MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 a5dcb351fba849e7723ab851411031f722af525793a0805b611045e68149189b. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


SnakeKeylogger


Vendor detections: 11


Intelligence 11 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: a5dcb351fba849e7723ab851411031f722af525793a0805b611045e68149189b
SHA3-384 hash: d11708714cb800249950af381a25b458da4f342009f3dc6bfa7e09d3028ab088ad9e00ed9e24d4cc0097b12ffbbc2231
SHA1 hash: dd1f0147223623b193c33a2c0610540418eb506a
MD5 hash: f6c4902b5c81d68bffcb13259441778a
humanhash: iowa-early-hydrogen-network
File name:SecuriteInfo.com.W32.AIDetectNet.01.19493.17719
Download: download sample
Signature SnakeKeylogger
Create hunting rule
File size:696'320 bytes
First seen:2022-08-11 15:54:18 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'661 x AgentTesla, 19'474 x Formbook, 12'208 x SnakeKeylogger)
ssdeep 12288:Ivpc++f21940dIsDLBcuNCGnjlkZgbArbSM2TgN/0s:OpSe160dZLTjMAgi
Threatray 5'827 similar samples on MalwareBazaar
TLSH T186E49DEFAF8C441BCD618B31E84C81B99F65ACA13522CDEF79937432D5702AC661DE14
TrID 72.5% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.4% (.EXE) Win64 Executable (generic) (10523/12/4)
6.5% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.4% (.EXE) Win32 Executable (generic) (4505/5/1)
2.0% (.EXE) OS/2 Executable (generic) (2029/13)
Reporter SecuriteInfoCom
Tags:exe SnakeKeylogger

Intelligence

File Origin
# of uploads :
1
# of downloads :
516
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
SecuriteInfo.com.W32.AIDetectNet.01.19493.17719
Verdict:
Malicious activity
Analysis date:
2022-08-11 16:00:32 UTC
Tags:
evasion trojan snake keylogger
Link:
https://app.any.run/tasks/92398438-5ec1-453c-8b76-806013502574

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Snake
Create hunting rule
Link:
https://www.capesandbox.com/analysis/298048/
Detection(s):
SecuriteInfo.com.W32.AIDetectNet.01.19493.17719.UNOFFICIAL
Create hunting rule

Result
Verdict:
Clean
Maliciousness:

Behaviour
Creating a window
Launching a process
Creating a process with a hidden window
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
packed
Link:
https://www.filescan.io/uploads/62f52665e456f39ac941ed89/reports/42643c4d-b920-4518-b9af-3bb3182be02d/overview
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Snake Keylogger
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/52e0b2c4-f603-4350-b93e-a6ff937c749d
Result
Threat name:
Snake Keylogger
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1050076
Signature
.NET source code contains potential unpacker
.NET source code references suspicious native API functions
Adds a directory exclusion to Windows Defender
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
May check the online IP address of the machine
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Mail credentials (via file / registry access)
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected AntiVM3
Yara detected Generic Downloader
Yara detected Snake Keylogger
Yara detected Telegram RAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 682582 Sample: SecuriteInfo.com.W32.AIDete... Startdate: 11/08/2022 Architecture: WINDOWS Score: 100 35 Snort IDS alert for network traffic 2->35 37 Malicious sample detected (through community Yara rule) 2->37 39 Multi AV Scanner detection for dropped file 2->39 41 10 other signatures 2->41 7 SecuriteInfo.com.W32.AIDetectNet.01.19493.exe 7 2->7         started        process3 file4 23 C:\Users\user\AppData\...\xxTVanxzsk.exe, PE32 7->23 dropped 25 C:\Users\...\xxTVanxzsk.exe:Zone.Identifier, ASCII 7->25 dropped 27 C:\Users\user\AppData\Local\...\tmp36C8.tmp, XML 7->27 dropped 29 SecuriteInfo.com.W...et.01.19493.exe.log, ASCII 7->29 dropped 43 May check the online IP address of the machine 7->43 45 Uses schtasks.exe or at.exe to add and modify task schedules 7->45 47 Adds a directory exclusion to Windows Defender 7->47 49 Injects a PE file into a foreign processes 7->49 11 SecuriteInfo.com.W32.AIDetectNet.01.19493.exe 15 2 7->11         started        15 powershell.exe 23 7->15         started        17 schtasks.exe 1 7->17         started        signatures5 process6 dnsIp7 31 checkip.dyndns.com 158.101.44.242, 49749, 80 ORACLE-BMC-31898US United States 11->31 33 checkip.dyndns.org 11->33 51 Tries to steal Mail credentials (via file / registry access) 11->51 53 Tries to harvest and steal ftp login credentials 11->53 55 Tries to harvest and steal browser information (history, passwords, etc) 11->55 19 conhost.exe 15->19         started        21 conhost.exe 17->21         started        signatures8 process9
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/a5dcb351fba849e7723ab851411031f722af525793a0805b611045e68149189b/
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=uxolgup3vbe6o4r2xbiucebr64rk6usxsoqiaw3bcbc6nakjdcnq._file
Verdict:
malicious
Similar samples:
65cdfaf2f1780649028e28012f826da60bc9c2f2c36ea8239a2378a5abcf083f
SnakeKeylogger
6dfcff052e814a7d04a6b6f063f47fb468f2d75cfb99dcc00af5cfcdae0cb9d1
SnakeKeylogger
8e15475dec4c34e76a289e3b1cb867ba701ce6269532ef87bdf6a52ce042beee
SnakeKeylogger
8f97580803df8eb3e32d130be5dea795ec8091af2aa41337c606193242bc7e90
SnakeKeylogger
999077089b1cf34450d1b5aebcd29040131731b327e4d5545707a842ee041162
SnakeKeylogger
a4e2f9a2a5b5922e91915d928edd8088f3faf121c34419b93c3b6dd3dbd0e566
SnakeKeylogger
d264f787515144ee6ea0ff22b472ca4929883131d12e84d5706691270fe60f5c
SnakeKeylogger
dee874f4b08d29f84f63efb0887ddef3ee7e14846b638eb3a416314034141582
SnakeKeylogger
f38ee5e07bb763cd82cec42999e6e975322e387a2c84db981a01c0273bf8aa80
SnakeKeylogger
fb3a91a50d13151bcf7521ff3f8dc8a1ebfbbd737231660f5f07e29d4bf387b5
SnakeKeylogger
+ 5'817 additional samples on MalwareBazaar
Result
Malware family:
snakekeylogger
Create hunting rule
Score:
  10/10
Tags:
family:snakekeylogger collection keylogger spyware stealer
Link:
https://tria.ge/reports/220811-tcszyshcaq/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Enumerates physical storage devices
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Looks up external IP address via web service
Checks computer location settings
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Snake Keylogger
Snake Keylogger payload
Unpacked files
SH256 hash:
e9f9e942d9eb1b8e7f90c883574e694d23133d348d0272238c5d906ac1bd8151
MD5 hash:
984b4a41ad9272dc66617e909b9db9d7
SHA1 hash:
d6e65d5b79e0a13cc2eefa41ec7f5188991f65fd
Link:
https://www.unpac.me/results/60addd4a-7cb1-4a52-833d-6a189648070f/
SH256 hash:
18eb60c0eb3e1c610526d9f4b42684ac36a2ebb521514a8770dca2f2afd7f471
MD5 hash:
7ca239778f9f46d28b08876564dba525
SHA1 hash:
973b0d0d98a83b7dfcf1bfce04a179b0f070b98c
Link:
https://www.unpac.me/results/60addd4a-7cb1-4a52-833d-6a189648070f/
SH256 hash:
85799148d4c25051b6cb369a3621750f64561d4e1560c422c7dc2b503bc0687a
MD5 hash:
27bc7b2d9d9e6f1548c647718874af65
SHA1 hash:
92aa814a91e0839dec746f546d794b4264cbed06
Link:
https://www.unpac.me/results/60addd4a-7cb1-4a52-833d-6a189648070f/
SH256 hash:
753698c5f1176544f0e065e3d4e78d26626d87251e5d130afaede1e7973b5779
MD5 hash:
0ff800cf39097d9c5b00f40bb946f554
SHA1 hash:
335ff029216df9b857b3b4e9d687d5e437419478
Link:
https://www.unpac.me/results/60addd4a-7cb1-4a52-833d-6a189648070f/
SH256 hash:
9b4aee132a0228378d66a57fda3a2030952309ef74cf2db724ac916b04d8c034
MD5 hash:
93c6391d23c1aa1ed66fb13f82f2ee31
SHA1 hash:
220098c3047c32b51ae13a5cc1e9beeef3da6e18
Link:
https://www.unpac.me/results/60addd4a-7cb1-4a52-833d-6a189648070f/
SH256 hash:
a5dcb351fba849e7723ab851411031f722af525793a0805b611045e68149189b
MD5 hash:
f6c4902b5c81d68bffcb13259441778a
SHA1 hash:
dd1f0147223623b193c33a2c0610540418eb506a
Link:
https://www.unpac.me/results/60addd4a-7cb1-4a52-833d-6a189648070f/
Malware family:
SnakeKeylogger
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/a5dcb351fba8/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/a5dcb351fba849e7723ab851411031f722af525793a0805b611045e68149189b

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

SnakeKeylogger

Executable exe a5dcb351fba849e7723ab851411031f722af525793a0805b611045e68149189b

(this sample)

Cape
Cape
https://www.capesandbox.com/analysis/298048/
  
URLhaus
https://urlhaus.abuse.ch/url/2271653/
  
Delivery method
Distributed via web download

Comments