MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 b0306fe7e4473bc993cb5cca599a38712c12ec90bd4296c450b0a79a9077a3eb. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

SnakeKeylogger

Vendor detections: 16

Intelligence 16 IOCs YARA 2 File information Comments

SHA256 hash:	b0306fe7e4473bc993cb5cca599a38712c12ec90bd4296c450b0a79a9077a3eb
SHA3-384 hash:	c439df1c56a3d9936d58b77f8f7039f9b36a64ddd17b36e5eece69670b1caf4cfcef6d58b84b2ebd02f5aa17d2ac2a8c
SHA1 hash:	aeb298a03a13018b58b2b476ef02fb58eb5287d1
MD5 hash:	ab52b04756f4592285f2e96801786f03
humanhash:	happy-fillet-violet-king
File name:	SecuriteInfo.com.BackDoor.RatNET.2.26549.14680
Download:	download sample
Signature	SnakeKeylogger Create hunting rule
File size:	812'032 bytes
First seen:	2022-09-20 00:52:12 UTC
Last seen:	2022-09-20 13:09:59 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'742 x AgentTesla, 19'607 x Formbook, 12'242 x SnakeKeylogger)
ssdeep	12288:3FnvZ0A+iX8Rp5hMiI1JOv2EW4SLhQSMp785Znml:Bv+ZH5Kr1JO+0+MGml
Threatray	4'210 similar samples on MalwareBazaar
TLSH	T1CE05C0241736CA07CCAAA571D8D2F2711EA46DC5836FC25B09DC3CBBF63A3987991361
TrID	61.5% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13) 11.0% (.SCR) Windows screen saver (13101/52/3) 8.8% (.EXE) Win64 Executable (generic) (10523/12/4) 5.5% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 4.2% (.EXE) Win16 NE executable (generic) (5038/12/1)
File icon (PE):
dhash icon	f0e8e2c6c6e2e8f0 (5 x AgentTesla, 5 x SnakeKeylogger, 4 x Formbook)
Reporter	SecuriteInfoCom
Tags:	exe SnakeKeylogger

Intelligence

File Origin

# of uploads :

# of downloads :

318

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

SecuriteInfo.com.BackDoor.RatNET.2.26549.14680

Verdict:

Malicious activity

Analysis date:

2022-09-20 00:55:33 UTC

Tags:

evasion trojan snake keylogger

Link:

https://app.any.run/tasks/d7928506-be31-42f0-a054-1eff648ebe57

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

Snake

Link:

https://www.capesandbox.com/analysis/311493/

Detection(s):

SecuriteInfo.com.BackDoor.RatNET.2.26549.14680.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

Sending a custom TCP request

Unauthorized injection to a recently created process

Creating a file

Verdict:

Suspicious

Threat level:

5/10

Confidence:

67%

Tags:

packed

Link:

https://www.filescan.io/uploads/63290f6ab333b2ec6b37b196/reports/d5479b1f-216e-4263-8403-76b3a59f9b1a/overview

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Snake Keylogger

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/5a7d8fdb-ca3a-4f75-a2c8-7e2fc9690968

Result

Threat name:

Snake Keylogger

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1073338

Signature

.NET source code contains potential unpacker

.NET source code references suspicious native API functions

Injects a PE file into a foreign processes

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

May check the online IP address of the machine

Multi AV Scanner detection for submitted file

Snort IDS alert for network traffic

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to steal Mail credentials (via file / registry access)

Yara detected AntiVM3

Yara detected Generic Downloader

Yara detected Snake Keylogger

Yara detected Telegram RAT

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/b0306fe7e4473bc993cb5cca599a38712c12ec90bd4296c450b0a79a9077a3eb/

Threat name:

ByteCode-MSIL.Trojan.FormBook

Status:

Malicious

First seen:

2022-09-20 00:17:38 UTC

File Type:

PE (.Net Exe)

Extracted files:

AV detection:

21 of 25 (84.00%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=wayg7z7ei454te6lltfftgryoewbf3eqxvbjnrcqwctzvedxupvq._file

Verdict:

malicious

SnakeKeylogger

158eb8ce0ff9c64f21622db564612ad494dd26f85ffca36664dd10f8d5aac2c5

SnakeKeylogger

48712214c8917adabb23b1d7f215db81e7431d4143ae9c3f773ec43c1e8f2aba

SnakeKeylogger

6fccc54b1735e68508ccfdad83f18a26226257c153b714d8cff7d0cffe905423

SnakeKeylogger

accc171460a87b3ec4934c65261884592cc54ee58433665590663604b045f39f

SnakeKeylogger

e081465f75b5fc1a981ad522ad595642d28c19df648d26c2694f6d09d8035872

SnakeKeylogger

f99578c5197a92ba74cdeb977f96e4338fd6fadf547ddd1a3dcbaccd85d91236

SnakeKeylogger

fd3ad1ad1650875cef812f9574d44d0c2542eb6cc7fe8006d27234ac18ac2c48

SnakeKeylogger

+ 4'200 additional samples on MalwareBazaar

Result

Malware family:

snakekeylogger

Score:

10/10

Tags:

family:snakekeylogger collection keylogger spyware stealer

Link:

https://tria.ge/reports/220920-a8mm9sfcgk/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

outlook_office_path

outlook_win_path

Suspicious use of SetThreadContext

Accesses Microsoft Outlook profiles

Looks up external IP address via web service

Reads data files stored by FTP clients

Reads user/profile data of local email clients

Reads user/profile data of web browsers

Snake Keylogger

Snake Keylogger payload

Verdict:

Suspicious

Tags:

n/a

YARA:

n/a

Link:

https://app.threat.zone/submission/25e5bbbd-65b5-4062-8bc5-8cfe266c1392

Unpacked files

SH256 hash:

e4cdb28336c11729067be6c5ab9f59633258b4f35a2d0d415543fb235edffd95

MD5 hash:

2b1bcf7c5c3674925b4cbb11c1ac0077

SHA1 hash:

e5dee39d4e4bb3894ae5330b6bd7bf692ba2ccdf

Link:

https://www.unpac.me/results/20b8714d-48de-4417-a92e-fe395bff184a/

SH256 hash:

d7d091a70e931e3dc9506c5f28314fac1a01392f5639f153fab790428aba948c

MD5 hash:

48c188ca03e2e2a0152a55d3f104cafb

SHA1 hash:

316d12dbe08c30b3acd013fb72fee68d2c816ea0

Link:

https://www.unpac.me/results/20b8714d-48de-4417-a92e-fe395bff184a/

SH256 hash:

83bfcdab81f9323de1402d026243aa558b01991ccbe75b345756c31d7f2dd835

MD5 hash:

dd1ca48033e2972cdda108ac46dfbcf6

SHA1 hash:

2af255dd7154ca4a63c40a6caac9346dfc7d4698

Link:

https://www.unpac.me/results/20b8714d-48de-4417-a92e-fe395bff184a/

SH256 hash:

44c50087cbd9a86677ff5b898c1ad52abf5f25297179a174edcc8b81dec967fc

MD5 hash:

d012ba9057bf67c7f29871326f2af919

SHA1 hash:

1d5b8b512b37f0e1900496b578117082929654c7

Link:

https://www.unpac.me/results/20b8714d-48de-4417-a92e-fe395bff184a/

SH256 hash:

a982a4482046d38498bc2d0fbfc2e04773539872821a50d48355c3219e4ecc4b

MD5 hash:

3441a96d16d24c04cb1cfa4cb3473607

SHA1 hash:

08009c8dea9118670b41df3f43dc3872c87fe98d

Detections:

snake_keylogger

Link:

https://www.unpac.me/results/20b8714d-48de-4417-a92e-fe395bff184a/

Parent samples :

9e99feb370661801fc9d86d724ecf3586353fd7f389f020111367d739673d3ff
760fb3792679c7fec49a37dd132d7fe007ac2be5639aec0d8f3aa5574aa40b0e
b0306fe7e4473bc993cb5cca599a38712c12ec90bd4296c450b0a79a9077a3eb
80e8b701fd11b9e2f3736d0fc1a385d2075675e2cbdd3821ae24501722820898
75ce7e84cc5c6682354ceb8edc7f0b77be3ecdda500d1b0178accd0c6158f980
44e798b75739e6fdededf5b7ff28cae9f7affa32c47e2ee447e7a81ee6e7e266
e4a84a2b70e197eb91c303201e597e097011cce846ee55f6dcfd50688c2e96f3
f2b78e759ea577cba8ce76cf8fb591abd0f54c7ce8ff7cc43c5442f2021921f6

SH256 hash:

b0306fe7e4473bc993cb5cca599a38712c12ec90bd4296c450b0a79a9077a3eb

MD5 hash:

ab52b04756f4592285f2e96801786f03

SHA1 hash:

aeb298a03a13018b58b2b476ef02fb58eb5287d1

Link:

https://www.unpac.me/results/20b8714d-48de-4417-a92e-fe395bff184a/

Malware family:

SnakeKeylogger

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/b0306fe7e447/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Suspicious File

Score:

0.65

Link:

https://yomi.yoroi.company/submissions/b0306fe7e4473bc993cb5cca599a38712c12ec90bd4296c450b0a79a9077a3eb

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	pe_imphash Create hunting rule

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/311493/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample