MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 c7c0a22744179c319910d7c9508866ebfc6d35beeee844b8462bab9c04af4b19. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


SnakeKeylogger


Vendor detections: 14


Intelligence 14 IOCs YARA 4 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: c7c0a22744179c319910d7c9508866ebfc6d35beeee844b8462bab9c04af4b19
SHA3-384 hash: bbc8ffca7720fbeb035d7df8e9dce06bff2bec13fb343df12011e0c258594349911daf5933ddaf4c4638d3dda3502521
SHA1 hash: 32e75a939b0ae09a898339004afa4bbeb3ce6d68
MD5 hash: 3270695f929b3f2499f9f56d76c9b08f
humanhash: london-seven-timing-oklahoma
File name:05.12.2023_tahsil_senedi_bilgileri.xls.exe
Download: download sample
Signature SnakeKeylogger
Create hunting rule
File size:697'344 bytes
First seen:2023-12-05 07:02:29 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'666 x AgentTesla, 19'479 x Formbook, 12'209 x SnakeKeylogger)
ssdeep 12288:Xy7KE6jD/62iNG5nF8rmi9VEsqhzUoo3j3D829wV1wIctP/T:X6KtD/61IGzEsGInjwV1wFtX
Threatray 6'044 similar samples on MalwareBazaar
TLSH T15DE4022472D86F4AE9BE43FA0571910027F1BD6A0076D71C1DC2B2CB2775FA19AA1B73
TrID 63.0% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
11.2% (.SCR) Windows screen saver (13097/50/3)
9.0% (.EXE) Win64 Executable (generic) (10523/12/4)
5.6% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
3.8% (.EXE) Win32 Executable (generic) (4505/5/1)
Reporter abuse_ch
Tags:exe geo SnakeKeylogger TUR

Intelligence

File Origin
# of uploads :
1
# of downloads :
334
Origin country :
NL NL
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/462515/
Detection(s):
SecuriteInfo.com.MSIL.Kryptik.WZA.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Сreating synchronization primitives
Unauthorized injection to a recently created process
Restart of the analyzed sample
Creating a file
DNS request
Sending an HTTP GET request
Reading critical registry keys
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
masquerade packed
Link:
https://www.filescan.io/uploads/656ecb2818cffa73b1da4b1a/reports/b3590c6d-68f8-4d2b-8507-db69dac5eff6/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_100%
Link:
https://www.hybrid-analysis.com/sample/c7c0a22744179c319910d7c9508866ebfc6d35beeee844b8462bab9c04af4b19
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Snake Keylogger
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/1538e983-a1a1-4f82-a301-e701e2620f68
Result
Threat name:
Snake Keylogger
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1353736
Signature
.NET source code contains potential unpacker
.NET source code contains very large array initializations
Found malware configuration
Injects a PE file into a foreign processes
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Yara detected AntiVM3
Yara detected Generic Downloader
Yara detected Snake Keylogger
Yara detected Telegram RAT
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/c7c0a22744179c319910d7c9508866ebfc6d35beeee844b8462bab9c04af4b19/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2023-12-05 07:03:07 UTC
File Type:
PE (.Net Exe)
Extracted files:
46
AV detection:
15 of 22 (68.18%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=y7akej2ec6oddgiq27evbcdg5p6g2nn653uejocgfovzybfpjmmq._file
Verdict:
malicious
Similar samples:
6ea20989d66aa35efba273fe6d634b8a7c269c7f03a8df6dcb9c5653dcbba810
SnakeKeylogger
7ea4a70d11f9b347dc1130489ca32322875d587f11963d3b8c6e8583eac113b7
SnakeKeylogger
b7396095e008ad0155c5ca1ec15b3febd04ce95db7ce45b217ecc463f4d95c68
SnakeKeylogger
ef1f59cd6a322060ca09ae2611fa9be5f60469a6c1f165799f2339a98ca892e5
SnakeKeylogger
fe2ed4220640da4d6e2e1e89e4a0dcc0bb67aaa2905b22276fc8a31ed65ea9e3
SnakeKeylogger
+ 6'034 additional samples on MalwareBazaar
Result
Malware family:
snakekeylogger
Create hunting rule
Score:
  10/10
Tags:
family:snakekeylogger keylogger stealer
Link:
https://tria.ge/reports/231205-hvcj5saa32/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Program crash
Suspicious use of SetThreadContext
Looks up external IP address via web service
Snake Keylogger
Snake Keylogger payload
Unpacked files
SH256 hash:
d01f3dea3851602ba5a0586c60430d286adf6fcc7e17aab080601a66630606e5
MD5 hash:
579197d4f760148a9482d1ebde113259
SHA1 hash:
cf6924eb360c7e5a117323bebcb6ee02d2aec86d
Link:
https://www.unpac.me/results/8443e7f5-3c9b-4f0b-8461-222040eccd27/
SH256 hash:
7fa6342560b497a18146dd6b9841992b18d9c077135977fe26139821058a4cd3
MD5 hash:
b4bbca1c613fcae703f1ec6fd514c496
SHA1 hash:
4145d88512331f57472fac46cf1742d97a2d1a8c
Link:
https://www.unpac.me/results/8443e7f5-3c9b-4f0b-8461-222040eccd27/
SH256 hash:
2cbedf8a5a55e760a8dab3c97a25bdcb72b7bcb59b3d934dc582ff017d98ce87
MD5 hash:
07630c805697938d4629b34599b9765c
SHA1 hash:
36ec2edec9b1cfea7b7b01d37e92865521b72fec
Detections:
snake_keylogger
Create hunting rule
win_404keylogger_g1
Create hunting rule
INDICATOR_SUSPICIOUS_EXE_TelegramChatBot
Create hunting rule
MAL_Envrial_Jan18_1
Create hunting rule
MALWARE_Win_SnakeKeylogger
Create hunting rule
INDICATOR_SUSPICIOUS_Binary_References_Browsers
Create hunting rule
INDICATOR_SUSPICIOUS_EXE_DotNetProcHook
Create hunting rule
Link:
https://www.unpac.me/results/8443e7f5-3c9b-4f0b-8461-222040eccd27/
Parent samples :
a3ba5851c9d979b726e0c0e28e3dc4e7fb896b9198c592af71791c20a6c8d081
6ea20989d66aa35efba273fe6d634b8a7c269c7f03a8df6dcb9c5653dcbba810
ef1f59cd6a322060ca09ae2611fa9be5f60469a6c1f165799f2339a98ca892e5
c7c0a22744179c319910d7c9508866ebfc6d35beeee844b8462bab9c04af4b19
1c058ff86662b1c0157e5f550ac61052fb776859e5d7ffd2a73f5c192b509058
SH256 hash:
a0282cd8949b2a2f4a5f25e3ea6db8e87ee1a78d1a5b7c17f2f7fb28a832a034
MD5 hash:
e2740d506b33beb541311284ba4b5607
SHA1 hash:
084828fb113d3f6a245d0eb0a7bf472f5d0dda52
Link:
https://www.unpac.me/results/8443e7f5-3c9b-4f0b-8461-222040eccd27/
SH256 hash:
c7c0a22744179c319910d7c9508866ebfc6d35beeee844b8462bab9c04af4b19
MD5 hash:
3270695f929b3f2499f9f56d76c9b08f
SHA1 hash:
32e75a939b0ae09a898339004afa4bbeb3ce6d68
Link:
https://www.unpac.me/results/8443e7f5-3c9b-4f0b-8461-222040eccd27/
Malware family:
SnakeKeylogger
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/c7c0a2274417/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.61
Link:
https://yomi.yoroi.company/submissions/c7c0a22744179c319910d7c9508866ebfc6d35beeee844b8462bab9c04af4b19

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:AgentTesla_DIFF_Common_Strings_01
Create hunting rule
Author:schmidtsz
Description:Identify partial Agent Tesla strings
Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

SnakeKeylogger

Executable exe c7c0a22744179c319910d7c9508866ebfc6d35beeee844b8462bab9c04af4b19

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/462515/

Comments