MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 a7d7859163969822019913ebc4c52ab50574d2ba6c6a8137ee023de0c746372c. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

SnakeKeylogger

Vendor detections: 12

Intelligence 12 IOCs YARA 10 File information Comments

SHA256 hash:	a7d7859163969822019913ebc4c52ab50574d2ba6c6a8137ee023de0c746372c
SHA3-384 hash:	0d0458f1cabf87fe88b0aee4800b5b7ac6f460108b8d34ed0ade64aec5fb3db6c3d9e4e212d394b5deda332445430d56
SHA1 hash:	9094d3ca8da6ab2bfe5d1746f0bcc5d6a65f8724
MD5 hash:	55651e819cdd4357f86979c170e17239
humanhash:	comet-zebra-oven-papa
File name:	RFQ.exe
Download:	download sample
Signature	SnakeKeylogger Create hunting rule
File size:	664'064 bytes
First seen:	2021-08-11 06:05:54 UTC
Last seen:	2021-08-11 07:11:14 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep	12288:C2T/BBYNPP4V4FR/PLJ1g+Pb7NBr1C3c64FMJx6pSO8nZGgNsx7I5kY:C2T8/J1RPVBM
Threatray	660 similar samples on MalwareBazaar
TLSH	T14CE46D3439FE901AF173EFB99AE475E69A6FB6733703A45D205103870A23A81DD8153E
Reporter	GovCERT_CH
Tags:	exe SnakeKeylogger

Intelligence

File Origin

# of uploads :

# of downloads :

116

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

RFQ.exe

Verdict:

Malicious activity

Analysis date:

2021-08-11 06:10:08 UTC

Tags:

n/a

Link:

https://app.any.run/tasks/8a668ae0-8e96-43b1-851b-d534482d192e

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

Snake

Link:

https://www.capesandbox.com/analysis/178099/

Detection(s):

SecuriteInfo.com.Trojan.PackedNET.811.28536.25766.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Unauthorized injection to a recently created process

Creating a file

DNS request

Connection attempt

Sending an HTTP GET request

Sending a custom TCP request

Reading critical registry keys

Creating a window

Sending a UDP request

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Snake Keylogger

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/30fc3bfe-da38-4c4b-9229-d41e21f02a16

Result

Threat name:

Snake Keylogger Telegram RAT

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/830631

Signature

.NET source code references suspicious native API functions

Found malware configuration

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

May check the online IP address of the machine

Multi AV Scanner detection for submitted file

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to steal Mail credentials (via file access)

Yara detected Snake Keylogger

Yara detected Telegram RAT

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/a7d7859163969822019913ebc4c52ab50574d2ba6c6a8137ee023de0c746372c/

Threat name:

ByteCode-MSIL.Trojan.AgentTesla

Status:

Malicious

First seen:

2021-08-10 15:12:19 UTC

AV detection:

21 of 28 (75.00%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=u7lylelds2mceamzcpv4jrjkwucxjuv2nrvicn7oai66br2gg4wa._file

Verdict:

malicious

SnakeKeylogger

578aa3607cb34fde024d099b916e61c0a767d952312a2e8c9276f3167a65ad14

SnakeKeylogger

5c76aef388b4a8cdd706e882c0e441389c8730c36d17450d80e566d81095cac0

SnakeKeylogger

69950e3903237ab9d6441a23af192268cf49da8e1034f77990833a60738090a6

SnakeKeylogger

b0cc2b05abaf593a784bb9d83cd0a61bf5b218605f61dba802df21c8ea54c7c6

SnakeKeylogger

b5e1daebfb2aa234328dc9776a1ecc77dd2726a7709c353c0265d8b1f4803f1c

SnakeKeylogger

b9acd58a25a9493713c0b5a3be62db4338de550aad1b23054d4be3de0c1b0c46

SnakeKeylogger

c4e1ba047b2fa0d07de6a124e882025489d5ff95e2a2cef31c4526199636f3cd

SnakeKeylogger

dc5458e66a8c76f55a5f490f5c9d12ea6e92a67c6ed74dbe40ca066a149d1659

SnakeKeylogger

e0c5194ec5dd17f0a5f77c156e99deafdee0c6e25b5c54c4bedc7bc5420f3a1d

SnakeKeylogger

+ 650 additional samples on MalwareBazaar

Result

Malware family:

snakekeylogger

Score:

10/10

Tags:

family:snakekeylogger keylogger spyware stealer

Link:

https://tria.ge/reports/210811-73wqaetkrj/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Program crash

Suspicious use of SetThreadContext

Looks up external IP address via web service

Reads data files stored by FTP clients

Reads user/profile data of local email clients

Reads user/profile data of web browsers

Snake Keylogger

Unpacked files

SH256 hash:

97024f17003dd3d31dab64c4d1b8251e50d428644eb59ed3692ad79ce42019cf

MD5 hash:

8cd28be4bd9a1404c6d3600db32b3ed1

SHA1 hash:

fb90b0ca51118e771390d58b19d0a404ee14cfbc

Link:

https://www.unpac.me/results/5f62fc6f-d6f9-42ab-89ed-c3bde5bc719d/

SH256 hash:

ba3cb9c4bf370fb8297661a006149b3c20941896fd6b9531359d09eba250321f

MD5 hash:

9b8d2c4407c2cddb91040bd5745295c9

SHA1 hash:

a788e0ea4668b05ea3059d3590c878db05027049

Link:

https://www.unpac.me/results/5f62fc6f-d6f9-42ab-89ed-c3bde5bc719d/

SH256 hash:

a9aa71be0fd668f23f7ca03289aefefe2081bbfa2239fec7273f37a0a1ed5a1f

MD5 hash:

ccfe7b4ceb632f94ab29f250a19fb93c

SHA1 hash:

576e06b8ef92b3aa41c4a364c102eb1d9d584225

Link:

https://www.unpac.me/results/5f62fc6f-d6f9-42ab-89ed-c3bde5bc719d/

SH256 hash:

a7d7859163969822019913ebc4c52ab50574d2ba6c6a8137ee023de0c746372c

MD5 hash:

55651e819cdd4357f86979c170e17239

SHA1 hash:

9094d3ca8da6ab2bfe5d1746f0bcc5d6a65f8724

Link:

https://www.unpac.me/results/5f62fc6f-d6f9-42ab-89ed-c3bde5bc719d/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

iSpy Keylogger

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/a7d7859163969822019913ebc4c52ab50574d2ba6c6a8137ee023de0c746372c

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	INDICATOR_SUSPICIOUS_Binary_References_Browsers Create hunting rule
Author:	ditekSHen
Description:	Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers.

Rule name:	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook Create hunting rule
Author:	ditekSHen
Description:	Detects executables with potential process hoocking

Rule name:	INDICATOR_SUSPICIOUS_EXE_Referenfces_Messaging_Clients Create hunting rule
Author:	ditekSHen
Description:	Detects executables referencing many email and collaboration clients. Observed in information stealers

Rule name:	INDICATOR_SUSPICIOUS_EXE_TelegramChatBot Create hunting rule
Author:	ditekSHen
Description:	Detects executables using Telegram Chat Bot

Rule name:	MALWARE_Win_SnakeKeylogger Create hunting rule
Author:	ditekSHen
Description:	Detects Snake Keylogger

Rule name:	MAL_Envrial_Jan18_1 Create hunting rule
Author:	Florian Roth
Description:	Detects Encrial credential stealer malware
Reference:	https://twitter.com/malwrhunterteam/status/953313514629853184

Rule name:	pe_imphash Create hunting rule

Rule name:	pe_imphash Create hunting rule

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

Rule name:	Telegram_Exfiltration_Via_Api Create hunting rule
Author:	lsepaolo

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

SnakeKeylogger

exe a7d7859163969822019913ebc4c52ab50574d2ba6c6a8137ee023de0c746372c

(this sample)

Dropped by

null

Delivery method

Distributed via e-mail attachment

Cape

https://www.capesandbox.com/analysis/178099/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample