MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 a687f886d7cc57cd8b131e2c0d07b472ba24844225417e64c57267c0117f5b46. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


SnakeKeylogger


Vendor detections: 16


Intelligence 16 IOCs YARA 13 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: a687f886d7cc57cd8b131e2c0d07b472ba24844225417e64c57267c0117f5b46
SHA3-384 hash: abbf29e400ed71b2a854dcb41f02504ff947104d5868831a176fd2dfdf3b1bf3d7d9f964e6a3ee5167ebb3e32a582c8b
SHA1 hash: 440cdc2bc2fa44d143ea773e170fc241aec116f8
MD5 hash: 5c2cb86288cc8daa244dd600f3a930e6
humanhash: thirteen-iowa-chicken-india
File name:orden de compra.pdf.exe
Download: download sample
Signature SnakeKeylogger
Create hunting rule
File size:741'888 bytes
First seen:2023-05-05 11:21:11 UTC
Last seen:2023-05-13 22:54:29 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'744 x AgentTesla, 19'611 x Formbook, 12'242 x SnakeKeylogger)
ssdeep 12288:8bkcdXHwni4IyS+nAx75uyTjxK+SKH6ELruOSOxCIToq6eIb2lcU4lMRLx:8bJNwLnetuINK+J2YCIkqzG4x
Threatray 5'073 similar samples on MalwareBazaar
TLSH T13DF4016710B68390E02F8BB07969FD6427B732DBEDD6AE35072A69C54E49B113C8C14F
TrID 71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.2% (.EXE) Win64 Executable (generic) (10523/12/4)
6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.3% (.EXE) Win32 Executable (generic) (4505/5/1)
2.0% (.ICL) Windows Icons Library (generic) (2059/9)
Reporter abuse_ch
Tags:ESP exe geo SnakeKeylogger

Intelligence

File Origin
# of uploads :
2
# of downloads :
219
Origin country :
NL NL
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
orden de compra.pdf.exe
Verdict:
Malicious activity
Analysis date:
2023-05-05 11:27:06 UTC
Tags:
snake keylogger trojan evasion
Link:
https://app.any.run/tasks/c8b17e0d-4b0e-4398-9278-006fe095af17

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Snake
Create hunting rule
Link:
https://www.capesandbox.com/analysis/386783/
Detection(s):
SecuriteInfo.com.Trojan.GenericKDZ.99250.29933.11423.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Creating a window
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
formbook packed
Link:
https://www.filescan.io/uploads/6454e6dca0e44899e3102b2a/reports/e8d651a8-0ed8-4b7c-a656-6b6b475d9873/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_100%
Link:
https://www.hybrid-analysis.com/sample/a687f886d7cc57cd8b131e2c0d07b472ba24844225417e64c57267c0117f5b46
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Snake Keylogger
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/1c1a01c3-ddf5-443e-bb93-407627a53dd1
Result
Threat name:
Snake Keylogger, StormKitty
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1227288
Signature
.NET source code contains potential unpacker
Found malware configuration
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
May check the online IP address of the machine
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Uses an obfuscated file name to hide its real file extension (double extension)
Uses the Telegram API (likely for C&C communication)
Yara detected Generic Downloader
Yara detected Snake Keylogger
Yara detected StormKitty Stealer
Yara detected Telegram RAT
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/a687f886d7cc57cd8b131e2c0d07b472ba24844225417e64c57267c0117f5b46/
Threat name:
ByteCode-MSIL.Trojan.Pwsx
Create hunting rule
Status:
Malicious
First seen:
2023-05-05 11:22:08 UTC
File Type:
PE (.Net Exe)
Extracted files:
10
AV detection:
15 of 37 (40.54%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=u2d7rbwxzrl43cytdywa2b5uok5cjbccevax4zgfojt4ael7lnda._file
Verdict:
malicious
Similar samples:
1404d60fc92ad4f5e3059a37a50bc70803f25404635f969333b4618b891e64bb
SnakeKeylogger
29a028df9898f4d21557863d584879c54b759de951022a419cb4b2b6b40a87bf
SnakeKeylogger
351c0e2125e4a520bbe97ba66e4596f6a95fe1f52e2fafb7baef5cc0034aeb19
SnakeKeylogger
886a8581f310f5d4244c1f263a9e2bbc2d759bcc8078351990bf7ab2f1c1e717
SnakeKeylogger
88725bfd871070e2e66b0b37295aff45eca79d8063dedf85973f8774210f2e71
SnakeKeylogger
99628c0b82d5d6794b69800b25902a475fafd4676d50ccefbb93682c7e090f9a
SnakeKeylogger
9cf00726354c301f618cbec84d26ff15c79ef3e488082c64add590eaf3cc007b
SnakeKeylogger
a664143868ba14df65aac079d2039c105c2450ae12d0cbc8b0ba75ce931f734e
SnakeKeylogger
dce7af2c2162f2fa2be0ca63706446e0b3c4bebdf1ae8791f22cb76ca7aa375c
SnakeKeylogger
e3d6bf1ce9fea9bd1248afa6e927a1d763a3e0e899be2f0c0c77d12de4870654
SnakeKeylogger
+ 5'063 additional samples on MalwareBazaar
Result
Malware family:
stormkitty
Create hunting rule
Score:
  10/10
Tags:
family:snakekeylogger family:stormkitty collection keylogger spyware stealer
Link:
https://tria.ge/reports/230505-ngklgshg34/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Looks up external IP address via web service
Reads user/profile data of web browsers
Snake Keylogger
Snake Keylogger payload
StormKitty
StormKitty payload
Malware Config
C2 Extraction:
https://api.telegram.org/bot6211421153:AAHeRHp_sRbnZsNC_iCcj1JzI0_X_zXJLFA/sendMessage?chat_id=2126102657
Unpacked files
SH256 hash:
21f0154b51a09767f94922b81f5fcd15cf4a6390ab7314e40d0e17b2dcdfe6ba
MD5 hash:
c926563698de3a89ad20474c85122f73
SHA1 hash:
ed1a3b2527ace111e6f39880c7ee3965f301330d
Link:
https://www.unpac.me/results/2a54887f-a272-4925-8105-b17c287bde8f/
SH256 hash:
280001013946838a651abbdee890fa4a4d49c382b7b5e78b7805caef036304e2
MD5 hash:
d4b6893a5512534104c6c7403be60897
SHA1 hash:
d4b51c3e4cafb3b146435a4e2e21bb5ddf15956d
Link:
https://www.unpac.me/results/2a54887f-a272-4925-8105-b17c287bde8f/
SH256 hash:
1a6c5c9b7ec8b762c544bbec0089d8ad742d82b350ed5bcbc117c04a3a53dd8a
MD5 hash:
1b829038c27fdc634b8782279a384678
SHA1 hash:
c26d409c07e32a350f73c39796d99a604b0d0393
Detections:
snake_keylogger
Create hunting rule
Link:
https://www.unpac.me/results/2a54887f-a272-4925-8105-b17c287bde8f/
Parent samples :
a687f886d7cc57cd8b131e2c0d07b472ba24844225417e64c57267c0117f5b46
b050f56ceec41d0c409065b66cf598cbaf75a565afab1b47552624e085a3a9c4
ec5a5103e89195cb445c89737a73996d34374ea0a99ddbfb0165b70b645dc414
0f58f85ab0efa3f0bfc29e709be86ffae888cbec851e761bacb3303ab74a29ef
SH256 hash:
e8927ae7d65ac4c3b8691d0504400d8d521f12b9eaf1d0e8f8fb483d7aec5919
MD5 hash:
fee08b9356f192983dd7f0b5853b2502
SHA1 hash:
9ea87e55d19186b7f266391a4385b8f0acec7760
Link:
https://www.unpac.me/results/2a54887f-a272-4925-8105-b17c287bde8f/
SH256 hash:
fc52612527b13568ec81df1e70a308b13445d74c1306d747345e338e68b8b10e
MD5 hash:
b5245aa99e52ed961f830d0aecfcc160
SHA1 hash:
2d61e096f3bba6ff6a732f69a0afac31d671a024
Link:
https://www.unpac.me/results/2a54887f-a272-4925-8105-b17c287bde8f/
SH256 hash:
a687f886d7cc57cd8b131e2c0d07b472ba24844225417e64c57267c0117f5b46
MD5 hash:
5c2cb86288cc8daa244dd600f3a930e6
SHA1 hash:
440cdc2bc2fa44d143ea773e170fc241aec116f8
Link:
https://www.unpac.me/results/2a54887f-a272-4925-8105-b17c287bde8f/
Malware family:
SnakeKeylogger
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/a687f886d7cc/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Password Stealer
Score:
0.90
Link:
https://yomi.yoroi.company/submissions/a687f886d7cc57cd8b131e2c0d07b472ba24844225417e64c57267c0117f5b46

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:BitcoinAddress
Create hunting rule
Author:Didier Stevens (@DidierStevens)
Description:Contains a valid Bitcoin address
Rule name:INDICATOR_SUSPICIOUS_Binary_References_Browsers
Create hunting rule
Author:ditekSHen
Description:Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers.
Rule name:INDICATOR_SUSPICIOUS_EXE_DotNetProcHook
Create hunting rule
Author:ditekSHen
Description:Detects executables with potential process hoocking
Rule name:INDICATOR_SUSPICIOUS_EXE_References_Confidential_Data_Store
Create hunting rule
Author:ditekSHen
Description:Detects executables referencing many confidential data stores found in browsers, mail clients, cryptocurreny wallets, etc. Observed in information stealers
Rule name:INDICATOR_SUSPICIOUS_EXE_References_Messaging_Clients
Create hunting rule
Author:ditekSHen
Description:Detects executables referencing many email and collaboration clients. Observed in information stealers
Rule name:INDICATOR_SUSPICIOUS_EXE_TelegramChatBot
Create hunting rule
Author:ditekSHen
Description:Detects executables using Telegram Chat Bot
Rule name:MALWARE_Win_SnakeKeylogger
Create hunting rule
Author:ditekSHen
Description:Detects Snake Keylogger
Rule name:MAL_Envrial_Jan18_1
Create hunting rule
Author:Florian Roth (Nextron Systems)
Description:Detects Encrial credential stealer malware
Reference:https://twitter.com/malwrhunterteam/status/953313514629853184
Rule name:MAL_Envrial_Jan18_1_RID2D8C
Create hunting rule
Author:Florian Roth
Description:Detects Encrial credential stealer malware
Reference:https://twitter.com/malwrhunterteam/status/953313514629853184
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash
Rule name:SUSP_EXE_in_ISO
Create hunting rule
Author:SECUINFRA Falcon Team
Description:Detects ISO files that contains an Exe file. Does not need to be malicious
Reference:Internal Research

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

SnakeKeylogger

Executable exe a687f886d7cc57cd8b131e2c0d07b472ba24844225417e64c57267c0117f5b46

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/386783/

Comments