MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 bdefd80ebc99c33bb0bfa9db249680c258ba3e55fd704c22fda1f015ca7aed32. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


SnakeKeylogger


Vendor detections: 10


Intelligence 10 IOCs YARA 4 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: bdefd80ebc99c33bb0bfa9db249680c258ba3e55fd704c22fda1f015ca7aed32
SHA3-384 hash: 1167db62ae608e7f1aed03b22307dfbaec895ccfdb9873b1f3f439c30cd5f42b1ab6547bc825d2795a3c259ff3cd8fdb
SHA1 hash: d8d6352a8d9362600db113467a5abeb654ddc0cf
MD5 hash: 2dbdc96135002d650ff6ec39bce979d7
humanhash: happy-mississippi-jig-summer
File name:RQ038023.PDF.exe
Download: download sample
Signature SnakeKeylogger
Create hunting rule
File size:602'112 bytes
First seen:2023-08-15 12:19:24 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'661 x AgentTesla, 19'474 x Formbook, 12'208 x SnakeKeylogger)
ssdeep 12288:GPV/OvRm6fQv9/DkdVl4cq8UTxW1U/4uUPE2lETspFhdmQZD:LvRAFbO4cq8UTxWntqWr
Threatray 651 similar samples on MalwareBazaar
TLSH T117D423567DE82DA1ED6DDAB811310C5713396E266C13E2FCCCC622C01A9BB89964DF73
TrID 71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.2% (.EXE) Win64 Executable (generic) (10523/12/4)
6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.3% (.EXE) Win32 Executable (generic) (4505/5/1)
2.0% (.ICL) Windows Icons Library (generic) (2059/9)
File icon (PE):PE icon
dhash icon 1010109022529410 (5 x AgentTesla, 2 x Formbook, 1 x SnakeKeylogger)
Reporter abuse_ch
Tags:exe SnakeKeylogger

Intelligence

File Origin
# of uploads :
1
# of downloads :
269
Origin country :
NL NL
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
RQ038023.PDF.exe
Verdict:
Malicious activity
Analysis date:
2023-08-15 12:21:14 UTC
Tags:
evasion snake keylogger trojan
Link:
https://app.any.run/tasks/139fb054-3fdf-42ca-aac7-8c1c043a0f73

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/442773/
Detection(s):
Porcupine.Malware.58887.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Creating a window
Sending a custom TCP request
Launching a process
Creating a file
Unauthorized injection to a system process
Gathering data
Verdict:
Malicious
Labled as:
Win/malicious_confidence_100%
Link:
https://www.hybrid-analysis.com/sample/bdefd80ebc99c33bb0bfa9db249680c258ba3e55fd704c22fda1f015ca7aed32
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/8b0aa6f5-50ad-4102-bd3c-e7eec7644269
Result
Threat name:
AgentTesla, Snake Keylogger
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1291394
Signature
.NET source code contains potential unpacker
Allocates memory in foreign processes
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
May check the online IP address of the machine
Multi AV Scanner detection for submitted file
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Uses an obfuscated file name to hide its real file extension (double extension)
Writes to foreign memory regions
Yara detected AgentTesla
Yara detected AntiVM3
Yara detected Beds Obfuscator
Yara detected Generic Downloader
Yara detected Snake Keylogger
Yara detected Telegram RAT
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/bdefd80ebc99c33bb0bfa9db249680c258ba3e55fd704c22fda1f015ca7aed32/
Threat name:
Win32.Trojan.Leonem
Create hunting rule
Status:
Malicious
First seen:
2023-08-15 04:08:43 UTC
File Type:
PE (.Net Exe)
Extracted files:
6
AV detection:
17 of 37 (45.95%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=xxx5qdv4thbtxmf7vhnsjfuayjmlupsv7vyeyix5uhyblst25uza._file
Verdict:
malicious
Similar samples:
120f07b74d3851e775ca166a3f24e4c797370fba8ff5de503bc11f9f2e096638
SnakeKeylogger
2eaf94da95c7c5bfeee85e0c9b2eeb4203bc708e8538061624082b61866bc3b5
SnakeKeylogger
358659e950dae1b469fca25fb75167cae886174d21a9226fd8081fbd71d5abbc
SnakeKeylogger
55979041c0dde9e724da45ec9d88c717a18b0fb414adc96fce5387ce9b6e772b
SnakeKeylogger
a1b22bb99dfebf6b3fc3fa288b770d64120cb17e0c9d904aac2f8a813b47e579
SnakeKeylogger
bd9df3adf1e6c84fcab2206d63d2f02e3f1ce1b715c09459d21ff47c09cac2f8
SnakeKeylogger
dade1a3b53b651efe40452781b07585baab2f75133c1d8be528a4ebb942b595e
SnakeKeylogger
dc72c3da125cac80b5cafb89d523c7b77b357f551fa4366efcd1fd83b568e942
SnakeKeylogger
e4f1164364a86e7ae9293f9df8d976c8037e6701c7fb7103182186c2f5cd4968
SnakeKeylogger
eac955e21979be52d265a31b6d4d7434089ec180b116f5fd70792978ddb87d01
SnakeKeylogger
+ 641 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  6/10
Tags:
n/a
Link:
https://tria.ge/reports/230815-phra4aaf64/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Looks up external IP address via web service
Unpacked files
SH256 hash:
b6ff18077f8db45009e22953ae866107e32149ab99121893e1871379f5442b82
MD5 hash:
d703d0defd3793ae9c41d0026e0c58ca
SHA1 hash:
f804b52e578b3fa096bfdb6ed73ca2557df60739
Link:
https://www.unpac.me/results/5f978bf7-9a68-4373-ac77-c16c18abbd9b/
SH256 hash:
3b90e1b8273dfce9ab7deda7c6671fbdc099aa3d9c8968e6f74c67b90617c6bf
MD5 hash:
2a2d67e22ffffb8006d160e5a3e26ce9
SHA1 hash:
c914c2a60be7cfab79aa423dadd46ffdaff5c461
Link:
https://www.unpac.me/results/5f978bf7-9a68-4373-ac77-c16c18abbd9b/
SH256 hash:
d49b6b98ce2072303df26f7fdd3bcf642267bd4d44be0bbbfabf7e9742618dd8
MD5 hash:
9668fa7d79bba30a0080007d155a5bd4
SHA1 hash:
c3df87d81ec44a86f03d12e8184fd9d8f2365233
Link:
https://www.unpac.me/results/5f978bf7-9a68-4373-ac77-c16c18abbd9b/
SH256 hash:
598a766b26fc39c1092e2f20cee1f42df6d6049d618ac5d4d331c646ab6a8b47
MD5 hash:
00c960e10d544bd0961a993c3c6dbbe5
SHA1 hash:
04018db21d1b12800f1bc413b90ccb3264955bcb
Link:
https://www.unpac.me/results/5f978bf7-9a68-4373-ac77-c16c18abbd9b/
SH256 hash:
bdefd80ebc99c33bb0bfa9db249680c258ba3e55fd704c22fda1f015ca7aed32
MD5 hash:
2dbdc96135002d650ff6ec39bce979d7
SHA1 hash:
d8d6352a8d9362600db113467a5abeb654ddc0cf
Link:
https://www.unpac.me/results/5f978bf7-9a68-4373-ac77-c16c18abbd9b/
Malware family:
AgentTesla.v3
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/bdefd80ebc99/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:NETexecutableMicrosoft
Create hunting rule
Author:malware-lu
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

SnakeKeylogger

Executable exe bdefd80ebc99c33bb0bfa9db249680c258ba3e55fd704c22fda1f015ca7aed32

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/442773/

Comments