MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 a5d7dc1f0a8570c6e84fa51e259025a5b09594ba8c11a632ac95df7eed359d5d. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


SnakeKeylogger


Vendor detections: 10


Intelligence 10 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: a5d7dc1f0a8570c6e84fa51e259025a5b09594ba8c11a632ac95df7eed359d5d
SHA3-384 hash: a90e4087fb5c500626fde202edb6a4546f47a77c895af47268dffb3cb1d03bf7b86f0806486633eda4225973289fc713
SHA1 hash: 78285aae38ccb6fa66d64e997fcfada71a997038
MD5 hash: de3c3c1f1ce7b3da2b7704e7180a9efc
humanhash: mexico-cold-alanine-magnesium
File name:203948392029093094902293893-2343.exe
Download: download sample
Signature SnakeKeylogger
Create hunting rule
File size:643'072 bytes
First seen:2021-08-09 05:32:42 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'666 x AgentTesla, 19'479 x Formbook, 12'209 x SnakeKeylogger)
ssdeep 12288:dJH4N5VwPVFbuGegE57JEq/y6INX6LRgU7e9kcPRB2Hp9Cj9c:LH+EnqGq/wKgDpPR3
Threatray 947 similar samples on MalwareBazaar
TLSH T196D4D03AB7C56E6AC96C0FB78417224553F8C02B7273F3AB39D869F51C12748860F5A6
dhash icon d0c888848e9eb8ec (1 x AgentTesla, 1 x SnakeKeylogger)
Reporter abuse_ch
Tags:exe SnakeKeylogger

Intelligence

File Origin
# of uploads :
1
# of downloads :
130
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
203948392029093094902293893-2343.exe
Verdict:
Malicious activity
Analysis date:
2021-08-09 05:43:21 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/50f065b6-5bd2-421f-8181-4e8e57e6fb50

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/177422/
Result
Verdict:
Malware
Maliciousness:

Behaviour
DNS request
Connection attempt
Sending a custom TCP request
Creating a window
Running batch commands
Launching a process
Creating a file in the %temp% directory
Creating a file
Creating a process from a recently created file
Sending a UDP request
Sending an HTTP GET request
Reading critical registry keys
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Unauthorized injection to a recently created process
Unauthorized injection to a recently created process by context flags manipulation
Blocking the Windows Defender launch
Forced shutdown of a browser
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/7cd6aa5d-09a9-4381-a0f2-968dc2df6758
Result
Threat name:
Snake Keylogger
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/829009
Signature
.NET source code contains very large array initializations
Allocates memory in foreign processes
Found malware configuration
Hides that the sample has been downloaded from the Internet (zone.identifier)
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
May check the online IP address of the machine
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Mail credentials (via file access)
Writes to foreign memory regions
Yara detected AntiVM3
Yara detected Snake Keylogger
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 461445 Sample: 203948392029093094902293893... Startdate: 09/08/2021 Architecture: WINDOWS Score: 100 54 Found malware configuration 2->54 56 Malicious sample detected (through community Yara rule) 2->56 58 Multi AV Scanner detection for submitted file 2->58 60 4 other signatures 2->60 7 opeir.exe 2 2->7         started        11 203948392029093094902293893-2343.exe 15 7 2->11         started        14 opeir.exe 14 3 2->14         started        process3 dnsIp4 62 Writes to foreign memory regions 7->62 64 Allocates memory in foreign processes 7->64 66 Hides that the sample has been downloaded from the Internet (zone.identifier) 7->66 68 Injects a PE file into a foreign processes 7->68 16 InstallUtil.exe 7->16         started        44 www.google.com 142.250.185.228, 443, 49714, 49723 GOOGLEUS United States 11->44 28 C:\Users\user\Music\opeir.exe, PE32 11->28 dropped 30 C:\Users\user\AppData\...\InstallUtil.exe, PE32 11->30 dropped 32 C:\Users\user\...\opeir.exe:Zone.Identifier, ASCII 11->32 dropped 34 203948392029093094902293893-2343.exe.log, ASCII 11->34 dropped 20 opeir.exe 2 11->20         started        22 cmd.exe 1 11->22         started        70 Multi AV Scanner detection for dropped file 14->70 72 Machine Learning detection for dropped file 14->72 file5 signatures6 process7 dnsIp8 36 checkip.dyndns.com 193.122.130.0, 49734, 80 ORACLE-BMC-31898US United States 16->36 38 mail.shopalldealsnow.com 104.219.248.49, 49737, 49747, 49748 NAMECHEAP-NETUS United States 16->38 42 3 other IPs or domains 16->42 46 May check the online IP address of the machine 16->46 48 Tries to steal Mail credentials (via file access) 16->48 50 Tries to harvest and steal ftp login credentials 16->50 52 Tries to harvest and steal browser information (history, passwords, etc) 16->52 40 www.google.com 20->40 24 conhost.exe 22->24         started        26 reg.exe 1 1 22->26         started        signatures9 process10
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/a5d7dc1f0a8570c6e84fa51e259025a5b09594ba8c11a632ac95df7eed359d5d/
Threat name:
Win32.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2021-08-09 00:58:37 UTC
File Type:
PE (.Net Exe)
Extracted files:
33
AV detection:
19 of 46 (41.30%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=uxl5yhykqvymn2cpuupclebfuwyjlff2rqi2mmvmsxpx53jvtvoq._file
Verdict:
malicious
Similar samples:
14b33650cf6497ab5a9f973f61ca8b43ad33a0b1a85f378345f51855567f4d2a
SnakeKeylogger
1538239719a2e9ebb9fb648f8e7a53bc6c55794f2a8c87d90f5c5d732d2767d1
SnakeKeylogger
40279a0eec5f0080c04b299b86bc5aab31d1900b5d63787d713e48fa96d3b8e9
SnakeKeylogger
662c88c4e608ecb3c0d5b9104a12a42154df357b743af6557cbd7c2cba2fb51b
SnakeKeylogger
94aadc2aaf34a412aeae31d815fc4d22cb6f14707915d020f6cb31fda4beb31d
SnakeKeylogger
a7c7eb1e99bbe1e3258d4257a23aafa0ba3f7ce8926ae307615762784fcf461a
SnakeKeylogger
bd9fc23a41c4112c346a69c0a750405ff5590c1e5e7b6851eeeb6eda5a0743b6
SnakeKeylogger
e1b831abf47d6c22de272d0a2218f864189c810fc301fff7bf4e724748693d05
SnakeKeylogger
e7def3c5e90cc4793a32a6637e8390b504f5df9734e434ae19871365f0df2209
SnakeKeylogger
+ 937 additional samples on MalwareBazaar
Result
Malware family:
snakekeylogger
Create hunting rule
Score:
  10/10
Tags:
family:snakekeylogger keylogger persistence spyware stealer
Link:
https://tria.ge/reports/210809-wl5at1z6za/
Behaviour
Modifies system certificate store
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Adds Run key to start application
Looks up external IP address via web service
Loads dropped DLL
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Executes dropped EXE
Snake Keylogger
Unpacked files
SH256 hash:
a5d7dc1f0a8570c6e84fa51e259025a5b09594ba8c11a632ac95df7eed359d5d
MD5 hash:
de3c3c1f1ce7b3da2b7704e7180a9efc
SHA1 hash:
78285aae38ccb6fa66d64e997fcfada71a997038
Link:
https://www.unpac.me/results/0c2522d2-d24d-4f9b-938c-80bc5bae04d6/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.51
Link:
https://yomi.yoroi.company/submissions/a5d7dc1f0a8570c6e84fa51e259025a5b09594ba8c11a632ac95df7eed359d5d

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

SnakeKeylogger

Executable exe a5d7dc1f0a8570c6e84fa51e259025a5b09594ba8c11a632ac95df7eed359d5d

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/177422/

Comments