MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 ae37f44dfeb8e4ccee9388c6dd3b3675270af7e35cc4e2fae2193cefad209820. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

SnakeKeylogger

Vendor detections: 11

Intelligence 11 IOCs YARA 10 File information Comments

SHA256 hash:	ae37f44dfeb8e4ccee9388c6dd3b3675270af7e35cc4e2fae2193cefad209820
SHA3-384 hash:	76e8039d07cb021208e0af5ab0894a18826eb6b92381af9626b813335a59e2540e4a24f66447ecaa573ade17864d8df0
SHA1 hash:	76efa33c6890aeade9e903c525b1d27617980445
MD5 hash:	9d0a913a848c23da99323e53b18cf890
humanhash:	foxtrot-music-river-butter
File name:	RQF #100028153.exe
Download:	download sample
Signature	SnakeKeylogger Create hunting rule
File size:	261'120 bytes
First seen:	2021-08-30 16:51:25 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'740 x AgentTesla, 19'600 x Formbook, 12'241 x SnakeKeylogger)
ssdeep	6144:2xtvJ/xazapBvpbN/9SP4ygJZ+Pkv89rJdCQ1BO:2jFxUarhN/9SQyI+PRtdCqO
Threatray	869 similar samples on MalwareBazaar
TLSH	T1B344022A726272E1C3BE0BBA6D34C300537CF9804867EA6E7E4591CA156370157E0BEF
Reporter	James_inthe_box
Tags:	exe SnakeKeylogger

Intelligence

File Origin

# of uploads :

# of downloads :

136

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

RQF #100028153.exe

Verdict:

Malicious activity

Analysis date:

2021-08-30 16:54:20 UTC

Tags:

n/a

Link:

https://app.any.run/tasks/ff4885fe-9695-4e75-9069-9def0d01d621

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

Snake

Link:

https://www.capesandbox.com/analysis/183858/

Detection(s):

SecuriteInfo.com.Trojan.DownLoader41.48544.14412.11094.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Unauthorized injection to a recently created process

Creating a file

DNS request

Connection attempt

Sending an HTTP GET request

Sending a UDP request

Sending a custom TCP request

Reading critical registry keys

Creating a window

Forced shutdown of a browser

Malware family:

Snake Keylogger

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/7cbe5ad0-89e4-4a8e-a1b6-ca17e52ff06b

Result

Threat name:

Snake Keylogger

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/841771

Signature

.NET source code contains potential unpacker

.NET source code references suspicious native API functions

Found malware configuration

Injects a PE file into a foreign processes

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

May check the online IP address of the machine

Multi AV Scanner detection for submitted file

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to steal Mail credentials (via file access)

Yara detected Snake Keylogger

Yara detected Telegram RAT

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/ae37f44dfeb8e4ccee9388c6dd3b3675270af7e35cc4e2fae2193cefad209820/

Threat name:

ByteCode-MSIL.Trojan.AgentTesla

Status:

Malicious

First seen:

2021-08-30 16:51:05 UTC

File Type:

PE (.Net Exe)

Extracted files:

AV detection:

15 of 28 (53.57%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=vy37itp6xdsmz3utrddn2ozwoutqv57dltcof6xcde6o7ljataqa._file

Verdict:

malicious

SnakeKeylogger

62488642461ae96d137e5f3a8cadecc900975889cc9f2c8b94894ba0cf1204c6

SnakeKeylogger

8ec22a18a5d2317b14ad0d9023f19c88e37eac1186a425c83a2f69ed366aabc2

SnakeKeylogger

91e8763b50b0155b4984134d95d36fb9d92bca3a5db8d37bb75ff8faf88dbc63

SnakeKeylogger

dc157362e9c0469b3d8909770c5879a1e5cbaa6ae5e0d8203c536cbce6131901

SnakeKeylogger

+ 859 additional samples on MalwareBazaar

Result

Malware family:

snakekeylogger

Score:

10/10

Tags:

family:snakekeylogger keylogger spyware stealer

Link:

https://tria.ge/reports/210830-vsf5x2k26a/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Suspicious use of SetThreadContext

Looks up external IP address via web service

Reads data files stored by FTP clients

Reads user/profile data of local email clients

Reads user/profile data of web browsers

Snake Keylogger

Unpacked files

SH256 hash:

af35c93b3e00997af1ac486047fd5eb5ebb1ad0ef1c76b318329141cff779347

MD5 hash:

6cb637e6c978b2d4b4097ae940b7c24a

SHA1 hash:

fcff1062591af626759a62d25a971d3dbf802a56

Link:

https://www.unpac.me/results/d35e3572-67c0-486f-bad4-2a6483761296/

SH256 hash:

97024f17003dd3d31dab64c4d1b8251e50d428644eb59ed3692ad79ce42019cf

MD5 hash:

8cd28be4bd9a1404c6d3600db32b3ed1

SHA1 hash:

fb90b0ca51118e771390d58b19d0a404ee14cfbc

Link:

https://www.unpac.me/results/d35e3572-67c0-486f-bad4-2a6483761296/

SH256 hash:

adf51eafee6bd98dd9ba9c14f188ad0cab35d6e52133d470573c6bd3a820f4e8

MD5 hash:

0b8a363d429982f57a4b634ce3a6edd5

SHA1 hash:

aa41a4c905bc9a190b9265634704dfd4aaccc3a9

Link:

https://www.unpac.me/results/d35e3572-67c0-486f-bad4-2a6483761296/

SH256 hash:

ae37f44dfeb8e4ccee9388c6dd3b3675270af7e35cc4e2fae2193cefad209820

MD5 hash:

9d0a913a848c23da99323e53b18cf890

SHA1 hash:

76efa33c6890aeade9e903c525b1d27617980445

Link:

https://www.unpac.me/results/d35e3572-67c0-486f-bad4-2a6483761296/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

iSpy Keylogger

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/ae37f44dfeb8e4ccee9388c6dd3b3675270af7e35cc4e2fae2193cefad209820

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	INDICATOR_SUSPICIOUS_Binary_References_Browsers Create hunting rule
Author:	ditekSHen
Description:	Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers.

Rule name:	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook Create hunting rule
Author:	ditekSHen
Description:	Detects executables with potential process hoocking

Rule name:	INDICATOR_SUSPICIOUS_EXE_Referenfces_Messaging_Clients Create hunting rule
Author:	ditekSHen
Description:	Detects executables referencing many email and collaboration clients. Observed in information stealers

Rule name:	INDICATOR_SUSPICIOUS_EXE_TelegramChatBot Create hunting rule
Author:	ditekSHen
Description:	Detects executables using Telegram Chat Bot

Rule name:	MALWARE_Win_SnakeKeylogger Create hunting rule
Author:	ditekSHen
Description:	Detects Snake Keylogger

Rule name:	MAL_Envrial_Jan18_1 Create hunting rule
Author:	Florian Roth
Description:	Detects Encrial credential stealer malware
Reference:	https://twitter.com/malwrhunterteam/status/953313514629853184

Rule name:	pe_imphash Create hunting rule

Rule name:	pe_imphash Create hunting rule

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

Rule name:	Telegram_Exfiltration_Via_Api Create hunting rule
Author:	lsepaolo

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method

Other

Cape

https://www.capesandbox.com/analysis/183858/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample