MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 a2bb808321745ce0239b5a84c78a801644d903ce8a6ab87193337aaf2d01fc31. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

SnakeKeylogger

Vendor detections: 12

Intelligence 12 IOCs YARA 9 File information Comments

SHA256 hash:	a2bb808321745ce0239b5a84c78a801644d903ce8a6ab87193337aaf2d01fc31
SHA3-384 hash:	881247afe6c9a599c53d3012deb35c08fc0a8624215f8975c27098aee519d630cf0053876df7f520c4fa8b3bdb64055b
SHA1 hash:	0fb28b28c416d21f1db2d54355e89fa8ec3e3324
MD5 hash:	350dfc66657d2d9b2231bf8bfe33497b
humanhash:	whiskey-rugby-lima-mountain
File name:	EGGMM.EXE
Download:	download sample
Signature	SnakeKeylogger Create hunting rule
File size:	129'024 bytes
First seen:	2022-07-31 14:36:05 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'740 x AgentTesla, 19'599 x Formbook, 12'241 x SnakeKeylogger)
ssdeep	3072:MXEZ+s94zczB0G3HfVhpb81UyHSv+cuwBkRFbY:f94zG/VHb2bHPb
Threatray	3'740 similar samples on MalwareBazaar
TLSH	T112C3F75D3BFC8804E6FF8A7305B15211CBB5B852151ACE1D5AC2F4592A7CA80DE2BF93
TrID	60.4% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13) 10.8% (.SCR) Windows screen saver (13101/52/3) 8.6% (.EXE) Win64 Executable (generic) (10523/12/4) 5.4% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 4.1% (.EXE) Win16 NE executable (generic) (5038/12/1)
Reporter	0xToxin
Tags:	exe SnakeKeylogger SRRBomber

0xToxin

dropped from stager C++ exe:
https://bazaar.abuse.ch/sample/62ae48d339e52a1b5be82e703025f2be10d6025f97fd784d40f2781d6ee886ec/

Intelligence

File Origin

# of uploads :

# of downloads :

380

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

avemaria

ID:

File name:

first_payload.exe

Verdict:

Malicious activity

Analysis date:

2022-08-01 06:16:58 UTC

Tags:

snake warzone trojan stealer rat avemaria

Link:

https://app.any.run/tasks/f6af7ec0-4be5-4cd8-9c1b-fda3791c7dab

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/295368/

Detection(s):

Win.Malware.Snake-9953539-0

Win.Packed.Msilperseus-9956591-0

Result

Verdict:

Malware

Maliciousness:

Behaviour

Сreating synchronization primitives

DNS request

Sending an HTTP GET request

Reading critical registry keys

Creating a window

Sending a custom TCP request

Verdict:

Suspicious

Threat level:

5/10

Confidence:

100%

Tags:

stealer

Link:

https://www.filescan.io/uploads/62e694098d188266ad34a457/reports/322d2a62-72ea-4bcd-bd0c-d3fa584dfe21/overview

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Snake Keylogger

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/c2b640ca-afff-4256-9c52-bfb588ece0d9

Result

Threat name:

Snake Keylogger

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1043790

Signature

.NET source code references suspicious native API functions

Antivirus / Scanner detection for submitted sample

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

May check the online IP address of the machine

Multi AV Scanner detection for submitted file

Snort IDS alert for network traffic

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to steal Mail credentials (via file / registry access)

Yara detected Generic Downloader

Yara detected Snake Keylogger

Yara detected Telegram RAT

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/a2bb808321745ce0239b5a84c78a801644d903ce8a6ab87193337aaf2d01fc31/

Threat name:

ByteCode-MSIL.Infostealer.Mintluks

Status:

Malicious

First seen:

2022-07-06 18:11:00 UTC

File Type:

PE (.Net Exe)

Extracted files:

AV detection:

24 of 26 (92.31%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=uk5ybazborooai43lkcmpcuaczcnsa6orjvlq4mtgn5k6lib7qyq._file

Verdict:

malicious

SnakeKeylogger

15b8325df5457903aa6a8f86ddd64b7ea2fca232231e2e63044a1a0f9cc3f73b

SnakeKeylogger

218c08cec6f1611911718ce26eb572771eaf353c7cec7b2b32f11e1dad2c466d

SnakeKeylogger

480e6eafca7220040b5c881ba63412843e888fb54e21b158a2568bec0cce0acf

SnakeKeylogger

4dbd5b601bf249b13219a11acf0231f865bff52a7403b0fc19b9fb4104ccec0f

SnakeKeylogger

62ae48d339e52a1b5be82e703025f2be10d6025f97fd784d40f2781d6ee886ec

SnakeKeylogger

6f0b53e03949038ea08eb5e798961c86237849fa4d403808fc43b4c783c032af

SnakeKeylogger

f6f9f7b0dda34e762db1c1d5362ad44638246bc1ff5832789177869d0e393203

SnakeKeylogger

fec53b388671f2f82fd8c743a3695f432037caffe5f2e04ea77c206809efd048

SnakeKeylogger

+ 3'730 additional samples on MalwareBazaar

Result

Malware family:

snakekeylogger

Score:

10/10

Tags:

family:snakekeylogger collection keylogger spyware stealer

Link:

https://tria.ge/reports/220731-ry481ahdcl/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

outlook_office_path

outlook_win_path

Accesses Microsoft Outlook profiles

Looks up external IP address via web service

Reads data files stored by FTP clients

Reads user/profile data of local email clients

Reads user/profile data of web browsers

Snake Keylogger

Snake Keylogger payload

Unpacked files

SH256 hash:

a2bb808321745ce0239b5a84c78a801644d903ce8a6ab87193337aaf2d01fc31

MD5 hash:

350dfc66657d2d9b2231bf8bfe33497b

SHA1 hash:

0fb28b28c416d21f1db2d54355e89fa8ec3e3324

Link:

https://www.unpac.me/results/97ae2f05-11ac-4ef9-b2a5-c28b77281f48/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Suspicious File

Score:

0.35

Link:

https://yomi.yoroi.company/submissions/a2bb808321745ce0239b5a84c78a801644d903ce8a6ab87193337aaf2d01fc31

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	INDICATOR_SUSPICIOUS_Binary_References_Browsers Create hunting rule
Author:	ditekSHen
Description:	Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers.

Rule name:	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook Create hunting rule
Author:	ditekSHen
Description:	Detects executables with potential process hoocking

Rule name:	INDICATOR_SUSPICIOUS_EXE_References_Messaging_Clients Create hunting rule
Author:	ditekSHen
Description:	Detects executables referencing many email and collaboration clients. Observed in information stealers

Rule name:	INDICATOR_SUSPICIOUS_EXE_TelegramChatBot Create hunting rule
Author:	ditekSHen
Description:	Detects executables using Telegram Chat Bot

Rule name:	MALWARE_Win_SnakeKeylogger Create hunting rule
Author:	ditekSHen
Description:	Detects Snake Keylogger

Rule name:	MAL_Envrial_Jan18_1 Create hunting rule
Author:	Florian Roth
Description:	Detects Encrial credential stealer malware
Reference:	https://twitter.com/malwrhunterteam/status/953313514629853184

Rule name:	MAL_Envrial_Jan18_1_RID2D8C Create hunting rule
Author:	Florian Roth
Description:	Detects Encrial credential stealer malware
Reference:	https://twitter.com/malwrhunterteam/status/953313514629853184

Rule name:	pe_imphash Create hunting rule

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/295368/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample