MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 ce49fe316e00aef70cce1d5430382613692b59d306b9b6253e88ac5c94732b0d. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


SnakeKeylogger


Vendor detections: 14


Intelligence 14 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: ce49fe316e00aef70cce1d5430382613692b59d306b9b6253e88ac5c94732b0d
SHA3-384 hash: 3e5d5c13b1b7fb3ca23d09b6dbe8fb04f123489d01d17f9f377646141dc23c6eb8dc1323834e6c00a1668dea6c1711fd
SHA1 hash: a910f1cc76616ea7c1544b5b9c7aa72d257d5741
MD5 hash: 02a2e732c17eb9bd45ae18a1d417a0bb
humanhash: magazine-queen-two-may
File name:02a2e732c17eb9bd45ae18a1d417a0bb.exe
Download: download sample
Signature SnakeKeylogger
Create hunting rule
File size:580'096 bytes
First seen:2022-11-01 08:37:05 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 12288:PwhuJhQv8VrBUhAQ5I/ITRGEA+iYzps7:suJHrahaITR5A+Ps7
Threatray 8'719 similar samples on MalwareBazaar
TLSH T18CC42253322A8DEBD82917F845CA43B127F0BD54B821D95E288722EE2C357C7DB12767
TrID 72.5% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.4% (.EXE) Win64 Executable (generic) (10523/12/4)
6.5% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.4% (.EXE) Win32 Executable (generic) (4505/5/1)
2.0% (.EXE) OS/2 Executable (generic) (2029/13)
Reporter abuse_ch
Tags:exe SnakeKeylogger

Intelligence

File Origin
# of uploads :
1
# of downloads :
379
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
02a2e732c17eb9bd45ae18a1d417a0bb.exe
Verdict:
Malicious activity
Analysis date:
2022-11-01 08:45:10 UTC
Tags:
evasion trojan snake
Link:
https://app.any.run/tasks/ceb6d535-e895-4534-89c7-8c934e9b5f61

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/326746/
Detection(s):
SecuriteInfo.com.Trojan.Inject4.46086.25775.18262.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Creating a window
Unauthorized injection to a recently created process
Creating a file
Сreating synchronization primitives
DNS request
Sending an HTTP GET request
Reading critical registry keys
Forced shutdown of a browser
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
packed
Link:
https://www.filescan.io/uploads/6360daeba5db8d309cbc27ec/reports/e4e6d525-d565-47ae-8c1a-c824f52f3400/overview
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Snake Keylogger
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/89180ac5-9cde-40ba-bbeb-69810cd99701
Result
Threat name:
Snake Keylogger
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1102417
Signature
.NET source code contains potential unpacker
.NET source code references suspicious native API functions
Injects a PE file into a foreign processes
Malicious sample detected (through community Yara rule)
May check the online IP address of the machine
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Mail credentials (via file / registry access)
Yara detected AntiVM3
Yara detected Generic Downloader
Yara detected Snake Keylogger
Yara detected Telegram RAT
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/ce49fe316e00aef70cce1d5430382613692b59d306b9b6253e88ac5c94732b0d/
Threat name:
ByteCode-MSIL.Trojan.REMLoader
Create hunting rule
Status:
Malicious
First seen:
2022-11-01 08:38:08 UTC
File Type:
PE (.Net Exe)
Extracted files:
22
AV detection:
18 of 26 (69.23%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=zze74mloacxpodgodvkdaobgcnuswwota243mjj6rcwfzfdtfmgq._file
Verdict:
malicious
Similar samples:
075d1ac0887f0028c537e2b45c1d1686d26e18464792ca65b374a4ac82261d93
SnakeKeylogger
09a476b31272d7aa3ba1e7f0a5ed54dda6834819fb360de18cd883fdb177686d
SnakeKeylogger
5c00ba81ba3c63b387be3c81b197a552de1ba46a1922c696d602e4fbf1700c01
SnakeKeylogger
6e3068d40a7f9cf1c1b32ce4c58931efe7363b9f2d9c96117c72e8c5fa90c723
SnakeKeylogger
bde44d28af8eea00ebb87e8a609fba8ed3e7371dfc1b5b842ef1a2aac4a0819c
SnakeKeylogger
e3555cc65ec783fa2aa5a0c5c565e2ac373487fbcffd83db2a014f40ac983d30
SnakeKeylogger
e7bce95f8d0c0afe68c7073eb88a60271388885c07bd9a5abfcace139eec9e9f
SnakeKeylogger
f92f663f8f3a0eb9aa71214253b157153bc4c9b386e4189c00017ec85e9d6913
SnakeKeylogger
+ 8'709 additional samples on MalwareBazaar
Result
Malware family:
snakekeylogger
Create hunting rule
Score:
  10/10
Tags:
family:snakekeylogger collection keylogger spyware stealer
Link:
https://tria.ge/reports/221101-kjqczahgf4/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Looks up external IP address via web service
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Snake Keylogger
Snake Keylogger payload
Malware Config
C2 Extraction:
https://api.telegram.org/bot5409930542:AAFxwqGbFuHLkEcoI_Wd5LmyaZ64bak9as0/sendMessage?chat_id=5492983899
Verdict:
Suspicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/9ad1f0d2-6863-419e-9cfb-3011ebed3a4a
Unpacked files
SH256 hash:
15d73a776fe344c81d89f8c1403a88694e798a4698997b7e71ff8cd285043e5e
MD5 hash:
30f4d7c4a68786ee7add65357696b171
SHA1 hash:
f1dc5ea4551456140bda5f1be92ea156260cab2f
Link:
https://www.unpac.me/results/90436aa6-f5d9-4d08-bdbd-c62ee1876f7f/
SH256 hash:
6897514151c61188eef196109020bba0b5f53de689144928aea20ab97b9b8a03
MD5 hash:
5e6ecdca36b1e9559d3eb987a8d73f1c
SHA1 hash:
a3a86faa8bf46eebdf0e78a87f93edbd92a4d161
Detections:
snake_keylogger
Create hunting rule
Link:
https://www.unpac.me/results/90436aa6-f5d9-4d08-bdbd-c62ee1876f7f/
Parent samples :
ce49fe316e00aef70cce1d5430382613692b59d306b9b6253e88ac5c94732b0d
35aeecd77643fc7df90432db30ef248cfba29a9cc98a2c164b3bb4d233974734
f2912bcf7fbc7f4bce35f66e7854bf01835e74a1d5f095595eb59d4dcd7497cf
726fe602b1d9ea227e0835f11d9180d9a7911d52fa5e7fe7dda2700eb38c659e
aa1ae5f4ed9446576dbd7af18510705811dd7ce85bd06bc0ed988d65e855b963
dec5bbf9420596e7e4b387c6331b6009817af7803e20f717ffb55dc313e60645
482f061d6359be2ae8cd7c5ff63fe997ef1dc42d1a286237db8729097647c507
16c366cb47a4b606f2b20a1a1ccb4a8e408c758afbae9b51922667abf9c2b92f
84cc129521b39e0182631b253637efda5e6305b8c484ab76f3a4184e81bbd812
73d18d7b6bd92fa3e85db713d39f932c483c0317607b93a2b31845d4e703a6a2
f20fc83d3adb7cf9f5dbaa5efab44527e0657d88529bc621ec489e37593d510c
64879bdaf4add0db2f52b2cfc4c579b15fa5263601aed7c3aeeb926f0dba1acf
SH256 hash:
b85803f7fc02d0cd585b19f2f42ad7d129616457aa700da7f4f4f1fd6650da06
MD5 hash:
36c9b183f201f6c42c485f292ff4e14d
SHA1 hash:
8b98323dbf7249dfb05aa2d30dfa7815973538a4
Link:
https://www.unpac.me/results/90436aa6-f5d9-4d08-bdbd-c62ee1876f7f/
SH256 hash:
7f272c4db499b1501a5ea1711d23de0e6a0c07faf16275e9b01722dae889c7c9
MD5 hash:
dd8b9511dda8eb7c84e1621046828883
SHA1 hash:
7f715270ffcadcba5c3148d2a0cecfaaf6c2e805
Link:
https://www.unpac.me/results/90436aa6-f5d9-4d08-bdbd-c62ee1876f7f/
SH256 hash:
fce1f7f172b36a4a1bd8d3a47b30e27c547ca0b7a8bddc4891d19ae7877d8d39
MD5 hash:
ecb3e1f72bd637f6adc8f0e4b3bf3b58
SHA1 hash:
2ec22fc5d92e0142a5d599d3a72158c5fd33807b
Link:
https://www.unpac.me/results/90436aa6-f5d9-4d08-bdbd-c62ee1876f7f/
SH256 hash:
ce49fe316e00aef70cce1d5430382613692b59d306b9b6253e88ac5c94732b0d
MD5 hash:
02a2e732c17eb9bd45ae18a1d417a0bb
SHA1 hash:
a910f1cc76616ea7c1544b5b9c7aa72d257d5741
Link:
https://www.unpac.me/results/90436aa6-f5d9-4d08-bdbd-c62ee1876f7f/
Malware family:
SnakeKeylogger
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/ce49fe316e00/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.65
Link:
https://yomi.yoroi.company/submissions/ce49fe316e00aef70cce1d5430382613692b59d306b9b6253e88ac5c94732b0d

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

SnakeKeylogger

Executable exe ce49fe316e00aef70cce1d5430382613692b59d306b9b6253e88ac5c94732b0d

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/2322914/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/326746/

Comments