MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 beb54195c2d5f5dd021b8a916b27d6929b6114c2edd311f291b15054d439e7ab. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

SnakeKeylogger

Vendor detections: 14

Intelligence 14 IOCs YARA 2 File information Comments

SHA256 hash:	beb54195c2d5f5dd021b8a916b27d6929b6114c2edd311f291b15054d439e7ab
SHA3-384 hash:	ffcfb83aa8e505479b8c630e223b7ff6b870b8dffb94f96c3f8a2744a1e30b73983406358e3ebfa5bf2877bc73094d73
SHA1 hash:	b46b9622a7f077dfa018fb75393c499cd5764ed3
MD5 hash:	234de8e9b3471bb25ecc397cd4f2b080
humanhash:	timing-artist-washington-maryland
File name:	Scan29092022.pdf.exe
Download:	download sample
Signature	SnakeKeylogger Create hunting rule
File size:	740'864 bytes
First seen:	2022-09-30 06:21:09 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'744 x AgentTesla, 19'608 x Formbook, 12'242 x SnakeKeylogger)
ssdeep	12288:D32iNZCEfTVzviMKiskExugOWfMqm4frhl+KTEuZO:L1fRH5skgJmT4TJA
Threatray	5'367 similar samples on MalwareBazaar
TLSH	T1AFF4DF371BEA4B0BC11976B894D1E2B6A7ADCC01F567C2C72BCA2D1FF086661D760391
TrID	72.5% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13) 10.4% (.EXE) Win64 Executable (generic) (10523/12/4) 6.5% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 4.4% (.EXE) Win32 Executable (generic) (4505/5/1) 2.0% (.EXE) OS/2 Executable (generic) (2029/13)
Reporter	GovCERT_CH
Tags:	exe SnakeKeylogger

Intelligence

File Origin

# of uploads :

# of downloads :

273

Origin country :

n/a

Vendor Threat Intelligence

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/315054/

Detection(s):

SecuriteInfo.com.MSIL.Kryptik.WZA.UNOFFICIAL

SecuriteInfo.com.Trojan.PackedNET.389.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

Сreating synchronization primitives

Creating a file in the %AppData% directory

Enabling the 'hidden' option for recently created files

Adding an access-denied ACE

Creating a process from a recently created file

Creating a process with a hidden window

Launching a process

Verdict:

Suspicious

Threat level:

5/10

Confidence:

67%

Tags:

packed

Link:

https://www.filescan.io/uploads/63368b0dd5955f6f49d555b0/reports/d9b01a79-0a32-4261-859d-0959e56d0a80/overview

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Snake Keylogger

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/e39115ba-36ad-444b-9248-eb3cbb820bcb

Result

Threat name:

Snake Keylogger

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1080669

Signature

.NET source code contains potential unpacker

.NET source code references suspicious native API functions

Adds a directory exclusion to Windows Defender

Antivirus / Scanner detection for submitted sample

Antivirus detection for dropped file

Initial sample is a PE file and has a suspicious name

Injects a PE file into a foreign processes

Machine Learning detection for dropped file

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

May check the online IP address of the machine

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Sigma detected: Scheduled temp file as task from temp location

Snort IDS alert for network traffic

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to steal Mail credentials (via file / registry access)

Uses an obfuscated file name to hide its real file extension (double extension)

Uses schtasks.exe or at.exe to add and modify task schedules

Uses the Telegram API (likely for C&C communication)

Yara detected AntiVM3

Yara detected Generic Downloader

Yara detected Snake Keylogger

Yara detected Telegram RAT

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/beb54195c2d5f5dd021b8a916b27d6929b6114c2edd311f291b15054d439e7ab/

Threat name:

ByteCode-MSIL.Trojan.Taskun

Status:

Malicious

First seen:

2022-09-29 14:52:21 UTC

File Type:

PE (.Net Exe)

Extracted files:

AV detection:

22 of 26 (84.62%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=x22udfoc2x252aq3rkiwwj6wsknwcfgc5xjrd4urwfifjvbz46vq._file

Verdict:

malicious

SnakeKeylogger

282959044383be468d1abaf470f749e7d88769d5f4251839d2cb7ea5ebf164a0

SnakeKeylogger

3fd707dbbf7a289a8cc02b0e3ae49cda05d20836991d0fc19723ecb42d4bcf76

SnakeKeylogger

a0baf98ce28c1245d78159191bd0fafaf80c8c6b76b5e80b43bea8874af910a9

SnakeKeylogger

d38aff0f99e34f5eccdb505a8c2d6d65cfdbc7ae8b7c5fcd0845f55c83b9bb11

SnakeKeylogger

dee874f4b08d29f84f63efb0887ddef3ee7e14846b638eb3a416314034141582

SnakeKeylogger

fab9b1f85614f437c8badd9fa07890a1925451dfb9f94b3bfe10ec2593685f4b

SnakeKeylogger

+ 5'357 additional samples on MalwareBazaar

Result

Malware family:

snakekeylogger

Score:

10/10

Tags:

family:snakekeylogger collection keylogger spyware stealer

Link:

https://tria.ge/reports/220930-g4xe8sdehp/

Behaviour

Creates scheduled task(s)

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

outlook_office_path

outlook_win_path

Enumerates physical storage devices

Suspicious use of SetThreadContext

Accesses Microsoft Outlook profiles

Looks up external IP address via web service

Checks computer location settings

Reads data files stored by FTP clients

Reads user/profile data of local email clients

Reads user/profile data of web browsers

Snake Keylogger

Snake Keylogger payload

Malware Config

C2 Extraction:

https://api.telegram.org/bot5582701255:AAG6EwFmBC6AWDB7ijWIdb3jOpyBEYRlBgU/sendMessage?chat_id=1856108848

Verdict:

Suspicious

Tags:

n/a

YARA:

n/a

Link:

https://app.threat.zone/submission/02cba75f-d583-4a71-bc9e-681902ded56a

Unpacked files

SH256 hash:

d6865655dba6cce5eece0f88b66879fab6c91dcec52a4ffae8f08ad943e75495

MD5 hash:

aaf0043325f3ffd42bb065cd8278d103

SHA1 hash:

c97384aa1797d8e9492da7ab1bceab7e474aee37

Link:

https://www.unpac.me/results/3311d49d-db88-431f-999a-791d139f2e22/

SH256 hash:

2470b39032f6182252039c88199016566b0de30c6aa02163a143427afedd12af

MD5 hash:

c3a1924684ca30ed22234ce1d9111dfc

SHA1 hash:

7347706241422758c06440fd6044ae4e042b456b

Link:

https://www.unpac.me/results/3311d49d-db88-431f-999a-791d139f2e22/

SH256 hash:

0aa70cb843e7da5a36a4b9a93d751bfcad2699a95e865c34093dc07d8a0df4ec

MD5 hash:

b80bcb8a4a44b2a631b02d6db0d3d2e8

SHA1 hash:

72715b8c792c476204d03c90f7e52ecae28bf222

Link:

https://www.unpac.me/results/3311d49d-db88-431f-999a-791d139f2e22/

SH256 hash:

48dce2631822613e7ceb0ff9100ea0584132cdad07a32467a8c5df90c76b87f2

MD5 hash:

156e9142d2df0ef51b311e0443b50e9a

SHA1 hash:

4f542b57a462526b16f3d9d857b28f792c24ae78

Detections:

snake_keylogger

Link:

https://www.unpac.me/results/3311d49d-db88-431f-999a-791d139f2e22/

Parent samples :

6b010af0223bd5f11bfc896701e2151a2feee5e48127367f2f760d5110af4857
2eb68d9acd4f3bf8816e682b1c87234e909cd8f1d53bc4d6df8a0acb74daea52
ae5aa180e80601126d73c2da070cd4fc5d041d4cbd66566d01569fd1ad33738b
beb54195c2d5f5dd021b8a916b27d6929b6114c2edd311f291b15054d439e7ab
fd2cd3b81c8d9917c3d886e894b7e6561f501cbf6eba18d2dcf443cb5cc05a0f
e08ed6f6f84946bdd5e3d099080330841efe8ce84cc2002d510e3dbe74de3fef
50109664df17c305d63866d276484eff9131d9fb4bbb091275f07d940e7435b5
8e88b06d2325abd6c323cac3064f6ca4f81e4fee843b04efc255a3105f82e507
4a7c732e04071421b16fceefad0a2a2c046d8d59b2ece54f50f89645b4eac10d
081d841583dbdb2d881df7e2ac7d12702518680e5a34a6238cdee2abae76885b

SH256 hash:

e20ec8f3c957bcb6a194ef688bae8af2015cfffb20e7baf8b2114d7b70ade4ee

MD5 hash:

35cb29046968faca7f3f3b4463449b6c

SHA1 hash:

088c8c30ec1bece0a4b5bbfe3982b073f8b95598

Link:

https://www.unpac.me/results/3311d49d-db88-431f-999a-791d139f2e22/

SH256 hash:

beb54195c2d5f5dd021b8a916b27d6929b6114c2edd311f291b15054d439e7ab

MD5 hash:

234de8e9b3471bb25ecc397cd4f2b080

SHA1 hash:

b46b9622a7f077dfa018fb75393c499cd5764ed3

Link:

https://www.unpac.me/results/3311d49d-db88-431f-999a-791d139f2e22/

Malware family:

SnakeKeylogger

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/beb54195c2d5/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/beb54195c2d5f5dd021b8a916b27d6929b6114c2edd311f291b15054d439e7ab

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	pe_imphash Create hunting rule

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

SnakeKeylogger

exe beb54195c2d5f5dd021b8a916b27d6929b6114c2edd311f291b15054d439e7ab

(this sample)

Dropped by

snakekeylogger

Delivery method

Distributed via e-mail attachment

Cape

https://www.capesandbox.com/analysis/315054/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample