MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 b7e2d2bd3c82baadf1eb87f332377a23ce5c8b87ece4a7d58699157c5a470f59. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

SnakeKeylogger

Vendor detections: 9

Intelligence 9 IOCs YARA 5 File information Comments

SHA256 hash:	b7e2d2bd3c82baadf1eb87f332377a23ce5c8b87ece4a7d58699157c5a470f59
SHA3-384 hash:	3f8a54c224ebd6ac4d0c24522f7fd99d5a30d1cd5ccbf60421d4156fdb47e6ec1a13a0f1b100de92fdc4ee404f9c3e42
SHA1 hash:	3112a3a8e318e95e625e9c4230e285235bf64ca0
MD5 hash:	1d83d4cc2dc21a8ecf3aa9d253c5ca87
humanhash:	moon-delta-two-eleven
File name:	854F1E97-5DBB-4A87-A566-33D9012B05E2 pdf.exe
Download:	download sample
Signature	SnakeKeylogger Create hunting rule
File size:	75'776 bytes
First seen:	2022-07-13 12:39:53 UTC
Last seen:	2022-07-22 12:06:54 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'797 x AgentTesla, 19'709 x Formbook, 12'278 x SnakeKeylogger)
ssdeep	1536:YGAHHXOUesdIS/Q1OeLKGLj4kND7yVQGSBLVgOb1pTvPX7HbA6q60dJiarX1ETwM:XTNVECb1pTvPr7A6q6IJiarXAwLMJzCS
Threatray	5'172 similar samples on MalwareBazaar
TLSH	T1F373BFA0E754D9F5E806127EC977D8F53023BD69D9B10C1B31AD7E2AB97334290E680B
TrID	72.5% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13) 10.4% (.EXE) Win64 Executable (generic) (10523/12/4) 6.5% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 4.4% (.EXE) Win32 Executable (generic) (4505/5/1) 2.0% (.EXE) OS/2 Executable (generic) (2029/13)
File icon (PE):
dhash icon	4d4dcdd4c4587895 (1 x SnakeKeylogger)
Reporter	abuse_ch
Tags:	exe SnakeKeylogger

Intelligence

File Origin

# of uploads :

# of downloads :

231

Origin country :

n/a

Vendor Threat Intelligence

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/287044/

Detection(s):

SecuriteInfo.com.Trojan.Downloader.10124.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

Сreating synchronization primitives

DNS request

Sending a custom TCP request

Launching a process

Creating a process with a hidden window

Verdict:

Suspicious

Threat level:

5/10

Confidence:

100%

Tags:

packed

Link:

https://www.filescan.io/uploads/62cebdab0b00dfa734ec4926/reports/4658eda1-b674-4ea1-8acc-49ca89e53e2b/overview

Result

Verdict:

SUSPICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/fd9bbddc-d336-4d99-80d7-f78157269d58

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/b7e2d2bd3c82baadf1eb87f332377a23ce5c8b87ece4a7d58699157c5a470f59/

Threat name:

ByteCode-MSIL.Trojan.SnakeKeylogger

Status:

Malicious

First seen:

2022-07-13 09:52:19 UTC

File Type:

PE (.Net Exe)

Extracted files:

AV detection:

19 of 26 (73.08%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=w7rnfpj4qk5k34plq7zten32ephfzc4h5tskpvmgtekxywshb5mq._file

Verdict:

malicious

SnakeKeylogger

32df08aad657ce92e28ff241d127158682cfea1d9260ba44fc5b06bcf4ac7612

SnakeKeylogger

7501983c1a978a1a77485daf4811f9bebe31c18f28d95d456402b27860289c1f

SnakeKeylogger

7d343083e149e5d4e396c15eb6c1b23beb53c864f554b4d72ee364a1b587a274

SnakeKeylogger

b189ba60839a515b25f12ed2af1f67f2874806e23611ee8d12584d07db10b4b9

SnakeKeylogger

c7725dacf76779cf2802a0dcc23598cbc1d5f5d7a1dad90a3fbadfa5bf21d825

SnakeKeylogger

c9151e8571e2c7030ef3670eff006139e6d8770eb4e2fcb11883a7b85b5133fd

SnakeKeylogger

d20fa082b9fb505b6f694b65d21580dfcb62493cd84fdb2e080d42efa0df1c70

SnakeKeylogger

d9d77012eb626662ef5c28583d9627b5be68b69756c9f815963c3cb5b67000c7

SnakeKeylogger

+ 5'162 additional samples on MalwareBazaar

Result

Malware family:

snakekeylogger

Score:

10/10

Tags:

family:snakekeylogger collection keylogger stealer

Link:

https://tria.ge/reports/220713-pv7hvaebcj/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

outlook_office_path

outlook_win_path

Enumerates physical storage devices

Suspicious use of SetThreadContext

Accesses Microsoft Outlook profiles

Looks up external IP address via web service

Checks computer location settings

Snake Keylogger

Snake Keylogger payload

Malware Config

C2 Extraction:

https://api.telegram.org/bot5412895406:AAEj-XWjEH6Xgz-M_j2Kpqqdv6KOeN4GaH0/sendMessage?chat_id=1467583453

Unpacked files

SH256 hash:

b7e2d2bd3c82baadf1eb87f332377a23ce5c8b87ece4a7d58699157c5a470f59

MD5 hash:

1d83d4cc2dc21a8ecf3aa9d253c5ca87

SHA1 hash:

3112a3a8e318e95e625e9c4230e285235bf64ca0

Link:

https://www.unpac.me/results/3b0ae45f-fefa-4de6-884a-3c3afcdb9661/

Malware family:

SnakeKeylogger

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/b7e2d2bd3c82/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Suspicious File

Score:

0.35

Link:

https://yomi.yoroi.company/submissions/b7e2d2bd3c82baadf1eb87f332377a23ce5c8b87ece4a7d58699157c5a470f59

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	INDICATOR_SUSPICIOUS_EXE_DiscordURL Create hunting rule
Author:	ditekSHen
Description:	Detects executables Discord URL observed in first stage droppers

Rule name:	pe_imphash Create hunting rule

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

Rule name:	SUSP_Discord_Attachments_URL Create hunting rule
Author:	SECUINFRA Falcon Team
Description:	Detects a PE file that contains an Discord Attachments URL. This is often used by Malware to download further payloads

Rule name:	SUSP_PE_Discord_Attachment_Oct21_1 Create hunting rule
Author:	Florian Roth
Description:	Detects suspicious executable with reference to a Discord attachment (often used for malware hosting on a legitimate FQDN)
Reference:	Internal Research

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/287044/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample