MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 d516e4901dd234c9dadef6a593e04c85c00e83d092490d7a7398339d79c4b727. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


SnakeKeylogger


Vendor detections: 15


Intelligence 15 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: d516e4901dd234c9dadef6a593e04c85c00e83d092490d7a7398339d79c4b727
SHA3-384 hash: 4615d792b6ba947779d31eebdfd9f97bdab5c9d74d8cf0420d3e73b4dfe8dd4c68b123b200acc7b46b3914efb50fdaa5
SHA1 hash: 07733a041aff2fecf1a185fd29d394a1743df7a7
MD5 hash: dad3ad7520f3b97bc4649824ac440b3e
humanhash: maryland-victor-delaware-item
File name:AWB & Shipping Documents.eml.exe
Download: download sample
Signature SnakeKeylogger
Create hunting rule
File size:537'600 bytes
First seen:2023-04-11 13:13:06 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'740 x AgentTesla, 19'599 x Formbook, 12'241 x SnakeKeylogger)
ssdeep 12288:0NEpaRGptmZ2p17AirmO/CZ4zAEI4Dr2+Kn:qsaUpB17d/y4Iir2+
Threatray 5'027 similar samples on MalwareBazaar
TLSH T13AB4016E17B5DB61E59C0FB414846885237CB255B064DDAC8CD323F78AB3FA210897EB
TrID 71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.2% (.EXE) Win64 Executable (generic) (10523/12/4)
6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.3% (.EXE) Win32 Executable (generic) (4505/5/1)
2.0% (.ICL) Windows Icons Library (generic) (2059/9)
Reporter abuse_ch
Tags:exe SnakeKeylogger

Intelligence

File Origin
# of uploads :
1
# of downloads :
254
Origin country :
NL NL
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
AWB & Shipping Documents.eml.exe
Verdict:
Malicious activity
Analysis date:
2023-04-11 13:17:45 UTC
Tags:
evasion snake keylogger trojan
Link:
https://app.any.run/tasks/c4e24c35-ded7-4cd0-b1cf-f69550e0491b

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Snake
Create hunting rule
Link:
https://www.capesandbox.com/analysis/381499/
Detection(s):
Sanesecurity.Malware.28872.BadIN4.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
barys comodo lokibot packed
Link:
https://www.filescan.io/uploads/64355d1a0dbc8763b8a10c9f/reports/2df69499-7ee9-4c67-a8d6-d757482ba116/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_90%
Link:
https://www.hybrid-analysis.com/sample/d516e4901dd234c9dadef6a593e04c85c00e83d092490d7a7398339d79c4b727
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Snake Keylogger
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/615ac68c-5517-4deb-a3a3-ae5de433e535
Result
Threat name:
Snake Keylogger
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1211814
Signature
.NET source code contains potential unpacker
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
May check the online IP address of the machine
Multi AV Scanner detection for submitted file
Sigma detected: Capture Wi-Fi password
Snort IDS alert for network traffic
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal WLAN passwords
Tries to steal Mail credentials (via file / registry access)
Uses netsh to modify the Windows network and firewall settings
Yara detected Generic Downloader
Yara detected Snake Keylogger
Yara detected Telegram RAT
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/d516e4901dd234c9dadef6a593e04c85c00e83d092490d7a7398339d79c4b727/
Threat name:
Win32.Trojan.Leonem
Create hunting rule
Status:
Malicious
First seen:
2023-04-11 13:11:31 UTC
File Type:
PE (.Net Exe)
Extracted files:
15
AV detection:
20 of 24 (83.33%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=2ulojea52i2mtww662szhycmqxaa5a6qsjeq26tttazz26oew4tq._file
Verdict:
malicious
Similar samples:
033deaaa0a55c91052dfe7abc3aaf77b5310d26437330e402a102d060ae0ace9
SnakeKeylogger
1bfa5ea815d3c9b69e80acf3f3fe868a650d9f88b205d1c8229b9598c5ab5847
SnakeKeylogger
1d33467dba0945d2a0dab179b6d5a38c9e936f3c51a12dbefdaf361df2a62562
SnakeKeylogger
568b0931eebe6b767a01812f4d1912953db0a0a5f6c0e5923f3651753b7f93b3
SnakeKeylogger
6bb9fdf792419626fd6b48173ceffd5be560fc6d665246d304ada5b0f5f4a60b
SnakeKeylogger
718eee7bcad2b1b029985fa7feef3603565ebc761d2ab8a30322b4fd6ffcdb60
SnakeKeylogger
7959fe1242f4450308fb981ef7018073a3351251598abb8dca09b350cc884fcf
SnakeKeylogger
+ 5'017 additional samples on MalwareBazaar
Result
Malware family:
snakekeylogger
Create hunting rule
Score:
  10/10
Tags:
family:snakekeylogger collection keylogger spyware stealer
Link:
https://tria.ge/reports/230411-qgm3qaec2w/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Looks up external IP address via web service
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Snake Keylogger
Snake Keylogger payload
Malware Config
C2 Extraction:
https://api.telegram.org/bot6029559841:AAEqr8_NCfqapJgAzw8PoPbqoCosnsk1VO0/sendMessage?chat_id=6033043077
Unpacked files
SH256 hash:
40c050c20d957d26b932faf690f9c2933a194aa6607220103ec798f46ac03403
MD5 hash:
c768bac25fc6f0551a11310e7caba8d5
SHA1 hash:
95f9195e959fb48277c95d1dd1c97a4edff7cb3a
Link:
https://www.unpac.me/results/745af0dc-a69f-4e27-b0df-1033af256cc2/
SH256 hash:
fbb699bd0cf7893bf3fbf78d962ebbfcf3a39f079cd7590b1bc491c472fa0228
MD5 hash:
009f2255ece8cb2cca9129985f55667e
SHA1 hash:
87d541045381112ce3191d98fb21b1bd6c36f928
Link:
https://www.unpac.me/results/745af0dc-a69f-4e27-b0df-1033af256cc2/
SH256 hash:
9afc59a1faf1ee4e44fa6de79337a40e2e5788a520390fc1bb16bdafac69f167
MD5 hash:
46e0dcd3d49bbe200b7700ff00e2d363
SHA1 hash:
62b0d2128dfc61d5213cffac6dec2eb3f79b1281
Detections:
snake_keylogger
Create hunting rule
Link:
https://www.unpac.me/results/745af0dc-a69f-4e27-b0df-1033af256cc2/
Parent samples :
1bfa5ea815d3c9b69e80acf3f3fe868a650d9f88b205d1c8229b9598c5ab5847
d516e4901dd234c9dadef6a593e04c85c00e83d092490d7a7398339d79c4b727
2425598129b104c77948e02bdbfab451e7696de693d90f875d0cb0e3ffdb300c
SH256 hash:
6413c60502ba771163bb96527a5b8fdf5d765cd19f89bca13c6442bbd8bdb4bd
MD5 hash:
d52609f7faa0c91840a49a848a476000
SHA1 hash:
268d289f07cd7f58d0c4db7d785fa350a3ed431a
Link:
https://www.unpac.me/results/745af0dc-a69f-4e27-b0df-1033af256cc2/
SH256 hash:
1c06f75c57c345e836e2c106e71d3f538d6ca5bd449b92bb0732621ce67c19b4
MD5 hash:
975bea17f781c957fed08211c668e96c
SHA1 hash:
05a259bce86fb9dc391d7e634657fb1abf3d4e65
Link:
https://www.unpac.me/results/745af0dc-a69f-4e27-b0df-1033af256cc2/
SH256 hash:
d516e4901dd234c9dadef6a593e04c85c00e83d092490d7a7398339d79c4b727
MD5 hash:
dad3ad7520f3b97bc4649824ac440b3e
SHA1 hash:
07733a041aff2fecf1a185fd29d394a1743df7a7
Link:
https://www.unpac.me/results/745af0dc-a69f-4e27-b0df-1033af256cc2/
Malware family:
SnakeKeylogger
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/d516e4901dd2/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.61
Link:
https://yomi.yoroi.company/submissions/d516e4901dd234c9dadef6a593e04c85c00e83d092490d7a7398339d79c4b727

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:BitcoinAddress
Create hunting rule
Author:Didier Stevens (@DidierStevens)
Description:Contains a valid Bitcoin address
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

SnakeKeylogger

Executable exe d516e4901dd234c9dadef6a593e04c85c00e83d092490d7a7398339d79c4b727

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/381499/

Comments