MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 b2250bc36323f4a640c885e4ee94f89ca3bd3961b35efe852f47bc5baaf69f21. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


SnakeKeylogger


Vendor detections: 12


Intelligence 12 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: b2250bc36323f4a640c885e4ee94f89ca3bd3961b35efe852f47bc5baaf69f21
SHA3-384 hash: bb284218e70231cf8701c4cd220e1d6f0d63ac7eb014f3ca611ea3f54dd6dd9c8b0366797b818dcf49ea86dfdcfc4f14
SHA1 hash: fc773085898c9dc675ea26586552493f227adc1d
MD5 hash: 5bfc0841da94e7662ecdfdde9ced7209
humanhash: fourteen-winter-spaghetti-july
File name:Invoice.exe
Download: download sample
Signature SnakeKeylogger
Create hunting rule
File size:615'424 bytes
First seen:2022-04-19 03:44:29 UTC
Last seen:2022-04-19 04:38:19 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'742 x AgentTesla, 19'606 x Formbook, 12'242 x SnakeKeylogger)
ssdeep 12288:LAkAlAfZ9AslyIebak7MkmDmHPT101V1z7RtgPonEDx2nMeT2Epd6K1A:NbEFbsWTMD7E0MeJ
Threatray 3'187 similar samples on MalwareBazaar
TLSH T138D42336B7228A92FB6D037E90491C41B7F563172833E74D68D3A29E5D6B7874380A73
TrID 71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.2% (.EXE) Win64 Executable (generic) (10523/12/4)
6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.3% (.EXE) Win32 Executable (generic) (4505/5/1)
2.0% (.EXE) Win16/32 Executable Delphi generic (2072/23)
File icon (PE):PE icon
dhash icon 71cc8e2b2b8ecc78 (5 x AgentTesla, 4 x SnakeKeylogger, 3 x Formbook)
Reporter GovCERT_CH
Tags:exe SnakeKeylogger

Intelligence

File Origin
# of uploads :
2
# of downloads :
266
Origin country :
n/a
Vendor Threat Intelligence
Detection:
Snake
Create hunting rule
Link:
https://www.capesandbox.com/analysis/264467/
Detection(s):
SecuriteInfo.com.Variant.Ursu.713017.25395.26338.UNOFFICIAL
Create hunting rule

Result
Verdict:
Clean
Maliciousness:

Behaviour
Creating a window
Sending a custom TCP request
Launching a process
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
obfuscated packed
Link:
https://www.filescan.io/uploads/625e303fffe27d5119070b54/reports/c09ed5ac-3c1c-4237-a8dd-6a16b7e7e6a5/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Snake Keylogger
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/82a9b101-c3de-48df-93c7-68280cf4ae3a
Result
Threat name:
Snake Keylogger
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/978583
Signature
.NET source code contains potential unpacker
.NET source code references suspicious native API functions
Found malware configuration
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
May check the online IP address of the machine
Multi AV Scanner detection for submitted file
Sigma detected: Silenttrinity Stager Msbuild Activity
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Mail credentials (via file / registry access)
Writes to foreign memory regions
Yara detected AntiVM3
Yara detected Snake Keylogger
Yara detected Telegram RAT
Behaviour
Behavior Graph:
Download SVG
Detection:
snakekeylogger
Create hunting rule
Link:
https://mwdb.cert.pl/sample/b2250bc36323f4a640c885e4ee94f89ca3bd3961b35efe852f47bc5baaf69f21/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2022-04-19 02:20:22 UTC
File Type:
PE (.Net Exe)
Extracted files:
30
AV detection:
23 of 41 (56.10%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=wisqxq3dep2kmqgiqxso5fhytsr32olbwnpp5bjpi66fxkxwt4qq._file
Verdict:
malicious
Similar samples:
0bc6152941893e5d36af2520150b93cc439e5efdb476038e6fac9a17dacc743f
SnakeKeylogger
459ffd564cff546baed72dc2ba79fff156b533600495098f319eed8239d0bb21
SnakeKeylogger
4fcb2f07521077077f50ae8068724da515e6d5594cf7a8cabf193300fee5bf79
SnakeKeylogger
742526bc4de3287b0d55149acdc82c1578cbaae2c42066e40ac5812ed9fd3159
SnakeKeylogger
7529261b01e2f6d420aa0239c584a7d6c0022ea71ce562335d1384a03d529bbd
SnakeKeylogger
ae13fe36ae25d1c276ec9efaaa8599e186f9df2b2d742c7999b895fdf2d302d7
SnakeKeylogger
c15a83bff3c8bcc0e48254ea814726d372eaa0e11d83a7246f18690c93b3a7cc
SnakeKeylogger
f4a5cd70c20e32b8ed1e883e8f57d81a14b19468f711db3ccf7c1c5267b77ea7
SnakeKeylogger
+ 3'177 additional samples on MalwareBazaar
Result
Malware family:
snakekeylogger
Create hunting rule
Score:
  10/10
Tags:
family:snakekeylogger collection keylogger stealer
Link:
https://tria.ge/reports/220419-ea23hsacfr/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Looks up external IP address via web service
Snake Keylogger
Snake Keylogger Payload
Unpacked files
SH256 hash:
50ba456e07a54f7f578c1894ebd76fc1820b6b3023a894dd0fbc07a02c80f984
MD5 hash:
1da080c4f755b102dfb82623a1bf6901
SHA1 hash:
c2ad1ce050f30f9e8b92e8959dcf9013271ff75f
Link:
https://www.unpac.me/results/c082030e-c9be-4f50-b0c6-de33dcfd3327/
SH256 hash:
7bacc3889a44be5a47195530281373ac947f3d3851cb6e36b8f9e70f726106ba
MD5 hash:
4aaae931e6d7732ba1278cbdafd71563
SHA1 hash:
ba602f5db5b9386418d98ebf7fc4cbe7fbc52196
Link:
https://www.unpac.me/results/c082030e-c9be-4f50-b0c6-de33dcfd3327/
SH256 hash:
2a84583751866865c03fcb790fde1fe9895ee4c26f709b72d5b3d7c174be8b73
MD5 hash:
6f8400d1a294a8fe5f5305b6b31d19d2
SHA1 hash:
7c9ce73024b6174f3e33a1ef64276f4d5ccea908
Link:
https://www.unpac.me/results/c082030e-c9be-4f50-b0c6-de33dcfd3327/
SH256 hash:
7172472f86ff1ff133d5c8ba5bad21ecad8457bf416a5f54e95bee9606639e7d
MD5 hash:
e70ed9e06e6161eebd8c96f36e7b50fa
SHA1 hash:
1789866b0f4ba135471a28d8eaea75151b1bb2c8
Link:
https://www.unpac.me/results/c082030e-c9be-4f50-b0c6-de33dcfd3327/
SH256 hash:
b2250bc36323f4a640c885e4ee94f89ca3bd3961b35efe852f47bc5baaf69f21
MD5 hash:
5bfc0841da94e7662ecdfdde9ced7209
SHA1 hash:
fc773085898c9dc675ea26586552493f227adc1d
Link:
https://www.unpac.me/results/c082030e-c9be-4f50-b0c6-de33dcfd3327/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.65
Link:
https://yomi.yoroi.company/submissions/b2250bc36323f4a640c885e4ee94f89ca3bd3961b35efe852f47bc5baaf69f21

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

SnakeKeylogger

Executable exe b2250bc36323f4a640c885e4ee94f89ca3bd3961b35efe852f47bc5baaf69f21

(this sample)

  
Dropped by
snakekeylogger
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/264467/

Comments