MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 971fa2ed128f50036addbec8c360f50ceb498d6e4da5aec1e420f569a516bd76. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


SnakeKeylogger


Vendor detections: 14


Intelligence 14 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 971fa2ed128f50036addbec8c360f50ceb498d6e4da5aec1e420f569a516bd76
SHA3-384 hash: a524ed20834fb4a32eb5f9df580502f7f49d9d826a900fd75cc327ddbad8c3569bd7e2417e47e10f25edb1aa79a2987b
SHA1 hash: 669f5ff1d01c8146e4a185228d297e9103850d44
MD5 hash: 30679ae66fc7eb24ed978ee2ec2b6b7c
humanhash: arkansas-nine-single-cardinal
File name:30679ae66fc7eb24ed978ee2ec2b6b7c.exe
Download: download sample
Signature SnakeKeylogger
Create hunting rule
File size:438'272 bytes
First seen:2023-01-10 19:04:04 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 61259b55b8912888e90f516ca08dc514 (1'059 x Formbook, 741 x AgentTesla, 427 x GuLoader)
ssdeep 6144:qYa6AJ1bNM6nwIxtkUhkyRO/RTbv13TaSVbooLTfy2OCAM1MK:qYuJVNMowInk25R+Tb93TaZoLTK2OCdf
Threatray 10'591 similar samples on MalwareBazaar
TLSH T1489401486189E12ADBD637311F31DB750BB1ED8D2660873B27F05D4B7ADE613AA09322
TrID 47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
15.9% (.EXE) Win64 Executable (generic) (10523/12/4)
9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
7.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
6.8% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):PE icon
dhash icon 0000000000000000 (872 x AgentTesla, 496 x Formbook, 296 x RedLineStealer)
Reporter abuse_ch
Tags:exe SnakeKeylogger

Intelligence

File Origin
# of uploads :
1
# of downloads :
172
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
Order.doc
Verdict:
Malicious activity
Analysis date:
2023-01-10 08:44:57 UTC
Tags:
loader trojan evasion exploit cve-2017-11882
Link:
https://app.any.run/tasks/e4c6f21d-016b-4288-879f-a0f8a22520b3

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Snake
Create hunting rule
Link:
https://www.capesandbox.com/analysis/351663/
Detection(s):
SecuriteInfo.com.Win32.PWSX-gen.17727.12441.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Creating a file in the %temp% directory
Creating a window
Creating a process from a recently created file
Сreating synchronization primitives
DNS request
Sending an HTTP GET request
Reading critical registry keys
Unauthorized injection to a recently created process
Unauthorized injection to a recently created process by context flags manipulation
Forced shutdown of a browser
Verdict:
No Threat
Threat level:
  10/10
Confidence:
100%
Tags:
overlay packed shell32.dll
Link:
https://www.filescan.io/uploads/63bdb6ad0fdf1633326e36c3/reports/72bbbc67-f770-4017-8274-ec439e091c09/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/3e8d7e8b-8f76-4971-a4bc-f566c723d02d
Result
Threat name:
Snake Keylogger
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1149072
Signature
.NET source code references suspicious native API functions
Antivirus detection for dropped file
Contains functionality to detect sleep reduction / modifications
Detected unpacking (creates a PE file in dynamic memory)
Machine Learning detection for dropped file
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
May check the online IP address of the machine
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Mail credentials (via file / registry access)
Yara detected Generic Downloader
Yara detected Snake Keylogger
Yara detected Telegram RAT
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/971fa2ed128f50036addbec8c360f50ceb498d6e4da5aec1e420f569a516bd76/
Threat name:
Win32.Trojan.Tnega
Create hunting rule
Status:
Malicious
First seen:
2023-01-10 15:27:00 UTC
File Type:
PE (Exe)
Extracted files:
3
AV detection:
24 of 40 (60.00%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=s4p2f3isr5iag2w5x3emgyhvbtvutdlojws25qpeed2wtjiwxv3a._file
Verdict:
malicious
Similar samples:
0dd996545ef3178719d3a8253b674b1fedfcf0ea1d9bb6af1409f6a47000dc1d
SnakeKeylogger
43dcd17aa2e97a45074d166854347fe25b59e384eb84ddc685092c21e1a4db1f
SnakeKeylogger
540f95521963827363fc5781d0f0dc9d8323c6c18e5d4e8deb26a4b26c49aca1
SnakeKeylogger
7db45a54b5f18064cdb02e35b051b9f1daf43c10dce1f95fdd16cba8ecd15bfd
SnakeKeylogger
887a72c6d2185c86606b4b80560d5f22fd8c87b261c392bf460c39df861e07b7
SnakeKeylogger
c311d7bb48a8076e141608660d414516d535948c93ff903969208adc8bd09c4b
SnakeKeylogger
cc83749270a1efd6c7ebeb1e3c077a426ec98f3b25e14e268dc18b17409abba9
SnakeKeylogger
f2d560f960b4ab660621fef4d25d6b83b27da3deb53c1b0159c8abbc935a0ce4
SnakeKeylogger
f56dcde7d06b05096835f277eb1e597526745b7f7607627855a56fd6f1fc3f50
SnakeKeylogger
fb27645c5ba18a9e7e61876df54e4220c89cfdea419892dc08c32a9a7fe9b443
SnakeKeylogger
+ 10'581 additional samples on MalwareBazaar
Result
Malware family:
snakekeylogger
Create hunting rule
Score:
  10/10
Tags:
family:snakekeylogger collection keylogger spyware stealer
Link:
https://tria.ge/reports/230110-xqz7zada2v/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Enumerates physical storage devices
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Looks up external IP address via web service
Loads dropped DLL
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Executes dropped EXE
Snake Keylogger
Snake Keylogger payload
Verdict:
Suspicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/bd05370d-672a-4f32-9d77-1c298857b031
Unpacked files
SH256 hash:
689fad979226f118c9bd1022306d623de0fef15756946533c49813378416b064
MD5 hash:
7c9832c03befdf4b6c34710ede9d6137
SHA1 hash:
31ae733fceaf035e86f3d3e74043dc1d1c65daa5
Link:
https://www.unpac.me/results/5f869733-0f77-4af5-a4b1-5952376f33d2/
SH256 hash:
971fa2ed128f50036addbec8c360f50ceb498d6e4da5aec1e420f569a516bd76
MD5 hash:
30679ae66fc7eb24ed978ee2ec2b6b7c
SHA1 hash:
669f5ff1d01c8146e4a185228d297e9103850d44
Link:
https://www.unpac.me/results/5f869733-0f77-4af5-a4b1-5952376f33d2/
Malware family:
SnakeKeylogger
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/971fa2ed128f/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/971fa2ed128f50036addbec8c360f50ceb498d6e4da5aec1e420f569a516bd76

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

SnakeKeylogger

Executable exe 971fa2ed128f50036addbec8c360f50ceb498d6e4da5aec1e420f569a516bd76

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/2482441/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/351663/

Comments