MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 c8f4d475fb49c545a0cf3137ba0078a30f668fd5f638d3d5a4744c76f3db74b5. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


SnakeKeylogger


Vendor detections: 15


Intelligence 15 IOCs YARA 11 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: c8f4d475fb49c545a0cf3137ba0078a30f668fd5f638d3d5a4744c76f3db74b5
SHA3-384 hash: f265c4fe7560a2d66e856a1b741a9fe39b2874136d440fa1d699f4f7b2af42b0a0183369beee2d487740652ab7c3a2dc
SHA1 hash: 077276bd8d242b7e1dfafbb57061cbba6d8b97f0
MD5 hash: 46b5ef87d893bba0027de00d2cd6c222
humanhash: pip-arizona-xray-alaska
File name:Factura N° 11097.PDF.exe
Download: download sample
Signature SnakeKeylogger
Create hunting rule
File size:734'720 bytes
First seen:2023-05-30 10:28:47 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 12288:C32B0xTGlxNqvNu2hZ+nUEsn9iCaavBPHie+2WdUGqcfZzZt89NCIRm:C3LaVUH999inarXnGtNZY0I
Threatray 5'837 similar samples on MalwareBazaar
TLSH T1BDF4F194B5BB4B2BC5BA57F5950463351BBA1AACBC72E71B4ECBF0C61961F010AC0B13
TrID 71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.2% (.EXE) Win64 Executable (generic) (10523/12/4)
6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.3% (.EXE) Win32 Executable (generic) (4505/5/1)
2.0% (.ICL) Windows Icons Library (generic) (2059/9)
Reporter abuse_ch
Tags:exe SnakeKeylogger

Intelligence

File Origin
# of uploads :
1
# of downloads :
262
Origin country :
NL NL
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
Factura N° 11097.PDF.exe
Verdict:
Malicious activity
Analysis date:
2023-05-30 10:45:11 UTC
Tags:
evasion snake keylogger trojan
Link:
https://app.any.run/tasks/cea7de04-75ab-442c-a554-1f35ad469509

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Snake
Create hunting rule
Link:
https://www.capesandbox.com/analysis/393516/
Detection(s):
SecuriteInfo.com.Win32.PWSX-gen.13006.26464.UNOFFICIAL
Create hunting rule

Result
Verdict:
Suspicious
Maliciousness:

Behaviour
Searching for the window
Creating a window
Sending a custom TCP request
Creating a process from a recently created file
Enabling the 'hidden' option for recently created files
Moving a file to the %temp% directory
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
lolbin packed
Link:
https://www.filescan.io/uploads/6475cff06407f39ba8add781/reports/6b7c64e0-f35d-40d6-be50-10aa854f55f5/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_90%
Link:
https://www.hybrid-analysis.com/sample/c8f4d475fb49c545a0cf3137ba0078a30f668fd5f638d3d5a4744c76f3db74b5
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Snake Keylogger
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/a5df6da3-c6c7-4be2-95c0-3021b6c088c0
Result
Threat name:
Snake Keylogger
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1245150
Signature
.NET source code contains potential unpacker
Found malware configuration
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
May check the online IP address of the machine
Moves itself to temp directory
Multi AV Scanner detection for submitted file
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Uses an obfuscated file name to hide its real file extension (double extension)
Yara detected Generic Downloader
Yara detected Snake Keylogger
Yara detected Telegram RAT
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/c8f4d475fb49c545a0cf3137ba0078a30f668fd5f638d3d5a4744c76f3db74b5/
Threat name:
Win32.Trojan.Leonem
Create hunting rule
Status:
Malicious
First seen:
2023-05-30 10:29:12 UTC
File Type:
PE (.Net Exe)
Extracted files:
12
AV detection:
16 of 24 (66.67%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=zd2ni5p3jhculigpge33uadyumhwnd6v6y4nhvneorghn463os2q._file
Verdict:
malicious
Similar samples:
036f901bbb4baa9472c984aa6c7e9786f252371c85e469d56c656f4b97c47e9f
SnakeKeylogger
097f5dbc2976c1c2d16d12031bf0fb805f1212c695d9301877e00fc63591b240
SnakeKeylogger
1237eec0287f5d0590ef5a8d6bc33e37c3f1384ed1ee265645f8efa054255f38
SnakeKeylogger
26969921baa34c10f19e16987def5c7c640214907867e51ebdd2fcfddc5b684b
SnakeKeylogger
465f7a28242d2bcfa2ea5a965667f9d71c6a7e712da370a9a92b364180e2d729
SnakeKeylogger
6852d72daa3cb833ad7303422696b68b2df654acab26f54f36732c3e97822cd9
SnakeKeylogger
6ba348dfac24550cca10be771bafa25a19f9baca0651f4467c71b8974a163061
SnakeKeylogger
77dd08fac6833c6ef555e84c2ef5599ed10b7e6dad2da324e4ad643e843709d0
SnakeKeylogger
a7df5eb83434a5da24e394b94c775957e42ca3b36f3f76c582af50eeed525693
SnakeKeylogger
cc51d10e5165cb6ba234e1ac9b831d9ba93c8cf678a12890ff712386a8346398
SnakeKeylogger
+ 5'827 additional samples on MalwareBazaar
Result
Malware family:
snakekeylogger
Create hunting rule
Score:
  10/10
Tags:
family:snakekeylogger collection keylogger spyware stealer
Link:
https://tria.ge/reports/230530-mh85sshd3w/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: RenamesItself
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Looks up external IP address via web service
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Snake Keylogger
Snake Keylogger payload
Unpacked files
SH256 hash:
bf8e27db2666d28e2c7102dc246f5b4ea15f567f98b6fa7378965d339ce292a3
MD5 hash:
37d088f4ee78c6b8fc03153e29bbeebd
SHA1 hash:
a552a49092ae86f3211f3dcb640be502533962ee
Link:
https://www.unpac.me/results/221bb10d-e2e7-420c-a377-320afbfdc27d/
SH256 hash:
16c255190eaaf1b60ec7d07abcac5f614ea197cee2416ca9d01bb563c526c87d
MD5 hash:
fb4ed205b442f470bbf10913128efdcb
SHA1 hash:
9a0a4c5ae429769e3253a9a3daefa24270b87a5b
Link:
https://www.unpac.me/results/221bb10d-e2e7-420c-a377-320afbfdc27d/
Parent samples :
ee57b6fa1e5a3c5ef776b79f32820327bcb3fe1974eeddf65c0eb56131193397
de8c7c543f438af1e7e78096f6873268e9b1a12745edf9c88db07e136163399e
SH256 hash:
2ce28085a81ccca53b7a1798a247a8d6073351c7e82f1fe140a8e02ba5a6b4be
MD5 hash:
c54f8afa54219a3d8b729be9d2a30878
SHA1 hash:
3d90afa0cd694db05a30ab9be369fab5912d13e6
Detections:
snake_keylogger
Create hunting rule
Link:
https://www.unpac.me/results/221bb10d-e2e7-420c-a377-320afbfdc27d/
Parent samples :
465f7a28242d2bcfa2ea5a965667f9d71c6a7e712da370a9a92b364180e2d729
c8f4d475fb49c545a0cf3137ba0078a30f668fd5f638d3d5a4744c76f3db74b5
564b04babf3a9e21e6b6b3f5a1c7ea624e5036052382afc1ba15e206b6308f6a
SH256 hash:
f65d6c87102a18d7897c08ba82697e0b4808a8307b584d25a42aea016a41e7f8
MD5 hash:
7299310139d8fd6d9f2c067d13b3824e
SHA1 hash:
3bbc1160b82f289b5e8683d790a2ec1263998930
Link:
https://www.unpac.me/results/221bb10d-e2e7-420c-a377-320afbfdc27d/
SH256 hash:
2ff008411604294741bf41e262f6bdcc735e4429a7be564f51a31cf9dfb39bce
MD5 hash:
5fa87fa0027757c163945f505cb9515c
SHA1 hash:
37759f6a98568baded3123a5bb9c3a39da73e1cb
Link:
https://www.unpac.me/results/221bb10d-e2e7-420c-a377-320afbfdc27d/
SH256 hash:
c8f4d475fb49c545a0cf3137ba0078a30f668fd5f638d3d5a4744c76f3db74b5
MD5 hash:
46b5ef87d893bba0027de00d2cd6c222
SHA1 hash:
077276bd8d242b7e1dfafbb57061cbba6d8b97f0
Link:
https://www.unpac.me/results/221bb10d-e2e7-420c-a377-320afbfdc27d/
Malware family:
SnakeKeylogger
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/c8f4d475fb49/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Password Stealer
Score:
0.90
Link:
https://yomi.yoroi.company/submissions/c8f4d475fb49c545a0cf3137ba0078a30f668fd5f638d3d5a4744c76f3db74b5

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_SUSPICIOUS_Binary_References_Browsers
Create hunting rule
Author:ditekSHen
Description:Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers.
Rule name:INDICATOR_SUSPICIOUS_EXE_DotNetProcHook
Create hunting rule
Author:ditekSHen
Description:Detects executables with potential process hoocking
Rule name:INDICATOR_SUSPICIOUS_EXE_References_Messaging_Clients
Create hunting rule
Author:ditekSHen
Description:Detects executables referencing many email and collaboration clients. Observed in information stealers
Rule name:INDICATOR_SUSPICIOUS_EXE_TelegramChatBot
Create hunting rule
Author:ditekSHen
Description:Detects executables using Telegram Chat Bot
Rule name:MALWARE_Win_SnakeKeylogger
Create hunting rule
Author:ditekSHen
Description:Detects Snake Keylogger
Rule name:MAL_Envrial_Jan18_1
Create hunting rule
Author:Florian Roth (Nextron Systems)
Description:Detects Encrial credential stealer malware
Reference:https://twitter.com/malwrhunterteam/status/953313514629853184
Rule name:MAL_Envrial_Jan18_1_RID2D8C
Create hunting rule
Author:Florian Roth
Description:Detects Encrial credential stealer malware
Reference:https://twitter.com/malwrhunterteam/status/953313514629853184
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash
Rule name:Windows_Trojan_SnakeKeylogger_af3faa65
Create hunting rule
Author:Elastic Security

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

SnakeKeylogger

Executable exe c8f4d475fb49c545a0cf3137ba0078a30f668fd5f638d3d5a4744c76f3db74b5

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/393516/

Comments