MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 a2bc93e1eb0d1ac91d7c09faf00c5ecf97f7501c8883391c9d5b77a5c23c99c9. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

SnakeKeylogger

Vendor detections: 12

Intelligence 12 IOCs YARA 2 File information Comments

SHA256 hash:	a2bc93e1eb0d1ac91d7c09faf00c5ecf97f7501c8883391c9d5b77a5c23c99c9
SHA3-384 hash:	a549aa415af07f473ded574b9a5972d1da4a62626e4085d1062e91fe7546e1c360580757b5722df0cfcf0f6c7f9d6ac6
SHA1 hash:	4588c7477a2c459b5ae880a1ea6ab33acb561e37
MD5 hash:	94540b56b5e07b075620c30ee1d883d4
humanhash:	happy-zulu-alanine-robert
File name:	payment12.exe
Download:	download sample
Signature	SnakeKeylogger Create hunting rule
File size:	1'014'784 bytes
First seen:	2022-10-18 11:05:47 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'741 x AgentTesla, 19'606 x Formbook, 12'242 x SnakeKeylogger)
ssdeep	24576:NlxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxNussOCD8RwT:Wgw4z8i1CvnFdj
Threatray	3'268 similar samples on MalwareBazaar
TLSH	T1EF256BB626D41257E42972B58193E1F322FBAD516411E1CB58C31FAFBC802BBE52734B
TrID	63.0% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13) 11.3% (.SCR) Windows screen saver (13101/52/3) 9.0% (.EXE) Win64 Executable (generic) (10523/12/4) 5.6% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 3.8% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):
dhash icon	1031ccc4ccccaa10 (14 x Loki, 12 x SnakeKeylogger, 11 x Formbook)
Reporter	abuse_ch
Tags:	exe SnakeKeylogger

Intelligence

File Origin

# of uploads :

# of downloads :

222

Origin country :

n/a

Vendor Threat Intelligence

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/321339/

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

Creating a file in the %AppData% directory

Enabling the 'hidden' option for recently created files

Adding an access-denied ACE

Сreating synchronization primitives

Creating a process from a recently created file

Creating a process with a hidden window

Creating a file in the %temp% directory

Launching a process

Enabling autorun by creating a file

Verdict:

No Threat

Threat level:

2/10

Confidence:

100%

Tags:

packed

Link:

https://www.filescan.io/uploads/634e88a166721ebd9b2efd51/reports/7ab910b1-5555-4466-9e47-2a602244f348/overview

Result

Verdict:

UNKNOWN

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Snake Keylogger

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/07e25a9c-ec66-42d8-aaa3-2df2665ac564

Result

Threat name:

Snake Keylogger

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1092886

Signature

.NET source code contains potential unpacker

.NET source code references suspicious native API functions

Adds a directory exclusion to Windows Defender

Initial sample is a PE file and has a suspicious name

Machine Learning detection for dropped file

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

May check the online IP address of the machine

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Sigma detected: Scheduled temp file as task from temp location

Snort IDS alert for network traffic

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to steal Mail credentials (via file / registry access)

Uses schtasks.exe or at.exe to add and modify task schedules

Yara detected AntiVM3

Yara detected Generic Downloader

Yara detected Snake Keylogger

Yara detected Telegram RAT

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/a2bc93e1eb0d1ac91d7c09faf00c5ecf97f7501c8883391c9d5b77a5c23c99c9/

Threat name:

ByteCode-MSIL.Trojan.AgentTesla

Status:

Malicious

First seen:

2022-10-18 07:18:29 UTC

File Type:

PE (.Net Exe)

Extracted files:

AV detection:

19 of 26 (73.08%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=uk6jhyplbunmshl4bh5padc6z6l7oua4rcbtshe5ln32lqr4theq._file

Verdict:

malicious

SnakeKeylogger

9f94bfaf7433e3b0142b5a57965199ec01c4e69b1c5598642d165138ebf742f3

SnakeKeylogger

a9a61d46548276ace7d943faa87221d5a9d25147a2419b80833b8e673185f3d7

SnakeKeylogger

f50fd444e689593c2b29b62961986f31fe2b61f28850d23680aab7671add1365

SnakeKeylogger

fe2a7fbf5eceff4507690ba13c38817f4ecfa6cbc376ad8829ee121797a866ac

SnakeKeylogger

ff3c396049c100121be3f3140824dea82b62bbb17e63fe6586650ba56cc75298

SnakeKeylogger

+ 3'258 additional samples on MalwareBazaar

Result

Malware family:

snakekeylogger

Score:

10/10

Tags:

family:snakekeylogger collection keylogger spyware stealer

Link:

https://tria.ge/reports/221018-m7ebqafec8/

Behaviour

Creates scheduled task(s)

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

outlook_office_path

outlook_win_path

Enumerates physical storage devices

Suspicious use of SetThreadContext

Accesses Microsoft Outlook profiles

Looks up external IP address via web service

Checks computer location settings

Reads data files stored by FTP clients

Reads user/profile data of local email clients

Reads user/profile data of web browsers

Snake Keylogger

Snake Keylogger payload

Malware Config

C2 Extraction:

https://api.telegram.org/bot5788931871:AAEfkw_P98L88KrFlXGZzJolFlQrpqGegLg/sendMessage?chat_id=5649714338

Verdict:

Suspicious

Tags:

n/a

YARA:

n/a

Link:

https://app.threat.zone/submission/65ff8c90-2103-4c86-8add-3c78df846cb2

Unpacked files

SH256 hash:

4035fab0fa6baa1644ef9c569698e92bd2da582aba6e37d145ec791f3f7738e2

MD5 hash:

5d7025962c08df30bc49388c5ab6b997

SHA1 hash:

a3c2974c7d5bdaa4c9185cd36fed5d259969cc64

Detections:

snake_keylogger

Link:

https://www.unpac.me/results/2b7cf9fe-b2e6-40cc-9815-fd39c81fae5e/

Parent samples :

b89882fd492b452ad93021de3223a75912db541b71b4db756f248ba385b0d97c
d086e34cc5ee029f8acb9acd840cee22341982c2c2f4752e575d4f18c5a9d00b
0a22a2255fdbaba55a3d1901e74e709968f363362e2902c5a16bfa6a86e90481
768b0f2e493d03d6c314819ed2898e559350dc85c25631a77c254444f86bf6ee
a2bc93e1eb0d1ac91d7c09faf00c5ecf97f7501c8883391c9d5b77a5c23c99c9
337760975af1bfd2b9c43ee0f7326ca1cad747c3426edbb7de1db2be71d8e5f5
f5513ad2ae4942ab753e178eefecfc0c62396c9a1a9128c2a65591780faad3ef
16c6e27daa1a1e14e32a2a49ee97054d64a9ae4b4549db8d4d7c3bfca889c15d
6f8fda2c3717f8e5240615c1b03e0586a575cdca7625b1f62be50055d7eab52c

SH256 hash:

3b41dc8a9385b3c5d44b4e862a1927fae0c00448d9ec607084f8493750fd687b

MD5 hash:

4c9982628b5c74b208ef9359b8b2c9d0

SHA1 hash:

6c239e757fcc94458fd5c481a0e65866b0c95de9

Link:

https://www.unpac.me/results/2b7cf9fe-b2e6-40cc-9815-fd39c81fae5e/

SH256 hash:

0e6c6e66b4ba8765c81fe08b2137ab8c7846008cc50ae12622612c141f5755fb

MD5 hash:

212ef84ebd421b327f42e422e6c47c23

SHA1 hash:

6bf1e61895004da0db38873802fa09200a82085a

Link:

https://www.unpac.me/results/2b7cf9fe-b2e6-40cc-9815-fd39c81fae5e/

SH256 hash:

678d527fc01a0eaa1be366ca97b0ad5a3fe890b1ef8267d2fc981ff43c4d08e5

MD5 hash:

2da433d67db4775d8f02a8fed4b31bf3

SHA1 hash:

235fe8f2076f3b5cfffacc574825550cee8e61e9

Link:

https://www.unpac.me/results/2b7cf9fe-b2e6-40cc-9815-fd39c81fae5e/

SH256 hash:

e20ec8f3c957bcb6a194ef688bae8af2015cfffb20e7baf8b2114d7b70ade4ee

MD5 hash:

35cb29046968faca7f3f3b4463449b6c

SHA1 hash:

088c8c30ec1bece0a4b5bbfe3982b073f8b95598

Link:

https://www.unpac.me/results/2b7cf9fe-b2e6-40cc-9815-fd39c81fae5e/

SH256 hash:

a2bc93e1eb0d1ac91d7c09faf00c5ecf97f7501c8883391c9d5b77a5c23c99c9

MD5 hash:

94540b56b5e07b075620c30ee1d883d4

SHA1 hash:

4588c7477a2c459b5ae880a1ea6ab33acb561e37

Link:

https://www.unpac.me/results/2b7cf9fe-b2e6-40cc-9815-fd39c81fae5e/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/a2bc93e1eb0d1ac91d7c09faf00c5ecf97f7501c8883391c9d5b77a5c23c99c9

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	pe_imphash Create hunting rule

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

SnakeKeylogger

exe a2bc93e1eb0d1ac91d7c09faf00c5ecf97f7501c8883391c9d5b77a5c23c99c9

(this sample)

Delivery method

Distributed via e-mail attachment

Cape

https://www.capesandbox.com/analysis/321339/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample