MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 b537575965b350dc123f9eaa2aa3480cdaae7abb3d4cf17b87f0f2a7ebaefecb. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

SnakeKeylogger
Vendor detections: 9

SHA256 hash: b537575965b350dc123f9eaa2aa3480cdaae7abb3d4cf17b87f0f2a7ebaefecb
SHA3-384 hash: fec09ad84d1aa86f66e74401763e48ce9ef93d6a1a0a5955c1f7f53b4f2866c4b8a4c82a9cc871c047b52c356d5b670b
SHA1 hash: aea6c5cd5d81803a866b8ce2e7c9f04c7aad56f6
MD5 hash: 7a02cadb81b737d85fa769befb798f26
humanhash: summer-steak-foxtrot-gee
File name: 7a02cadb81b737d85fa769befb798f26
Signature: SnakeKeylogger
File size: 881'664 bytes
First seen: 2021-06-10 16:14:07 UTC
Last seen: 2021-06-10 16:40:42 UTC
File type: Executable exe
MIME type: application/x-dosexec
imphash: f34d5f2d4577ed6d9ceec516c1f5a744 (48'647 x AgentTesla, 19'451 x Formbook, 12'201 x SnakeKeylogger)
ssdeep: 12288:zqJYrb5/dUZ1wO8H5NS30nAUGgBHJB+A7yUju5KhuTtvF8siNGcAXxSujBShey2R:eJ/ZGZNSE1GgBpls
TLSH: DA15B39C366072DFC867DD72DAA81C64EA613476931FC207A02305ED9A0DA97DF246F3
Reporter: zbetcheckin
Tags: exe SnakeKeylogger

Intelligence

File Origin
# of uploads: 2
# of downloads: 136
Origin country: n/a

Vendor Threat Intelligence

Malware family: n/a
ID: 1
File name: PO.doc
Verdict: Malicious activity
Analysis date: 2021-06-10 14:34:32 UTC
Tags: exploit CVE-2017-11882 loader evasion trojan

Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict: Malware
Behaviour
Creating a window
Sending a UDP request
Sending a custom TCP request
Unauthorized injection to a recently created process
Creating a file
DNS request
Sending an HTTP GET request
Reading critical registry keys

Result
Verdict: MALICIOUS
Details: Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Result
Threat name: Snake Keylogger
Detection: malicious
Classification: troj.spyw.evad
Score: 100 / 100
Signature
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Found malware configuration
Injects a PE file into a foreign processes
May check the online IP address of the machine
Multi AV Scanner detection for submitted file
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Mail credentials (via file access)
Yara detected AntiVM3
Yara detected Beds Obfuscator
Yara detected Snake Keylogger

Threat name: ByteCode-MSIL.Trojan.AgentTesla
Status: Malicious
First seen: 2021-06-10 16:14:10 UTC
File Type: PE (.Net Exe)
Extracted files: 33
AV detection: 22 of 29 (75.86%)
Threat level: 5/5
Verdict: unknown

Result
Malware family: snakekeylogger
Score: 10/10
Tags: family:snakekeylogger keylogger spyware stealer
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Looks up external IP address via web service
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Snake Keylogger
Snake Keylogger Payload
Unpacked files
SHA256 hash: 987d11154fde63b560016c3ecc4615f35171f7e5a1cfc8a95fd1e4f58c7bd220
MD5 hash: e234ff86e5270049ccb435004adb7563
SHA1 hash: e1f52445b04555f5c7e89bf73ae5f5fe9f9b9add

SHA256 hash: 5bede9eedf6ae6df5a9d587c116c9583b31474c159c2b53486b000093cb3fde6
MD5 hash: 072eeac61b35d3f09edee4ff4f80f52d
SHA1 hash: 696fd9905a47e526470c2e234fef32f1ec1b74ad

SHA256 hash: 81d5889cdcb2e7203a91b0f73f432b3a1c19fd4d3e9043139fbae232035aedf2
MD5 hash: c6fc16f7f54765306b8f58170c88c3b7
SHA1 hash: 3df851f381beb62ba9c44dfc4f23fffa9ead5350

SHA256 hash: b537575965b350dc123f9eaa2aa3480cdaae7abb3d4cf17b87f0f2a7ebaefecb
MD5 hash: 7a02cadb81b737d85fa769befb798f26
SHA1 hash: aea6c5cd5d81803a866b8ce2e7c9f04c7aad56f6

Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: INDICATOR_EXE_Packed_ConfuserExMod_BedsProtector
Author: ditekSHen
Description: Detects executables packed with ConfuserEx Mod Beds Protector

Rule name: Keylog_bin_mem
Author: James_inthe_box
Description: Contains Keylog

Rule name: MALWARE_Win_SnakeKeylogger
Author: ditekSHen
Description: Detects Snake Keylogger

Rule name: pe_imphash

Rule name: Skystars_Malware_Imphash
Author: Skystars LightDefender
Description: imphash

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method: Web download
Signature: SnakeKeylogger
File type: Executable exe
SHA256: b537575965b350dc123f9eaa2aa3480cdaae7abb3d4cf17b87f0f2a7ebaefecb (this sample)

Delivery method
Distributed via web download
