MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 c45096343494d886b5af190001a970929eb711d8a80515cf2ac1effc6d35a948. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


SnakeKeylogger


Vendor detections: 9


Intelligence 9 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: c45096343494d886b5af190001a970929eb711d8a80515cf2ac1effc6d35a948
SHA3-384 hash: f4a92b56dafe888a859a1677a4fd3fa6b9f1d441e2a44a3054c8698928834ee1b1d3f3f6716f58f2fcc4a1ad76881cce
SHA1 hash: c5f044d7dcce9457877362574cf610ae6d46c87b
MD5 hash: be12a12a38cc4f094c8944ed245d801a
humanhash: six-floor-nebraska-failed
File name:be12a12a38cc4f094c8944ed245d801a.exe
Download: download sample
Signature SnakeKeylogger
Create hunting rule
File size:814'080 bytes
First seen:2021-08-01 06:59:46 UTC
Last seen:2021-08-02 11:37:28 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 12288:28C57iS/d348Bi81OzCS/CI5UhAgCxZ78wHWHZ/fiBqlMh/PPFobT:LTS/d3riISqImSgCbQw2HZnzs
Threatray 453 similar samples on MalwareBazaar
TLSH T12405BF64848CEBBACC5843B50B8D82642DF08E97F4B1D5A03E4A7EF1B1B4D59DB79381
dhash icon 000616168c39f2a6 (1 x SnakeKeylogger, 1 x AgentTesla)
Reporter abuse_ch
Tags:exe SnakeKeylogger

Intelligence

File Origin
# of uploads :
2
# of downloads :
1'356
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
be12a12a38cc4f094c8944ed245d801a.exe
Verdict:
Malicious activity
Analysis date:
2021-08-01 07:02:00 UTC
Tags:
evasion trojan
Link:
https://app.any.run/tasks/877cf3c6-032e-4496-9c80-843de813f3d1

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Snake
Create hunting rule
Link:
https://www.capesandbox.com/analysis/175546/
Detection(s):
SecuriteInfo.com.Trojan.PackedNET.967-1.UNOFFICIAL
Create hunting rule

Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Snake Keylogger
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/2158041a-6b19-47a1-836e-204e64dbe2a7
Result
Threat name:
Unknown
Detection:
malicious
Classification:
troj.spyw.evad
Score:
92 / 100
Link:
https://www.joesandbox.com/analysis/825034
Signature
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
May check the online IP address of the machine
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Mail credentials (via file access)
Uses schtasks.exe or at.exe to add and modify task schedules
Uses the Telegram API (likely for C&C communication)
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 457446 Sample: ggx6bFSU05.exe Startdate: 01/08/2021 Architecture: WINDOWS Score: 92 37 Multi AV Scanner detection for dropped file 2->37 39 Multi AV Scanner detection for submitted file 2->39 41 Machine Learning detection for sample 2->41 43 2 other signatures 2->43 7 ggx6bFSU05.exe 7 2->7         started        process3 file4 23 C:\Users\user\AppData\...\qfwGDayzyESzj.exe, PE32 7->23 dropped 25 C:\...\qfwGDayzyESzj.exe:Zone.Identifier, ASCII 7->25 dropped 27 C:\Users\user\AppData\Local\...\tmpB780.tmp, XML 7->27 dropped 29 C:\Users\user\AppData\...\ggx6bFSU05.exe.log, ASCII 7->29 dropped 45 May check the online IP address of the machine 7->45 47 Uses schtasks.exe or at.exe to add and modify task schedules 7->47 49 Injects a PE file into a foreign processes 7->49 11 ggx6bFSU05.exe 15 5 7->11         started        15 schtasks.exe 1 7->15         started        17 ggx6bFSU05.exe 7->17         started        19 ggx6bFSU05.exe 7->19         started        signatures5 process6 dnsIp7 31 checkip.dyndns.org 11->31 33 checkip.dyndns.com 132.226.247.73, 49693, 80 UTMEMUS United States 11->33 35 2 other IPs or domains 11->35 51 Tries to steal Mail credentials (via file access) 11->51 53 Tries to harvest and steal ftp login credentials 11->53 55 Tries to harvest and steal browser information (history, passwords, etc) 11->55 21 conhost.exe 15->21         started        signatures8 process9
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/c45096343494d886b5af190001a970929eb711d8a80515cf2ac1effc6d35a948/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2021-08-01 01:02:30 UTC
AV detection:
15 of 46 (32.61%)
Threat level:
  5/5
Verdict:
malicious
Similar samples:
29a4c97029dcf52e73bb65d748d1fd6194c5f7f72fe8c272320bbe38636e0f3a
SnakeKeylogger
4b6d2d4d20ed03f56ffffc9c92549c99b7bd4494c7335790e9cae0e0b5824193
SnakeKeylogger
71d43dd5594e4d74bc9c4e79f13089f1f8938831f8155c49025d634cb9ab2423
SnakeKeylogger
8c366ee263db756db2648d00eb615b16fc8b92262f8bdf7d3269267eb1382cb0
SnakeKeylogger
94fd8c7b7935c64a7ed46794b3b5597800ae02715d5d0d95df19b208dc0d98fb
SnakeKeylogger
96007bdda9d12cf59fd2844843f62d3a86b85cb732ee76004e2f93ac38d8c8af
SnakeKeylogger
d935261d62e1721db7f65671dc26c56c532b98d8b3335fce23455b2404a39ed2
SnakeKeylogger
fb55340ef36d5bfae56dd84e51b9aff7996ab7428fd1fcbe53dfb8fdcda244e8
SnakeKeylogger
+ 443 additional samples on MalwareBazaar
Result
Malware family:
snakekeylogger
Create hunting rule
Score:
  10/10
Tags:
family:snakekeylogger keylogger spyware stealer
Link:
https://tria.ge/reports/210801-tw7n5tp11n/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Looks up external IP address via web service
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
CustAttr .NET packer
Snake Keylogger
Malware Config
C2 Extraction:
https://api.telegram.org/bot1846829589:AAHSsEDTKvDOQ17YrNRY5_FXv5z4mpfGRIc/sendMessage?chat_id=1407381447
Unpacked files
SH256 hash:
591090d00f8a32a01c99697a8022e249802a1c3076a416f9ea32cf6d693938c3
MD5 hash:
cf8d32cd78b72c50313897d1cc5d9bec
SHA1 hash:
ef701191e0b036844ea43ec8b4dd12f4a2f54314
Link:
https://www.unpac.me/results/169bae79-b77f-4d79-8003-d49586529462/
SH256 hash:
61c572d40d955937e1fde42176426bd672a575cb4799c93e1b0c65cd163951cf
MD5 hash:
c85b3b40fb6cd301b42c5fc465eaefa5
SHA1 hash:
b33f709676a4209f25f128bfc809373ddcd7e356
Link:
https://www.unpac.me/results/169bae79-b77f-4d79-8003-d49586529462/
SH256 hash:
97d2fa1d01b2f9a2199896e05e0cf60c14a9f41ef2d72e15fbb862b7afa08438
MD5 hash:
68463851c0e6fe7a254c99fae763d454
SHA1 hash:
4587a5371d88c296a0184fe47ee0c5245b187127
Link:
https://www.unpac.me/results/169bae79-b77f-4d79-8003-d49586529462/
SH256 hash:
c45096343494d886b5af190001a970929eb711d8a80515cf2ac1effc6d35a948
MD5 hash:
be12a12a38cc4f094c8944ed245d801a
SHA1 hash:
c5f044d7dcce9457877362574cf610ae6d46c87b
Link:
https://www.unpac.me/results/169bae79-b77f-4d79-8003-d49586529462/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.51
Link:
https://yomi.yoroi.company/submissions/c45096343494d886b5af190001a970929eb711d8a80515cf2ac1effc6d35a948

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

SnakeKeylogger

Executable exe c45096343494d886b5af190001a970929eb711d8a80515cf2ac1effc6d35a948

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/1491590/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/175546/

Comments