MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 b9ed8249ab457dd79fca9d3d2c1d98efcc24e90d1f3a9cbab9741434f30f790b. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


SnakeKeylogger


Vendor detections: 15


Intelligence 15 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: b9ed8249ab457dd79fca9d3d2c1d98efcc24e90d1f3a9cbab9741434f30f790b
SHA3-384 hash: f41b3a54eb747e2b4fed5376f5419c6601d0d0dc3593ce04a25354c632ad822c5b338c054e8ee14db6042a76a6bec2df
SHA1 hash: 00495a5b7b25d536ca6b00bffdd3d393473596f9
MD5 hash: aeabe20e0e3be1c8f518e4d0f1c3cab0
humanhash: tennessee-princess-avocado-india
File name:aeabe20e0e3be1c8f518e4d0f1c3cab0.exe
Download: download sample
Signature SnakeKeylogger
Create hunting rule
File size:659'968 bytes
First seen:2023-07-03 08:07:07 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 12288:39XncxbhgiIpoAzaolJ0UCA0fBSlnmDp+VsvcQXLud8:imiIv2MSf5omDBkQXLK8
Threatray 107 similar samples on MalwareBazaar
TLSH T1A9E4383829BCA3A7D034C6F48FD5A423F764952B3025EEE5ACC253994752F1225E363E
TrID 71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.2% (.EXE) Win64 Executable (generic) (10523/12/4)
6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.3% (.EXE) Win32 Executable (generic) (4505/5/1)
2.0% (.ICL) Windows Icons Library (generic) (2059/9)
File icon (PE):PE icon
dhash icon 32ceaeaeb2968eca (42 x SnakeKeylogger, 23 x Loki, 9 x AgentTesla)
Reporter abuse_ch
Tags:exe SnakeKeylogger

Intelligence

File Origin
# of uploads :
1
# of downloads :
255
Origin country :
NL NL
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
aeabe20e0e3be1c8f518e4d0f1c3cab0.exe
Verdict:
Malicious activity
Analysis date:
2023-07-03 08:13:01 UTC
Tags:
evasion snake keylogger trojan
Link:
https://app.any.run/tasks/93926e5c-52bc-4178-8be4-929a158c6ae8

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Snake
Create hunting rule
Link:
https://www.capesandbox.com/analysis/405751/
Detection(s):
SecuriteInfo.com.Trojan.GenericKDZ.101466.18484.23362.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Creating a window
Сreating synchronization primitives
Creating a process with a hidden window
Launching a process
Restart of the analyzed sample
Adding an exclusion to Microsoft Defender
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
packed
Link:
https://www.filescan.io/uploads/64a281e2fec95302e26329b9/reports/ce2a7c1f-7562-42bb-bf80-46027d9cac2e/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_100%
Link:
https://www.hybrid-analysis.com/sample/b9ed8249ab457dd79fca9d3d2c1d98efcc24e90d1f3a9cbab9741434f30f790b
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Snake Keylogger
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/b0df220a-2823-42fb-b7e7-639c9ff884a5
Result
Threat name:
Snake Keylogger
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1266156
Signature
.NET source code contains potential unpacker
.NET source code contains very large strings
Adds a directory exclusion to Windows Defender
Found malware configuration
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
May check the online IP address of the machine
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Scheduled temp file as task from temp location
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected Generic Downloader
Yara detected Snake Keylogger
Yara detected Telegram RAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 1266156 Sample: JYb5igFk46.exe Startdate: 03/07/2023 Architecture: WINDOWS Score: 100 52 Found malware configuration 2->52 54 Malicious sample detected (through community Yara rule) 2->54 56 Sigma detected: Scheduled temp file as task from temp location 2->56 58 7 other signatures 2->58 7 JYb5igFk46.exe 7 2->7         started        11 FuoLkeatOZtsSs.exe 5 2->11         started        process3 file4 36 C:\Users\user\AppData\...\FuoLkeatOZtsSs.exe, PE32 7->36 dropped 38 C:\...\FuoLkeatOZtsSs.exe:Zone.Identifier, ASCII 7->38 dropped 40 C:\Users\user\AppData\Local\...\tmp8902.tmp, XML 7->40 dropped 42 C:\Users\user\AppData\...\JYb5igFk46.exe.log, ASCII 7->42 dropped 60 May check the online IP address of the machine 7->60 62 Uses schtasks.exe or at.exe to add and modify task schedules 7->62 64 Adds a directory exclusion to Windows Defender 7->64 13 JYb5igFk46.exe 15 2 7->13         started        17 powershell.exe 21 7->17         started        19 schtasks.exe 1 7->19         started        66 Multi AV Scanner detection for dropped file 11->66 68 Machine Learning detection for dropped file 11->68 70 Injects a PE file into a foreign processes 11->70 21 FuoLkeatOZtsSs.exe 11->21         started        23 schtasks.exe 11->23         started        signatures5 process6 dnsIp7 46 checkip.dyndns.org 13->46 48 checkip.dyndns.com 193.122.130.0, 49700, 49706, 80 ORACLE-BMC-31898US United States 13->48 25 WerFault.exe 24 9 13->25         started        28 conhost.exe 17->28         started        30 conhost.exe 19->30         started        50 checkip.dyndns.org 21->50 72 Tries to steal Mail credentials (via file / registry access) 21->72 74 Tries to harvest and steal browser information (history, passwords, etc) 21->74 32 WerFault.exe 21->32         started        34 conhost.exe 23->34         started        signatures8 process9 file10 44 C:\ProgramData\Microsoft\...\Report.wer, Unicode 25->44 dropped
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/b9ed8249ab457dd79fca9d3d2c1d98efcc24e90d1f3a9cbab9741434f30f790b/
Threat name:
ByteCode-MSIL.Trojan.Taskun
Create hunting rule
Status:
Malicious
First seen:
2023-06-29 09:34:55 UTC
File Type:
PE (.Net Exe)
Extracted files:
28
AV detection:
22 of 37 (59.46%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=xhwyesnliv65ph6ktu6syhmy57gcj2ind45jzovzoqkdj4yppefq._file
Verdict:
malicious
Similar samples:
024bfd09e9c0b5a0c81d377dc99b2a441f6651480c63b5ece0a4be575d659c25
SnakeKeylogger
0dfed6a80612475d64b34d2c0264f41ee06da61747fd3086786bcbc61212daf3
SnakeKeylogger
2fafb501cd734bb370ebf3a5e7b49089620aa4c4556b6a1d79277b1fce36118d
SnakeKeylogger
3105a7886bb62b4a95672ed5a801e8063dfba87139195dfc5a7cfe32f3b4edf2
SnakeKeylogger
3dedd91d5d734fdea8fa04714e99b1fdcac4c06626ad2e10aa825e71fc18c3c3
SnakeKeylogger
47c89c8b504cdbd28b1e573025fc005b8a89fe4e7e6d61a608921881f41a7f44
SnakeKeylogger
6511b8de737137d9209598f8120c06deae656eaa9d555d8fad4b00ccb1456e16
SnakeKeylogger
692c119609424c3689b271f8a3c793907c9fd3849f391f4640959ff7cdffb052
SnakeKeylogger
8fa741885aa3008210667909c5dc93bbd695bfa9f10b808f329e70a87dbbc262
SnakeKeylogger
f60667b9e2a0a25221cdb47844149beb3b1cd08abbc3360e8684fad9d8aaa20e
SnakeKeylogger
+ 97 additional samples on MalwareBazaar
Result
Malware family:
snakekeylogger
Create hunting rule
Score:
  10/10
Tags:
family:snakekeylogger collection keylogger spyware stealer
Link:
https://tria.ge/reports/230703-j1jq3sfe79/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Enumerates physical storage devices
Program crash
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Looks up external IP address via web service
Checks computer location settings
Reads user/profile data of web browsers
Snake Keylogger
Snake Keylogger payload
Malware Config
C2 Extraction:
https://api.telegram.org/bot6286794299:AAFoOBbC33diFxmvBnHwbQi1CQh8FcdddPw/sendMessage?chat_id=1696657848
Unpacked files
SH256 hash:
5943528174cea0e8017c9ca35ca7aa75f8a50812e8a3a5225ea9ec5e6823d18c
MD5 hash:
aa39aeef425073a4032808fe487ae25c
SHA1 hash:
c3233e83a44f690058438613830d1c28b71a703e
Link:
https://www.unpac.me/results/46f28f15-f692-471e-b5ea-94f3d4fe1187/
SH256 hash:
9d6c73e273a966a4ed1d93350392d965792ddf5ad201bfa28b8adcec2e344db5
MD5 hash:
adac60763fcfe4d5f4ad323046e79500
SHA1 hash:
9ced772a90ddec9fffde8c745225ad289f3f087e
Link:
https://www.unpac.me/results/46f28f15-f692-471e-b5ea-94f3d4fe1187/
SH256 hash:
d021c3534ad863a3b04d8c4ba7588091e89d54333239cf4910de1d620ccf68a5
MD5 hash:
fba96aca2f3742164d1e2382674e1d6f
SHA1 hash:
4950ddc5fa26cca16eef7c871dd1f3681ec357db
Detections:
snake_keylogger
Create hunting rule
snake_keylogger
Create hunting rule
snake_keylogger
Create hunting rule
snake_keylogger
Create hunting rule
Link:
https://www.unpac.me/results/46f28f15-f692-471e-b5ea-94f3d4fe1187/
Parent samples :
1b87add557e732b93c288ac361f45b9e22674b9c5914b21ece4f8b0f2694f0c5
b9ed8249ab457dd79fca9d3d2c1d98efcc24e90d1f3a9cbab9741434f30f790b
SH256 hash:
973512f00ba81a790d2351f286c79dfea92692c9f7cd724e22ab11ff282f8130
MD5 hash:
3794c5f7b240e4184d6ea90c5bdd9ec6
SHA1 hash:
26b9c4a753779b4994fe38c16dfe70b07efd3e0d
Link:
https://www.unpac.me/results/46f28f15-f692-471e-b5ea-94f3d4fe1187/
SH256 hash:
5943528174cea0e8017c9ca35ca7aa75f8a50812e8a3a5225ea9ec5e6823d18c
MD5 hash:
aa39aeef425073a4032808fe487ae25c
SHA1 hash:
c3233e83a44f690058438613830d1c28b71a703e
Link:
https://www.unpac.me/results/46f28f15-f692-471e-b5ea-94f3d4fe1187/
SH256 hash:
9d6c73e273a966a4ed1d93350392d965792ddf5ad201bfa28b8adcec2e344db5
MD5 hash:
adac60763fcfe4d5f4ad323046e79500
SHA1 hash:
9ced772a90ddec9fffde8c745225ad289f3f087e
Link:
https://www.unpac.me/results/46f28f15-f692-471e-b5ea-94f3d4fe1187/
SH256 hash:
d021c3534ad863a3b04d8c4ba7588091e89d54333239cf4910de1d620ccf68a5
MD5 hash:
fba96aca2f3742164d1e2382674e1d6f
SHA1 hash:
4950ddc5fa26cca16eef7c871dd1f3681ec357db
Detections:
snake_keylogger
Create hunting rule
snake_keylogger
Create hunting rule
snake_keylogger
Create hunting rule
snake_keylogger
Create hunting rule
Link:
https://www.unpac.me/results/46f28f15-f692-471e-b5ea-94f3d4fe1187/
Parent samples :
1b87add557e732b93c288ac361f45b9e22674b9c5914b21ece4f8b0f2694f0c5
b9ed8249ab457dd79fca9d3d2c1d98efcc24e90d1f3a9cbab9741434f30f790b
SH256 hash:
973512f00ba81a790d2351f286c79dfea92692c9f7cd724e22ab11ff282f8130
MD5 hash:
3794c5f7b240e4184d6ea90c5bdd9ec6
SHA1 hash:
26b9c4a753779b4994fe38c16dfe70b07efd3e0d
Link:
https://www.unpac.me/results/46f28f15-f692-471e-b5ea-94f3d4fe1187/
SH256 hash:
5943528174cea0e8017c9ca35ca7aa75f8a50812e8a3a5225ea9ec5e6823d18c
MD5 hash:
aa39aeef425073a4032808fe487ae25c
SHA1 hash:
c3233e83a44f690058438613830d1c28b71a703e
Link:
https://www.unpac.me/results/46f28f15-f692-471e-b5ea-94f3d4fe1187/
SH256 hash:
9d6c73e273a966a4ed1d93350392d965792ddf5ad201bfa28b8adcec2e344db5
MD5 hash:
adac60763fcfe4d5f4ad323046e79500
SHA1 hash:
9ced772a90ddec9fffde8c745225ad289f3f087e
Link:
https://www.unpac.me/results/46f28f15-f692-471e-b5ea-94f3d4fe1187/
SH256 hash:
d021c3534ad863a3b04d8c4ba7588091e89d54333239cf4910de1d620ccf68a5
MD5 hash:
fba96aca2f3742164d1e2382674e1d6f
SHA1 hash:
4950ddc5fa26cca16eef7c871dd1f3681ec357db
Detections:
snake_keylogger
Create hunting rule
snake_keylogger
Create hunting rule
snake_keylogger
Create hunting rule
snake_keylogger
Create hunting rule
Link:
https://www.unpac.me/results/46f28f15-f692-471e-b5ea-94f3d4fe1187/
Parent samples :
1b87add557e732b93c288ac361f45b9e22674b9c5914b21ece4f8b0f2694f0c5
b9ed8249ab457dd79fca9d3d2c1d98efcc24e90d1f3a9cbab9741434f30f790b
SH256 hash:
973512f00ba81a790d2351f286c79dfea92692c9f7cd724e22ab11ff282f8130
MD5 hash:
3794c5f7b240e4184d6ea90c5bdd9ec6
SHA1 hash:
26b9c4a753779b4994fe38c16dfe70b07efd3e0d
Link:
https://www.unpac.me/results/46f28f15-f692-471e-b5ea-94f3d4fe1187/
SH256 hash:
5943528174cea0e8017c9ca35ca7aa75f8a50812e8a3a5225ea9ec5e6823d18c
MD5 hash:
aa39aeef425073a4032808fe487ae25c
SHA1 hash:
c3233e83a44f690058438613830d1c28b71a703e
Link:
https://www.unpac.me/results/46f28f15-f692-471e-b5ea-94f3d4fe1187/
SH256 hash:
9d6c73e273a966a4ed1d93350392d965792ddf5ad201bfa28b8adcec2e344db5
MD5 hash:
adac60763fcfe4d5f4ad323046e79500
SHA1 hash:
9ced772a90ddec9fffde8c745225ad289f3f087e
Link:
https://www.unpac.me/results/46f28f15-f692-471e-b5ea-94f3d4fe1187/
SH256 hash:
d021c3534ad863a3b04d8c4ba7588091e89d54333239cf4910de1d620ccf68a5
MD5 hash:
fba96aca2f3742164d1e2382674e1d6f
SHA1 hash:
4950ddc5fa26cca16eef7c871dd1f3681ec357db
Detections:
snake_keylogger
Create hunting rule
snake_keylogger
Create hunting rule
snake_keylogger
Create hunting rule
snake_keylogger
Create hunting rule
Link:
https://www.unpac.me/results/46f28f15-f692-471e-b5ea-94f3d4fe1187/
Parent samples :
1b87add557e732b93c288ac361f45b9e22674b9c5914b21ece4f8b0f2694f0c5
b9ed8249ab457dd79fca9d3d2c1d98efcc24e90d1f3a9cbab9741434f30f790b
SH256 hash:
973512f00ba81a790d2351f286c79dfea92692c9f7cd724e22ab11ff282f8130
MD5 hash:
3794c5f7b240e4184d6ea90c5bdd9ec6
SHA1 hash:
26b9c4a753779b4994fe38c16dfe70b07efd3e0d
Link:
https://www.unpac.me/results/46f28f15-f692-471e-b5ea-94f3d4fe1187/
SH256 hash:
b9ed8249ab457dd79fca9d3d2c1d98efcc24e90d1f3a9cbab9741434f30f790b
MD5 hash:
aeabe20e0e3be1c8f518e4d0f1c3cab0
SHA1 hash:
00495a5b7b25d536ca6b00bffdd3d393473596f9
Link:
https://www.unpac.me/results/46f28f15-f692-471e-b5ea-94f3d4fe1187/
Malware family:
SnakeKeylogger
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/b9ed8249ab45/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/405751/

Comments