MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 ade8f786a08406ad3d3bfe39b0807cbdb1182cfc60d205af6709b532d5f0574d. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


SnakeKeylogger


Vendor detections: 14


Intelligence 14 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: ade8f786a08406ad3d3bfe39b0807cbdb1182cfc60d205af6709b532d5f0574d
SHA3-384 hash: 103618220c3760211fa5f00a81734072a5fa74c86384236f3a3e55db557265b7d514d4fc0f1475cde91330cde05d58df
SHA1 hash: a1703ae8fb57128ab149c3394bc322334c8a7f31
MD5 hash: 5c8f6096d8a0485b1e01217421765b1b
humanhash: robin-december-idaho-summer
File name:fTNo8xm1Pj9nr0B.exe
Download: download sample
Signature SnakeKeylogger
Create hunting rule
File size:632'320 bytes
First seen:2023-06-26 08:19:26 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'740 x AgentTesla, 19'597 x Formbook, 12'241 x SnakeKeylogger)
ssdeep 12288:h5dPG2f4nKJaGlvZzmSuFMDIV1/DzD/Pca7pVbMMMDMMM:H4JcZ/A1/o8bMMMDMMM
Threatray 28 similar samples on MalwareBazaar
TLSH T1B6D4173938BD5227D1B4D7B78FD3E423B278982F3021EA25688657D506A6F1225C363F
TrID 71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.2% (.EXE) Win64 Executable (generic) (10523/12/4)
6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.3% (.EXE) Win32 Executable (generic) (4505/5/1)
2.0% (.ICL) Windows Icons Library (generic) (2059/9)
File icon (PE):PE icon
dhash icon c44484ad8d8aa444 (8 x SnakeKeylogger, 3 x Formbook, 3 x AgentTesla)
Reporter spatronn2
Tags:exe SnakeKeylogger

Intelligence

File Origin
# of uploads :
1
# of downloads :
316
Origin country :
TR TR
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
fTNo8xm1Pj9nr0B.exe
Verdict:
Malicious activity
Analysis date:
2023-06-26 08:21:08 UTC
Tags:
evasion snake keylogger trojan blackguard
Link:
https://app.any.run/tasks/ca073b19-3673-4b2a-a03e-80f85542fb8f

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Snake
Create hunting rule
Link:
https://www.capesandbox.com/analysis/402828/
Detection(s):
SecuriteInfo.com.Win32.PWSX-gen.14562.27754.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Сreating synchronization primitives
Creating a file in the %AppData% directory
Enabling the 'hidden' option for recently created files
Adding an access-denied ACE
Creating a process with a hidden window
Creating a file in the %temp% directory
Launching a process
Enabling the 'hidden' option for analyzed file
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
packed
Link:
https://www.filescan.io/uploads/64994a33ee55f1e1b4b58430/reports/c08b9398-45b2-477a-a5df-413491d165db/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_100%
Link:
https://www.hybrid-analysis.com/sample/ade8f786a08406ad3d3bfe39b0807cbdb1182cfc60d205af6709b532d5f0574d
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/cfbcb21f-1fb4-46db-8597-832b8921ca81
Result
Threat name:
Snake Keylogger
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1261340
Signature
.NET source code contains potential unpacker
.NET source code contains very large strings
Adds a directory exclusion to Windows Defender
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Found malware configuration
Injects a PE file into a foreign processes
Malicious sample detected (through community Yara rule)
May check the online IP address of the machine
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Scheduled temp file as task from temp location
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected Generic Downloader
Yara detected Snake Keylogger
Yara detected Telegram RAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 894359 Sample: fTNo8xm1Pj9nr0B.exe Startdate: 26/06/2023 Architecture: WINDOWS Score: 100 47 Found malware configuration 2->47 49 Malicious sample detected (through community Yara rule) 2->49 51 Antivirus / Scanner detection for submitted sample 2->51 53 7 other signatures 2->53 7 fTNo8xm1Pj9nr0B.exe 7 2->7         started        11 wKacYzPcTV.exe 5 2->11         started        process3 file4 33 C:\Users\user\AppData\...\wKacYzPcTV.exe, PE32 7->33 dropped 35 C:\Users\...\wKacYzPcTV.exe:Zone.Identifier, ASCII 7->35 dropped 37 C:\Users\user\AppData\Local\...\tmpA490.tmp, XML 7->37 dropped 39 C:\Users\user\...\fTNo8xm1Pj9nr0B.exe.log, ASCII 7->39 dropped 55 May check the online IP address of the machine 7->55 57 Uses schtasks.exe or at.exe to add and modify task schedules 7->57 59 Adds a directory exclusion to Windows Defender 7->59 13 fTNo8xm1Pj9nr0B.exe 15 2 7->13         started        17 powershell.exe 21 7->17         started        19 schtasks.exe 1 7->19         started        61 Antivirus detection for dropped file 11->61 63 Multi AV Scanner detection for dropped file 11->63 65 Injects a PE file into a foreign processes 11->65 21 wKacYzPcTV.exe 14 2 11->21         started        23 schtasks.exe 1 11->23         started        signatures5 process6 dnsIp7 41 checkip.dyndns.org 13->41 43 checkip.dyndns.com 158.101.44.242, 49718, 49719, 80 ORACLE-BMC-31898US United States 13->43 67 Tries to steal Mail credentials (via file / registry access) 13->67 69 Tries to harvest and steal browser information (history, passwords, etc) 13->69 25 conhost.exe 17->25         started        27 conhost.exe 19->27         started        45 checkip.dyndns.org 21->45 29 WerFault.exe 21->29         started        31 conhost.exe 23->31         started        signatures8 process9
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/ade8f786a08406ad3d3bfe39b0807cbdb1182cfc60d205af6709b532d5f0574d/
Threat name:
Win32.Trojan.Leonem
Create hunting rule
Status:
Malicious
First seen:
2023-06-26 08:14:44 UTC
File Type:
PE (.Net Exe)
Extracted files:
14
AV detection:
19 of 24 (79.17%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=vxuppbvaqqdk2pj37y43bad4xwyrqlh4mdjall3hbg2tfvpqk5gq._file
Verdict:
malicious
Similar samples:
1ba924a1929390c208baacddcfa9ad01b115234fb5e699848bbefa2144c6f9f9
SnakeKeylogger
2dbb566e1dce36409f2f8a3e3fed3737c4b286b87c2dc87d892ff4d0e0367562
SnakeKeylogger
61e75e123449c092c36171ad72de1ddbce425c8a82de0704f868295fab5df3a1
SnakeKeylogger
72d1ca783a74d9e5e8024a44759419ea5221177d53a2739960a8457e21e773d6
SnakeKeylogger
7c8f766c92bb04f1a2ea22e8a3fa91909bbb2c918c67a957aa956cc901488e56
SnakeKeylogger
8e3c95bcf195b498bdd53c1ad2adb5329718601ed0abac5fb45ecdc9c8855916
SnakeKeylogger
912e8de60b256356d9d56d77bd1441e5b7692af26fb320e7645bf5edde861baf
SnakeKeylogger
b2c1a9091f518029dbac23fab825be576244e2b8d07a82fea5b93778072dd6c7
SnakeKeylogger
+ 18 additional samples on MalwareBazaar
Result
Malware family:
snakekeylogger
Create hunting rule
Score:
  10/10
Tags:
family:snakekeylogger collection keylogger spyware stealer
Link:
https://tria.ge/reports/230626-j8er4aha85/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Enumerates physical storage devices
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Looks up external IP address via web service
Checks computer location settings
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Snake Keylogger
Snake Keylogger payload
Malware Config
C2 Extraction:
https://api.telegram.org/bot5604026443:AAGvrHypAo66IzhqZoZmCUuAxemGPV9TmF8/sendMessage?chat_id=5114872101
Unpacked files
SH256 hash:
9d6c73e273a966a4ed1d93350392d965792ddf5ad201bfa28b8adcec2e344db5
MD5 hash:
adac60763fcfe4d5f4ad323046e79500
SHA1 hash:
9ced772a90ddec9fffde8c745225ad289f3f087e
Link:
https://www.unpac.me/results/634ebcc0-a960-4351-b07e-e41330185b48/
SH256 hash:
cadf6d1b8e116b0ddd813eebd708a43a310f3e6795483afc4958db0bf45acf30
MD5 hash:
f0d798a5e917425f8a1c1c8e3660b686
SHA1 hash:
7bd83221a922ea35d7699a348580305eb294596e
Detections:
snake_keylogger
Create hunting rule
snake_keylogger
Create hunting rule
snake_keylogger
Create hunting rule
snake_keylogger
Create hunting rule
snake_keylogger
Create hunting rule
snake_keylogger
Create hunting rule
snake_keylogger
Create hunting rule
snake_keylogger
Create hunting rule
snake_keylogger
Create hunting rule
snake_keylogger
Create hunting rule
snake_keylogger
Create hunting rule
snake_keylogger
Create hunting rule
snake_keylogger
Create hunting rule
snake_keylogger
Create hunting rule
snake_keylogger
Create hunting rule
snake_keylogger
Create hunting rule
Link:
https://www.unpac.me/results/634ebcc0-a960-4351-b07e-e41330185b48/
Parent samples :
b72d9ebed9288c70618aaf8eb4f7439abf464f1a10519e035e5fb37d274184dc
ade8f786a08406ad3d3bfe39b0807cbdb1182cfc60d205af6709b532d5f0574d
SH256 hash:
973512f00ba81a790d2351f286c79dfea92692c9f7cd724e22ab11ff282f8130
MD5 hash:
3794c5f7b240e4184d6ea90c5bdd9ec6
SHA1 hash:
26b9c4a753779b4994fe38c16dfe70b07efd3e0d
Link:
https://www.unpac.me/results/634ebcc0-a960-4351-b07e-e41330185b48/
SH256 hash:
0b6c38d4c1adf6e71d0bc6b4fe1ce1fb347cf6acf11e9cb94708dea6005a8c18
MD5 hash:
626a804f1a95772b449f9012b00366b1
SHA1 hash:
18ef47e83f5caf1fe57d875d05e7e98dae6df6ad
Link:
https://www.unpac.me/results/634ebcc0-a960-4351-b07e-e41330185b48/
SH256 hash:
9d6c73e273a966a4ed1d93350392d965792ddf5ad201bfa28b8adcec2e344db5
MD5 hash:
adac60763fcfe4d5f4ad323046e79500
SHA1 hash:
9ced772a90ddec9fffde8c745225ad289f3f087e
Link:
https://www.unpac.me/results/634ebcc0-a960-4351-b07e-e41330185b48/
SH256 hash:
cadf6d1b8e116b0ddd813eebd708a43a310f3e6795483afc4958db0bf45acf30
MD5 hash:
f0d798a5e917425f8a1c1c8e3660b686
SHA1 hash:
7bd83221a922ea35d7699a348580305eb294596e
Detections:
snake_keylogger
Create hunting rule
snake_keylogger
Create hunting rule
snake_keylogger
Create hunting rule
snake_keylogger
Create hunting rule
snake_keylogger
Create hunting rule
snake_keylogger
Create hunting rule
snake_keylogger
Create hunting rule
snake_keylogger
Create hunting rule
snake_keylogger
Create hunting rule
snake_keylogger
Create hunting rule
snake_keylogger
Create hunting rule
snake_keylogger
Create hunting rule
snake_keylogger
Create hunting rule
snake_keylogger
Create hunting rule
snake_keylogger
Create hunting rule
snake_keylogger
Create hunting rule
Link:
https://www.unpac.me/results/634ebcc0-a960-4351-b07e-e41330185b48/
Parent samples :
b72d9ebed9288c70618aaf8eb4f7439abf464f1a10519e035e5fb37d274184dc
ade8f786a08406ad3d3bfe39b0807cbdb1182cfc60d205af6709b532d5f0574d
SH256 hash:
973512f00ba81a790d2351f286c79dfea92692c9f7cd724e22ab11ff282f8130
MD5 hash:
3794c5f7b240e4184d6ea90c5bdd9ec6
SHA1 hash:
26b9c4a753779b4994fe38c16dfe70b07efd3e0d
Link:
https://www.unpac.me/results/634ebcc0-a960-4351-b07e-e41330185b48/
SH256 hash:
0b6c38d4c1adf6e71d0bc6b4fe1ce1fb347cf6acf11e9cb94708dea6005a8c18
MD5 hash:
626a804f1a95772b449f9012b00366b1
SHA1 hash:
18ef47e83f5caf1fe57d875d05e7e98dae6df6ad
Link:
https://www.unpac.me/results/634ebcc0-a960-4351-b07e-e41330185b48/
SH256 hash:
9d6c73e273a966a4ed1d93350392d965792ddf5ad201bfa28b8adcec2e344db5
MD5 hash:
adac60763fcfe4d5f4ad323046e79500
SHA1 hash:
9ced772a90ddec9fffde8c745225ad289f3f087e
Link:
https://www.unpac.me/results/634ebcc0-a960-4351-b07e-e41330185b48/
SH256 hash:
cadf6d1b8e116b0ddd813eebd708a43a310f3e6795483afc4958db0bf45acf30
MD5 hash:
f0d798a5e917425f8a1c1c8e3660b686
SHA1 hash:
7bd83221a922ea35d7699a348580305eb294596e
Detections:
snake_keylogger
Create hunting rule
snake_keylogger
Create hunting rule
snake_keylogger
Create hunting rule
snake_keylogger
Create hunting rule
snake_keylogger
Create hunting rule
snake_keylogger
Create hunting rule
snake_keylogger
Create hunting rule
snake_keylogger
Create hunting rule
snake_keylogger
Create hunting rule
snake_keylogger
Create hunting rule
snake_keylogger
Create hunting rule
snake_keylogger
Create hunting rule
snake_keylogger
Create hunting rule
snake_keylogger
Create hunting rule
snake_keylogger
Create hunting rule
snake_keylogger
Create hunting rule
Link:
https://www.unpac.me/results/634ebcc0-a960-4351-b07e-e41330185b48/
Parent samples :
b72d9ebed9288c70618aaf8eb4f7439abf464f1a10519e035e5fb37d274184dc
ade8f786a08406ad3d3bfe39b0807cbdb1182cfc60d205af6709b532d5f0574d
SH256 hash:
973512f00ba81a790d2351f286c79dfea92692c9f7cd724e22ab11ff282f8130
MD5 hash:
3794c5f7b240e4184d6ea90c5bdd9ec6
SHA1 hash:
26b9c4a753779b4994fe38c16dfe70b07efd3e0d
Link:
https://www.unpac.me/results/634ebcc0-a960-4351-b07e-e41330185b48/
SH256 hash:
0b6c38d4c1adf6e71d0bc6b4fe1ce1fb347cf6acf11e9cb94708dea6005a8c18
MD5 hash:
626a804f1a95772b449f9012b00366b1
SHA1 hash:
18ef47e83f5caf1fe57d875d05e7e98dae6df6ad
Link:
https://www.unpac.me/results/634ebcc0-a960-4351-b07e-e41330185b48/
SH256 hash:
9d6c73e273a966a4ed1d93350392d965792ddf5ad201bfa28b8adcec2e344db5
MD5 hash:
adac60763fcfe4d5f4ad323046e79500
SHA1 hash:
9ced772a90ddec9fffde8c745225ad289f3f087e
Link:
https://www.unpac.me/results/634ebcc0-a960-4351-b07e-e41330185b48/
SH256 hash:
cadf6d1b8e116b0ddd813eebd708a43a310f3e6795483afc4958db0bf45acf30
MD5 hash:
f0d798a5e917425f8a1c1c8e3660b686
SHA1 hash:
7bd83221a922ea35d7699a348580305eb294596e
Detections:
snake_keylogger
Create hunting rule
snake_keylogger
Create hunting rule
snake_keylogger
Create hunting rule
snake_keylogger
Create hunting rule
snake_keylogger
Create hunting rule
snake_keylogger
Create hunting rule
snake_keylogger
Create hunting rule
snake_keylogger
Create hunting rule
snake_keylogger
Create hunting rule
snake_keylogger
Create hunting rule
snake_keylogger
Create hunting rule
snake_keylogger
Create hunting rule
snake_keylogger
Create hunting rule
snake_keylogger
Create hunting rule
snake_keylogger
Create hunting rule
snake_keylogger
Create hunting rule
Link:
https://www.unpac.me/results/634ebcc0-a960-4351-b07e-e41330185b48/
Parent samples :
b72d9ebed9288c70618aaf8eb4f7439abf464f1a10519e035e5fb37d274184dc
ade8f786a08406ad3d3bfe39b0807cbdb1182cfc60d205af6709b532d5f0574d
SH256 hash:
973512f00ba81a790d2351f286c79dfea92692c9f7cd724e22ab11ff282f8130
MD5 hash:
3794c5f7b240e4184d6ea90c5bdd9ec6
SHA1 hash:
26b9c4a753779b4994fe38c16dfe70b07efd3e0d
Link:
https://www.unpac.me/results/634ebcc0-a960-4351-b07e-e41330185b48/
SH256 hash:
0b6c38d4c1adf6e71d0bc6b4fe1ce1fb347cf6acf11e9cb94708dea6005a8c18
MD5 hash:
626a804f1a95772b449f9012b00366b1
SHA1 hash:
18ef47e83f5caf1fe57d875d05e7e98dae6df6ad
Link:
https://www.unpac.me/results/634ebcc0-a960-4351-b07e-e41330185b48/
SH256 hash:
ade8f786a08406ad3d3bfe39b0807cbdb1182cfc60d205af6709b532d5f0574d
MD5 hash:
5c8f6096d8a0485b1e01217421765b1b
SHA1 hash:
a1703ae8fb57128ab149c3394bc322334c8a7f31
Link:
https://www.unpac.me/results/634ebcc0-a960-4351-b07e-e41330185b48/
Malware family:
SnakeKeylogger
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/ade8f786a084/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/ade8f786a08406ad3d3bfe39b0807cbdb1182cfc60d205af6709b532d5f0574d

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

SnakeKeylogger

Executable exe ade8f786a08406ad3d3bfe39b0807cbdb1182cfc60d205af6709b532d5f0574d

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/402828/

Comments