MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 a6a941ea3495f88aafd18a5feaa9fee285912255a2ae6556c090a6321f7feefb. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

SnakeKeylogger

Vendor detections: 11

Intelligence 11 IOCs YARA 3 File information Comments

SHA256 hash:	a6a941ea3495f88aafd18a5feaa9fee285912255a2ae6556c090a6321f7feefb
SHA3-384 hash:	93814fd420d4bbea4b72c181e49b8735f15379502075eb187a3cc74a21753db78cccd3b3bbb1e9a15c6595dfdb38415c
SHA1 hash:	e367050dc6f8eb61b1b18f4bd7ac376b05c85404
MD5 hash:	94479278aa85e2fbb5bb01078cd0b1f9
humanhash:	lemon-white-helium-pluto
File name:	Acc Invoice.exe
Download:	download sample
Signature	SnakeKeylogger Create hunting rule
File size:	665'088 bytes
First seen:	2023-08-31 05:40:07 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'661 x AgentTesla, 19'474 x Formbook, 12'208 x SnakeKeylogger)
ssdeep	12288:kufOZ16VTQ1j9T9RG6q9srDdim9mQ3UInfvho3HlvEfmKd:bWZket9T95+sNF3Zm3Hlum
Threatray	314 similar samples on MalwareBazaar
TLSH	T122E4121891BD5713E87593FEA060A30403B26755A331E28D2CF9A1D7EE36F468EE5B13
TrID	69.7% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13) 10.0% (.EXE) Win64 Executable (generic) (10523/12/4) 6.2% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 4.2% (.EXE) Win32 Executable (generic) (4505/5/1) 1.9% (.EXE) Win16/32 Executable Delphi generic (2072/23)
Reporter	abuse_ch
Tags:	exe SnakeKeylogger

Intelligence

File Origin

# of uploads :

# of downloads :

283

Origin country :

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

Acc Invoice.exe

Verdict:

Malicious activity

Analysis date:

2023-08-31 05:44:22 UTC

Tags:

evasion snake keylogger

Link:

https://app.any.run/tasks/049bcd2f-ede0-496b-a3a9-800adb2bd1ba

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/445409/

Detection(s):

Porcupine.Malware.58887.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Searching for the window

Creating a window

Unauthorized injection to a recently created process

Restart of the analyzed sample

Creating a file

Сreating synchronization primitives

DNS request

Sending an HTTP GET request

Reading critical registry keys

Moving of the original file

Forced shutdown of a browser

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

masquerade packed

Link:

https://www.filescan.io/uploads/64f027f07444d2eb09f3da90/reports/9c80b244-fb46-4f8f-9f06-9b2ffd54d343/overview

Verdict:

Malicious

Labled as:

Win/malicious_confidence_90%

Link:

https://www.hybrid-analysis.com/sample/a6a941ea3495f88aafd18a5feaa9fee285912255a2ae6556c090a6321f7feefb

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Verdict:

Unknown

Link:

https://analyze.intezer.com/analyses/ae9f7e16-0c1d-4744-af16-e9d0b1649f93

Result

Threat name:

AgentTesla, Snake Keylogger

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1300818

Signature

.NET source code contains potential unpacker

Antivirus / Scanner detection for submitted sample

Initial sample is a PE file and has a suspicious name

Injects a PE file into a foreign processes

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

May check the online IP address of the machine

Moves itself to temp directory

Multi AV Scanner detection for submitted file

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Mail credentials (via file / registry access)

Yara detected AgentTesla

Yara detected AntiVM3

Yara detected Beds Obfuscator

Yara detected Generic Downloader

Yara detected Snake Keylogger

Yara detected Telegram RAT

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/a6a941ea3495f88aafd18a5feaa9fee285912255a2ae6556c090a6321f7feefb/

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=u2uud2rusx4ivl6rrjp6vkp64kczcisvukxgkvwasctdeh37535q._file

Verdict:

malicious

SnakeKeylogger

0763c342c24ead7900fdc994102dd981fd66e0097bef7db0e665b791b24d00e0

SnakeKeylogger

126e048eed0b55d00c200460122394c059ad7e7fda97b0d52a97d478aa7b0998

SnakeKeylogger

1cbbc6347de33202780fa7897a7000328101978b7cdcf35a1135f59e48733bf7

SnakeKeylogger

2ea94454b1acb888df318792b9a81e621b95e54619d3306a4a11e26148fb3fe3

SnakeKeylogger

38c60a6428742188581a765d31ddd4f6e91869c4b1f11ffcfdbf01fa6226f1f1

SnakeKeylogger

503599b3a2d298fa796e77097522ddb79245d65a95099890dda26a73ea273ac4

SnakeKeylogger

a9ab4e13cdbebfec5197adfb01e69c3e1452c2dcc693bc366b082ef63cd5e3aa

SnakeKeylogger

c0cdbf1f06967ed21beeac44d82b6fa168ec433ee130c042c6ffaf16029d9003

SnakeKeylogger

e266f399bd4ae4bf061be020eb3b3cffd0a1a3621ff7985a200b9ead765f1238

SnakeKeylogger

+ 304 additional samples on MalwareBazaar

Result

Malware family:

n/a

Score:

7/10

Tags:

collection spyware stealer

Link:

https://tria.ge/reports/230831-gdfd2adc99/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: RenamesItself

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

outlook_office_path

outlook_win_path

Suspicious use of SetThreadContext

Accesses Microsoft Outlook profiles

Looks up external IP address via web service

Reads user/profile data of local email clients

Reads user/profile data of web browsers

Unpacked files

SH256 hash:

1adc2ce9d4977bd97751000ecb2b9732ed0b80d9e80c36dd3cfd0ce6997f29f2

MD5 hash:

c5821c55f29bf21a218de21499c6cd64

SHA1 hash:

f979164b0a1f11d0714a5fe33994b0145403f07c

Link:

https://www.unpac.me/results/706f1e73-d47e-43b8-87de-15ee9a14c48e/

SH256 hash:

c094444932babf732e788625413d66665af54fa789015decb7e2da3d3ab25dc3

MD5 hash:

49204dbac9267797c9f6679a4bac06ec

SHA1 hash:

5590f19a53f6e6a88d14adfbc83ea1cd7ae002c7

Link:

https://www.unpac.me/results/706f1e73-d47e-43b8-87de-15ee9a14c48e/

SH256 hash:

3efe408bfa2533b3d821355ae54b698069f5b3bb4b21894e80da5c161814b188

MD5 hash:

5655a17dc4958e7cee0f5695d9d09fc5

SHA1 hash:

15c24acbcca5e026c5cca8e0f965e654e08bbbcf

Link:

https://www.unpac.me/results/706f1e73-d47e-43b8-87de-15ee9a14c48e/

SH256 hash:

598a766b26fc39c1092e2f20cee1f42df6d6049d618ac5d4d331c646ab6a8b47

MD5 hash:

00c960e10d544bd0961a993c3c6dbbe5

SHA1 hash:

04018db21d1b12800f1bc413b90ccb3264955bcb

Link:

https://www.unpac.me/results/706f1e73-d47e-43b8-87de-15ee9a14c48e/

SH256 hash:

a6a941ea3495f88aafd18a5feaa9fee285912255a2ae6556c090a6321f7feefb

MD5 hash:

94479278aa85e2fbb5bb01078cd0b1f9

SHA1 hash:

e367050dc6f8eb61b1b18f4bd7ac376b05c85404

Link:

https://www.unpac.me/results/706f1e73-d47e-43b8-87de-15ee9a14c48e/

Malware family:

AgentTesla.v3

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/a6a941ea3495/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Password Stealer

Score:

0.90

Link:

https://yomi.yoroi.company/submissions/a6a941ea3495f88aafd18a5feaa9fee285912255a2ae6556c090a6321f7feefb

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	NET Create hunting rule
Author:	malware-lu

Rule name:	pe_imphash Create hunting rule

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

SnakeKeylogger

exe a6a941ea3495f88aafd18a5feaa9fee285912255a2ae6556c090a6321f7feefb

(this sample)

Delivery method

Distributed via e-mail attachment

Cape

https://www.capesandbox.com/analysis/445409/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample