MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 d7008c06acb178629eef3b665c729b7b13eb8c3c3713369cf71dd754572d731d. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

SnakeKeylogger

Vendor detections: 14

Intelligence 14 IOCs YARA 3 File information Comments

SHA256 hash:	d7008c06acb178629eef3b665c729b7b13eb8c3c3713369cf71dd754572d731d
SHA3-384 hash:	d64af0b6b34c4ad5ef89b87f88c768a7a73dfae725b479022eba8010ee518b4aca6d09cc51daeab80fd449cde49e2326
SHA1 hash:	09e58555f77a71b58a04f3687801937faa5f9f0d
MD5 hash:	4bc9873d8029befe50ec4a8f1b23dadf
humanhash:	harry-twelve-single-louisiana
File name:	FedEx_Invoice.exe
Download:	download sample
Signature	SnakeKeylogger Create hunting rule
File size:	485'376 bytes
First seen:	2023-04-13 06:54:10 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep	12288:bOG9Oqj828mzm5OfoYsRB7cB60pIyFp7Xd:SG9O28Om5OAYacEQjL
Threatray	62 similar samples on MalwareBazaar
TLSH	T1B0A41252BBA51E27D5BC82F9095094020BB26425FB72E2CD4CDF74FDA6EA7414E20F4B
TrID	63.0% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13) 11.2% (.SCR) Windows screen saver (13097/50/3) 9.0% (.EXE) Win64 Executable (generic) (10523/12/4) 5.6% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 3.8% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):
dhash icon	0000c4c4e4c47000 (17 x AgentTesla, 7 x SnakeKeylogger, 6 x Loki)
Reporter	lowmal3
Tags:	exe SnakeKeylogger

Intelligence

File Origin

# of uploads :

# of downloads :

266

Origin country :

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

FedEx_Invoice.exe

Verdict:

Malicious activity

Analysis date:

2023-04-13 06:56:22 UTC

Tags:

snake keylogger trojan evasion

Link:

https://app.any.run/tasks/d9fc4018-d093-4deb-9f90-08dfc79859aa

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/381964/

Detection(s):

Sanesecurity.Malware.28872.BadIN4.UNOFFICIAL

Win.Trojan.EmbeddedDotNetBinary-9940868-0

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

Launching a process

Creating a process with a hidden window

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

clipbanker comodo darkkomet packed

Link:

https://www.filescan.io/uploads/6437a74722e0360a4c27fae6/reports/17ef7221-96ba-4caf-bfd7-4d14575c1375/overview

Verdict:

Malicious

Labled as:

Win/malicious_confidence_90%

Link:

https://www.hybrid-analysis.com/sample/d7008c06acb178629eef3b665c729b7b13eb8c3c3713369cf71dd754572d731d

Result

Verdict:

UNKNOWN

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Snake Keylogger

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/0a2efe9a-899c-4712-b756-194c59764cb9

Result

Threat name:

Snake Keylogger

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1213065

Signature

.NET source code contains potential unpacker

Adds a directory exclusion to Windows Defender

Initial sample is a PE file and has a suspicious name

Machine Learning detection for dropped file

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

May check the online IP address of the machine

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Sample has a suspicious name (potential lure to open the executable)

Sigma detected: Scheduled temp file as task from temp location

Snort IDS alert for network traffic

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to steal Mail credentials (via file / registry access)

Uses schtasks.exe or at.exe to add and modify task schedules

Yara detected Generic Downloader

Yara detected Snake Keylogger

Yara detected Telegram RAT

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/d7008c06acb178629eef3b665c729b7b13eb8c3c3713369cf71dd754572d731d/

Threat name:

Win32.Trojan.SnakeStealer

Status:

Malicious

First seen:

2023-04-13 06:33:00 UTC

File Type:

PE (.Net Exe)

Extracted files:

AV detection:

16 of 24 (66.67%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=24aiybvmwf4gfhxphntfy4u3pmj6xdb4g4jtnhhxdxlvivznomoq._file

Verdict:

malicious

SnakeKeylogger

22966ba42f0a0adda0c87caa3aa1b8b9fcc8537081b2a6c2791df3b37a4ca5cf

SnakeKeylogger

3adef7268e1bed2ac601b251a07c454d2c24997bfad1a45895b1b0676cd93294

SnakeKeylogger

66b54ac951afcaae39c61d837f9f38543e164f8fa93e1479fb458e8e445f7e59

SnakeKeylogger

80d41016c2bf67df26677e38cbb13ab1ea552e4bad0e8ecb5e6e462297a7694f

SnakeKeylogger

a8fe73642ab1caf476e2b0f547261adf305a85f6b25776393e543a7a6a15511d

SnakeKeylogger

bffea4bf5d2cda8c23b02e73e1a5cc9a43da3816c7193f23db798e4982916c66

SnakeKeylogger

c65c1eef6d3baaae27776338e327dd6a93bf40c40925a3a82587a2378b7446ec

SnakeKeylogger

ce3c9c47d811745d5534bf268331382438b274a112d2327396cdc8623e82f98b

SnakeKeylogger

f86378105b4028797386149c63ced3dfb596164326381b99257b49ae61d90db9

SnakeKeylogger

+ 52 additional samples on MalwareBazaar

Result

Malware family:

snakekeylogger

Score:

10/10

Tags:

family:snakekeylogger collection keylogger spyware stealer

Link:

https://tria.ge/reports/230413-hpr3msbc6s/

Behaviour

Creates scheduled task(s)

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

outlook_office_path

outlook_win_path

Enumerates physical storage devices

Suspicious use of SetThreadContext

Accesses Microsoft Outlook profiles

Looks up external IP address via web service

Checks computer location settings

Reads data files stored by FTP clients

Reads user/profile data of local email clients

Reads user/profile data of web browsers

Snake Keylogger

Snake Keylogger payload

Unpacked files

SH256 hash:

40c050c20d957d26b932faf690f9c2933a194aa6607220103ec798f46ac03403

MD5 hash:

c768bac25fc6f0551a11310e7caba8d5

SHA1 hash:

95f9195e959fb48277c95d1dd1c97a4edff7cb3a

Link:

https://www.unpac.me/results/000ac8be-9ce4-4c5e-8339-009d1b97efd7/

SH256 hash:

5534a6cf1efb6d5edd018476e26385576a611c60d5cd48d7131c0481aae8a0b7

MD5 hash:

809c742e8b706616b249450fdc450348

SHA1 hash:

907a9da44050185cb1f4277ad7b57db952937231

Link:

https://www.unpac.me/results/000ac8be-9ce4-4c5e-8339-009d1b97efd7/

SH256 hash:

026f091a907bd0d371bf3b3b8a0b2cb24f420a0f0cdbfe05b08090e22004f910

MD5 hash:

1c0d8591528eefe4b81be9903c6ea10c

SHA1 hash:

77e974046e38744c5728b362887feed0c47654d1

Detections:

snake_keylogger

Link:

https://www.unpac.me/results/000ac8be-9ce4-4c5e-8339-009d1b97efd7/

Parent samples :

6dd7a0d60f9cc6297ccdf244dd6098befa4ecac2f0ed692a17af712d845e74af
d7008c06acb178629eef3b665c729b7b13eb8c3c3713369cf71dd754572d731d

SH256 hash:

f074b2c09142fa55caae482b5ec6ba350fda0ac62329bb825d61f21e2e7059a1

MD5 hash:

567bbf43aac601560b1def4a872d4089

SHA1 hash:

21dfc6e6ecf39c9c23927c114ca911559ca4593e

Link:

https://www.unpac.me/results/000ac8be-9ce4-4c5e-8339-009d1b97efd7/

SH256 hash:

5fcb2e739c3ab42d1b1bdf34136a414d604b40227c29124b6190abda335e4685

MD5 hash:

0cb39338f54fda7d29cacda81a3fd24f

SHA1 hash:

1d80d6953e1a426207f3238d8171962ccba25370

Link:

https://www.unpac.me/results/000ac8be-9ce4-4c5e-8339-009d1b97efd7/

SH256 hash:

d7008c06acb178629eef3b665c729b7b13eb8c3c3713369cf71dd754572d731d

MD5 hash:

4bc9873d8029befe50ec4a8f1b23dadf

SHA1 hash:

09e58555f77a71b58a04f3687801937faa5f9f0d

Link:

https://www.unpac.me/results/000ac8be-9ce4-4c5e-8339-009d1b97efd7/

Malware family:

SnakeKeylogger

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/d7008c06acb1/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/d7008c06acb178629eef3b665c729b7b13eb8c3c3713369cf71dd754572d731d

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	pe_imphash Create hunting rule

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

Rule name:	SUSP_Reverse_DOS_header Create hunting rule
Author:	SECUINFRA Falcon Team
Description:	Detects an reversed DOS header

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

SnakeKeylogger

exe d7008c06acb178629eef3b665c729b7b13eb8c3c3713369cf71dd754572d731d

(this sample)

Delivery method

Distributed via e-mail attachment

Cape

https://www.capesandbox.com/analysis/381964/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample