MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 d62400abebfe810e81606b5b269bd81a41d128c4d7ba514b60c1583130757303. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


SnakeKeylogger


Vendor detections: 10


Intelligence 10 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: d62400abebfe810e81606b5b269bd81a41d128c4d7ba514b60c1583130757303
SHA3-384 hash: 9e3a8761803476fb338c186ece80e2f978115344bd55ea72edf4ce2c2265871a912c1979988eb5d0740c4cb8ca5c2764
SHA1 hash: d203516552672390e363b948879e277b395aa214
MD5 hash: 4a14611fb9b1b0e7191d26ff0ae2459b
humanhash: seventeen-pennsylvania-asparagus-yellow
File name:Payment Status.exe
Download: download sample
Signature SnakeKeylogger
Create hunting rule
File size:753'664 bytes
First seen:2022-06-16 05:58:58 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'462 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 12288:/MgIiYstbrBhLuyAH+2iNsbaWfUCyVU7B8DlRBhFD232VQnB6dyAMi5lHA:/FIitZrBhLuyy+1qaW16QB2lzi3CLd4x
Threatray 4'748 similar samples on MalwareBazaar
TLSH T16EF4DF213A9C6B54E47FC7759061805053F0A84FFB36E61D7EA728CF1D36B8093A6A72
TrID 64.2% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
11.5% (.SCR) Windows screen saver (13101/52/3)
9.2% (.EXE) Win64 Executable (generic) (10523/12/4)
5.7% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
3.9% (.EXE) Win32 Executable (generic) (4505/5/1)
Reporter abuse_ch
Tags:exe SnakeKeylogger

Intelligence

File Origin
# of uploads :
1
# of downloads :
229
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/280496/
Detection(s):
SecuriteInfo.com.MSIL.Kryptik.WZA.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a custom TCP request
Сreating synchronization primitives
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
packed
Link:
https://www.filescan.io/uploads/62aac6e77046ab63f875c00b/reports/8435ff81-c2be-430f-9217-0808f3fedf1e/overview
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/0d500610-a69b-424d-9442-fa3faba29be0
Result
Threat name:
Snake Keylogger
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1014276
Signature
.NET source code references suspicious native API functions
Initial sample is a PE file and has a suspicious name
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
May check the online IP address of the machine
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Snort IDS alert for network traffic
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Mail credentials (via file / registry access)
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected AntiVM3
Yara detected Generic Downloader
Yara detected Snake Keylogger
Yara detected Telegram RAT
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/d62400abebfe810e81606b5b269bd81a41d128c4d7ba514b60c1583130757303/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2022-06-16 04:53:29 UTC
File Type:
PE (.Net Exe)
Extracted files:
34
AV detection:
23 of 26 (88.46%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=2ysabk7l72aq5alannnsng6ydja5ckge265fcs3ayfmdcmdvombq._file
Verdict:
malicious
Similar samples:
14fcb8a4565e90550de5237fccbf8b283c970055ba9b11e206fdf7329c3ad51d
SnakeKeylogger
1e0e310e145e9a874e9bf8cadc3dc90a33e40bd61297f57c1ad94ea9190e6238
SnakeKeylogger
1f7cd0cb15550fd5bf1a49353ae74845965cb3d313f5b8e66f4bd2835661917f
SnakeKeylogger
2b317db474aaa5798fa907d94e7d1cd8a284386c988c924c9f5dd156f21ebc54
SnakeKeylogger
893b1e23d4b8063982788ef53a44dc855f36a8d769ae921952cd59b9a8910c78
SnakeKeylogger
a91c01cd252a97e5807ee969f0a645c1e9c4328fa8c83a562ab536d00a26f3b8
SnakeKeylogger
b0fce56ee3c896927ce1968dac5d875e260011538e2e4f8fa00ae5b74543e9ea
SnakeKeylogger
dffe45189680dbc7d56ae5aa90861f798b109efc8cae5a693c0e521b08d2184a
SnakeKeylogger
+ 4'738 additional samples on MalwareBazaar
Result
Malware family:
snakekeylogger
Create hunting rule
Score:
  10/10
Tags:
family:snakekeylogger collection evasion keylogger spyware stealer
Link:
https://tria.ge/reports/220616-gpqn5secap/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Enumerates physical storage devices
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Looks up external IP address via web service
Maps connected drives based on registry
Checks BIOS information in registry
Checks computer location settings
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Looks for VMWare Tools registry key
Looks for VirtualBox Guest Additions in registry
Snake Keylogger
Snake Keylogger Payload
Unpacked files
SH256 hash:
4578f8f23983c2d7734c14b8d34c323066f2e4be4e75e29f75b2cf4d71319f95
MD5 hash:
4f564c8003429cd029d903af591f82f8
SHA1 hash:
b1e587ccb711189035f201a70b406d9cffacfe94
Link:
https://www.unpac.me/results/c6003edb-1cab-4821-ac21-70ed23678ce9/
SH256 hash:
12d271b0e143097382a0f5733634a8547c3af17bc214ef542f3ebdea06a6f768
MD5 hash:
6b00d3d11becbc5c39852eeba67d9123
SHA1 hash:
462d1688c401ee781c93e478dbf509a145eced1c
Link:
https://www.unpac.me/results/c6003edb-1cab-4821-ac21-70ed23678ce9/
SH256 hash:
79823e47436e129def4fba8ee225347a05b7bb27477fb1cc8be6dc9e9ce75696
MD5 hash:
39f524c1ab0eb76dfd79b2852e5e8c39
SHA1 hash:
428018e1701006744e34480b0029982a76d8a57d
Link:
https://www.unpac.me/results/c6003edb-1cab-4821-ac21-70ed23678ce9/
SH256 hash:
d62400abebfe810e81606b5b269bd81a41d128c4d7ba514b60c1583130757303
MD5 hash:
4a14611fb9b1b0e7191d26ff0ae2459b
SHA1 hash:
d203516552672390e363b948879e277b395aa214
Link:
https://www.unpac.me/results/c6003edb-1cab-4821-ac21-70ed23678ce9/
Malware family:
SnakeKeylogger
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/d62400abebfe/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/d62400abebfe810e81606b5b269bd81a41d128c4d7ba514b60c1583130757303

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:exploit_any_poppopret
Create hunting rule
Author:Jeff White [karttoon@gmail.com] @noottrak
Description:Identify POP -> POP -> RET opcodes for quick ROP Gadget creation in target binaries.
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

SnakeKeylogger

Executable exe d62400abebfe810e81606b5b269bd81a41d128c4d7ba514b60c1583130757303

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/280496/

Comments