MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 b43c354874e511906b2a3abef9db96af2a2d0aec46c8d04fe7357bcebdf03a4f. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

SnakeKeylogger

Vendor detections: 13

Intelligence 13 IOCs YARA 11 File information Comments

SHA256 hash:	b43c354874e511906b2a3abef9db96af2a2d0aec46c8d04fe7357bcebdf03a4f
SHA3-384 hash:	0509b1af59cd68ddd2bfe91bc7a7acf5514999ed0958610557354bb552ac3c9f8ce7dd0024a5082af8eff51cda667761
SHA1 hash:	090ca28c08c27505814063f71a7c719c307d6b16
MD5 hash:	c5b04e4ff247329d610c625fcc86201b
humanhash:	uncle-thirteen-virginia-hotel
File name:	QUOTATION 3000458.exe
Download:	download sample
Signature	SnakeKeylogger Create hunting rule
File size:	716'288 bytes
First seen:	2023-03-15 15:15:06 UTC
Last seen:	2023-03-15 16:56:06 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'666 x AgentTesla, 19'479 x Formbook, 12'209 x SnakeKeylogger)
ssdeep	12288:gCx0c7pjoE8Q7WkqxwHqcYWLeS2nec3ATVu8Z3JGRTw:gC2gpr3zqiqc1SN93ATDpJT
Threatray	4'710 similar samples on MalwareBazaar
TLSH	T184E4120CB6AC4156CA2F767B86A209448335ED1D8722DBAF1EC574331EF1BCCEA42D56
TrID	71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13) 10.2% (.EXE) Win64 Executable (generic) (10523/12/4) 6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 4.3% (.EXE) Win32 Executable (generic) (4505/5/1) 2.0% (.ICL) Windows Icons Library (generic) (2059/9)
Reporter	abuse_ch
Tags:	exe SnakeKeylogger

Intelligence

File Origin

# of uploads :

# of downloads :

214

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

QUOTATION 3000458.exe

Verdict:

Malicious activity

Analysis date:

2023-03-15 15:19:08 UTC

Tags:

snake keylogger trojan evasion

Link:

https://app.any.run/tasks/33798f1d-ba21-47ec-8e5f-5f69524e46ac

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/374563/

Detection(s):

SecuriteInfo.com.Trojan.PackedNET.1889.11866.26370.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Searching for the window

Creating a window

Sending a custom TCP request

Сreating synchronization primitives

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

packed

Link:

https://www.filescan.io/uploads/6411e134e835ac64d683b3e3/reports/9a3024a9-57ce-4e1a-9145-89a41178d1b8/overview

Verdict:

Malicious

Labled as:

Win/malicious_confidence_100%

Link:

https://www.hybrid-analysis.com/sample/b43c354874e511906b2a3abef9db96af2a2d0aec46c8d04fe7357bcebdf03a4f

Result

Verdict:

UNKNOWN

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Generic Malware

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/dc8442d2-8ece-48bb-b173-2ef3cee5987d

Result

Threat name:

Snake Keylogger

Detection:

malicious

Classification:

troj.spyw

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1194435

Signature

Initial sample is a PE file and has a suspicious name

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

May check the online IP address of the machine

Multi AV Scanner detection for submitted file

Snort IDS alert for network traffic

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to steal Mail credentials (via file / registry access)

Yara detected Generic Downloader

Yara detected Snake Keylogger

Yara detected Telegram RAT

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/b43c354874e511906b2a3abef9db96af2a2d0aec46c8d04fe7357bcebdf03a4f/

Threat name:

ByteCode-MSIL.Trojan.AgentTesla

Status:

Malicious

First seen:

2023-03-15 13:17:18 UTC

File Type:

PE (.Net Exe)

Extracted files:

AV detection:

21 of 39 (53.85%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=wq6dksdu4uiza2zkhk7ptw4wv4vc2cxmi3enat7hgv545ppqhjhq._file

Verdict:

malicious

SnakeKeylogger

08e04faa04ed269f7378476ccf3296ef3ed403817ca6ec26277a4d4fe82bce3e

SnakeKeylogger

1896efa72cff54069401ed803a33765d3f6ca525aba0be3c5d7f27c9f9e02269

SnakeKeylogger

36de80967b905a8119ff8a5f0871dc21086ff79c04ce3955662548c3e372de52

SnakeKeylogger

37060f2c77a3ef9365f60835a9a3c2e7f524095952a18bb805c6acbbd6388cd6

SnakeKeylogger

606157eb85fa1f90ad5b6def0cbddc1445298156aecb9da21bcc925e6cd7638c

SnakeKeylogger

77d6ae2c1312c08d5498931b983dc91a60721f86170ace8d47f9e3e33cc6bae6

SnakeKeylogger

b33a98ce498846037fd68b2055d835464a1350c9c067e250689a2be1f17dc987

SnakeKeylogger

d3277817e3f5dd9265d3797ceb8db5316f75c7f708f9ba2186d8380c7a6530c1

SnakeKeylogger

f2919d54bbf74198eb4bf4c43f7cbd394acff9af2e57f7b7ba9e59fd6a57f79c

SnakeKeylogger

+ 4'700 additional samples on MalwareBazaar

Result

Malware family:

snakekeylogger

Score:

10/10

Tags:

family:snakekeylogger collection keylogger spyware stealer

Link:

https://tria.ge/reports/230315-smyshsdh26/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

outlook_office_path

outlook_win_path

Suspicious use of SetThreadContext

Accesses Microsoft Outlook profiles

Looks up external IP address via web service

Reads data files stored by FTP clients

Reads user/profile data of local email clients

Reads user/profile data of web browsers

Snake Keylogger

Snake Keylogger payload

Malware Config

C2 Extraction:

https://api.telegram.org/bot5300146648:AAHnGWyIYhkCfGzD7b3SfmLZj94Y8lXxD90/sendMessage?chat_id=5116181161

Unpacked files

SH256 hash:

d253e991b0afb6b3e9cfaf8dce2e56c93e6ac838ce8f4a6c1c0b4752527009c6

MD5 hash:

915aa3d78cab8eb6920c2cf8ab39e6a1

SHA1 hash:

f4dc2ac541b600883e4648aafbc92f5e0b1811f0

Detections:

snake_keylogger

Link:

https://www.unpac.me/results/31b8733e-795a-491f-9001-79c931322860/

Parent samples :

9432b4cd9f8a31640bf60b6cf8bece39ee0b0f110d2d43e429d9d203e1feaf41
8d31760b4b183db7fbb1cce9c5dab77e264c27484eb49193c6ebd0cc1deeaccf
808af00d1b4ec59a042cfa6d2a46549fca9d2d588847287bab70321622e008cd
05bec361a7f7ce8bb453225e15f0911068f103c51eee5e553f783955f65ed54c
54bae76ab64ae74ef5b97cef8aaffa2ec1254df6fea46d54c1387b6f5d5fb025
b43c354874e511906b2a3abef9db96af2a2d0aec46c8d04fe7357bcebdf03a4f
7e039e4d466d67e2e7fe4cf46aa141db13f2454161ebc86ec1dd02c33113d154
34ae82b3da999e17e5b62fae65be1827e3f6a54c599c68f1a02666772b70eb09
d4086b64b176925017dd2db176cb3754e172bcec944037e1f3ea53ce48c1303f
e6c7bf9f389f560ec25ba1808468c5d334cf75d2142face3704aac05af8c024b
c9234000f8f576a39a7d2a957826094c1c0e37b141ef26ee2e8e36a62e09805a
92f0a55426e5040dc80133f908906acddaa338792783507fb0bb62d5b786c3ce
0f629b4e11087c4e000457daa326269c1ed26198d5a5e8f963d10e0be9dd77a7
4df7854ec37d3d2d2f8b87ef3811ac4b4ea2f16c0d37329a91a4ebeca78337fb
d253e991b0afb6b3e9cfaf8dce2e56c93e6ac838ce8f4a6c1c0b4752527009c6

SH256 hash:

3dc7aeb5af08ce43f269dd7cefb350a96a321360065ea83867979d5b462a6e1b

MD5 hash:

098b84e8802db77f77bbe722cf788f8d

SHA1 hash:

ccd002be9a76ad0f4221976b47db11a87b971988

Link:

https://www.unpac.me/results/31b8733e-795a-491f-9001-79c931322860/

SH256 hash:

1dc47b1bfdfe682dd4cde239abb7040c3348cd7d3dca4d62eb9f053f4e6c54fd

MD5 hash:

eb342ae914b040276f8cd75c04644e94

SHA1 hash:

a9797ce99f8d0f269865fd08d654a718ec156ac4

Link:

https://www.unpac.me/results/31b8733e-795a-491f-9001-79c931322860/

SH256 hash:

d06df7395d561e198f9b7c5481567116ff2e4c2e84437c018d2a2c8ea6c4ca37

MD5 hash:

0fb6061f7d37424fb9e6d0e76b019c19

SHA1 hash:

98a64bf7b459f032d6ec5793003bf61b5ae1dd74

Link:

https://www.unpac.me/results/31b8733e-795a-491f-9001-79c931322860/

Parent samples :

495607b1aef01bf7dfb64b5cb16a8fc0f161c2923627d71c69de97328f8eca3f
2434aa78b46a3afc98fa6e888c3eb56278ba52b0ff800e7e875af9c2e7f9011a

SH256 hash:

916cc7ae2dbcdaf5a5abe55ccff373c0229a090989c57c9bd0a15171858614ef

MD5 hash:

723b6fbd6452cc15d25e34b2ca5f1beb

SHA1 hash:

288d44c44702e35551eedf509720dfb25917083e

Link:

https://www.unpac.me/results/31b8733e-795a-491f-9001-79c931322860/

SH256 hash:

b43c354874e511906b2a3abef9db96af2a2d0aec46c8d04fe7357bcebdf03a4f

MD5 hash:

c5b04e4ff247329d610c625fcc86201b

SHA1 hash:

090ca28c08c27505814063f71a7c719c307d6b16

Link:

https://www.unpac.me/results/31b8733e-795a-491f-9001-79c931322860/

Malware family:

SnakeKeylogger

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/b43c354874e5/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Suspicious File

Score:

0.45

Link:

https://yomi.yoroi.company/submissions/b43c354874e511906b2a3abef9db96af2a2d0aec46c8d04fe7357bcebdf03a4f

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	INDICATOR_SUSPICIOUS_Binary_References_Browsers Create hunting rule
Author:	ditekSHen
Description:	Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers.

Rule name:	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook Create hunting rule
Author:	ditekSHen
Description:	Detects executables with potential process hoocking

Rule name:	INDICATOR_SUSPICIOUS_EXE_References_Messaging_Clients Create hunting rule
Author:	ditekSHen
Description:	Detects executables referencing many email and collaboration clients. Observed in information stealers

Rule name:	INDICATOR_SUSPICIOUS_EXE_TelegramChatBot Create hunting rule
Author:	ditekSHen
Description:	Detects executables using Telegram Chat Bot

Rule name:	MALWARE_Win_SnakeKeylogger Create hunting rule
Author:	ditekSHen
Description:	Detects Snake Keylogger

Rule name:	MAL_Envrial_Jan18_1 Create hunting rule
Author:	Florian Roth (Nextron Systems)
Description:	Detects Encrial credential stealer malware
Reference:	https://twitter.com/malwrhunterteam/status/953313514629853184

Rule name:	MAL_Envrial_Jan18_1_RID2D8C Create hunting rule
Author:	Florian Roth
Description:	Detects Encrial credential stealer malware
Reference:	https://twitter.com/malwrhunterteam/status/953313514629853184

Rule name:	pe_imphash Create hunting rule

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

Rule name:	Windows_Trojan_SnakeKeylogger_af3faa65 Create hunting rule
Author:	Elastic Security

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/374563/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample