MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 afd8c936337691ea9b680f253002d428ca216c2056dcf3009ecb566f1e67395c. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


SnakeKeylogger


Vendor detections: 14


Intelligence 14 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: afd8c936337691ea9b680f253002d428ca216c2056dcf3009ecb566f1e67395c
SHA3-384 hash: 21a9ef0fdd815eab5ebbd6009d9d559e6dd5b2d3c8cea5d4964e2783e805ace3b1175e7829f87e9d3d16b5a83167b260
SHA1 hash: 144712ebcf4896ffa949ad7152844373f19ff8c9
MD5 hash: 021f8fe2b3553b82ccb1f6bd50a00177
humanhash: queen-blossom-thirteen-kentucky
File name:gz3khWMGKg5ZSjN.exe
Download: download sample
Signature SnakeKeylogger
Create hunting rule
File size:538'624 bytes
First seen:2023-05-15 04:45:55 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'658 x AgentTesla, 19'469 x Formbook, 12'208 x SnakeKeylogger)
ssdeep 12288:j8whh2Y4YpsRQkdgGvWA23VH7dZ/j54wlCphQUhH:j8whh2xRjoAYZJtjCwlCDvh
Threatray 5'302 similar samples on MalwareBazaar
TLSH T1A3B4D19BC2789F11CE645BFD0E67C5C60AF589B47C24D9305F8728CDD9A2E2F248826D
TrID 71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.2% (.EXE) Win64 Executable (generic) (10523/12/4)
6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.3% (.EXE) Win32 Executable (generic) (4505/5/1)
2.0% (.ICL) Windows Icons Library (generic) (2059/9)
Reporter threatcat_ch
Tags:exe SnakeKeylogger

Intelligence

File Origin
# of uploads :
1
# of downloads :
421
Origin country :
CH CH
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
gz3khWMGKg5ZSjN.exe
Verdict:
Malicious activity
Analysis date:
2023-05-15 04:47:31 UTC
Tags:
snake keylogger trojan evasion
Link:
https://app.any.run/tasks/7504832c-c3b3-411a-a1bc-af0d862db0f3

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Snake
Create hunting rule
Link:
https://www.capesandbox.com/analysis/389922/
Detection(s):
SecuriteInfo.com.Trojan.GenericKD.67006597.32241.16308.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
barys comodo lokibot packed
Link:
https://www.filescan.io/uploads/6461b90b5f4bea86090bf176/reports/6f588d86-1f24-42eb-b433-3aaf0c043814/overview
Verdict:
Malicious
Labled as:
Trojan.Generic
Link:
https://www.hybrid-analysis.com/sample/afd8c936337691ea9b680f253002d428ca216c2056dcf3009ecb566f1e67395c
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Snake Keylogger
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/811f7ec9-5dc7-4ac1-b7ad-09608c2b5800
Result
Threat name:
Snake Keylogger
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1233339
Signature
.NET source code contains potential unpacker
Found malware configuration
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
May check the online IP address of the machine
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Mail credentials (via file / registry access)
Yara detected Generic Downloader
Yara detected Snake Keylogger
Yara detected Telegram RAT
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/afd8c936337691ea9b680f253002d428ca216c2056dcf3009ecb566f1e67395c/
Threat name:
Win32.Trojan.Leonem
Create hunting rule
Status:
Malicious
First seen:
2023-05-12 13:07:40 UTC
File Type:
PE (.Net Exe)
Extracted files:
7
AV detection:
21 of 24 (87.50%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=v7mmsnrto2i6vg3ib4staawufdfcc3bak3opgae6znlg6hthhfoa._file
Verdict:
malicious
Similar samples:
0143b411f3c0c02a845fa45cca9fd02df3da4334ad748fd119759f877c1e7ef2
SnakeKeylogger
39284637e45691feb034477cb6d51b662892a17b883ce42cee8d8e2fcdda4817
SnakeKeylogger
b33a98ce498846037fd68b2055d835464a1350c9c067e250689a2be1f17dc987
SnakeKeylogger
+ 5'292 additional samples on MalwareBazaar
Result
Malware family:
snakekeylogger
Create hunting rule
Score:
  10/10
Tags:
family:snakekeylogger collection keylogger spyware stealer
Link:
https://tria.ge/reports/230515-fdy1pseg58/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Looks up external IP address via web service
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Snake Keylogger
Snake Keylogger payload
Malware Config
C2 Extraction:
https://api.telegram.org/bot5869797424:AAFj7jfdzfUw1CCCNzehFXiYeFWrzxnHnAs/sendMessage?chat_id=1715191138
Unpacked files
SH256 hash:
f4e9cc47225d19f05fe05b7e80dda21d7850f5344b8aa4bbabf11722979dc822
MD5 hash:
1df230e78af5084c086a977cb35bb2e8
SHA1 hash:
f6144903d5bfab0e095c3753eb07a0789cbeb156
Detections:
snake_keylogger
Create hunting rule
Link:
https://www.unpac.me/results/de524088-ddf5-476a-a669-9d4173840446/
Parent samples :
105564f796b71e908a08ce7cdac01b5e441569cc03cf14293f7e482790ad51dd
790f8d85765401dc539584fc2075b326e306982adc99010f06637a769bb9443e
ef23c59e01d4ead9ddaf93012c303e5eaf45cb469b2adb64e3e2f950edda0172
823a206dcc8e78823dd154d935da7c7ba7029b9b51adfa1caaaca282fc7df829
c74b241653dd2fbda789f9198ab86773d71603ff64cce3356a4cbbd7f01ce2a4
afd8c936337691ea9b680f253002d428ca216c2056dcf3009ecb566f1e67395c
78875bd0e64072dd764f4de0b576eb4f9bba96db457422699986e9542bde530b
7ade52d9d7e7aa377a7855a6effe236cebdccf32661cbf1329ea4da9951f2df7
80a3bcecad3c5b6fe13c41124af786341400fec9cec151490d7861a3fc83be75
ac18f1cbdf0303e840e4da9594405257df6300374d748956c8378b07181c6129
SH256 hash:
16a568987855204d04cbb3fc2e8416aa7907f5b66af2353ba43c95d69ddf9c2e
MD5 hash:
f513dfa2cf5f2557b85d0cc72fc001aa
SHA1 hash:
f5eaf6369b1375b8ef011fa4ddc53cec263d16f3
Link:
https://www.unpac.me/results/de524088-ddf5-476a-a669-9d4173840446/
SH256 hash:
16c255190eaaf1b60ec7d07abcac5f614ea197cee2416ca9d01bb563c526c87d
MD5 hash:
fb4ed205b442f470bbf10913128efdcb
SHA1 hash:
9a0a4c5ae429769e3253a9a3daefa24270b87a5b
Link:
https://www.unpac.me/results/de524088-ddf5-476a-a669-9d4173840446/
Parent samples :
ee57b6fa1e5a3c5ef776b79f32820327bcb3fe1974eeddf65c0eb56131193397
de8c7c543f438af1e7e78096f6873268e9b1a12745edf9c88db07e136163399e
SH256 hash:
ca1b37e42ceec03aded1b5cbca9d2edbedf1de9436c3629dd1c8e6733e1b9c91
MD5 hash:
7299bdf424a5713ad60b215a6f309168
SHA1 hash:
71f6ff2b0075e3daba633f3e4d709051156642b1
Link:
https://www.unpac.me/results/de524088-ddf5-476a-a669-9d4173840446/
SH256 hash:
af9799c676317a1878dba229e964b33aee6ab6fbf68d308ab9074599241bae77
MD5 hash:
cad7acc3fb62b6f17a8183e76d082335
SHA1 hash:
4c55becdb415d5a34d4d3154c80551e990f0687d
Link:
https://www.unpac.me/results/de524088-ddf5-476a-a669-9d4173840446/
SH256 hash:
afd8c936337691ea9b680f253002d428ca216c2056dcf3009ecb566f1e67395c
MD5 hash:
021f8fe2b3553b82ccb1f6bd50a00177
SHA1 hash:
144712ebcf4896ffa949ad7152844373f19ff8c9
Link:
https://www.unpac.me/results/de524088-ddf5-476a-a669-9d4173840446/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.45
Link:
https://yomi.yoroi.company/submissions/afd8c936337691ea9b680f253002d428ca216c2056dcf3009ecb566f1e67395c

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:BitcoinAddress
Create hunting rule
Author:Didier Stevens (@DidierStevens)
Description:Contains a valid Bitcoin address
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

SnakeKeylogger

Executable exe afd8c936337691ea9b680f253002d428ca216c2056dcf3009ecb566f1e67395c

(this sample)

  
Dropped by
snakekeylogger
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/389922/

Comments