MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 c40b21462fa3c5ebbed41befc33078f7453e4ed5e2594a815103c1efe70d6327. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


SnakeKeylogger


Vendor detections: 18


Intelligence 18 IOCs YARA 4 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: c40b21462fa3c5ebbed41befc33078f7453e4ed5e2594a815103c1efe70d6327
SHA3-384 hash: 966faf3dd2538b56b3453afc621842f0c4ae6b0bf15396a9d2db35517976097f73c7ec06a6dde895590a6e3b4ee83bdb
SHA1 hash: 7d9cfcfe09c52303e9ab741353c06e014364cdd6
MD5 hash: 5302477a2c210083be8d25280a1d27cf
humanhash: artist-twelve-mockingbird-spring
File name:Week3.exe
Download: download sample
Signature SnakeKeylogger
Create hunting rule
File size:831'488 bytes
First seen:2025-02-03 17:16:19 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'649 x AgentTesla, 19'454 x Formbook, 12'202 x SnakeKeylogger)
ssdeep 12288:zWmfDfxt7J0iJKfJDbV5wPw2a7iLv1/L5le289QgM:v2RfJW1Ciblvng
Threatray 4'773 similar samples on MalwareBazaar
TLSH T1C3058C5437DAFA85E82962B8D872C1F00371BE06D576C30F29D97DCB38727426616B2B
TrID 53.7% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
22.9% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
7.7% (.EXE) Win64 Executable (generic) (10522/11/4)
4.8% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
3.3% (.EXE) Win32 Executable (generic) (4504/4/1)
Magika pebin
File icon (PE):PE icon
dhash icon 649094d652537ab4 (1 x RedLineStealer, 1 x SnakeKeylogger)
Reporter mgalde
Tags:exe SnakeKeylogger

Intelligence

File Origin
# of uploads :
1
# of downloads :
539
Origin country :
US US
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
Week3.exe
Verdict:
Malicious activity
Analysis date:
2025-02-03 17:16:22 UTC
Tags:
evasion snake keylogger stealer
Link:
https://app.any.run/tasks/bf981918-eebd-43d8-93ef-c4e48fc380e5

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection(s):
Win.Dropper.LokiBot-10026309-0
Create hunting rule

Verdict:
Malicious
Score:
93.3%
Link:
https://cyber-fortress.com/docs/result/index.php?id=67a0fae851193558eb19418f
Tags:
virus micro msil
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Launching a process
Creating a file
Сreating synchronization primitives
Unauthorized injection to a system process
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
obfuscated obfuscated packed
Link:
https://www.filescan.io/uploads/67a0fa1706d12bc30bf62e2e/reports/56b8e5ce-e5ec-4449-83ee-bc1b037f6161/overview
Verdict:
Malicious
Labled as:
Trojan.Ransom.Loki
Link:
https://www.hybrid-analysis.com/sample/c40b21462fa3c5ebbed41befc33078f7453e4ed5e2594a815103c1efe70d6327
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Agent Tesla
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/11192665-bc2f-4f32-bde0-07fd8078fdb4
Result
Threat name:
PureLog Stealer, Snake Keylogger
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1605805
Signature
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains potential unpacker
Allocates memory in foreign processes
Antivirus / Scanner detection for submitted sample
Found malware configuration
Injects a PE file into a foreign processes
Joe Sandbox ML detected suspicious sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Mail credentials (via file / registry access)
Writes to foreign memory regions
Yara detected AntiVM3
Yara detected Generic Downloader
Yara detected PureLog Stealer
Yara detected Snake Keylogger
Yara detected Telegram RAT
Behaviour
Behavior Graph:
Download SVG
Score:
98%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/c40b21462fa3c5ebbed41befc33078f7453e4ed5e2594a815103c1efe70d6327
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/c40b21462fa3c5ebbed41befc33078f7453e4ed5e2594a815103c1efe70d6327/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2025-02-03 17:17:11 UTC
File Type:
PE (.Net Exe)
Extracted files:
28
AV detection:
26 of 38 (68.42%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=yqfscrrpupc6xpwudpx4gmdy65ct4twv4jmuvakrapa67zynmmtq._file
Verdict:
malicious
Label(s):
snakekeylogger
Create hunting rule
unknown_loader_037
Create hunting rule
Similar samples:
030c16ffccb55c4a06c3b93d11390e7b2c5b218e220594d45c9fb02f622b856c
SnakeKeylogger
61abb5aa05411cf92a1d762864cc824d594ffdd2dad4c2ca7f1c2f0c30e2a786
SnakeKeylogger
7995a7b70fd579b2d7562444301504e7fb8834fda0666b52386592d8e5ec13e4
SnakeKeylogger
b161be7554c0f571a5ae4db7a8c9ea60e7126c589339073b7c0aaacbd5679e9b
SnakeKeylogger
b22a347cb6ccdccbc3e68c48ed6ee69fff4526eb46a54d12e588e0cffc3e9c51
SnakeKeylogger
c40b21462fa3c5ebbed41befc33078f7453e4ed5e2594a815103c1efe70d6327
SnakeKeylogger
d63c8389d2b2cabed5b7c9a96a37199ef8509f21ea4c30907ef472a81703277b
SnakeKeylogger
error
SnakeKeylogger
+ 4'763 additional samples on MalwareBazaar
Result
Malware family:
snakekeylogger
Create hunting rule
Score:
  10/10
Tags:
family:snakekeylogger collection credential_access discovery keylogger stealer
Link:
https://tria.ge/reports/250203-vtrnwsxmes/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
System Location Discovery: System Language Discovery
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Looks up external IP address via web service
Unsecured Credentials: Credentials In Files
Snake Keylogger
Snake Keylogger payload
Snakekeylogger family
Verdict:
Malicious
Tags:
Win.Dropper.LokiBot-10026309-0 404keylogger
YARA:
n/a
Link:
https://app.threat.zone/submission/156e4f9a-7f88-493d-a6e7-d09f7ecee743
Unpacked files
SH256 hash:
c40b21462fa3c5ebbed41befc33078f7453e4ed5e2594a815103c1efe70d6327
MD5 hash:
5302477a2c210083be8d25280a1d27cf
SHA1 hash:
7d9cfcfe09c52303e9ab741353c06e014364cdd6
Link:
https://www.unpac.me/results/e44a6b29-8124-47fa-86e8-a7923ef124a4/
SH256 hash:
73eb6e44a70f3c59abf438955af5dc483030acc19df88fa21f443bbbef6c1338
MD5 hash:
7274d1c3f35593a253cc6cf5277b6154
SHA1 hash:
014a0fda185f7b1db6eaa19d2b4d927a68868e33
Detections:
SUSP_OBF_NET_Reactor_Indicators_Jan24
Create hunting rule
Link:
https://www.unpac.me/results/e44a6b29-8124-47fa-86e8-a7923ef124a4/
SH256 hash:
a5d71d07e423e6c826ec2c007840c4da546f76b314d5d1c73962a7c6ad890a77
MD5 hash:
732ebe8ae3a767746a640e5b506205a9
SHA1 hash:
0af39354dff4bce6b68789dbeaed37aa3abb1b13
Link:
https://www.unpac.me/results/e44a6b29-8124-47fa-86e8-a7923ef124a4/
SH256 hash:
753bb6d3f2107a7ed0071a4efa04ddb1a9d09edbeb382020e4d558d46b572048
MD5 hash:
b5911e16822a39925df899d348f05e0f
SHA1 hash:
47690a21ed470fae27fa0e315dbbee4d97dd43ee
Link:
https://www.unpac.me/results/e44a6b29-8124-47fa-86e8-a7923ef124a4/
SH256 hash:
fedb655e7c7d5479a074cf90284028515c7617ec0ef8ddf15b284792fac75b5a
MD5 hash:
8033f11ee7303107ed1f446a0640ec3d
SHA1 hash:
6637ddd9dd0b0ac48ed6a24858758aec37804bcc
Detections:
win_404keylogger_g1
Create hunting rule
snake_keylogger
Create hunting rule
MAL_Envrial_Jan18_1
Create hunting rule
INDICATOR_SUSPICIOUS_Binary_References_Browsers
Create hunting rule
INDICATOR_SUSPICIOUS_EXE_References_Messaging_Clients
Create hunting rule
INDICATOR_SUSPICIOUS_EXE_DotNetProcHook
Create hunting rule
INDICATOR_SUSPICIOUS_EXE_TelegramChatBot
Create hunting rule
MALWARE_Win_SnakeKeylogger
Create hunting rule
Link:
https://www.unpac.me/results/e44a6b29-8124-47fa-86e8-a7923ef124a4/
Malware family:
SnakeKeylogger
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/c40b21462fa3/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/c40b21462fa3c5ebbed41befc33078f7453e4ed5e2594a815103c1efe70d6327

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:NETexecutableMicrosoft
Create hunting rule
Author:malware-lu
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

SnakeKeylogger

Executable exe c40b21462fa3c5ebbed41befc33078f7453e4ed5e2594a815103c1efe70d6327

(this sample)

  
Delivery method
Distributed via web download

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_DLL_CHARACTERISTICSMissing dll Security Characteristics (HIGH_ENTROPY_VA)high

Comments