MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 bf305d7a93949463c9410b53f1c874a42e1b0b6c1966c4e82520dfcf352402ca. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



SnakeKeylogger


Vendor detections: 15



SHA256 hash: bf305d7a93949463c9410b53f1c874a42e1b0b6c1966c4e82520dfcf352402ca
SHA3-384 hash: 35096f1a734809c62fe6be4f10a287e6cf9c8f4ae0c3dfb197c17993496912bc573ed5faafbc25a728244ad9d4bf0d5c
SHA1 hash: 4e6d5ef96bdec0a35a88847911c623ec76bac8d3
MD5 hash: 0dc0a3e0e5e66b83a24c2172bdcf3132
humanhash: hamper-echo-alabama-social
File name: 17.11.2022-08.11.2022.exe
Signature: SnakeKeylogger
File size: 972'288 bytes
First seen: 2022-11-18 22:32:29 UTC
Last seen: 2022-12-07 13:52:34 UTC
File type: Executable exe
MIME type: application/x-dosexec
imphash: f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep: 12288:CwBnM33302IgFJN0V3foum0obkQobt1YHUkqhziCEasnu0cjZnbCkI:FBnG30YCoJkJzWUz7YuFjZnbCkI
Threatray: 9'415 similar samples on MalwareBazaar
TLSH: T1722549D1B0529CAFE8BA66BD6CB6A82055F35C684DC0551C41AC7EC62DB33C3305BEAD
TrID: 72.5% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
      10.4% (.EXE) Win64 Executable (generic) (10523/12/4)
      6.5% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
      4.4% (.EXE) Win32 Executable (generic) (4505/5/1)
      2.0% (.EXE) OS/2 Executable (generic) (2029/13)
dhash icon: eeacac8cb6e2ba86 (561 x SnakeKeylogger, 142 x AgentTesla, 40 x Formbook)
Reporter: abuse_ch
Tags: exe SnakeKeylogger

Intelligence


File Origin
# of uploads: 4
# of downloads: 231
Origin country: n/a

Vendor Threat Intelligence
Malware family: n/a
ID: 1
File name: 17.11.2022-08.11.2022.exe
Verdict: Malicious activity
Analysis date: 2022-11-18 22:33:08 UTC
Tags: evasion trojan snake

Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample.

Result
Verdict: Malware

Behaviour
  Searching for the window
  Creating a window
Verdict: Suspicious
Threat level: 5/10
Confidence: 100%
Tags: packed

Result
Verdict: MALICIOUS
Details
  Windows PE Executable
  Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family: Snake Keylogger
Verdict: Malicious

Result
Threat name: Snake Keylogger
Detection: malicious
Classification: troj.spyw.evad
Score: 100 / 100
Signature
.NET source code contains potential unpacker
.NET source code references suspicious native API functions
Injects a PE file into a foreign process
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
May check the online IP address of the machine
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Mail credentials (via file / registry access)
Yara detected AntiVM3
Yara detected Generic Downloader
Yara detected Snake Keylogger
Yara detected Telegram RAT
Behaviour

Threat name: Win32.Spyware.SnakeLogger
Status: Malicious
First seen: 2022-11-18 07:35:15 UTC
File Type: PE (.Net Exe)
Extracted files: 33
AV detection: 17 of 26 (65.38%)
Threat level: 2/5

Result
Malware family: snakekeylogger
Score: 10/10
Tags: family:snakekeylogger collection keylogger spyware stealer
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Looks up external IP address via web service
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Snake Keylogger
Snake Keylogger payload
Malware Config
C2 Extraction: https://api.telegram.org/bot5310184099:AAGxqu0IL8tjOF6Eq6x2u0gfcHhvuxRwfLU/sendMessage?chat_id=5350445922
Verdict: Suspicious
Tags: n/a
YARA: n/a
Unpacked files
  SHA256 hash: cf63e9457af81a1c98f48956554e07e748f37f9e7acd88f5a38c48aaa1d925dc
  MD5 hash: a6a682bb0652b09f21e8bf9ed40352e7
  SHA1 hash: fa6ebb960886bf7b4f21067d019d609770433fb0
  Detections: snake_keylogger

Parent samples
  SHA256 hash: f0b878b4d695b390c29878085158066d86005c227212deeee98afe9c3e206053
  MD5 hash: 5def71de9c8f797184a33bfa822a4f2d
  SHA1 hash: 6a8ed44e3d5112d25ad94c26eed8bcf1c2633b6f

  SHA256 hash: a0e5004630d58eb755572163cb3f3c2eb6d50d04334bd32083204b0b7b324d14
  MD5 hash: fe27b7e68f6ae8577f9e30c18ad88456
  SHA1 hash: fcdc52ffc5323f69e2ba0673337574d3d68b8296

  SHA256 hash: cfc16a2dbb933b1b85807d48966e9301b9fc34f4c44e7357713ca88b54bf4ab4
  MD5 hash: aabd0bdc81026ade6c57383f21d5c227
  SHA1 hash: 4b26936bb8c03be6d7963184215a5ab594ecb765

  SHA256 hash: ab19f28c700d64814b0c55df868c30dfb94e0a1f9fb6f7bca05bac6eb78a4e52
  MD5 hash: 1f2a6c02dcf9aa00a28a5039fb5b8ce0
  SHA1 hash: 1ef480867d39b98368af7586a8e6ba38c0c3893a

  SHA256 hash: bf305d7a93949463c9410b53f1c874a42e1b0b6c1966c4e82520dfcf352402ca
  MD5 hash: 0dc0a3e0e5e66b83a24c2172bdcf3132
  SHA1 hash: 4e6d5ef96bdec0a35a88847911c623ec76bac8d3

Malware family: SnakeKeylogger
Verdict: Malicious
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: pe_imphash

Rule name: Skystars_Malware_Imphash
Author: Skystars LightDefender
Description: imphash

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Malspam: SnakeKeylogger, Executable exe bf305d7a93949463c9410b53f1c874a42e1b0b6c1966c4e82520dfcf352402ca (this sample)
Delivery method: Distributed via e-mail attachment
