MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 ad4693c807e8af00bff002c9723b8cd6551996eaae936bcdbaa7ece6527313b8. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

SnakeKeylogger

Vendor detections: 15

Intelligence 15 IOCs YARA 2 File information Comments

SHA256 hash:	ad4693c807e8af00bff002c9723b8cd6551996eaae936bcdbaa7ece6527313b8
SHA3-384 hash:	ce869c5720145679b2258ba8f5cb46ad90c574bffcd4822d1f3059ad395a77a29b6e28ec5dd632648557b6d96ef96dff
SHA1 hash:	a08ba4284641da6d797a9b582637ef5aca4ee9f9
MD5 hash:	a7882f98e2a9b1c3a24491f3a7fbbc30
humanhash:	virginia-nebraska-papa-nitrogen
File name:	para.exe
Download:	download sample
Signature	SnakeKeylogger Create hunting rule
File size:	551'936 bytes
First seen:	2023-02-15 13:37:43 UTC
Last seen:	2023-02-15 15:43:14 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep	12288:Go+eB2g+0R3oAl3ZUFwifHS75psNf3GWU/cVOja:h+Y2tO3owZUL/ijSfWWzVO
Threatray	6'970 similar samples on MalwareBazaar
TLSH	T140C4125036E45B2ADDBF27F138B4682517B6B05BF936E32C1CD072C90B62F518612BA7
TrID	63.0% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13) 11.2% (.SCR) Windows screen saver (13097/50/3) 9.0% (.EXE) Win64 Executable (generic) (10523/12/4) 5.6% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 3.8% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):
dhash icon	b2c2c8d8b4ead2a2 (6 x AgentTesla, 5 x SnakeKeylogger, 3 x NanoCore)
Reporter	abuse_ch
Tags:	exe SnakeKeylogger

Intelligence

File Origin

# of uploads :

# of downloads :

187

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

para.exe

Verdict:

Malicious activity

Analysis date:

2023-02-15 14:04:00 UTC

Tags:

evasion trojan snake keylogger

Link:

https://app.any.run/tasks/bb56c695-5c0b-4950-ac2d-7764322f4b55

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

Snake

Link:

https://www.capesandbox.com/analysis/366596/

Detection(s):

SecuriteInfo.com.Trojan.PackedNET.1839.13588.32308.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

Sending a custom TCP request

Launching a process

Creating a process with a hidden window

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

packed

Link:

https://www.filescan.io/uploads/63ece042846a958a58167405/reports/5fa75722-e51c-4a73-a626-9f4a51b4836f/overview

Verdict:

Malicious

Labled as:

Win/malicious_confidence_100%

Link:

https://www.hybrid-analysis.com/sample/ad4693c807e8af00bff002c9723b8cd6551996eaae936bcdbaa7ece6527313b8

Result

Verdict:

UNKNOWN

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Generic Malware

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/5aec3f91-f043-4f6e-a7d6-b549ea39351f

Result

Threat name:

Snake Keylogger

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1176466

Signature

.NET source code contains potential unpacker

Adds a directory exclusion to Windows Defender

Injects a PE file into a foreign processes

Machine Learning detection for dropped file

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

May check the online IP address of the machine

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Sigma detected: Scheduled temp file as task from temp location

Snort IDS alert for network traffic

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to steal Mail credentials (via file / registry access)

Uses schtasks.exe or at.exe to add and modify task schedules

Yara detected Generic Downloader

Yara detected Snake Keylogger

Yara detected Telegram RAT

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/ad4693c807e8af00bff002c9723b8cd6551996eaae936bcdbaa7ece6527313b8/

Threat name:

ByteCode-MSIL.Trojan.Leonem

Status:

Malicious

First seen:

2023-02-15 13:38:15 UTC

File Type:

PE (.Net Exe)

Extracted files:

AV detection:

20 of 25 (80.00%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=vvdjhsah5cxqbp7qalexeo4m2zkrtfxkv2jwxtn2u7womuttco4a._file

Verdict:

malicious

SnakeKeylogger

70d3e45f0a41222ee06aa33124206699e822e01114b968b80d1419013fd9a623

SnakeKeylogger

8c4cc2077f0eab36be58bb86b34035f1b9c133902630526f609ff0c194f4f236

SnakeKeylogger

a482218c80bb91030f21119952bad2383fc9a5b69dfcd954b5b80585858fbd56

SnakeKeylogger

e3b1867b864128cf03b1700dd86f6f1fb379fd4002b8e7d7b35a5e9d9d6802ed

SnakeKeylogger

e4725b74ef0918aa1d0a812227ae9bc593528841c61bfa4db312c35158d77592

SnakeKeylogger

+ 6'960 additional samples on MalwareBazaar

Result

Malware family:

snakekeylogger

Score:

10/10

Tags:

family:snakekeylogger collection keylogger spyware stealer

Link:

https://tria.ge/reports/230215-qxefhsbf9s/

Behaviour

Creates scheduled task(s)

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

outlook_office_path

outlook_win_path

Enumerates physical storage devices

Suspicious use of SetThreadContext

Accesses Microsoft Outlook profiles

Looks up external IP address via web service

Checks computer location settings

Reads data files stored by FTP clients

Reads user/profile data of local email clients

Reads user/profile data of web browsers

Snake Keylogger

Snake Keylogger payload

Malware Config

C2 Extraction:

https://api.telegram.org/bot5932548741:AAFytn5z9IUn93hcbUn3eb19fE08x1AWGz0/sendMessage?chat_id=5034680713

Unpacked files

SH256 hash:

0a7a1018850a0fbb2a09c9ca2b1914766f98f82bc3e7b5ca766a8949471a05b8

MD5 hash:

a8600b4d206e9b6b47a04462ff56f98c

SHA1 hash:

ad0fa013757f4eb2a1351e5e164aec708bb00796

Link:

https://www.unpac.me/results/8aeed92a-b53a-483c-952d-ef21faedc7de/

SH256 hash:

3303a9e4fdbdea3dfe478ae5c9fbbb7d9e3e432aa930045916058b511e60bcc9

MD5 hash:

8d9ce4523ac97cb8202abec6a100d6fd

SHA1 hash:

5cba126ac66aec0459015c00f3262d950b51f191

Link:

https://www.unpac.me/results/8aeed92a-b53a-483c-952d-ef21faedc7de/

SH256 hash:

869a6ca799aa80d29a75967674a49a60421a45fcc8b60d10d54bd6024344a1e7

MD5 hash:

17403dd2e0eb346c18b7cb26d2f65217

SHA1 hash:

5bf8b228efd77f744549d94321f8b55f05046c03

Detections:

snake_keylogger

Link:

https://www.unpac.me/results/8aeed92a-b53a-483c-952d-ef21faedc7de/

Parent samples :

c26e6e96f70d4e90215671fbd6943a8660ed3933cd78666fb6514f7666d1498e
ad4693c807e8af00bff002c9723b8cd6551996eaae936bcdbaa7ece6527313b8
fc3669875257ee267e479e6c1646c3fbb7427070fbb973453a771aa60069caed
7aec24add55bcd98a2653bbc7814f8e7cc51f3180b20f45e4c22293802e1c648
b932e7ec61f1cc9b3c858a55eb883accf378580572077c2676adcf2a0aa8dde1
12a5cceeda3e51444875cac53290564dcb180dc2c4b6608580a3b2777c4213da
8ab1910d7f3de293954247ef8f06fc69669c9049735fef3e324935c925ec19ca
d07db65b01e0b86a8e74ecd7cd9b2193d6cb5ecfc39efc28db59b681e2171205
ed5e7918456cfccd873fe19861241d97abf4b157f88e9da9a9119651480eae15
983c666a648fb57817c60b86c18a3ad671e246d7c6daabb16afffc36df5bee31
3e7876ca0922fbf2aba45def5d4025223c91e868b107f2b4b4870b2292a341a1
11448a58a01b27a0f74213c3c46c751abf0847cdc6bd22e8c59ac880605eb057
7e8283583026a288a16c98682ce3cf18308f78cb08cebf3dd6b3376aa7089733
63df8eae2ebe31f97c4dcaf0587ffe4100d34892d03247fcba1201253c81423f
80d41016c2bf67df26677e38cbb13ab1ea552e4bad0e8ecb5e6e462297a7694f

SH256 hash:

c12d2628d984c0b8071e1daa76812d8eae5cd9a18dd99eac444ba00d38977501

MD5 hash:

ec47f2cc8cb2264f192660aa1c81f96d

SHA1 hash:

50b322aa2022e5570911ceb2ca39aeaeca91e540

Link:

https://www.unpac.me/results/8aeed92a-b53a-483c-952d-ef21faedc7de/

SH256 hash:

8617cea503c2a3961120a9c503d853bc21d38d1fca7143d6b1ef4f388bc5cec7

MD5 hash:

7f225c69df031bf0560aed3847a1221a

SHA1 hash:

4d5f3ccdb2c6015d2b2a73326c0f32b173af2819

Link:

https://www.unpac.me/results/8aeed92a-b53a-483c-952d-ef21faedc7de/

SH256 hash:

ad4693c807e8af00bff002c9723b8cd6551996eaae936bcdbaa7ece6527313b8

MD5 hash:

a7882f98e2a9b1c3a24491f3a7fbbc30

SHA1 hash:

a08ba4284641da6d797a9b582637ef5aca4ee9f9

Link:

https://www.unpac.me/results/8aeed92a-b53a-483c-952d-ef21faedc7de/

Malware family:

SnakeKeylogger

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/ad4693c807e8/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/ad4693c807e8af00bff002c9723b8cd6551996eaae936bcdbaa7ece6527313b8

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	pe_imphash Create hunting rule

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/366596/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample