MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 bb8ef2fe7bd1363a875d17e6891abc46d5998ee6d886a1ac597ef873e667067a. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

SnakeKeylogger

Vendor detections: 15

Intelligence 15 IOCs YARA 2 File information Comments

SHA256 hash:	bb8ef2fe7bd1363a875d17e6891abc46d5998ee6d886a1ac597ef873e667067a
SHA3-384 hash:	d1dfb8396d48d29d318b210baec65a8dfb0fdf7846870a695f87953df32783b39eb8366b92d1a20bde62f12c9407630f
SHA1 hash:	8eb29a593a96bea2b1e7f3fa15fded8aa52c4d8e
MD5 hash:	3fd4e0858cef859eb1aaeeaf3ac8e639
humanhash:	november-fanta-lemon-fruit
File name:	Payment_Advice.exe
Download:	download sample
Signature	SnakeKeylogger Create hunting rule
File size:	1'059'328 bytes
First seen:	2023-02-27 10:03:23 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep	12288:CRwEx2iNYh/yE10hOSc8Pr0qqbWzTI3bOgVA03kdZXZ3vUotvEApTFLky1NpYBXR:Iwk1OdKvPWKzTI53KXMmRpZOBX
Threatray	4'428 similar samples on MalwareBazaar
TLSH	T192355A8036F9C115EDCF323D091C968E7D79A107A252B22AEB7676C6A7077F772C8091
TrID	71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13) 10.2% (.EXE) Win64 Executable (generic) (10523/12/4) 6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 4.3% (.EXE) Win32 Executable (generic) (4505/5/1) 2.0% (.ICL) Windows Icons Library (generic) (2059/9)
Reporter	abuse_ch
Tags:	exe SnakeKeylogger

Intelligence

File Origin

# of uploads :

# of downloads :

188

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

Payment_Advice.exe

Verdict:

Malicious activity

Analysis date:

2023-02-27 11:17:32 UTC

Tags:

trojan snake keylogger evasion

Link:

https://app.any.run/tasks/6d0b47c5-2abe-417a-b9a4-f744b0c79113

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

Snake

Link:

https://www.capesandbox.com/analysis/370152/

Detection(s):

SecuriteInfo.com.MSIL.Kryptik.WZA.UNOFFICIAL

Sanesecurity.Malware.28872.BadIN4.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

Sending a custom TCP request

Unauthorized injection to a recently created process

Creating a file

Сreating synchronization primitives

DNS request

Sending an HTTP GET request

Reading critical registry keys

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

packed

Link:

https://www.filescan.io/uploads/63fc8016589e1e4c5bd97f72/reports/62914b99-d1ba-4c45-9419-5a36efec5e67/overview

Verdict:

Malicious

Labled as:

Win/malicious_confidence_100%

Link:

https://www.hybrid-analysis.com/sample/bb8ef2fe7bd1363a875d17e6891abc46d5998ee6d886a1ac597ef873e667067a

Result

Verdict:

UNKNOWN

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Generic Malware

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/8f9597d3-b661-4c3e-be7d-967cad044303

Result

Threat name:

Snake Keylogger

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1183827

Signature

Initial sample is a PE file and has a suspicious name

Injects a PE file into a foreign processes

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

May check the online IP address of the machine

Multi AV Scanner detection for submitted file

Snort IDS alert for network traffic

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to steal Mail credentials (via file / registry access)

Yara detected Generic Downloader

Yara detected Snake Keylogger

Yara detected Telegram RAT

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/bb8ef2fe7bd1363a875d17e6891abc46d5998ee6d886a1ac597ef873e667067a/

Threat name:

ByteCode-MSIL.Spyware.SnakeLogger

Status:

Malicious

First seen:

2023-02-27 09:33:01 UTC

File Type:

PE (.Net Exe)

Extracted files:

AV detection:

21 of 25 (84.00%)

Threat level:

2/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=xohpf7t32e3dvb25c7tisgv4i3kztdxg3cdkdlczp34hhzthaz5a._file

Verdict:

malicious

SnakeKeylogger

17f48160e5a9e6bd0ee34d7216346fc3165f5428421e9312a2d12382401bca49

SnakeKeylogger

480e6eafca7220040b5c881ba63412843e888fb54e21b158a2568bec0cce0acf

SnakeKeylogger

5bbeb09102c0876fc3d18a31c5aefdfc6f42a4354422611bfefedba2d51da208

SnakeKeylogger

6897412732ce8f38317aefff9c2bb19b15a91caccb0922c53fe29c36474de665

SnakeKeylogger

6f0b53e03949038ea08eb5e798961c86237849fa4d403808fc43b4c783c032af

SnakeKeylogger

7f84e33755bb2df640edb35bd2f346135e80bdc5cd7a012596f3284e76e48c16

SnakeKeylogger

f7b5512ca0d67dbe16d59a5ccfc7bbd5f59021adcb6fac0b09dd5533aac6e820

SnakeKeylogger

fa6901852ed9fd26b1adf6140ea9f8fe498edcf73f6b2350f825c10d71783a15

SnakeKeylogger

+ 4'418 additional samples on MalwareBazaar

Result

Malware family:

snakekeylogger

Score:

10/10

Tags:

family:snakekeylogger collection keylogger spyware stealer

Link:

https://tria.ge/reports/230227-l3zanach3z/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

outlook_office_path

outlook_win_path

Suspicious use of SetThreadContext

Accesses Microsoft Outlook profiles

Looks up external IP address via web service

Reads data files stored by FTP clients

Reads user/profile data of local email clients

Reads user/profile data of web browsers

Snake Keylogger

Snake Keylogger payload

Malware Config

C2 Extraction:

https://api.telegram.org/bot5519372058:AAEQzlnVdrLo6pt_R7VJyv-Tbte5lUyTQBY/sendMessage?chat_id=5557063310

Unpacked files

SH256 hash:

14a309e31bbd0856aaf73b6b1e5cf0f6aea899e1cc4e95392a4aca0922d9cdcc

MD5 hash:

d93c730409e92c4940cfb1ed3444dc65

SHA1 hash:

d015637b7967a000f15bb229ebf64e084ce93bb2

Detections:

snake_keylogger

Link:

https://www.unpac.me/results/0ca784b2-c819-47e8-b943-b2dfe48a1eb1/

Parent samples :

486beb1ea2f92f9f7b097cc37407b852ae3910bcd0d93e3f4a64ee0e9cb9ab2a
d1002023bc21124f3d49a6b6e3e957ec6679031525cce7b4e698af3db9c2d418
24e5e059f51fe20d5ba4655d4eb6530740eeaa0464710af26efc6f143294ba13
7f67d68e60053f36c54541fb5485491e3db0c418b615e6d5d738afa715a250fc
dafd3ed55d5c4319b8d0efc9f2c7c65ecbb042000438c56deadf40d33e580a05
cc485a2ac8fd59090c4bb77d2e66be5fe082922a6559a3fe3be7060722c8652e
6e21c799f14d0104ee3fc1f6142aab3b1cd8b00260c3a8100386a0f44405b967
bb8ef2fe7bd1363a875d17e6891abc46d5998ee6d886a1ac597ef873e667067a
3ae45c91266fe6bdd2d48f8b9d6ddc09e896239545256e00960fc792a41c061e
1a0ffc17583a6b31dead35d7afa49248b3fc970c77dba990367aa130f8ac4a3b

SH256 hash:

e3d2ac5024ce2aa7049dc1004cf30bd6fb937ffcc9c4cd5c94005550376d3ef6

MD5 hash:

3ecce558121d03e0e28a5212bd130ebd

SHA1 hash:

c18c31eb5d0633112b865719880b2c66da4020b2

Link:

https://www.unpac.me/results/0ca784b2-c819-47e8-b943-b2dfe48a1eb1/

SH256 hash:

91493350521caacbff4aa9556eab05aafa8090e72105694f203bb90287ed870a

MD5 hash:

600a7edd88ef231bd17bbd4cbfe72432

SHA1 hash:

28db091580ad2a344d0e68e0e7cd7f449ea3a0df

Link:

https://www.unpac.me/results/0ca784b2-c819-47e8-b943-b2dfe48a1eb1/

SH256 hash:

e386840537170219177c2bb3404f4c7bd9da1a2d53cdf2ae1e857c3b19628a29

MD5 hash:

d170ab8c03b9c37d5be449454db131d2

SHA1 hash:

2031b6754a65d21b47dd11a34fee86f048d6048d

Link:

https://www.unpac.me/results/0ca784b2-c819-47e8-b943-b2dfe48a1eb1/

SH256 hash:

219a6c7ea5bb974cc9fdf265d13d843e6ba83f2a1ec07744d4b9ca3a6ca90f38

MD5 hash:

88dd74207f3882979e21e26bf33a0e9c

SHA1 hash:

02a2db1bcbdb700f16c730a45d6ca62f805af8d4

Link:

https://www.unpac.me/results/0ca784b2-c819-47e8-b943-b2dfe48a1eb1/

SH256 hash:

bb8ef2fe7bd1363a875d17e6891abc46d5998ee6d886a1ac597ef873e667067a

MD5 hash:

3fd4e0858cef859eb1aaeeaf3ac8e639

SHA1 hash:

8eb29a593a96bea2b1e7f3fa15fded8aa52c4d8e

Link:

https://www.unpac.me/results/0ca784b2-c819-47e8-b943-b2dfe48a1eb1/

Malware family:

SnakeKeylogger

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/bb8ef2fe7bd1/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Password Stealer

Score:

0.90

Link:

https://yomi.yoroi.company/submissions/bb8ef2fe7bd1363a875d17e6891abc46d5998ee6d886a1ac597ef873e667067a

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	pe_imphash Create hunting rule

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/370152/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample