MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 915c681cf24ce5aa5ac24cbe3d9fe1106966ff7467c16a3e7b002e80034da8c9. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


SnakeKeylogger


Vendor detections: 13


Intelligence 13 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 915c681cf24ce5aa5ac24cbe3d9fe1106966ff7467c16a3e7b002e80034da8c9
SHA3-384 hash: c107f39069514cf32dcf0e2f4a5ce1546c3af9416e27f674e1bfd1d5072b361efe3c89c95b7ebd1f8c5b2fc9cb8ebcbe
SHA1 hash: 2e1e482a887835b3f9f388a4ddde0d14d8ef429a
MD5 hash: fd0a38331b8b396c1b26e12b94b97001
humanhash: fix-echo-lamp-wyoming
File name:d7PUAUK87AtSvZc.exe
Download: download sample
Signature SnakeKeylogger
Create hunting rule
File size:632'320 bytes
First seen:2023-01-30 10:33:59 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 12288:3BBySTDWbaRYJx9yTG0JVjr+1UDsqWeh3ih9HdA:RCb/x9yq0J5+iDDBYTG
Threatray 11'440 similar samples on MalwareBazaar
TLSH T12CD412D6C369CDF9DB84027B65B400589B2226AEF296DB4802EF6318CDCF3106675B9D
TrID 67.7% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
9.7% (.EXE) Win64 Executable (generic) (10523/12/4)
6.0% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
4.1% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):PE icon
dhash icon cc9692b83832968e (13 x AgentTesla, 8 x SnakeKeylogger, 4 x Loki)
Reporter abuse_ch
Tags:exe SnakeKeylogger

Intelligence

File Origin
# of uploads :
1
# of downloads :
188
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
d7PUAUK87AtSvZc.exe
Verdict:
Malicious activity
Analysis date:
2023-01-30 10:36:33 UTC
Tags:
evasion trojan snake keylogger
Link:
https://app.any.run/tasks/6a99780d-d773-4208-bcf7-c346441dc92f

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Snake
Create hunting rule
Link:
https://www.capesandbox.com/analysis/358227/
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Сreating synchronization primitives
Unauthorized injection to a recently created process
Creating a file
DNS request
Sending an HTTP GET request
Enabling the 'hidden' option for analyzed file
Reading critical registry keys
Moving of the original file
Forced shutdown of a browser
Verdict:
No Threat
Threat level:
  2/10
Confidence:
80%
Tags:
packed
Link:
https://www.filescan.io/uploads/63d79d242d4f6d560e23abc4/reports/34e0bade-3523-48d4-b790-e7bb0fe25149/overview
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Generic Malware
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/6a9a9b58-58d5-4bef-84f6-c1385eb95954
Result
Threat name:
Snake Keylogger
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1161491
Signature
.NET source code references suspicious native API functions
Injects a PE file into a foreign processes
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
May check the online IP address of the machine
Moves itself to temp directory
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Mail credentials (via file / registry access)
Yara detected AntiVM3
Yara detected Generic Downloader
Yara detected Snake Keylogger
Yara detected Telegram RAT
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/915c681cf24ce5aa5ac24cbe3d9fe1106966ff7467c16a3e7b002e80034da8c9/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2023-01-30 03:47:53 UTC
File Type:
PE (.Net Exe)
Extracted files:
14
AV detection:
20 of 26 (76.92%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=sfogqhhsjts2uwwcjs7d3h7bcbuwn73um7awupt3aaxiaa2nvdeq._file
Verdict:
malicious
Similar samples:
13d9c71cc329aa1fa94184cdf410decd035edb7d5e003414b43f491730593ff3
SnakeKeylogger
3425f88d29b22467d49ffe9ff63b9974ff680eff72b6179420ba4c310a5af05c
SnakeKeylogger
48c443ac6d5ba187712c1d8d5ac27d5d23bd4dd718a714c51f3811a751c4346b
SnakeKeylogger
4f44df487a3c894e64c272598c1fb7aa6601879a2073bf5243f82326bcf2b324
SnakeKeylogger
85e3e60e6673809467be19cef0db037aa1980342e69a9c0a2c149c44e0664be5
SnakeKeylogger
b495e348fb0e0544e57737f46f9333a711eaca2cd531a5e8065e96bf274d8690
SnakeKeylogger
c02af082fec5a80ac247da9294400c04f338c6b45c75b8d70d9c7e07c35e30b2
SnakeKeylogger
de8a5bc036828e30ef5a846f020c868bd2b12527a59b80778dee13cb55c782e3
SnakeKeylogger
+ 11'430 additional samples on MalwareBazaar
Result
Malware family:
snakekeylogger
Create hunting rule
Score:
  10/10
Tags:
family:snakekeylogger collection keylogger spyware stealer
Link:
https://tria.ge/reports/230130-ml7q5sbf6t/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: RenamesItself
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Looks up external IP address via web service
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Snake Keylogger
Snake Keylogger payload
Unpacked files
SH256 hash:
178cc7474b323b0ae6b3095ff67127726530d9d44be5cb58ba7315ef3a1199ad
MD5 hash:
159af9cf7f94d64c8120c80268965306
SHA1 hash:
fb41ab37af2c83e96d97e9cd066f90e72d4887ea
Link:
https://www.unpac.me/results/4822e232-4251-4247-b282-d9c65ed36148/
SH256 hash:
1c44b94b2156c97df2de3f0fdb3236dae46c296b9ca0e27329a2041c41ee67ff
MD5 hash:
4d303be8a205d028fc227f3bd1e17614
SHA1 hash:
ea05007b3624430c1440e420ac2b2c50c9c27b16
Link:
https://www.unpac.me/results/4822e232-4251-4247-b282-d9c65ed36148/
SH256 hash:
c91cc62af4e146a82caf327969566cd57803389e0764df02eb0fa5cd1f185e15
MD5 hash:
94d5c3bae310c2478b529cd22fae1034
SHA1 hash:
d9efec777dbffc4efb61199f08eabc777c0a1039
Link:
https://www.unpac.me/results/4822e232-4251-4247-b282-d9c65ed36148/
SH256 hash:
05d4a6e31aa8698dfed743a77dd3828ca1d64ea9e4fd033e7e32953ee1e0d48b
MD5 hash:
fc5c053e4a122e79b4eed222a658302b
SHA1 hash:
c990d6db5e9b58094f7503299160ee316ea62175
Link:
https://www.unpac.me/results/4822e232-4251-4247-b282-d9c65ed36148/
SH256 hash:
e519c001467abe667a348df7cecc0a50cafd8385bb597d64195cb316aecda651
MD5 hash:
3956cc1307231f23d94c98b4866e77e8
SHA1 hash:
57baee147bf7b6a1c0f93f44eb453432ad96f675
Detections:
snake_keylogger
Create hunting rule
Link:
https://www.unpac.me/results/4822e232-4251-4247-b282-d9c65ed36148/
Parent samples :
3e21563d0270349da6e8a003fe91bff368f6114fc6195a62c14013883f5f8bab
915c681cf24ce5aa5ac24cbe3d9fe1106966ff7467c16a3e7b002e80034da8c9
be97a51ffa2d24ac0f2eba8eb2bc3ed49057c873d16d8c6b893c84b8670c9a1f
SH256 hash:
915c681cf24ce5aa5ac24cbe3d9fe1106966ff7467c16a3e7b002e80034da8c9
MD5 hash:
fd0a38331b8b396c1b26e12b94b97001
SHA1 hash:
2e1e482a887835b3f9f388a4ddde0d14d8ef429a
Link:
https://www.unpac.me/results/4822e232-4251-4247-b282-d9c65ed36148/
Malware family:
SnakeKeylogger
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/915c681cf24c/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.45
Link:
https://yomi.yoroi.company/submissions/915c681cf24ce5aa5ac24cbe3d9fe1106966ff7467c16a3e7b002e80034da8c9

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

SnakeKeylogger

Executable exe 915c681cf24ce5aa5ac24cbe3d9fe1106966ff7467c16a3e7b002e80034da8c9

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/358227/

Comments