MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 b2e786b08de5350314dadcab93bf6b41ae62006f1dc611cbcf60a246e1643138. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

SnakeKeylogger

Vendor detections: 13

Intelligence 13 IOCs YARA 2 File information Comments

SHA256 hash:	b2e786b08de5350314dadcab93bf6b41ae62006f1dc611cbcf60a246e1643138
SHA3-384 hash:	0790a3359852a6e351e57a919bf7574f3c5c0c5628bbe329f4f6d2085b24f914daeb14382681a3b6f34fa574d9cde508
SHA1 hash:	91e5bc2e60816cfaa31b77284d6325acbfa4b0bc
MD5 hash:	53fb27028f098d1df6e3c664ad545afe
humanhash:	eleven-salami-ohio-sink
File name:	53fb27028f098d1df6e3c664ad545afe.exe
Download:	download sample
Signature	SnakeKeylogger Create hunting rule
File size:	750'080 bytes
First seen:	2022-02-15 02:02:53 UTC
Last seen:	2022-02-15 04:02:36 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'743 x AgentTesla, 19'608 x Formbook, 12'242 x SnakeKeylogger)
ssdeep	12288:eYjQk3/igUcFxMRhFbOW1RHWQdqruwqMrx2Kut4S/C31+0Lz+BcrZAae3ELIjH:J73/izexUFbOObwqMre4iC31HLSCrZAd
Threatray	3'114 similar samples on MalwareBazaar
TLSH	T128F4010163B89736E47A53F86934513813B63C0A61B4EF8F9EB2A5CF5C36B815811F6B
Reporter	abuse_ch
Tags:	exe SnakeKeylogger

Intelligence

File Origin

# of uploads :

# of downloads :

176

Origin country :

n/a

Vendor Threat Intelligence

Detection:

Snake

Link:

https://www.capesandbox.com/analysis/241504/

Detection(s):

SecuriteInfo.com.Trojan.Siggen16.42163.12743.1401.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

Sending a custom TCP request

Unauthorized injection to a recently created process

Creating a file

Launching the process to change network settings

Verdict:

Likely Malicious

Threat level:

7.5/10

Confidence:

100%

Tags:

obfuscated packed replace.exe update.exe

Link:

https://www.filescan.io/uploads/620b09dfa2660f3bb9d56dfe/reports/1ad42efe-2333-4bbc-89cf-7d2ccab7e5ff/overview

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Snake Keylogger

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/6db14395-43dc-4818-b016-b5d822a4e0dc

Result

Threat name:

Snake Keylogger

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/939862

Signature

.NET source code contains potential unpacker

.NET source code references suspicious native API functions

Found malware configuration

Injects a PE file into a foreign processes

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

May check the online IP address of the machine

Multi AV Scanner detection for submitted file

Sigma detected: Capture Wi-Fi password

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to harvest and steal WLAN passwords

Tries to steal Mail credentials (via file / registry access)

Uses netsh to modify the Windows network and firewall settings

Yara detected AntiVM3

Yara detected Snake Keylogger

Yara detected Telegram RAT

Behaviour

Behavior Graph:

Download SVG

Detection:

snakekeylogger

Link:

https://mwdb.cert.pl/sample/b2e786b08de5350314dadcab93bf6b41ae62006f1dc611cbcf60a246e1643138/

Threat name:

ByteCode-MSIL.Trojan.AgentTesla

Status:

Malicious

First seen:

2022-02-11 05:20:00 UTC

File Type:

PE (.Net Exe)

Extracted files:

AV detection:

28 of 43 (65.12%)

Threat level:

5/5

Verdict:

malicious

SnakeKeylogger

3e198db7957682b5111d4a3184697b5addda7e6a031643be34ac60a8e43f1d6d

SnakeKeylogger

4b42b08f71663433e141c099172c2fb0f694068fd0cd28c7ff44bacc72b0b670

SnakeKeylogger

4caa0ca1608f5982bbedace751bde8798f481a68e44542f9c834d0774ad1e1e0

SnakeKeylogger

8a2a6b216395521669c364a3f7478688a495e007c1e547db45a94780e32663f9

SnakeKeylogger

9671b4f2b7a6424eacbc9cbf0e5f7a8ad8d01fe6bad328c8bc6fecdc670a4261

SnakeKeylogger

a6c24707be3c73bc3f82c0c2992824355c2f8300027e45598fc850628890cb57

SnakeKeylogger

b95a01b8b7d6c29696f7cba379e4c37cfd8e6bf236e8559271b779615a9f0b81

SnakeKeylogger

ca5bfc42daf3182e19891fca776764678e338143367bc203cdf598e72eb32293

SnakeKeylogger

d54edb4986821e6032b6d63787036b23d7e04b95a95a5d4487b7cd306958ffc4

SnakeKeylogger

+ 3'104 additional samples on MalwareBazaar

Result

Malware family:

snakekeylogger

Score:

10/10

Tags:

family:snakekeylogger collection keylogger spyware stealer

Link:

https://tria.ge/reports/220215-cgpdwscbbk/

Behaviour

Checks processor information in registry

Modifies data under HKEY_USERS

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

outlook_office_path

outlook_win_path

Drops file in Windows directory

Suspicious use of SetThreadContext

Accesses Microsoft Outlook profiles

Looks up external IP address via web service

Reads data files stored by FTP clients

Reads user/profile data of local email clients

Reads user/profile data of web browsers

Snake Keylogger

Snake Keylogger Payload

Unpacked files

SH256 hash:

5c9afb00cf1efbcadf95db607788c0e8cc0ab2eb63557030da0345c948f25f18

MD5 hash:

f16ee9fa04cda362be260b35ec20bfeb

SHA1 hash:

ea978722f9152ef0b9791b1a24fc18c9ab2bc8a4

Link:

https://www.unpac.me/results/a99daa4f-9dfc-49fe-bd89-9526fab9432a/

SH256 hash:

c1a44404ff27f6ee7fa23cf4f4177ba566fa0e24f976bbeac64845832233b033

MD5 hash:

58d39653e2388d99af14812c464eed7b

SHA1 hash:

e61498bf87597b59ef7164c6a9c2fe6494b5b9fb

Link:

https://www.unpac.me/results/a99daa4f-9dfc-49fe-bd89-9526fab9432a/

SH256 hash:

f365b92b11041eed57b6f7534e83e04167fce1cfacc570e79335292f3c0ea8aa

MD5 hash:

9147a2ef317fe384182d1281e5af8110

SHA1 hash:

bbe360e6eca29a32e1f787e1416ddad4d35dcf1a

Link:

https://www.unpac.me/results/a99daa4f-9dfc-49fe-bd89-9526fab9432a/

SH256 hash:

944d1ad5dd4754f1c56257ee3f826d8fc0c82c281af1bccebdb0d3288685ac7a

MD5 hash:

c41a971e992d506ce77ac672238915ee

SHA1 hash:

25d8a90381170433491bb77dac6259f295c7454b

Link:

https://www.unpac.me/results/a99daa4f-9dfc-49fe-bd89-9526fab9432a/

SH256 hash:

b2e786b08de5350314dadcab93bf6b41ae62006f1dc611cbcf60a246e1643138

MD5 hash:

53fb27028f098d1df6e3c664ad545afe

SHA1 hash:

91e5bc2e60816cfaa31b77284d6325acbfa4b0bc

Link:

https://www.unpac.me/results/a99daa4f-9dfc-49fe-bd89-9526fab9432a/

Malware family:

Phoenix

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/b2e786b08de5/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Suspicious File

Score:

0.65

Link:

https://yomi.yoroi.company/submissions/b2e786b08de5350314dadcab93bf6b41ae62006f1dc611cbcf60a246e1643138

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	pe_imphash Create hunting rule

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/241504/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample