MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 a5aa94475a74fe3e23364858f4b40c1c96c236ae284fda36d6fad080c2ed7123. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


SnakeKeylogger


Vendor detections: 10


Intelligence 10 IOCs YARA 13 File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: a5aa94475a74fe3e23364858f4b40c1c96c236ae284fda36d6fad080c2ed7123
SHA3-384 hash: ccfb5677e1d374b041c66033c70f42b48af5fba7a55054ccb99ece54cda225b3d3a12ec2d81947052a14b37fbeb75f09
SHA1 hash: 82a049debfd8f25f33fffcc238ef14294bec4fb4
MD5 hash: effb66c9d8705895ec697afb69ef041a
humanhash: delta-golf-five-alabama
File name:effb66c9d8705895ec697afb69ef041a
Download: download sample
Signature SnakeKeylogger
Create hunting rule
File size:397'824 bytes
First seen:2022-01-27 13:51:32 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'661 x AgentTesla, 19'474 x Formbook, 12'208 x SnakeKeylogger)
ssdeep 6144:eRE3xiNO+hgmaal6FgBK4+iouk/Qi6Lz3bP6OVpzcPd:eexwO++alGgloPZ6LSoNi
Threatray 4'220 similar samples on MalwareBazaar
TLSH T106841D2C3A454672FD2DD2714DE10A04BB660F0F2248AB9AA7DF25CAC76F4BE5D05CB4
File icon (PE):PE icon
dhash icon 0932534b69533201 (3 x SnakeKeylogger)
Reporter zbetcheckin
Tags:32 exe SnakeKeylogger

Intelligence

File Origin
# of uploads :
1
# of downloads :
175
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
effb66c9d8705895ec697afb69ef041a
Verdict:
Malicious activity
Analysis date:
2022-01-27 14:07:17 UTC
Tags:
evasion trojan snakekeylogger keylogger
Link:
https://app.any.run/tasks/2841ce9c-12e1-4f81-b470-4349de134477

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/224339/
Detection(s):
SecuriteInfo.com.Suspicious.Win32.Save.a.6638.29851.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a process from a recently created file
Сreating synchronization primitives
Creating a window
Launching a process
Using the Windows Management Instrumentation requests
DNS request
Running batch commands
Sending an HTTP GET request
Sending a custom TCP request
Creating a file in the %AppData% subdirectories
Reading critical registry keys
Unauthorized injection to a system process
Forced shutdown of a browser
Enabling autorun by creating a file
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
anti-vm cmd.exe control.exe obfuscated packed replace.exe
Link:
https://www.filescan.io/uploads/61f2a392c4bcf3287a614a1f/reports/f2e0fad7-819f-495e-af55-5954be3cb6ec/overview
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/70fe0530-83b6-4405-8400-431f9a813ccc
Result
Threat name:
Snake Keylogger
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/929213
Behaviour
Behavior Graph:
n/a
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/a5aa94475a74fe3e23364858f4b40c1c96c236ae284fda36d6fad080c2ed7123/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2022-01-27 11:16:19 UTC
File Type:
PE (.Net Exe)
Extracted files:
12
AV detection:
19 of 28 (67.86%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=uwvjir22ot7d4izwjbmpjnamdslmenvofbh5unww7liibqxnoerq._file
Verdict:
malicious
Similar samples:
0b1396805e736275f16550f3ecc5361cfcccc468094b4ea910ded8eaf430a5b3
SnakeKeylogger
193ac87ce3fbdcbc7def7776cac94b2548c0eabcfa179f701b96f65d9cfe7631
SnakeKeylogger
3b423344c5fff0aee78a4802681bac29d85c0b5edc1761caf455dc6bf0fce59a
SnakeKeylogger
67a070a61c8d94294f7b4eb0b4d7978a8b3dd8b5f72f63ad84aa116f95cfa996
SnakeKeylogger
9afeb5862b218ce5c8b9ea67600fa9af8a1f531715d601045a131093ce6dd13f
SnakeKeylogger
c2ba54cb48c0dda45316d446406221e5cdb331bf6147d956071e41727502be2f
SnakeKeylogger
df43d7dbdd797f22a5b47418e2365accd97fda7a6ea6ae82c8701eb59ff0717f
SnakeKeylogger
fee5158177e7960671d9a1126ce5d7e0bf56501f914ceed43c87cfa392c72768
SnakeKeylogger
ff8c96889acbf40646676632e44a50c37f1abd7828a34c19ec7462d7b2175af0
SnakeKeylogger
+ 4'210 additional samples on MalwareBazaar
Result
Malware family:
snakekeylogger
Create hunting rule
Score:
  10/10
Tags:
family:snakekeylogger collection keylogger stealer
Link:
https://tria.ge/reports/220127-q6e4eadgal/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Looks up external IP address via web service
Uses the VBS compiler for execution
Executes dropped EXE
Snake Keylogger
Snake Keylogger Payload
Unpacked files
SH256 hash:
bfb0bd292cffb0394728298fdbf07198d6f0370c585ff4d4c418f3287a3d360e
MD5 hash:
a468949be4a8c126885966c89836cd77
SHA1 hash:
8ea4f30d9739c3de0416a7d3cf2433e97cd15605
Link:
https://www.unpac.me/results/f389c83b-4e1a-434d-88b6-3f6fb9540eb2/
SH256 hash:
a5aa94475a74fe3e23364858f4b40c1c96c236ae284fda36d6fad080c2ed7123
MD5 hash:
effb66c9d8705895ec697afb69ef041a
SHA1 hash:
82a049debfd8f25f33fffcc238ef14294bec4fb4
Link:
https://www.unpac.me/results/f389c83b-4e1a-434d-88b6-3f6fb9540eb2/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/a5aa94475a74fe3e23364858f4b40c1c96c236ae284fda36d6fad080c2ed7123

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_EXE_Packed_Dotfuscator
Create hunting rule
Author:ditekSHen
Description:Detects executables packed with Dotfuscator
Rule name:INDICATOR_EXE_Packed_dotNetProtector
Create hunting rule
Author:ditekSHen
Description:Detects executables packed with dotNetProtector
Rule name:INDICATOR_EXE_Packed_SmartAssembly
Create hunting rule
Author:ditekSHen
Description:Detects executables packed with SmartAssembly
Rule name:INDICATOR_SUSPICIOUS_Binary_References_Browsers
Create hunting rule
Author:ditekSHen
Description:Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers.
Rule name:INDICATOR_SUSPICIOUS_EXE_DotNetProcHook
Create hunting rule
Author:ditekSHen
Description:Detects executables with potential process hoocking
Rule name:INDICATOR_SUSPICIOUS_EXE_References_Messaging_Clients
Create hunting rule
Author:ditekSHen
Description:Detects executables referencing many email and collaboration clients. Observed in information stealers
Rule name:INDICATOR_SUSPICIOUS_EXE_TelegramChatBot
Create hunting rule
Author:ditekSHen
Description:Detects executables using Telegram Chat Bot
Rule name:MALWARE_Win_SnakeKeylogger
Create hunting rule
Author:ditekSHen
Description:Detects Snake Keylogger
Rule name:MAL_Envrial_Jan18_1
Create hunting rule
Author:Florian Roth
Description:Detects Encrial credential stealer malware
Reference:https://twitter.com/malwrhunterteam/status/953313514629853184
Rule name:MAL_Envrial_Jan18_1_RID2D8C
Create hunting rule
Author:Florian Roth
Description:Detects Encrial credential stealer malware
Reference:https://twitter.com/malwrhunterteam/status/953313514629853184
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash
Rule name:Telegram_Exfiltration_Via_Api
Create hunting rule
Author:lsepaolo

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

SnakeKeylogger

Executable exe a5aa94475a74fe3e23364858f4b40c1c96c236ae284fda36d6fad080c2ed7123

(this sample)

  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/2009334/
Cape
Cape
https://www.capesandbox.com/analysis/224339/

Comments


Avatar
zbet commented on 2022-01-27 13:51:34 UTC

url : hxxp://18.159.59.253/cut/615472927758389.bat