MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 c38e4548406946201b3324a25a8aa3854eb75a25465965447fa94f5dee97f8ab. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


SnakeKeylogger


Vendor detections: 14


Intelligence 14 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: c38e4548406946201b3324a25a8aa3854eb75a25465965447fa94f5dee97f8ab
SHA3-384 hash: 86d2e4e46117745eb9e124c8d4a013a80d74799b31bf65323a05f0178509b40dfbe9c6180b1a014993e112a4c0932ff1
SHA1 hash: 91d967921535b145673a8a76be7ae6b49c0df502
MD5 hash: 2aa362b1f5be5add269730f0102ac795
humanhash: avocado-hamper-red-video
File name:whatsapp-2023052908059.exe
Download: download sample
Signature SnakeKeylogger
Create hunting rule
File size:1'112'064 bytes
First seen:2023-05-30 06:54:54 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'740 x AgentTesla, 19'602 x Formbook, 12'241 x SnakeKeylogger)
ssdeep 12288:wnHkmFx2iqNhujGjUBRAOWXz5YdkXmoXcIZplDQHlmo69U3:MEmFxUwDWXz5YdkXvGfI
Threatray 1'890 similar samples on MalwareBazaar
TLSH T15C35E0A1E2994696ED2A07BA50334C3503B7BEBD7D71E25D8D9FB1F45BB3382150280B
TrID 71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.2% (.EXE) Win64 Executable (generic) (10523/12/4)
6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.3% (.EXE) Win32 Executable (generic) (4505/5/1)
2.0% (.ICL) Windows Icons Library (generic) (2059/9)
File icon (PE):PE icon
dhash icon 0c0d3331470c3323 (1 x SnakeKeylogger)
Reporter abuse_ch
Tags:exe SnakeKeylogger

Intelligence

File Origin
# of uploads :
1
# of downloads :
251
Origin country :
NL NL
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
whatsapp-2023052908059.exe
Verdict:
Malicious activity
Analysis date:
2023-05-30 06:55:24 UTC
Tags:
evasion snake keylogger trojan
Link:
https://app.any.run/tasks/3a72091b-a7a5-434b-8878-361bde6de164

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/393320/
Detection(s):
SecuriteInfo.com.Trojan.GenericKD.67285815.14280.25110.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
lolbin packed
Link:
https://www.filescan.io/uploads/64759dc96dd70dc931d856be/reports/f7ce0f00-1925-44a8-88de-6bd83695de36/overview
Verdict:
Malicious
Labled as:
Trojan.Generic
Link:
https://www.hybrid-analysis.com/sample/c38e4548406946201b3324a25a8aa3854eb75a25465965447fa94f5dee97f8ab
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Snake Keylogger
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/d064ba77-2813-4074-bacc-c27188b48381
Result
Threat name:
Snake Keylogger
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1244939
Signature
.NET source code contains potential unpacker
Adds a directory exclusion to Windows Defender
Found malware configuration
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
May check the online IP address of the machine
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Scheduled temp file as task from temp location
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Mail credentials (via file / registry access)
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected Generic Downloader
Yara detected Snake Keylogger
Yara detected Telegram RAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 877951 Sample: whatsapp-2023052908059.exe Startdate: 30/05/2023 Architecture: WINDOWS Score: 100 49 Found malware configuration 2->49 51 Malicious sample detected (through community Yara rule) 2->51 53 Sigma detected: Scheduled temp file as task from temp location 2->53 55 6 other signatures 2->55 7 whatsapp-2023052908059.exe 7 2->7         started        11 tKckTAqanCR.exe 5 2->11         started        process3 file4 33 C:\Users\user\AppData\...\tKckTAqanCR.exe, PE32 7->33 dropped 35 C:\Users\...\tKckTAqanCR.exe:Zone.Identifier, ASCII 7->35 dropped 37 C:\Users\user\AppData\Local\...\tmpB74C.tmp, XML 7->37 dropped 39 C:\Users\...\whatsapp-2023052908059.exe.log, ASCII 7->39 dropped 57 May check the online IP address of the machine 7->57 59 Uses schtasks.exe or at.exe to add and modify task schedules 7->59 61 Adds a directory exclusion to Windows Defender 7->61 13 whatsapp-2023052908059.exe 15 2 7->13         started        17 powershell.exe 21 7->17         started        19 schtasks.exe 1 7->19         started        63 Multi AV Scanner detection for dropped file 11->63 65 Machine Learning detection for dropped file 11->65 21 tKckTAqanCR.exe 14 2 11->21         started        23 schtasks.exe 1 11->23         started        25 tKckTAqanCR.exe 11->25         started        signatures5 process6 dnsIp7 41 checkip.dyndns.com 158.101.44.242, 49701, 49702, 80 ORACLE-BMC-31898US United States 13->41 43 checkip.dyndns.org 13->43 27 conhost.exe 17->27         started        29 conhost.exe 19->29         started        45 192.168.2.1 unknown unknown 21->45 47 checkip.dyndns.org 21->47 67 Tries to steal Mail credentials (via file / registry access) 21->67 69 Tries to harvest and steal ftp login credentials 21->69 71 Tries to harvest and steal browser information (history, passwords, etc) 21->71 31 conhost.exe 23->31         started        signatures8 process9
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/c38e4548406946201b3324a25a8aa3854eb75a25465965447fa94f5dee97f8ab/
Threat name:
ByteCode-MSIL.Trojan.FormBook
Create hunting rule
Status:
Malicious
First seen:
2023-05-29 03:38:55 UTC
File Type:
PE (.Net Exe)
Extracted files:
35
AV detection:
15 of 24 (62.50%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=yohekscanfdcagztesrfvcvdqvhlowrfizmwkrd7vfhv33ux7cvq._file
Verdict:
malicious
Similar samples:
0709f9e2f76a07b22aa5361179d7120bd8127fc42a0f5c289f73e8f764460092
SnakeKeylogger
308a5ed2f79e93b600af3147ea292f64636d31b858a27436d175b933400ead85
SnakeKeylogger
3335efc2f973d87f8539324f664cbe0f6ac5b63f1c7fb7e0ef89cbdf5cb8174d
SnakeKeylogger
3dcb0606b40e8a5d64da878ee28ae32fcb1c6072aa9a238057548f34c8cdc59b
SnakeKeylogger
5eab60cf69738d99c74d355743502d3c3cd2c987e585396c00f2736792c6c9ec
SnakeKeylogger
734da354d0b8c982d436b43e4f8e105382af3d08def6114dfa685d1230bf64dc
SnakeKeylogger
86c51d21c17d07f820d88f41dea0e51f619a66573b72eee4442b50b799e1a73c
SnakeKeylogger
9f05a25d30b22c3d4a8da65f3ef034fc24ed35b97ed418f79d3af4def9f7ccdf
SnakeKeylogger
b060f747e4aa941b42d475cf40290b6211911e1e949d8a2df0705660cd014996
SnakeKeylogger
b6e2c83fca7727bb38feb6e83228c4157155868ec1e088ccd8d61e15477d3ad0
SnakeKeylogger
+ 1'880 additional samples on MalwareBazaar
Result
Malware family:
snakekeylogger
Create hunting rule
Score:
  10/10
Tags:
family:snakekeylogger collection keylogger spyware stealer
Link:
https://tria.ge/reports/230530-hpsn6sfh75/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Enumerates physical storage devices
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Looks up external IP address via web service
Checks computer location settings
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Snake Keylogger
Snake Keylogger payload
Malware Config
C2 Extraction:
https://api.telegram.org/bot5439655272:AAGBLlvv-N9cRT8I6adunQ9W-np9xfppm14/sendMessage?chat_id=5477845350
Unpacked files
SH256 hash:
670a0231b86126885c4c6a55f24cfc04983b9dc33c2aec289c19aefc16e4ae13
MD5 hash:
93cfa6c9cd98de0080dd9b81a0cd69c9
SHA1 hash:
bd9925064a3b96bd106e0b6e2174bcc739449069
Link:
https://www.unpac.me/results/e9ae67d0-dc00-49ee-ad60-b324494d4646/
SH256 hash:
0b861d0e19d173621dba77fc3954b6325b3e89e0856817eb9ac1b0e4b4b6f9a0
MD5 hash:
34e9924238cc9c184aed0f7e0dd905ab
SHA1 hash:
42e0e3852a327ae2d232858ba41fca9cadd628db
Link:
https://www.unpac.me/results/e9ae67d0-dc00-49ee-ad60-b324494d4646/
SH256 hash:
b52c29ba9ef8996bdf721950d900db96f1befb9883eb38c2075528e60c7aabd4
MD5 hash:
7b6143d9d94c8b80d191b77d8b6d1ba2
SHA1 hash:
1c91704ff6da2a9dd8aaa2ff2d5a5f69a445f76b
Link:
https://www.unpac.me/results/e9ae67d0-dc00-49ee-ad60-b324494d4646/
SH256 hash:
c38e4548406946201b3324a25a8aa3854eb75a25465965447fa94f5dee97f8ab
MD5 hash:
2aa362b1f5be5add269730f0102ac795
SHA1 hash:
91d967921535b145673a8a76be7ae6b49c0df502
Link:
https://www.unpac.me/results/e9ae67d0-dc00-49ee-ad60-b324494d4646/
Malware family:
SnakeKeylogger
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/c38e45484069/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Password Stealer
Score:
0.90
Link:
https://yomi.yoroi.company/submissions/c38e4548406946201b3324a25a8aa3854eb75a25465965447fa94f5dee97f8ab

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

SnakeKeylogger

Executable exe c38e4548406946201b3324a25a8aa3854eb75a25465965447fa94f5dee97f8ab

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/393320/

Comments