MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 a6beb68fd213bbdcb92da099d86ac4f913cba2c024dd8ea983d35f8f85bf5f53. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

SnakeKeylogger

Vendor detections: 13

Intelligence 13 IOCs YARA 11 File information Comments

SHA256 hash:	a6beb68fd213bbdcb92da099d86ac4f913cba2c024dd8ea983d35f8f85bf5f53
SHA3-384 hash:	b6533975e9422d42660b11af4d0421be8323c355b73adb66f780ea12dc06f35f92489fa918f184ba74ae59f011f1a38f
SHA1 hash:	628bf7c473edac4a0786185c4992cd92263e19f0
MD5 hash:	3712dbfae357fa47ef56b4fa061c0910
humanhash:	may-carpet-indigo-queen
File name:	NEW P.O3421280.exe
Download:	download sample
Signature	SnakeKeylogger Create hunting rule
File size:	480'256 bytes
First seen:	2021-10-12 17:39:10 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'742 x AgentTesla, 19'607 x Formbook, 12'242 x SnakeKeylogger)
ssdeep	12288:NZSBaJ50xinr/UC6fkBigN8aBUhnOGjHd6R5iX6:WBa+k/UC6ibEd6RoX
Threatray	1'361 similar samples on MalwareBazaar
TLSH	T106A4134572E41701EAF67BFAAC685B6417B4742B3922FB0C0FD910EE3A43B51D252B27
Reporter	abuse_ch
Tags:	exe SnakeKeylogger

Intelligence

File Origin

# of uploads :

# of downloads :

111

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

NEW P.O3421280.exe

Verdict:

Malicious activity

Analysis date:

2021-10-12 17:52:28 UTC

Tags:

evasion trojan snakekeylogger keylogger

Link:

https://app.any.run/tasks/e791b253-5e6b-44a7-9c1b-3a11d079cab9

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

Snake

Link:

https://www.capesandbox.com/analysis/197011/

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

Launching a process

Creating a file in the %temp% directory

Delayed writing of the file

Verdict:

Suspicious

Threat level:

5/10

Confidence:

100%

Tags:

obfuscated packed

Link:

https://www.filescan.io/uploads/6165c8761c2d58ba74037950/reports/f0e28767-6e95-492a-8462-a11608ec071f/overview

Result

Verdict:

UNKNOWN

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Snake Keylogger

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/434fd4da-fee9-4a47-b051-bb8b486f61fc

Result

Threat name:

Snake Keylogger

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/868934

Signature

.NET source code contains potential unpacker

.NET source code references suspicious native API functions

Found malware configuration

Injects a PE file into a foreign processes

Malicious sample detected (through community Yara rule)

May check the online IP address of the machine

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to steal Mail credentials (via file access)

Yara detected AntiVM3

Yara detected Snake Keylogger

Yara detected Telegram RAT

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/a6beb68fd213bbdcb92da099d86ac4f913cba2c024dd8ea983d35f8f85bf5f53/

Threat name:

ByteCode-MSIL.Trojan.Pwsx

Status:

Malicious

First seen:

2021-10-12 17:42:22 UTC

AV detection:

11 of 27 (40.74%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=u27lnd6sco55zojnucm5q2we7ej4xiwaetoy5kmd2npy7bn7l5jq._file

Verdict:

malicious

SnakeKeylogger

252225cfd4ec7a7b61e5138d1587a4a212909f596004b8a157fe9f0ed4c6496b

SnakeKeylogger

3776aaf0ca18645e4e245513a4aa3279cb6240221dac7f2401b63e8fba00ffbf

SnakeKeylogger

66031e4ff03fc8ec6928197fd807124ae2128324865b792ae1be3297a01d7fbd

SnakeKeylogger

726e779529f34143e4d094f0252f3c6e04547d062970d26c0cb553c57c98b1ed

SnakeKeylogger

9ff44ba44707bbdda0a858a2d0c11725b146fb4671ed91295ce2e0a3ac8b175c

SnakeKeylogger

c69aa221ec1df4acc67aac0fd7a1e7dcefa181f496b21839576343fd7fa8fb8d

SnakeKeylogger

d33dac65118a88b15580c028deba8f4ecc95ff7d0a316259612264a0b6e06d11

SnakeKeylogger

d57a5e8835ba746d89d2c4ecc9f904793b485c6affc1b9901486c84eb88f4e1e

SnakeKeylogger

f4b1855071cbbcebd0d229e5a22c8935b9dd4011f3c1166a0a98bd868db6ceae

SnakeKeylogger

+ 1'351 additional samples on MalwareBazaar

Result

Malware family:

snakekeylogger

Score:

10/10

Tags:

family:snakekeylogger collection keylogger spyware stealer

Link:

https://tria.ge/reports/211012-v8vn4acha5/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

outlook_office_path

outlook_win_path

Suspicious use of SetThreadContext

Accesses Microsoft Outlook profiles

Looks up external IP address via web service

Reads data files stored by FTP clients

Reads user/profile data of local email clients

Reads user/profile data of web browsers

Snake Keylogger

Unpacked files

SH256 hash:

29f7d6ea06b162f3958d90e90f4dca764d61c4a59345014cc82580e6dece68ad

MD5 hash:

22db181b3bb1a0b3ad0fc8226d0482ab

SHA1 hash:

ffa90d1b4a472a3421385ac34b8cda3e71163c49

Link:

https://www.unpac.me/results/5f6a1ea4-c06f-4178-aa1c-89bf5d9e2c55/

SH256 hash:

859bcf3d3641ad78a3c047c490acf509d9a1ea498f7f63e6e8b059a32f2bce9e

MD5 hash:

77deae88dc3a54e68c2dba593e968424

SHA1 hash:

2cefe4a1c45a41474fab727f509ab2db1e49dca6

Link:

https://www.unpac.me/results/5f6a1ea4-c06f-4178-aa1c-89bf5d9e2c55/

SH256 hash:

eda4d687b865aed0078ab87078de7d9722888b2d2af71c6fc0dcdc986ffb7567

MD5 hash:

12cf5402be16590c300b442a66e9ebc1

SHA1 hash:

0ea28394d301ca1ce840f039d2da62a5ce6d9334

Link:

https://www.unpac.me/results/5f6a1ea4-c06f-4178-aa1c-89bf5d9e2c55/

SH256 hash:

a6beb68fd213bbdcb92da099d86ac4f913cba2c024dd8ea983d35f8f85bf5f53

MD5 hash:

3712dbfae357fa47ef56b4fa061c0910

SHA1 hash:

628bf7c473edac4a0786185c4992cd92263e19f0

Link:

https://www.unpac.me/results/5f6a1ea4-c06f-4178-aa1c-89bf5d9e2c55/

Malware family:

Phoenix

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/a6beb68fd213/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Suspicious File

Score:

0.65

Link:

https://yomi.yoroi.company/submissions/a6beb68fd213bbdcb92da099d86ac4f913cba2c024dd8ea983d35f8f85bf5f53

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	INDICATOR_SUSPICIOUS_Binary_References_Browsers Create hunting rule
Author:	ditekSHen
Description:	Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers.

Rule name:	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook Create hunting rule
Author:	ditekSHen
Description:	Detects executables with potential process hoocking

Rule name:	INDICATOR_SUSPICIOUS_EXE_Referenfces_Messaging_Clients Create hunting rule
Author:	ditekSHen
Description:	Detects executables referencing many email and collaboration clients. Observed in information stealers

Rule name:	INDICATOR_SUSPICIOUS_EXE_TelegramChatBot Create hunting rule
Author:	ditekSHen
Description:	Detects executables using Telegram Chat Bot

Rule name:	MALWARE_Win_SnakeKeylogger Create hunting rule
Author:	ditekSHen
Description:	Detects Snake Keylogger

Rule name:	MAL_Envrial_Jan18_1 Create hunting rule
Author:	Florian Roth
Description:	Detects Encrial credential stealer malware
Reference:	https://twitter.com/malwrhunterteam/status/953313514629853184

Rule name:	MAL_Envrial_Jan18_1_RID2D8C Create hunting rule
Author:	Florian Roth
Description:	Detects Encrial credential stealer malware
Reference:	https://twitter.com/malwrhunterteam/status/953313514629853184

Rule name:	pe_imphash Create hunting rule

Rule name:	pe_imphash Create hunting rule

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

Rule name:	Telegram_Exfiltration_Via_Api Create hunting rule
Author:	lsepaolo

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/197011/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample