cf7-beab-a161dadca9f6/

SH256 hash:

6befdea362449fa435bcd24489c9b53a7443b0ce47f81243bcc799bc944a20fd

MD5 hash:

93c110a05f08dac71c2f4feb6fd26112

SHA1 hash:

66a445240f724f345ca9eca5ff40c9337b1e22a9

Link:

https://www.unpac.me/results/75cf47be-2077-4cf7-beab-a161dadca9f6/

SH256 hash:

d8fc5dfdf2800247eb610beb076fec4d2becf6d951e89445d43237fe97814218

MD5 hash:

e5d93dadd08b8bc727e4f4853c6881ba

SHA1 hash:

27e0e057d33f01586193b0cbf06561c2863951f4

Link:

https://www.unpac.me/results/75cf47be-2077-4cf7-beab-a161dadca9f6/

SH256 hash:

8e406bd2fa24428c369151006c1d3b563675ddac328964b30a6429f64f17077d

MD5 hash:

e48e8bd7c034de883faae60da15ddc3f

SHA1 hash:

ac79da066a83feaba8a70a1f0f6456fe8e39ecc2

Link:

https://www.unpac.me/results/75cf47be-2077-4cf7-beab-a161dadca9f6/

VMRay SnakeKeylogger

Malware family:

SnakeKeylogger

Alert

Create hunting rule

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/8e406bd2fa24/report/overview.html

VirusTotal

Please note that we are no longer able to provide a coverage score for Virus Total.

YOROI YOMI Password Stealer

Threat name:

Password Stealer

Score:

0.90

Link:

https://yomi.yoroi.company/submissions/8e406bd2fa24428c369151006c1d3b563675ddac328964b30a6429f64f17077d

File information

---

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

SnakeKeylogger

exe 8e406bd2fa24428c369151006c1d3b563675ddac328964b30a6429f64f17077d

(this sample)

  

URLhaus

https://urlhaus.abuse.ch/url/2287200/

  

Delivery method

Distributed via web download

Cape

https://www.capesandbox.com/analysis/388481/