MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 aa1ae5f4ed9446576dbd7af18510705811dd7ce85bd06bc0ed988d65e855b963. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

SnakeKeylogger

Vendor detections: 16

Intelligence 16 IOCs YARA 12 File information Comments

SHA256 hash:	aa1ae5f4ed9446576dbd7af18510705811dd7ce85bd06bc0ed988d65e855b963
SHA3-384 hash:	17f3b027573a89e975225c145ea0d6c0a347c267db6d4670a3e88acf26c97e279f902c9676bf68e00aea0f20bdd9e648
SHA1 hash:	ee6a5a302957fe78b00d4d31d67651f12c4728be
MD5 hash:	11eb5cac6e0b51e22880225b464b1391
humanhash:	sixteen-undress-leopard-wyoming
File name:	INVOICE.exe
Download:	download sample
Signature	SnakeKeylogger Create hunting rule
File size:	284'609 bytes
First seen:	2023-02-13 14:46:33 UTC
Last seen:	2023-02-13 16:35:00 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	61259b55b8912888e90f516ca08dc514 (1'059 x Formbook, 741 x AgentTesla, 427 x GuLoader)
ssdeep	6144:4Ya6KDmzD4J/VRI/WWspbdZxBOOb1xAEYC27wleaW6:4YMWD8N+WWYrxBdb1xrFW6
Threatray	11'305 similar samples on MalwareBazaar
TLSH	T17554120169F08AA7FA52CB720D7C972B6EF9F21588562F5B17508F4DBB67903A30E311
TrID	47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13) 15.9% (.EXE) Win64 Executable (generic) (10523/12/4) 9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 7.6% (.EXE) Win16 NE executable (generic) (5038/12/1) 6.8% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):
dhash icon	f08f898c8e8a8fb0 (37 x SnakeKeylogger, 19 x AgentTesla, 17 x AveMariaRAT)
Reporter	abuse_ch
Tags:	exe SnakeKeylogger

Intelligence

File Origin

# of uploads :

# of downloads :

184

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

INVOICE.exe

Verdict:

Malicious activity

Analysis date:

2023-02-13 14:52:48 UTC

Tags:

evasion trojan snake keylogger

Link:

https://app.any.run/tasks/9faa815b-1d3a-42bb-acc3-54ea0125aa0b

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

Snake

Link:

https://www.capesandbox.com/analysis/365094/

Detection(s):

SecuriteInfo.com.Trojan.NSISX.Spy.Gen.24.26123.15428.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a file in the %temp% directory

Creating a window

Creating a process from a recently created file

Сreating synchronization primitives

DNS request

Sending an HTTP GET request

Reading critical registry keys

Unauthorized injection to a recently created process

Unauthorized injection to a recently created process by context flags manipulation

Forced shutdown of a browser

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

overlay packed shell32.dll

Link:

https://www.filescan.io/uploads/63ea4d6d19bdad834635c12c/reports/5a799d68-2d04-4d91-ae61-043a540677ab/overview

Verdict:

Malicious

Labled as:

Win/malicious_confidence_100%

Link:

https://www.hybrid-analysis.com/sample/aa1ae5f4ed9446576dbd7af18510705811dd7ce85bd06bc0ed988d65e855b963

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Generic Malware

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/e0e07386-32f7-4b4b-a445-4589f5b8b5f5

Result

Threat name:

Snake Keylogger

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1173826

Signature

.NET source code references suspicious native API functions

Contains functionality to detect sleep reduction / modifications

Detected unpacking (changes PE section rights)

Detected unpacking (overwrites its own PE header)

Executable has a suspicious name (potential lure to open the executable)

Found evasive API chain (may stop execution after reading information in the PEB, e.g. number of processors)

Initial sample is a PE file and has a suspicious name

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Maps a DLL or memory area into another process

May check the online IP address of the machine

Multi AV Scanner detection for submitted file

Snort IDS alert for network traffic

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to steal Mail credentials (via file / registry access)

Yara detected Generic Downloader

Yara detected Snake Keylogger

Yara detected Telegram RAT

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/aa1ae5f4ed9446576dbd7af18510705811dd7ce85bd06bc0ed988d65e855b963/

Threat name:

Win32.Trojan.SnakeKeylogger

Status:

Malicious

First seen:

2023-02-13 10:37:02 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

19 of 26 (73.08%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=vinol5hnsrdfo3n5plyykedqlai527hilpigxqhntcgwl2cvxfrq._file

Verdict:

malicious

SnakeKeylogger

25bd23617f88911622b49194f95acd02170df1bc2ec3cfc8c43415c9d7191508

SnakeKeylogger

263b98c749f448d51dd42f4e083ecda3e6701a08d62fa09c4f931685e52c884f

SnakeKeylogger

5e344f707afdedbfb16e731554ca97ff73407546bac845e9342d6932c6fd5a80

SnakeKeylogger

642de5360ff3669d769d18f1372853247895a6d4c0e72a9079869804ace6b15a

SnakeKeylogger

9e6673ec8013e61cf5d5f88cd7b5f937f00c586a1cd41029bb9f204be7f940ab

SnakeKeylogger

bde44d28af8eea00ebb87e8a609fba8ed3e7371dfc1b5b842ef1a2aac4a0819c

SnakeKeylogger

e7bce95f8d0c0afe68c7073eb88a60271388885c07bd9a5abfcace139eec9e9f

SnakeKeylogger

f92f663f8f3a0eb9aa71214253b157153bc4c9b386e4189c00017ec85e9d6913

SnakeKeylogger

+ 11'295 additional samples on MalwareBazaar

Result

Malware family:

snakekeylogger

Score:

10/10

Tags:

family:snakekeylogger collection keylogger spyware stealer

Link:

https://tria.ge/reports/230213-r5wkfadc7z/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: MapViewOfSection

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

outlook_office_path

outlook_win_path

Enumerates physical storage devices

Suspicious use of SetThreadContext

Accesses Microsoft Outlook profiles

Looks up external IP address via web service

Executes dropped EXE

Loads dropped DLL

Reads data files stored by FTP clients

Reads user/profile data of local email clients

Reads user/profile data of web browsers

Snake Keylogger

Snake Keylogger payload

Malware Config

C2 Extraction:

https://api.telegram.org/bot5409930542:AAFxwqGbFuHLkEcoI_Wd5LmyaZ64bak9as0/sendMessage?chat_id=5492983899

Unpacked files

SH256 hash:

31e65fdfcb32fdc13136a332873dd9ca80db803ebd219ce87c86bdca4d213605

MD5 hash:

da6172512c3b57ba2e722031e3ea85f2

SHA1 hash:

e0e3c880f9e231e57c7d7d7a3467697758ab0313

Detections:

snake_keylogger

Link:

https://www.unpac.me/results/89e5b395-96c0-4d53-a68b-9a166d340aa9/

SH256 hash:

6897514151c61188eef196109020bba0b5f53de689144928aea20ab97b9b8a03

MD5 hash:

5e6ecdca36b1e9559d3eb987a8d73f1c

SHA1 hash:

a3a86faa8bf46eebdf0e78a87f93edbd92a4d161

Detections:

snake_keylogger

Link:

https://www.unpac.me/results/89e5b395-96c0-4d53-a68b-9a166d340aa9/

Parent samples :

ce49fe316e00aef70cce1d5430382613692b59d306b9b6253e88ac5c94732b0d
35aeecd77643fc7df90432db30ef248cfba29a9cc98a2c164b3bb4d233974734
f2912bcf7fbc7f4bce35f66e7854bf01835e74a1d5f095595eb59d4dcd7497cf
726fe602b1d9ea227e0835f11d9180d9a7911d52fa5e7fe7dda2700eb38c659e
aa1ae5f4ed9446576dbd7af18510705811dd7ce85bd06bc0ed988d65e855b963
dec5bbf9420596e7e4b387c6331b6009817af7803e20f717ffb55dc313e60645
482f061d6359be2ae8cd7c5ff63fe997ef1dc42d1a286237db8729097647c507
16c366cb47a4b606f2b20a1a1ccb4a8e408c758afbae9b51922667abf9c2b92f
84cc129521b39e0182631b253637efda5e6305b8c484ab76f3a4184e81bbd812
73d18d7b6bd92fa3e85db713d39f932c483c0317607b93a2b31845d4e703a6a2
f20fc83d3adb7cf9f5dbaa5efab44527e0657d88529bc621ec489e37593d510c
64879bdaf4add0db2f52b2cfc4c579b15fa5263601aed7c3aeeb926f0dba1acf

SH256 hash:

14375189b047ba4bb3061e73487fc4bca04bab37b028ebe4951a270836c7680f

MD5 hash:

8e2fe88cefcb314cca2ef57952d2ab76

SHA1 hash:

bcf29d6555579799b4daa055ddf815418c058f8f

Link:

https://www.unpac.me/results/89e5b395-96c0-4d53-a68b-9a166d340aa9/

SH256 hash:

aa1ae5f4ed9446576dbd7af18510705811dd7ce85bd06bc0ed988d65e855b963

MD5 hash:

11eb5cac6e0b51e22880225b464b1391

SHA1 hash:

ee6a5a302957fe78b00d4d31d67651f12c4728be

Link:

https://www.unpac.me/results/89e5b395-96c0-4d53-a68b-9a166d340aa9/

Malware family:

SnakeKeylogger

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/aa1ae5f4ed94/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/aa1ae5f4ed9446576dbd7af18510705811dd7ce85bd06bc0ed988d65e855b963

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	cobalt_strike_tmp01925d3f Create hunting rule
Author:	The DFIR Report
Description:	files - file ~tmp01925d3f.exe
Reference:	https://thedfirreport.com

Rule name:	INDICATOR_SUSPICIOUS_Binary_References_Browsers Create hunting rule
Author:	ditekSHen
Description:	Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers.

Rule name:	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook Create hunting rule
Author:	ditekSHen
Description:	Detects executables with potential process hoocking

Rule name:	INDICATOR_SUSPICIOUS_EXE_References_Messaging_Clients Create hunting rule
Author:	ditekSHen
Description:	Detects executables referencing many email and collaboration clients. Observed in information stealers

Rule name:	INDICATOR_SUSPICIOUS_EXE_TelegramChatBot Create hunting rule
Author:	ditekSHen
Description:	Detects executables using Telegram Chat Bot

Rule name:	MALWARE_Win_SnakeKeylogger Create hunting rule
Author:	ditekSHen
Description:	Detects Snake Keylogger

Rule name:	MAL_Envrial_Jan18_1 Create hunting rule
Author:	Florian Roth (Nextron Systems)
Description:	Detects Encrial credential stealer malware
Reference:	https://twitter.com/malwrhunterteam/status/953313514629853184

Rule name:	MAL_Envrial_Jan18_1_RID2D8C Create hunting rule
Author:	Florian Roth
Description:	Detects Encrial credential stealer malware
Reference:	https://twitter.com/malwrhunterteam/status/953313514629853184

Rule name:	pe_imphash Create hunting rule

Rule name:	shellcode Create hunting rule
Author:	nex
Description:	Matched shellcode byte patterns

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

Rule name:	Windows_Trojan_SnakeKeylogger_af3faa65 Create hunting rule
Author:	Elastic Security

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/365094/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample