MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 93abd2e39dd7184a4935abc7752bb2c0ae6ab466c267b45ae8d6e618483cdeda. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

SnakeKeylogger

Vendor detections: 14

Intelligence 14 IOCs YARA 11 File information Comments

SHA256 hash:	93abd2e39dd7184a4935abc7752bb2c0ae6ab466c267b45ae8d6e618483cdeda
SHA3-384 hash:	f9d42261dd3011df28187416fe293b0d5365e49e39a20e5f48aec2134069295cbc5138abc7d3da67bda2d78652639d7e
SHA1 hash:	d2fc0330dca9ccfde2134890e8983ee0f20ebce3
MD5 hash:	51db1438add32e8dc189ff7f91c25be7
humanhash:	bakerloo-eighteen-high-pizza
File name:	51db1438add32e8dc189ff7f91c25be7.exe
Download:	download sample
Signature	SnakeKeylogger Create hunting rule
File size:	527'360 bytes
First seen:	2023-02-27 16:14:51 UTC
Last seen:	2023-02-27 17:32:25 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'649 x AgentTesla, 19'453 x Formbook, 12'202 x SnakeKeylogger)
ssdeep	12288:hFFZ6JRA/s5vIp4BOvHdFuhtweFoi3pvM:r60U5A4BUHK3zZJ
Threatray	4'489 similar samples on MalwareBazaar
TLSH	T162B423C5536D7363CAB9AFB228B161821775B1AE6E73D28F2CC560CE1D87B004642B67
TrID	63.0% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13) 11.2% (.SCR) Windows screen saver (13097/50/3) 9.0% (.EXE) Win64 Executable (generic) (10523/12/4) 5.6% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 3.8% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):
dhash icon	8060e0e080204000 (7 x AgentTesla, 6 x Formbook, 3 x Loki)
Reporter	abuse_ch
Tags:	exe SnakeKeylogger

Intelligence

File Origin

# of uploads :

# of downloads :

180

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

51db1438add32e8dc189ff7f91c25be7.exe

Verdict:

Malicious activity

Analysis date:

2023-02-27 16:15:21 UTC

Tags:

evasion trojan snake keylogger

Link:

https://app.any.run/tasks/e97db205-1019-4dfe-8de8-dc6260774b70

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

Snake

Link:

https://www.capesandbox.com/analysis/370309/

Detection(s):

Sanesecurity.Malware.28872.BadIN4.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Searching for the window

Creating a window

Unauthorized injection to a recently created process

Creating a file

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

packed

Link:

https://www.filescan.io/uploads/63fcd707589e1e4c5bd99b69/reports/d33867bd-80c9-4af7-b43a-e1c74c22c346/overview

Verdict:

Malicious

Labled as:

Win/malicious_confidence_100%

Link:

https://www.hybrid-analysis.com/sample/93abd2e39dd7184a4935abc7752bb2c0ae6ab466c267b45ae8d6e618483cdeda

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Generic Malware

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/319899a4-17f8-40c9-8e4a-dafbdfbf3392

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/93abd2e39dd7184a4935abc7752bb2c0ae6ab466c267b45ae8d6e618483cdeda/

Threat name:

ByteCode-MSIL.Trojan.AgentTesla

Status:

Malicious

First seen:

2023-02-14 12:45:20 UTC

File Type:

PE (.Net Exe)

Extracted files:

AV detection:

22 of 39 (56.41%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=sov5fy4524meusjvvpdxkk5sycxgvndgyjt3iwxi23tbqsb433na._file

Verdict:

malicious

SnakeKeylogger

2d926d1f0aa50e7de665d8f3fce49c4a8c2594722eb8a18ea887c2b73f8e747c

SnakeKeylogger

43dcd17aa2e97a45074d166854347fe25b59e384eb84ddc685092c21e1a4db1f

SnakeKeylogger

4db11ec2fd47da3b2453479ada853755d43fa81142e235914a424733418b3ea0

SnakeKeylogger

540f95521963827363fc5781d0f0dc9d8323c6c18e5d4e8deb26a4b26c49aca1

SnakeKeylogger

7db45a54b5f18064cdb02e35b051b9f1daf43c10dce1f95fdd16cba8ecd15bfd

SnakeKeylogger

887a72c6d2185c86606b4b80560d5f22fd8c87b261c392bf460c39df861e07b7

SnakeKeylogger

8c379b68cffa3f8c43d74cc2e6576aa4f212f53f35662b32667f58e61ff8541d

SnakeKeylogger

cc83749270a1efd6c7ebeb1e3c077a426ec98f3b25e14e268dc18b17409abba9

SnakeKeylogger

+ 4'479 additional samples on MalwareBazaar

Result

Malware family:

snakekeylogger

Score:

10/10

Tags:

family:snakekeylogger collection keylogger spyware stealer

Link:

https://tria.ge/reports/230227-tp8aeaed89/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

outlook_office_path

outlook_win_path

Suspicious use of SetThreadContext

Accesses Microsoft Outlook profiles

Looks up external IP address via web service

Reads data files stored by FTP clients

Reads user/profile data of local email clients

Reads user/profile data of web browsers

Snake Keylogger

Snake Keylogger payload

Unpacked files

SH256 hash:

46cb32256dba295b72212185d3bf29e54de9f78fe32a8e43c82288285c3bf721

MD5 hash:

453d8d23d417dacecac4ad0235d2b420

SHA1 hash:

6aaffef79f32f151aef9d5c548ac9055ea6c2f35

Link:

https://www.unpac.me/results/c5be8879-41fa-4cbb-8832-a41318c44973/

SH256 hash:

4f77528786554f8ecfe0ef4c8edf824c731e34e89e3e2ac17bfbef1406f6d9cd

MD5 hash:

fd9edb7db086e033ccbff5652d89fc06

SHA1 hash:

52ab24452add88cbae43f8a934eb908cafe56919

Detections:

snake_keylogger

Link:

https://www.unpac.me/results/c5be8879-41fa-4cbb-8832-a41318c44973/

Parent samples :

c53982a042ba3b6bcdb766a0b174e92ac62ae9578ec4a25209c7bfea42a06880
7bdf551e6d5e28b6b3ac52b80c90364fa24f3701b15bd37ed8a99c3a9204424d
7db45a54b5f18064cdb02e35b051b9f1daf43c10dce1f95fdd16cba8ecd15bfd
887a72c6d2185c86606b4b80560d5f22fd8c87b261c392bf460c39df861e07b7
b7dc980c140f80ce041218ee58ba7fcee5c770abac4ce0c5d7fec9d545e708b7
99979bba5d3651b7c6da4c590184aa65a70f3cf06405796d098c8917919589e5
36888f542fa2706a42a56ecdd6743a5c1dbc99de0011c12026f36cf47c072fdc
842241f23f9178cdcb83209058c79da72d59eec5eb49da2dc33ab361dda85a79
93abd2e39dd7184a4935abc7752bb2c0ae6ab466c267b45ae8d6e618483cdeda

SH256 hash:

8617cea503c2a3961120a9c503d853bc21d38d1fca7143d6b1ef4f388bc5cec7

MD5 hash:

7f225c69df031bf0560aed3847a1221a

SHA1 hash:

4d5f3ccdb2c6015d2b2a73326c0f32b173af2819

Link:

https://www.unpac.me/results/c5be8879-41fa-4cbb-8832-a41318c44973/

SH256 hash:

0f1b5387bc14f8bb6832bb6b130d15a9f48a7e6ecc7d5ac1842b460edf6a1711

MD5 hash:

d786711e0b259176caad272cb47e10a3

SHA1 hash:

26b182fb6bbab756bb9f8bf36a4f70f1dc8b9a9d

Link:

https://www.unpac.me/results/c5be8879-41fa-4cbb-8832-a41318c44973/

SH256 hash:

70dc4e19b549d85f7b1038c07b4dee1e6c57c4829a94f00c93bd30c045360901

MD5 hash:

4319f27534dfd10ba998f0a4947d5ecf

SHA1 hash:

19452198300fd17246224aa005c7b6d4b4b6b01f

Link:

https://www.unpac.me/results/c5be8879-41fa-4cbb-8832-a41318c44973/

SH256 hash:

93abd2e39dd7184a4935abc7752bb2c0ae6ab466c267b45ae8d6e618483cdeda

MD5 hash:

51db1438add32e8dc189ff7f91c25be7

SHA1 hash:

d2fc0330dca9ccfde2134890e8983ee0f20ebce3

Link:

https://www.unpac.me/results/c5be8879-41fa-4cbb-8832-a41318c44973/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Suspicious File

Score:

0.45

Link:

https://yomi.yoroi.company/submissions/93abd2e39dd7184a4935abc7752bb2c0ae6ab466c267b45ae8d6e618483cdeda

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	INDICATOR_SUSPICIOUS_Binary_References_Browsers Create hunting rule
Author:	ditekSHen
Description:	Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers.

Rule name:	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook Create hunting rule
Author:	ditekSHen
Description:	Detects executables with potential process hoocking

Rule name:	INDICATOR_SUSPICIOUS_EXE_References_Messaging_Clients Create hunting rule
Author:	ditekSHen
Description:	Detects executables referencing many email and collaboration clients. Observed in information stealers

Rule name:	INDICATOR_SUSPICIOUS_EXE_TelegramChatBot Create hunting rule
Author:	ditekSHen
Description:	Detects executables using Telegram Chat Bot

Rule name:	MALWARE_Win_SnakeKeylogger Create hunting rule
Author:	ditekSHen
Description:	Detects Snake Keylogger

Rule name:	MAL_Envrial_Jan18_1 Create hunting rule
Author:	Florian Roth (Nextron Systems)
Description:	Detects Encrial credential stealer malware
Reference:	https://twitter.com/malwrhunterteam/status/953313514629853184

Rule name:	MAL_Envrial_Jan18_1_RID2D8C Create hunting rule
Author:	Florian Roth
Description:	Detects Encrial credential stealer malware
Reference:	https://twitter.com/malwrhunterteam/status/953313514629853184

Rule name:	pe_imphash Create hunting rule

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

Rule name:	Windows_Trojan_SnakeKeylogger_af3faa65 Create hunting rule
Author:	Elastic Security

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/370309/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample