MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 907bed63f29c88a9e192e313c4b51ea6cca3d580a586baae4b6c5791221489cb. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


SnakeKeylogger


Vendor detections: 10


Intelligence 10 IOCs YARA 8 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 907bed63f29c88a9e192e313c4b51ea6cca3d580a586baae4b6c5791221489cb
SHA3-384 hash: 841994879ea9562f3636f03545fa0991f17bb03034fa44546a71f179706f1d8aeabe4e5bae5192033910124491c0f6ff
SHA1 hash: dd644200b86175592796cd7fc5eb5332883e7f69
MD5 hash: f8234f03f173f5991465b1e733e7d808
humanhash: colorado-florida-august-muppet
File name:PF.NA.127.00.exe
Download: download sample
Signature SnakeKeylogger
Create hunting rule
File size:987'648 bytes
First seen:2021-07-29 13:41:46 UTC
Last seen:2021-07-29 14:49:12 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'742 x AgentTesla, 19'607 x Formbook, 12'242 x SnakeKeylogger)
ssdeep 24576:t4jrG+lf4W795/d3k64JawO/4u2rzXTS:ten+64Jav8zjS
Threatray 976 similar samples on MalwareBazaar
TLSH T117257B207AC4DA1AE12F4736CACF10204FFCB72236729755ADE112B96645F91EE352CE
Reporter James_inthe_box
Tags:exe SnakeKeylogger

Intelligence

File Origin
# of uploads :
2
# of downloads :
119
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
PF.NA.127.00.exe
Verdict:
Malicious activity
Analysis date:
2021-07-29 14:03:13 UTC
Tags:
evasion trojan
Link:
https://app.any.run/tasks/50d4326d-6191-4129-b611-217f824a41fd

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/175049/
Detection(s):
SecuriteInfo.com.Trojan.PackedNET.968.10559.5776.UNOFFICIAL
Create hunting rule

Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Snake Keylogger
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/803c8d8a-6b17-4eda-8ad3-1b17aa587a55
Result
Threat name:
Snake Keylogger
Create hunting rule
Detection:
malicious
Classification:
troj.spyw
Score:
96 / 100
Link:
https://www.joesandbox.com/analysis/823864
Signature
.NET source code contains very large strings
Found malware configuration
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
May check the online IP address of the machine
Multi AV Scanner detection for submitted file
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Mail credentials (via file access)
Yara detected Snake Keylogger
Behaviour
Behavior Graph:
Download SVG
Gathering data
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2021-07-29 05:16:47 UTC
File Type:
PE (.Net Exe)
Extracted files:
4
AV detection:
20 of 28 (71.43%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=sb562y7stsektyms4mj4jni6u3gkhvmauwdlvlslnrlzciqurhfq._file
Verdict:
malicious
Similar samples:
03d0aac6f093a70220228119cee9b391830fb5ec500c2fe95d488a037cb37f8c
SnakeKeylogger
3266a0669caa4babe913c1f33f30a5ec22e99345173cdc9527ea93aa8f3673eb
SnakeKeylogger
51d5a88a4ba4a668db92c2aabfae2e394bff27bd40f9693615dda48eab999d47
SnakeKeylogger
54312ea9106139b43ff7ab38cdee369e00aa1b5d6433971e167716e9a55ee4b8
SnakeKeylogger
9fb57f10806d3f0f9d89e0b74ee8ffe7fbdb93f642619d30aac24603a27d1479
SnakeKeylogger
b33baba943038aa630b333eb82a3159eaa82541b26c7f942d1b452490abc0551
SnakeKeylogger
d44a2ec092a66bec26dabf98269fab0009b8309966e7a78fb0263b8c086d0c29
SnakeKeylogger
d9ed8af079bdd7fef1daa51696fe0172d5170fd4ee668ed2f252cbe65a2ab488
SnakeKeylogger
dd779d251eb7d27fd513b44de8286b6168e7af9b741ad1d390a34dafd58e48f0
SnakeKeylogger
+ 966 additional samples on MalwareBazaar
Result
Malware family:
snakekeylogger
Create hunting rule
Score:
  10/10
Tags:
family:snakekeylogger keylogger stealer
Link:
https://tria.ge/reports/210729-33b67x71dx/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Program crash
Suspicious use of SetThreadContext
Looks up external IP address via web service
CustAttr .NET packer
Snake Keylogger
Unpacked files
SH256 hash:
ecc126dbd603f9fd99298b06e185db818ead05d8cf83e1a7f19c29bfe3b6c4b9
MD5 hash:
889867188a6deb09b88485fae2d83447
SHA1 hash:
918fd8445dd7e2d399d236b4e2c91f55dd6f59bf
Link:
https://www.unpac.me/results/2d6ba89f-ac3b-406f-8272-896143d91373/
SH256 hash:
045e2d57bf3f7ac1a82a240ec00e09555168a1106ac1daf5819ee98a0d112639
MD5 hash:
3a26e93710ccc0013bdd9fa8d95134b9
SHA1 hash:
469f3bb86a9f5e887ad458e2d77cba0e23827b5d
Link:
https://www.unpac.me/results/2d6ba89f-ac3b-406f-8272-896143d91373/
SH256 hash:
97d2fa1d01b2f9a2199896e05e0cf60c14a9f41ef2d72e15fbb862b7afa08438
MD5 hash:
68463851c0e6fe7a254c99fae763d454
SHA1 hash:
4587a5371d88c296a0184fe47ee0c5245b187127
Link:
https://www.unpac.me/results/2d6ba89f-ac3b-406f-8272-896143d91373/
SH256 hash:
3018acd4c7007a08af5d94e59e3bafc77e5d1ce74333b0fbe3a3fdca7e3e0296
MD5 hash:
6d217de8dc0a76e7d64e27aad2637ab0
SHA1 hash:
25152aec7dd5d121231fd53c307d72b88b5ba482
Link:
https://www.unpac.me/results/2d6ba89f-ac3b-406f-8272-896143d91373/
SH256 hash:
907bed63f29c88a9e192e313c4b51ea6cca3d580a586baae4b6c5791221489cb
MD5 hash:
f8234f03f173f5991465b1e733e7d808
SHA1 hash:
dd644200b86175592796cd7fc5eb5332883e7f69
Link:
https://www.unpac.me/results/2d6ba89f-ac3b-406f-8272-896143d91373/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
0.81
Link:
https://yomi.yoroi.company/submissions/907bed63f29c88a9e192e313c4b51ea6cca3d580a586baae4b6c5791221489cb

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_SUSPICIOUS_Binary_References_Browsers
Create hunting rule
Author:ditekSHen
Description:Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers.
Rule name:INDICATOR_SUSPICIOUS_EXE_Referenfces_Messaging_Clients
Create hunting rule
Author:ditekSHen
Description:Detects executables referencing many email and collaboration clients. Observed in information stealers
Rule name:INDICATOR_SUSPICOIUS_EXE_DotNetProcHook
Create hunting rule
Author:ditekSHen
Description:Detects executables with potential process hoocking
Rule name:MALWARE_Win_SnakeKeylogger
Create hunting rule
Author:ditekSHen
Description:Detects Snake Keylogger
Rule name:MAL_Envrial_Jan18_1
Create hunting rule
Author:Florian Roth
Description:Detects Encrial credential stealer malware
Reference:https://twitter.com/malwrhunterteam/status/953313514629853184
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash
Rule name:Telegram_Exfiltration_Via_Api
Create hunting rule
Author:lsepaolo

File information

The table below shows additional information about this malware sample such as delivery method and external references.

  
Delivery method
Other
Cape
Cape
https://www.capesandbox.com/analysis/175049/

Comments