MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 abe0a6708bda47a3fad184d79e29e780300ce705aa45f04ee506e055ed50dbb8. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


SnakeKeylogger


Vendor detections: 12


Intelligence 12 IOCs YARA 11 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: abe0a6708bda47a3fad184d79e29e780300ce705aa45f04ee506e055ed50dbb8
SHA3-384 hash: c634d5f7557275157a60d8a117405a03f2e3babbcea37041278efce45e9a8c0d5af1ecb9edee772e8fb93a3200c6e5a0
SHA1 hash: 75d703203a24ff7e6a0f451598837d57304bfa27
MD5 hash: a9236435368f55bbb462fd7d03a832b2
humanhash: cola-oscar-mobile-mexico
File name:RQ039423.PDF.exe
Download: download sample
Signature SnakeKeylogger
Create hunting rule
File size:762'880 bytes
First seen:2023-08-30 05:53:34 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'740 x AgentTesla, 19'600 x Formbook, 12'241 x SnakeKeylogger)
ssdeep 12288:pv953k9WSr3qJlVsLGxQKDx/MDJI/BLHCPtUKSVgVI3ny6iZ7btZIlrcHewyQJ3y:pvnk9RMlV1xQKDx/MDJqBLsUNyC3x+7Z
Threatray 30 similar samples on MalwareBazaar
TLSH T10DF4F11836B85B26E6B983F58434964847F877AA253EF38C4CD274EF2765F420E51B23
TrID 71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.2% (.EXE) Win64 Executable (generic) (10523/12/4)
6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.3% (.EXE) Win32 Executable (generic) (4505/5/1)
2.0% (.ICL) Windows Icons Library (generic) (2059/9)
Reporter abuse_ch
Tags:exe SnakeKeylogger

Intelligence

File Origin
# of uploads :
1
# of downloads :
291
Origin country :
NL NL
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
RQ039423.PDF.exe
Verdict:
Suspicious activity
Analysis date:
2023-08-30 05:56:59 UTC
Tags:
evasion snake keylogger
Link:
https://app.any.run/tasks/c1364e63-59ba-42dc-9c6f-bb9dd6d0be80

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/445194/
Detection(s):
Porcupine.Malware.58887.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a custom TCP request
Launching a process
Creating a file
Сreating synchronization primitives
DNS request
Sending an HTTP GET request
Reading critical registry keys
Forced shutdown of a system process
Unauthorized injection to a system process
Forced shutdown of a browser
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
explorer lolbin masquerade packed
Link:
https://www.filescan.io/uploads/64eed97e1d3a8c6c1217df88/reports/39f08437-4160-4d6a-8e84-a1ebe84ab6a0/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_100%
Link:
https://www.hybrid-analysis.com/sample/abe0a6708bda47a3fad184d79e29e780300ce705aa45f04ee506e055ed50dbb8
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/339ed05c-cfab-46c1-b3ab-e0b411109aba
Result
Threat name:
AgentTesla, Snake Keylogger
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1300129
Signature
.NET source code contains potential unpacker
.NET source code contains very large array initializations
Allocates memory in foreign processes
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Malicious sample detected (through community Yara rule)
May check the online IP address of the machine
Multi AV Scanner detection for submitted file
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Uses an obfuscated file name to hide its real file extension (double extension)
Writes to foreign memory regions
Yara detected AgentTesla
Yara detected Beds Obfuscator
Yara detected Generic Downloader
Yara detected Snake Keylogger
Yara detected Telegram RAT
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/abe0a6708bda47a3fad184d79e29e780300ce705aa45f04ee506e055ed50dbb8/
Threat name:
Win32.Hacktool.Mimikatz
Create hunting rule
Status:
Malicious
First seen:
2023-08-30 04:19:23 UTC
File Type:
PE (.Net Exe)
Extracted files:
15
AV detection:
18 of 37 (48.65%)
Threat level:
  1/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=vpqkm4el3jd2h6wrqtlz4kphqayazzyfvjc7atxfa3qfl3kq3o4a._file
Verdict:
malicious
Similar samples:
4431552eb37f8003df4c66bd640a4951c10317aadb858b42d174f461909b4fb7
SnakeKeylogger
5e451077fb7fef7d63de5d16408ccac22b93e1d57d9ffdb8285c9293ec6232ea
SnakeKeylogger
946c1319c6a08e50e191cc56cac6895bfac47b2e766901a8714251f40a06bdff
SnakeKeylogger
9a2008be914863b763da0fec53a39e995cae4bb95a03aeb634c95ba7a6943522
SnakeKeylogger
a0fef35dfcd0a26bab66af912e02360f499d55297f9ce71c55abd9ef180305c8
SnakeKeylogger
b34d5f723853264502eb255218c41fcd86396a3d15025484836182b0c97d5531
SnakeKeylogger
b7a1f477403fe537f3a53d1c9a553a0c8fe37c78a0119888df0b2c4ec77dd5ee
SnakeKeylogger
bdefd80ebc99c33bb0bfa9db249680c258ba3e55fd704c22fda1f015ca7aed32
SnakeKeylogger
c0545f16fbbecef4ff1983c05e620651f24c48d3debaf525fd3e057ef688fae4
SnakeKeylogger
+ 20 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  6/10
Tags:
n/a
Link:
https://tria.ge/reports/230830-glxchsaa43/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Looks up external IP address via web service
Unpacked files
SH256 hash:
9e9b12793284d115d7e1ea40f8052c61c8cd84a379d177b7ff63383cd66edd86
MD5 hash:
b59ce4661993125911520b704c70cda8
SHA1 hash:
e2f8ba815caa5dcc4e1d0583967e7c8e38e62436
Link:
https://www.unpac.me/results/ff8f757f-40f0-4168-823d-5d239f7b4d6b/
SH256 hash:
b4380e6ae55e4f76a19ed97588acebf6712bde7474d1d3286d619b84307b8c1f
MD5 hash:
3af8025db89ac9a966801be4832a6577
SHA1 hash:
da797d8207fb94a9a8552606a06634ffc8dce9be
Link:
https://www.unpac.me/results/ff8f757f-40f0-4168-823d-5d239f7b4d6b/
SH256 hash:
3b90e1b8273dfce9ab7deda7c6671fbdc099aa3d9c8968e6f74c67b90617c6bf
MD5 hash:
2a2d67e22ffffb8006d160e5a3e26ce9
SHA1 hash:
c914c2a60be7cfab79aa423dadd46ffdaff5c461
Link:
https://www.unpac.me/results/ff8f757f-40f0-4168-823d-5d239f7b4d6b/
SH256 hash:
2a995b5b64848a9eb8fd76a8b8092290314f8277e32dd9777514f1f743655d71
MD5 hash:
b64f9b22dbc01029545a7755d42c00e3
SHA1 hash:
b562d820f62236292a5f63a80751960cffed9e06
Link:
https://www.unpac.me/results/ff8f757f-40f0-4168-823d-5d239f7b4d6b/
SH256 hash:
abe0a6708bda47a3fad184d79e29e780300ce705aa45f04ee506e055ed50dbb8
MD5 hash:
a9236435368f55bbb462fd7d03a832b2
SHA1 hash:
75d703203a24ff7e6a0f451598837d57304bfa27
Link:
https://www.unpac.me/results/ff8f757f-40f0-4168-823d-5d239f7b4d6b/
Malware family:
AgentTesla.v3
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/abe0a6708bda/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/abe0a6708bda47a3fad184d79e29e780300ce705aa45f04ee506e055ed50dbb8

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:crime_snake_keylogger
Create hunting rule
Author:Rony (r0ny_123)
Description:Detects Snake keylogger payload
Rule name:INDICATOR_EXE_Packed_Babel
Create hunting rule
Author:ditekSHen
Description:Detects executables packed with Babel
Rule name:INDICATOR_EXE_Packed_ConfuserExMod_BedsProtector
Create hunting rule
Author:ditekSHen
Description:Detects executables packed with ConfuserEx Mod Beds Protector
Rule name:INDICATOR_EXE_Packed_Goliath
Create hunting rule
Author:ditekSHen
Description:Detects executables packed with Goliath
Rule name:INDICATOR_SUSPICIOUS_EXE_DotNetProcHook
Create hunting rule
Author:ditekSHen
Description:Detects executables with potential process hoocking
Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:NETexecutableMicrosoft
Create hunting rule
Author:malware-lu
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash
Rule name:Windows_Trojan_SnakeKeylogger_af3faa65
Create hunting rule
Author:Elastic Security

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

SnakeKeylogger

Executable exe abe0a6708bda47a3fad184d79e29e780300ce705aa45f04ee506e055ed50dbb8

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/445194/

Comments