MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 c92819a5b69535e455893801e3ceabc29f5659a213ff93d4891b36c8af740059. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


SnakeKeylogger


Vendor detections: 14


Intelligence 14 IOCs YARA 4 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: c92819a5b69535e455893801e3ceabc29f5659a213ff93d4891b36c8af740059
SHA3-384 hash: 51ac807a5685ea12c02e92288e9d7defa66c40eaa9bd7de745373ef93ded439209fb3bc7c59c917e4390e36827ed0bf7
SHA1 hash: 129fe4f6b63412c22f728d7fec1da8cb69c9e0a5
MD5 hash: d8a5317c8c4e740557a01574cfebf71f
humanhash: pip-october-network-video
File name:d8a5317c8c4e740557a01574cfebf71f.exe
Download: download sample
Signature SnakeKeylogger
Create hunting rule
File size:771'072 bytes
First seen:2023-08-05 09:52:30 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'657 x AgentTesla, 19'468 x Formbook, 12'207 x SnakeKeylogger)
ssdeep 12288:FfNMRf0t5/T4U0T2yhANAv3g5uFDztzT90QQpO:FfyRc3bQ22A2vjtzTiXg
Threatray 407 similar samples on MalwareBazaar
TLSH T188F4857804BB4E62C221D2BE6AC5E53FF6415CB6611C8D5B929A6F870D03D732C9EC2D
TrID 63.0% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
11.2% (.SCR) Windows screen saver (13097/50/3)
9.0% (.EXE) Win64 Executable (generic) (10523/12/4)
5.6% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
3.8% (.EXE) Win32 Executable (generic) (4505/5/1)
Reporter abuse_ch
Tags:exe SnakeKeylogger

Intelligence

File Origin
# of uploads :
1
# of downloads :
281
Origin country :
NL NL
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
d8a5317c8c4e740557a01574cfebf71f.exe
Verdict:
Malicious activity
Analysis date:
2023-08-05 09:57:41 UTC
Tags:
evasion snake keylogger trojan
Link:
https://app.any.run/tasks/9d3d0965-4e3f-4d40-bc99-350ba76120c5

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Snake
Create hunting rule
Link:
https://www.capesandbox.com/analysis/440792/
Detection(s):
SecuriteInfo.com.Trojan.GenericKD.68453388.17926.27945.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Сreating synchronization primitives
Creating a file in the %AppData% directory
Enabling the 'hidden' option for recently created files
Adding an access-denied ACE
Creating a process with a hidden window
Creating a file in the %temp% directory
Launching a process
Unauthorized injection to a recently created process
Restart of the analyzed sample
Creating a file
Enabling the 'hidden' option for analyzed file
Adding an exclusion to Microsoft Defender
Enabling autorun by creating a file
Gathering data
Verdict:
Malicious
Labled as:
Trojan.Generic
Link:
https://www.hybrid-analysis.com/sample/c92819a5b69535e455893801e3ceabc29f5659a213ff93d4891b36c8af740059
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Snake Keylogger
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/36b17967-65ac-4966-b199-fb95acecec15
Result
Threat name:
Snake Keylogger
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1286422
Signature
.NET source code contains very large strings
Adds a directory exclusion to Windows Defender
Found malware configuration
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
May check the online IP address of the machine
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Scheduled temp file as task from temp location
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected Generic Downloader
Yara detected Snake Keylogger
Yara detected Telegram RAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 1286422 Sample: 3b7wE1V3VW.exe Startdate: 05/08/2023 Architecture: WINDOWS Score: 100 47 Found malware configuration 2->47 49 Malicious sample detected (through community Yara rule) 2->49 51 Sigma detected: Scheduled temp file as task from temp location 2->51 53 6 other signatures 2->53 7 3b7wE1V3VW.exe 7 2->7         started        11 oefbENy.exe 5 2->11         started        process3 file4 35 C:\Users\user\AppData\Roaming\oefbENy.exe, PE32 7->35 dropped 37 C:\Users\user\AppData\Local\...\tmp9929.tmp, XML 7->37 dropped 55 May check the online IP address of the machine 7->55 57 Uses schtasks.exe or at.exe to add and modify task schedules 7->57 59 Adds a directory exclusion to Windows Defender 7->59 13 3b7wE1V3VW.exe 15 2 7->13         started        17 powershell.exe 20 7->17         started        19 schtasks.exe 1 7->19         started        61 Multi AV Scanner detection for dropped file 11->61 63 Machine Learning detection for dropped file 11->63 21 oefbENy.exe 14 2 11->21         started        23 schtasks.exe 1 11->23         started        25 oefbENy.exe 11->25         started        signatures5 process6 dnsIp7 39 checkip.dyndns.org 13->39 41 checkip.dyndns.com 158.101.44.242, 49697, 80 ORACLE-BMC-31898US United States 13->41 65 Tries to steal Mail credentials (via file / registry access) 13->65 67 Tries to harvest and steal browser information (history, passwords, etc) 13->67 27 conhost.exe 17->27         started        29 conhost.exe 19->29         started        43 checkip.dyndns.org 21->43 45 132.226.8.169, 49698, 80 UTMEMUS United States 21->45 31 WerFault.exe 21->31         started        33 conhost.exe 23->33         started        signatures8 process9
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/c92819a5b69535e455893801e3ceabc29f5659a213ff93d4891b36c8af740059/
Threat name:
Win32.Trojan.Leonem
Create hunting rule
Status:
Malicious
First seen:
2023-07-31 09:36:14 UTC
File Type:
PE (.Net Exe)
Extracted files:
6
AV detection:
19 of 24 (79.17%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=zeubtjnwsu26ivmjhaa6htvlykpvmwnccp7zhvejdm3mrl3uabmq._file
Verdict:
malicious
Similar samples:
065422f5a2797ef0b64e40890c4b00d60c2edda5bef5a73a6eb361ec8a81baa9
SnakeKeylogger
38e497ba967a7027611f38d868b02f7c00405cc0cde0500ee32a61103dddd4f4
SnakeKeylogger
555af21b8831e78e3b1313dda0d2924af9507c4e701b6b42d0777d28a9405134
SnakeKeylogger
5c9e41c57fc02e8a6832d92888f838a455e75ce93c833f2b730376a11f0040e9
SnakeKeylogger
73ff2753b011fd1295ce8a2ca311a308bdc993e95258fe0b93ee353b08e58403
SnakeKeylogger
80c0c7648149fdb4b41f5abc6316de36da5c3133676d4c9d68e783ba70cb46c0
SnakeKeylogger
9441f2f74776f33df8f0f42c53a6fccea0d3173c9a2f403a16d07958509116c7
SnakeKeylogger
a394d1c47fbaacefdfb9bf4b4e39471fd17ef82a107cc0d29306a7de6e45743d
SnakeKeylogger
aa2d0f4b6445d3f0f50a54a10d357abf7a51cf14cb63ab99f357ea3564f84e7c
SnakeKeylogger
d00f8dee3e81decbb37ef2651c88d3ba46a959d5bfe1d71fc17afd8b4704b4bd
SnakeKeylogger
+ 397 additional samples on MalwareBazaar
Result
Malware family:
snakekeylogger
Create hunting rule
Score:
  10/10
Tags:
family:snakekeylogger keylogger spyware stealer
Link:
https://tria.ge/reports/230805-lwmnaacf71/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Looks up external IP address via web service
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Snake Keylogger
Snake Keylogger payload
Unpacked files
SH256 hash:
862f3cd524b29fc5b6ced9cfc4d13756cb90d6c95ca50fd2438e2d5df44bbf05
MD5 hash:
8ade068b8a62b6173f1d3e07bf0a7e04
SHA1 hash:
b63b1dddf4358e8826dab84e4206137d41718592
Detections:
snake_keylogger
Create hunting rule
Link:
https://www.unpac.me/results/4e8b2ea3-4ad9-455b-9187-4f8cc51ec318/
Parent samples :
6b9078cd23ba0a810bb971fde08fcbe3b4124c84846b7446ebaf7eac57da047b
db7f70227c9ba4a6977cbd919bf9aa2f611d2557b145e5a8d7f06d184dd9d5d3
d1e6c1aa5e9ba581f78bb0270c55f94dc5013f5d546ad2524efb6b005dce36e8
d2ed2fe66a89a05c02510dabf4360f8fe54f6f27e94ccd864c56beaf218229e3
14bc396bc52d43f2e370a4a65ad0b08012e48b0644ed66325848e0dafd195ce4
f6bdba555d1356168f7f1581949ab5ca8d6b20e9a6495e0cfcef8d3b129638a0
c92819a5b69535e455893801e3ceabc29f5659a213ff93d4891b36c8af740059
d757716097082fdcf35033613d1736f4cf02f07afb368b1381489ba8ebba3cb0
48edab5efefe889cc80214488317960772b2482e86a96e1ceac109287926179e
SH256 hash:
53f2ad060cf771aa4f197df5789cee95959480c244a0b392bb450c8ce7311d77
MD5 hash:
37e82d3e2864e27b34f5fbacaea759c3
SHA1 hash:
a87024a466e052bff09a170bb8c6f374f6c84c32
Link:
https://www.unpac.me/results/4e8b2ea3-4ad9-455b-9187-4f8cc51ec318/
SH256 hash:
3b45b6cd6e65ef49aba151eaeb0ef2c8dfc95092caa0ca053294b31284133ed0
MD5 hash:
57c9823695537d3a83b41acf533a0bb2
SHA1 hash:
4330bd5334bfeeb98f7377cd333798668729e90f
Link:
https://www.unpac.me/results/4e8b2ea3-4ad9-455b-9187-4f8cc51ec318/
SH256 hash:
0b21c2aa6d9b8f807ff7171103c0d3311a852223f66c22c0223d2044dfcd8e60
MD5 hash:
d80ad864ea9b71a6f27a19209a17b26a
SHA1 hash:
33b7929963dba2dd3800a6e5ab8c530cb9cbd3ba
Link:
https://www.unpac.me/results/4e8b2ea3-4ad9-455b-9187-4f8cc51ec318/
SH256 hash:
c92819a5b69535e455893801e3ceabc29f5659a213ff93d4891b36c8af740059
MD5 hash:
d8a5317c8c4e740557a01574cfebf71f
SHA1 hash:
129fe4f6b63412c22f728d7fec1da8cb69c9e0a5
Link:
https://www.unpac.me/results/4e8b2ea3-4ad9-455b-9187-4f8cc51ec318/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/c92819a5b69535e455893801e3ceabc29f5659a213ff93d4891b36c8af740059

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:NETexecutableMicrosoft
Create hunting rule
Author:malware-lu
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/440792/

Comments