MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 ca4369c92b99c4410a13c6b8f18724c46d24145c851fd744c5a3e29c7e90ab9f. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


SnakeKeylogger


Vendor detections: 15


Intelligence 15 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: ca4369c92b99c4410a13c6b8f18724c46d24145c851fd744c5a3e29c7e90ab9f
SHA3-384 hash: 1da150a1b78c6e0ca3a8d5050cfd1e5553615cf7b352695f3a5317d6aa73460bba6de84b3846d73c32552defe2ecd9e3
SHA1 hash: 20f3b233af7602534a42910a271c5452ac369f7e
MD5 hash: 8b8625d4ccfe4cd652bf3b16ba94fcfe
humanhash: california-washington-arizona-seven
File name:PRESUPUESTO.exe
Download: download sample
Signature SnakeKeylogger
Create hunting rule
File size:744'448 bytes
First seen:2023-05-05 11:26:24 UTC
Last seen:2023-05-13 22:55:36 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 12288:Qp11KcP5eJ6VTBeNg2bOAc94Kg3Q2rboYP9VDkgcmr6unoN5lo:OPKcPtOg21Kg3jXoaVwNmdej
Threatray 757 similar samples on MalwareBazaar
TLSH T1BEF4E12523B9BBA5ECF683F82618A4015FB42D2153BAD5E84DCAF0CD5158F09FB20797
TrID 71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.2% (.EXE) Win64 Executable (generic) (10523/12/4)
6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.3% (.EXE) Win32 Executable (generic) (4505/5/1)
2.0% (.ICL) Windows Icons Library (generic) (2059/9)
Reporter abuse_ch
Tags:exe SnakeKeylogger

Intelligence

File Origin
# of uploads :
2
# of downloads :
229
Origin country :
NL NL
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
PRESUPUESTO.exe
Verdict:
Malicious activity
Analysis date:
2023-05-05 11:32:36 UTC
Tags:
snake keylogger trojan evasion
Link:
https://app.any.run/tasks/6d8eba68-fb66-41d9-af04-e3b799b16f44

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Snake
Create hunting rule
Link:
https://www.capesandbox.com/analysis/386816/
Detection(s):
SecuriteInfo.com.Variant.Lazy.339156.3218.13622.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Creating a window
Sending a custom TCP request
Launching a process
Creating a process with a hidden window
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
comodo jigsaw packed
Link:
https://www.filescan.io/uploads/6454e80a03145f701ea2b1ef/reports/fee5b29d-1a79-4f3b-bad3-31f3e83a2d13/overview
Verdict:
Malicious
Labled as:
Lazy.Generic
Link:
https://www.hybrid-analysis.com/sample/ca4369c92b99c4410a13c6b8f18724c46d24145c851fd744c5a3e29c7e90ab9f
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/dd26ccad-796e-49dc-a38a-82325fcce3b6
Result
Threat name:
Snake Keylogger
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1226853
Signature
.NET source code contains potential unpacker
Adds a directory exclusion to Windows Defender
Found malware configuration
Injects a PE file into a foreign processes
Malicious sample detected (through community Yara rule)
May check the online IP address of the machine
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Scheduled temp file as task from temp location
Snort IDS alert for network traffic
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Mail credentials (via file / registry access)
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected Generic Downloader
Yara detected Snake Keylogger
Yara detected Telegram RAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 859817 Sample: PRESUPUESTO.exe Startdate: 05/05/2023 Architecture: WINDOWS Score: 100 42 checkip.dyndns.org 2->42 44 checkip.dyndns.com 2->44 54 Snort IDS alert for network traffic 2->54 56 Found malware configuration 2->56 58 Malicious sample detected (through community Yara rule) 2->58 60 7 other signatures 2->60 8 PRESUPUESTO.exe 7 2->8         started        12 qCvnmudVgOLbhH.exe 5 2->12         started        signatures3 process4 file5 34 C:\Users\user\AppData\...\qCvnmudVgOLbhH.exe, PE32 8->34 dropped 36 C:\...\qCvnmudVgOLbhH.exe:Zone.Identifier, ASCII 8->36 dropped 38 C:\Users\user\AppData\Local\...\tmpCE9C.tmp, XML 8->38 dropped 40 C:\Users\user\AppData\...\PRESUPUESTO.exe.log, ASCII 8->40 dropped 62 May check the online IP address of the machine 8->62 64 Uses schtasks.exe or at.exe to add and modify task schedules 8->64 66 Adds a directory exclusion to Windows Defender 8->66 14 PRESUPUESTO.exe 15 2 8->14         started        18 powershell.exe 17 8->18         started        20 schtasks.exe 1 8->20         started        26 3 other processes 8->26 68 Multi AV Scanner detection for dropped file 12->68 70 Injects a PE file into a foreign processes 12->70 22 qCvnmudVgOLbhH.exe 2 12->22         started        24 schtasks.exe 1 12->24         started        signatures6 process7 dnsIp8 46 checkip.dyndns.com 132.226.8.169, 49699, 49700, 80 UTMEMUS United States 14->46 48 checkip.dyndns.org 14->48 50 192.168.2.1 unknown unknown 14->50 28 conhost.exe 18->28         started        30 conhost.exe 20->30         started        52 checkip.dyndns.org 22->52 72 Tries to steal Mail credentials (via file / registry access) 22->72 74 Tries to harvest and steal ftp login credentials 22->74 76 Tries to harvest and steal browser information (history, passwords, etc) 22->76 32 conhost.exe 24->32         started        signatures9 process10
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/ca4369c92b99c4410a13c6b8f18724c46d24145c851fd744c5a3e29c7e90ab9f/
Threat name:
Win32.Trojan.Lazy
Create hunting rule
Status:
Malicious
First seen:
2023-05-05 11:27:08 UTC
File Type:
PE (.Net Exe)
Extracted files:
24
AV detection:
12 of 37 (32.43%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=zjbwtsjlthceccqty24pdbzeyrwsifc4qup5orgfuprjy7uqvopq._file
Verdict:
malicious
Similar samples:
2d6c9ac070f5bb55d66de498da4a8c26d377eb79d7917d03af6d3608e350ac08
SnakeKeylogger
72ab6b20fff5f1384506c7a3943c3c8f9d3ce2ecc79197f0ad8274ae1a2150fd
SnakeKeylogger
87ec8dcb44c20195f72ea0d6d2ac3572a9241bb1e0c7f770d8d13e65a4cf9155
SnakeKeylogger
8992b94e147a940a1da05b11631e28202c50840902fa372690485b49c415e4b5
SnakeKeylogger
a150a0e7dcd71a30b911d577b58895caba94c325e415915a1d60ff64be0bd733
SnakeKeylogger
d0f80693d3549f105e2db006994180bb647006072a107571c0f408fc187d1621
SnakeKeylogger
d9fcc1602122022a5c2ad597168eed6137a55b2356d767f5a877083c99989561
SnakeKeylogger
e94f95707bc1ee3c1516cce43846a594acf5a1024ae7a76cb34afe5639fe95b5
SnakeKeylogger
+ 747 additional samples on MalwareBazaar
Result
Malware family:
snakekeylogger
Create hunting rule
Score:
  10/10
Tags:
family:snakekeylogger collection keylogger spyware stealer
Link:
https://tria.ge/reports/230505-nkgn1ahg88/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Enumerates physical storage devices
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Looks up external IP address via web service
Checks computer location settings
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Snake Keylogger
Snake Keylogger payload
Unpacked files
SH256 hash:
280001013946838a651abbdee890fa4a4d49c382b7b5e78b7805caef036304e2
MD5 hash:
d4b6893a5512534104c6c7403be60897
SHA1 hash:
d4b51c3e4cafb3b146435a4e2e21bb5ddf15956d
Link:
https://www.unpac.me/results/e89a3771-f430-4a68-ad4f-d071f37e14c2/
SH256 hash:
9c28f4c8e05f64529da88db6e757edfadd660c7512eba41960db7dc7d3bbaa52
MD5 hash:
544ef55a200db62270ac39bf2461cc05
SHA1 hash:
af7da93a2a94406139696a87e0ebf25e223c88e7
Link:
https://www.unpac.me/results/e89a3771-f430-4a68-ad4f-d071f37e14c2/
SH256 hash:
40c050c20d957d26b932faf690f9c2933a194aa6607220103ec798f46ac03403
MD5 hash:
c768bac25fc6f0551a11310e7caba8d5
SHA1 hash:
95f9195e959fb48277c95d1dd1c97a4edff7cb3a
Link:
https://www.unpac.me/results/e89a3771-f430-4a68-ad4f-d071f37e14c2/
SH256 hash:
efbcf87f13a95fe2cb2423e72975e6166c5ca49f2ebabb5ac7a50e023308fb20
MD5 hash:
7e8482b1d94188c47319239f258c6869
SHA1 hash:
92e81ae84d1abb80a53907986dea46afa4d9f391
Link:
https://www.unpac.me/results/e89a3771-f430-4a68-ad4f-d071f37e14c2/
SH256 hash:
6a232f25d7fc22bd0014580eba27830fa38429b7630286af3c8b984c88460abc
MD5 hash:
59f70bc3b413fbd65f0c1cb2c04b28d6
SHA1 hash:
1e4e7e40d87290b7947f4cc9fdbdd61640b7d1cc
Detections:
snake_keylogger
Create hunting rule
Link:
https://www.unpac.me/results/e89a3771-f430-4a68-ad4f-d071f37e14c2/
Parent samples :
97f310bcb89ddf0a6c1582f47c46b59fa153997a11d5dedc862a62a468977e61
6651fc9d40430503d651012b74149b5b99f2a6b758ee59498a21b7592722a3ed
4735fe65c5f86a0bdc62754823cb6470b3995e392527d0a20fb5f61a7acecafe
aa6c2ef24b150191c159fae081258ad96844a9dc1d02d4366168fc48640770ef
8ecfe073dffd0f788e9d22b4d25854b0b9f2407725988a19d0bd54ac1990ab1e
e710d551910b6751fc61ebe64138b020526a8d6d24ff282c96d7f74249da0a5b
d3b15a575e1cbb1fb69ff44063e584385027d4f6c1ce73ccaa97208c8b77fb4e
ca4369c92b99c4410a13c6b8f18724c46d24145c851fd744c5a3e29c7e90ab9f
547f397336be3f2ad50692798f02db867c52d0e2ed2022cdc72d895f159a8ad2
59c2f70e5cd0cd6c24c2ab51aaefb332d12dbb46dd9ffdd84d4848dc290476a8
a2c60612d5450af22322938dad549462026ec1fe256cdcaf9719f27be7fc901f
SH256 hash:
ca4369c92b99c4410a13c6b8f18724c46d24145c851fd744c5a3e29c7e90ab9f
MD5 hash:
8b8625d4ccfe4cd652bf3b16ba94fcfe
SHA1 hash:
20f3b233af7602534a42910a271c5452ac369f7e
Link:
https://www.unpac.me/results/e89a3771-f430-4a68-ad4f-d071f37e14c2/
Malware family:
SnakeKeylogger
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/ca4369c92b99/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Password Stealer
Score:
0.90
Link:
https://yomi.yoroi.company/submissions/ca4369c92b99c4410a13c6b8f18724c46d24145c851fd744c5a3e29c7e90ab9f

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:BitcoinAddress
Create hunting rule
Author:Didier Stevens (@DidierStevens)
Description:Contains a valid Bitcoin address
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

SnakeKeylogger

Executable exe ca4369c92b99c4410a13c6b8f18724c46d24145c851fd744c5a3e29c7e90ab9f

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/386816/

Comments