MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 9e53e11a224acd92fa205cc233d086ff8b0645ff81bebdc1aa905546f949516a. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

SnakeKeylogger

Vendor detections: 12

Intelligence 12 IOCs YARA 2 File information Comments

SHA256 hash:	9e53e11a224acd92fa205cc233d086ff8b0645ff81bebdc1aa905546f949516a
SHA3-384 hash:	a42574da280d8d61fb8d017040a6d9fd0dfe5dfdecfb3a23a1c588b4f9be5acdb4992e6ba783cea8312270d1f035fc97
SHA1 hash:	caaccd0ca21b908b1e24cb7090ed770602284abb
MD5 hash:	a447b15bfb3ceb51f655a5b650b08e7a
humanhash:	alabama-thirteen-lactose-ohio
File name:	SOA_Balance_Payment.exe
Download:	download sample
Signature	SnakeKeylogger Create hunting rule
File size:	497'664 bytes
First seen:	2022-02-01 07:54:18 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'658 x AgentTesla, 19'469 x Formbook, 12'208 x SnakeKeylogger)
ssdeep	12288:G+ErghGWVO7Jk73G32AjUr+hZlTUFpRjEiGQ:G+SWVOV6GTArFp2i1
Threatray	2'979 similar samples on MalwareBazaar
TLSH	T17BB49E74A2A74651F01B8BB424F8F86007F271E3FACA8D395B7435858FA9F552E4824F
Reporter	abuse_ch
Tags:	exe SnakeKeylogger

Intelligence

File Origin

# of uploads :

# of downloads :

173

Origin country :

n/a

Vendor Threat Intelligence

Detection:

Snake

Link:

https://www.capesandbox.com/analysis/229040/

Detection(s):

SecuriteInfo.com.PUA.EmbeddedEXE-1.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

DNS request

Creating a window

Unauthorized injection to a recently created process

Creating a file

Сreating synchronization primitives

Sending an HTTP GET request

Sending a custom TCP request

Reading critical registry keys

Forced shutdown of a browser

Verdict:

Likely Malicious

Threat level:

7.5/10

Confidence:

100%

Tags:

obfuscated packed replace.exe

Link:

https://www.filescan.io/uploads/61f8e75e6d25ac9e79f436e0/reports/ff3c87aa-13fb-40ff-8b30-a516d4098c4c/overview

Result

Verdict:

UNKNOWN

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Snake Keylogger

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/f0ace60a-d97f-42a3-b5ae-82adc602c68d

Result

Threat name:

Snake Keylogger

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/931756

Signature

.NET source code references suspicious native API functions

Executable has a suspicious name (potential lure to open the executable)

Found malware configuration

Initial sample is a PE file and has a suspicious name

Injects a PE file into a foreign processes

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

May check the online IP address of the machine

Multi AV Scanner detection for submitted file

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to steal Mail credentials (via file / registry access)

Yara detected AntiVM3

Yara detected Snake Keylogger

Yara detected Telegram RAT

Behaviour

Behavior Graph:

Download SVG

Detection:

snakekeylogger

Link:

https://mwdb.cert.pl/sample/9e53e11a224acd92fa205cc233d086ff8b0645ff81bebdc1aa905546f949516a/

Threat name:

ByteCode-MSIL.Trojan.Woreflint

Status:

Malicious

First seen:

2022-02-01 07:55:12 UTC

File Type:

PE (.Net Exe)

Extracted files:

AV detection:

8 of 43 (18.60%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=tzj6cgrcjlgzf6raltbdhueg76fqmrp7qg7l3qnksbkun6kjkfva._file

Verdict:

malicious

SnakeKeylogger

7239068bcab3d2fe02a0a3faf8f703dc78c57fec8935bcd68f4a61e5de6ae07f

SnakeKeylogger

82c48c73887a3f56ba4945e9265d9c616658b0f367d99e25d80df35beab5b6d7

SnakeKeylogger

a6beb68fd213bbdcb92da099d86ac4f913cba2c024dd8ea983d35f8f85bf5f53

SnakeKeylogger

c741bc5e6d20f519e3329890102cb8422952f266ae0bbfe475086a8869794ed0

SnakeKeylogger

d33dac65118a88b15580c028deba8f4ecc95ff7d0a316259612264a0b6e06d11

SnakeKeylogger

daa604a27147db1e06e4270188789963871cc7fb12c9b70d10d6b7e270d61176

SnakeKeylogger

+ 2'969 additional samples on MalwareBazaar

Unpacked files

SH256 hash:

29f7d6ea06b162f3958d90e90f4dca764d61c4a59345014cc82580e6dece68ad

MD5 hash:

22db181b3bb1a0b3ad0fc8226d0482ab

SHA1 hash:

ffa90d1b4a472a3421385ac34b8cda3e71163c49

Link:

https://www.unpac.me/results/aaf7716f-e734-47ab-85a9-4292bf3ef50f/

SH256 hash:

a0ba12746713366d6ea1b0624a35c723858e979ef3d6703a08cd428b104f9650

MD5 hash:

9277de7f2f997a5ff051f10bdbda8d2f

SHA1 hash:

b4b2755b3253fdd120d7ee9db1e9073907844340

Link:

https://www.unpac.me/results/aaf7716f-e734-47ab-85a9-4292bf3ef50f/

SH256 hash:

6f1b89bc3013177c101fe4448340c48c0dd08d19017a798bd11c2d0f76be1fbc

MD5 hash:

60a604887b3616e3ed86d81fab0a9ebb

SHA1 hash:

8db84f5f4c569c86c69aff464b2ffc4ce3dafa20

Link:

https://www.unpac.me/results/aaf7716f-e734-47ab-85a9-4292bf3ef50f/

SH256 hash:

9e53e11a224acd92fa205cc233d086ff8b0645ff81bebdc1aa905546f949516a

MD5 hash:

a447b15bfb3ceb51f655a5b650b08e7a

SHA1 hash:

caaccd0ca21b908b1e24cb7090ed770602284abb

Link:

https://www.unpac.me/results/aaf7716f-e734-47ab-85a9-4292bf3ef50f/

Malware family:

Phoenix

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/9e53e11a224a/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Suspicious File

Score:

0.65

Link:

https://yomi.yoroi.company/submissions/9e53e11a224acd92fa205cc233d086ff8b0645ff81bebdc1aa905546f949516a

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	pe_imphash Create hunting rule

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

SnakeKeylogger

exe 9e53e11a224acd92fa205cc233d086ff8b0645ff81bebdc1aa905546f949516a

(this sample)

Delivery method

Distributed via e-mail attachment

Cape

https://www.capesandbox.com/analysis/229040/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample