MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 b4898d7fdf1a32cf0f09c60cc874e704e3d9e4bac9bd6407d13cc5ecc7fe56f7. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


SnakeKeylogger


Vendor detections: 12


Intelligence 12 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: b4898d7fdf1a32cf0f09c60cc874e704e3d9e4bac9bd6407d13cc5ecc7fe56f7
SHA3-384 hash: ebe7d927c8663377ec9f26186c6c41f798df0190f089249163d2dfdcb3ff856e5c51fc0196e2acfe27b879b6c0d92c28
SHA1 hash: 1c267718286e947bcae139c9f37cdb7d21c1f739
MD5 hash: 7ec6bfd61cbd6acddca22103628d95f3
humanhash: winter-moon-kitten-helium
File name:Export Catalogue_Pricelist_ 2022.pdf.exe
Download: download sample
Signature SnakeKeylogger
Create hunting rule
File size:597'504 bytes
First seen:2022-06-08 08:42:05 UTC
Last seen:2022-06-08 10:03:36 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'744 x AgentTesla, 19'608 x Formbook, 12'242 x SnakeKeylogger)
ssdeep 12288:oi54jiy6sYsINMcYtueZVPEKbXZZraVrrHl3CiUuh/bo9q:PybUYtuerEKiVrrRoulbo
Threatray 1'680 similar samples on MalwareBazaar
TLSH T1C6D4121477ED0792CA7E47FED47900404BB06222951BFB4E1E8A74EA1F27BD2C662727
TrID 64.2% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
11.5% (.SCR) Windows screen saver (13101/52/3)
9.2% (.EXE) Win64 Executable (generic) (10523/12/4)
5.7% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
3.9% (.EXE) Win32 Executable (generic) (4505/5/1)
Reporter abuse_ch
Tags:exe SnakeKeylogger

Intelligence

File Origin
# of uploads :
2
# of downloads :
277
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
Export Catalogue_Pricelist_ 2022.pdf.exe
Verdict:
Malicious activity
Analysis date:
2022-06-08 22:24:51 UTC
Tags:
evasion trojan snake
Link:
https://app.any.run/tasks/e87ee365-32cb-4777-9830-e3cdc6fc377c

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/277684/
Detection(s):
SecuriteInfo.com.Trojan.PWS.Stealer.23680.7560.5004.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Creating a window
Сreating synchronization primitives
Creating a file in the %AppData% directory
Enabling the 'hidden' option for recently created files
Adding an access-denied ACE
Creating a process from a recently created file
Creating a process with a hidden window
Creating a file in the %temp% directory
Launching a process
Enabling autorun by creating a file
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
obfuscated packed update.exe
Link:
https://www.filescan.io/uploads/62a061218e867832d9e649e3/reports/0548585f-845e-4d1c-9e80-c602e737e01e/overview
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Snake Keylogger
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/aafde94e-fa5e-425c-ace1-e11cecb05047
Result
Threat name:
Snake Keylogger
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1008848
Signature
.NET source code references suspicious native API functions
Adds a directory exclusion to Windows Defender
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Malicious sample detected (through community Yara rule)
May check the online IP address of the machine
Snort IDS alert for network traffic
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Mail credentials (via file / registry access)
Uses an obfuscated file name to hide its real file extension (double extension)
Uses schtasks.exe or at.exe to add and modify task schedules
Uses the Telegram API (likely for C&C communication)
Yara detected AntiVM3
Yara detected Generic Downloader
Yara detected Snake Keylogger
Yara detected Telegram RAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 641345 Sample: Export Catalogue_Pricelist_... Startdate: 08/06/2022 Architecture: WINDOWS Score: 100 35 Snort IDS alert for network traffic 2->35 37 Malicious sample detected (through community Yara rule) 2->37 39 Yara detected Telegram RAT 2->39 41 11 other signatures 2->41 7 Export Catalogue_Pricelist_ 2022.pdf.exe 7 2->7         started        process3 file4 25 C:\Users\user\AppData\Roaming\BxbzOziA.exe, PE32 7->25 dropped 27 C:\Users\user\AppData\Local\...\tmpC521.tmp, XML 7->27 dropped 43 Adds a directory exclusion to Windows Defender 7->43 45 Injects a PE file into a foreign processes 7->45 11 Export Catalogue_Pricelist_ 2022.pdf.exe 15 2 7->11         started        15 powershell.exe 24 7->15         started        17 schtasks.exe 1 7->17         started        19 Export Catalogue_Pricelist_ 2022.pdf.exe 7->19         started        signatures5 process6 dnsIp7 29 checkip.dyndns.com 193.122.6.168, 49781, 80 ORACLE-BMC-31898US United States 11->29 31 checkip.dyndns.org 11->31 33 api.telegram.org 149.154.167.220, 443, 49783, 49787 TELEGRAMRU United Kingdom 11->33 47 Tries to steal Mail credentials (via file / registry access) 11->47 49 Tries to harvest and steal ftp login credentials 11->49 51 Tries to harvest and steal browser information (history, passwords, etc) 11->51 21 conhost.exe 15->21         started        23 conhost.exe 17->23         started        signatures8 process9
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/b4898d7fdf1a32cf0f09c60cc874e704e3d9e4bac9bd6407d13cc5ecc7fe56f7/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2022-06-08 02:23:46 UTC
File Type:
PE (.Net Exe)
Extracted files:
21
AV detection:
20 of 26 (76.92%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=wsey2767dizm6dyjyygmq5hhatr5tzf2zg6wib6rhtc6zr76k33q._file
Verdict:
malicious
Similar samples:
00509d2de60dcdf523ea44b90e5dbbb510f6298bcd9810686ea625d33160176e
SnakeKeylogger
06bf758c09b920259a4408855cdcac6a5d09d30370a32ec500cc90b1bf057e17
SnakeKeylogger
26179d1a09bd8ba828aa47a001dfc66df53a6ec1138eae15ae067b19db45b2cf
SnakeKeylogger
51a28140eb38dc879d567ab3909ba4b555f861ce1f5b603d2aeff4b47baedcd4
SnakeKeylogger
8397c04c6cebbfcb4ffbc18722a72e8485626304db1fb5c83875e1d64b873a23
SnakeKeylogger
b0e427b8e2db98edeea688cda0c6b0e33f936fae3a7b09b529a85a6190083df4
SnakeKeylogger
b7bf1de793e0d6dfa04d392dc0d9f3c51a45aee617e7ec27c95d5c2d6ac054d5
SnakeKeylogger
b7c289867d067d3d8f47d1d0b3e0fe63a7d18ebd8c8572037197aed2605a75ed
SnakeKeylogger
cb65b3fc65a1a1c68f0d8bbf3d46f3fe49063f0065ef5cbed58029136169c01a
SnakeKeylogger
e80c7b13d628b8269181e5ff4ab5b319b228281f519c74e741da00927be13420
SnakeKeylogger
+ 1'670 additional samples on MalwareBazaar
Result
Malware family:
snakekeylogger
Create hunting rule
Score:
  10/10
Tags:
family:snakekeylogger collection keylogger spyware stealer
Link:
https://tria.ge/reports/220608-kl3q3saca2/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Enumerates physical storage devices
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Looks up external IP address via web service
Checks computer location settings
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Snake Keylogger
Snake Keylogger Payload
Malware Config
C2 Extraction:
https://api.telegram.org/bot5306431129:AAG7zqjMGo9xbTMSQp71EZzjHAmdrkeQ3aI/sendMessage?chat_id=1856108848
Unpacked files
SH256 hash:
e06f4a0017eecec88a3778f85deced0403d99a8de3bfe7432dcf5a893868236a
MD5 hash:
35e882bdcc9742ddb7a1fa41db031b76
SHA1 hash:
e2c1aaa7cab0ba1f52d9ac5424111688ef3af5b9
Link:
https://www.unpac.me/results/4e0da083-8ccb-427e-8b79-b2a3079e3f9b/
SH256 hash:
3bac7fd86b3bfc995608d22b63a2b30890f74542b04d25b604749eedbc7772d4
MD5 hash:
fa5b618548e39c45b96a0a656b895d5e
SHA1 hash:
df856f031bba4f4510cdd7fb3b595512d83def98
Link:
https://www.unpac.me/results/4e0da083-8ccb-427e-8b79-b2a3079e3f9b/
SH256 hash:
cfa8af02145ecd04d062936da832de19f450fc4b303074ad6e92517d321cdc8e
MD5 hash:
5e977fa9adf90cf0dded0de5c81bffe8
SHA1 hash:
bf193848f1c8b061895709c218b701b679dbdcec
Link:
https://www.unpac.me/results/4e0da083-8ccb-427e-8b79-b2a3079e3f9b/
SH256 hash:
4b3059a1fcd6c58c7fc4e574766133e89e95cb0fe6631b7f4aee664370c2571d
MD5 hash:
97f6ddc9c7e648e589849d8d6466bc18
SHA1 hash:
1104888244c872d5726728e0cb05ae6edaabf2bf
Link:
https://www.unpac.me/results/4e0da083-8ccb-427e-8b79-b2a3079e3f9b/
SH256 hash:
b4898d7fdf1a32cf0f09c60cc874e704e3d9e4bac9bd6407d13cc5ecc7fe56f7
MD5 hash:
7ec6bfd61cbd6acddca22103628d95f3
SHA1 hash:
1c267718286e947bcae139c9f37cdb7d21c1f739
Link:
https://www.unpac.me/results/4e0da083-8ccb-427e-8b79-b2a3079e3f9b/
Malware family:
SnakeKeylogger
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/b4898d7fdf1a/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/b4898d7fdf1a32cf0f09c60cc874e704e3d9e4bac9bd6407d13cc5ecc7fe56f7

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

SnakeKeylogger

Executable exe b4898d7fdf1a32cf0f09c60cc874e704e3d9e4bac9bd6407d13cc5ecc7fe56f7

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/277684/

Comments