MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 da89b1114795737b1d898d93e0b504b900a51d352fe5c18d46946e4b6b64f686. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

SnakeKeylogger

Vendor detections: 12

Intelligence 12 IOCs YARA 4 File information Comments

SHA256 hash:	da89b1114795737b1d898d93e0b504b900a51d352fe5c18d46946e4b6b64f686
SHA3-384 hash:	4afd58c02ad1671c9ec920ce0aad63579308edb324cd6938714137850a46dcd5fd1c36a3fa1652e01e3c68ac1f2ca02d
SHA1 hash:	5605d26240dd38d80c374d95141c219cc398eee7
MD5 hash:	b0be1110416b69d81be348d1afde476a
humanhash:	cold-illinois-asparagus-mexico
File name:	Purchase Order No. GN-205603-004.exe
Download:	download sample
Signature	SnakeKeylogger Create hunting rule
File size:	429'056 bytes
First seen:	2021-10-05 12:29:18 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'744 x AgentTesla, 19'609 x Formbook, 12'242 x SnakeKeylogger)
ssdeep	6144:UnFcbCrMorCnhdQ+3HwOcc0W36Ru53d6nvAiQ70IirrsPnKPhYZzkHwLnz8HDEW:QwWocc0WqRuEvAiQ7irQy+ZkgzIDEW
Threatray	1'215 similar samples on MalwareBazaar
TLSH	T17C94BF9433AFAF45ED388FF4152C919153B96C3B5169D76A0ED1B0EE2D22BB00E90B53
Reporter	abuse_ch
Tags:	exe SnakeKeylogger

Intelligence

File Origin

# of uploads :

# of downloads :

141

Origin country :

n/a

Vendor Threat Intelligence

Detection:

Snake

Link:

https://www.capesandbox.com/analysis/195021/

Detection(s):

SecuriteInfo.com.Trojan.PackedNET.935-1.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

Launching a process

Creating a file in the %temp% directory

Delayed writing of the file

Verdict:

Suspicious

Threat level:

5/10

Confidence:

100%

Tags:

obfuscated packed

Link:

https://www.filescan.io/uploads/615c4556e3d213d202b77f7f/reports/3a0cbac8-8eb4-4a8c-8826-44f2b63e3b2d/overview

Malware family:

Snake Keylogger

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/6cc260fd-af4b-4a02-9249-ff08bb98a2a9

Result

Threat name:

Snake Keylogger

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/864767

Signature

.NET source code references suspicious native API functions

Executable has a suspicious name (potential lure to open the executable)

Found malware configuration

Initial sample is a PE file and has a suspicious name

Injects a PE file into a foreign processes

Malicious sample detected (through community Yara rule)

May check the online IP address of the machine

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to steal Mail credentials (via file access)

Yara detected AntiVM3

Yara detected Snake Keylogger

Yara detected Telegram RAT

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/da89b1114795737b1d898d93e0b504b900a51d352fe5c18d46946e4b6b64f686/

Threat name:

ByteCode-MSIL.Trojan.AgentTesla

Status:

Malicious

First seen:

2021-10-05 09:34:47 UTC

AV detection:

21 of 45 (46.67%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=3ke3cekhsvzxwhmjrwj6bniexeakkhjvf7s4ddkgsrxew23e62da._file

Verdict:

malicious

SnakeKeylogger

2757283204541417f05f64637d4313b9580b47a867ca14bc0728665ef043fff8

SnakeKeylogger

28d365d0bf668ea41521237a106c5ad34b280ec1cbfc2b6a5d39ec82b72e3d2f

SnakeKeylogger

3c2d13bed08fb1f1161870188f6e3bd192ff27f6d7d4ec51e81ba984cbab90e8

SnakeKeylogger

470f6539b8ee00569951c0d37d02afe1b7dab5c57e3a9279ea3a18d399e47e82

SnakeKeylogger

558c85e2b7da5f09f5207380878f37bec4b3437b8717fd3215f1d37a9894d8d6

SnakeKeylogger

629e9ec1106e34b10209da91c1394d15c7c0ed2a5f71553c7d00a4836bd91c03

SnakeKeylogger

7a9c56075abcdbf871f11581ec725fb7794fefc3cb7087bacf1d48a3aabb035a

SnakeKeylogger

8613eb4859c1db523505c3814aa707ec65928adef641985045eb68e479c4dfeb

SnakeKeylogger

f260c80e685986ac80122c63fcc494891baf4d688668da8f7fa11e38d7f8d1b8

SnakeKeylogger

+ 1'205 additional samples on MalwareBazaar

Result

Malware family:

snakekeylogger

Score:

10/10

Tags:

family:snakekeylogger keylogger spyware stealer

Link:

https://tria.ge/reports/211005-pphyasaafm/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Suspicious use of SetThreadContext

Looks up external IP address via web service

Reads data files stored by FTP clients

Reads user/profile data of local email clients

Reads user/profile data of web browsers

Snake Keylogger

Unpacked files

SH256 hash:

3914b28a69e649ad5b15d6d7ac19c3f0cd80e1458269766bfffa3f9cf5713c98

MD5 hash:

85561d9b524f1c079fcf16c058f9d184

SHA1 hash:

ca4e98f4bc62929cbe75ac6042832d54469d5aa1

Link:

https://www.unpac.me/results/5225b708-ed88-42bf-afea-204453d6d433/

SH256 hash:

fe8637d821a39a8b74abce7e043007d38cb9c5cfcb7098af9846cfd98185ac03

MD5 hash:

c380b6831f456ac5cac08c78c0e4dada

SHA1 hash:

3e241a0b9d96c1dfbadd7ee1a8c5ee6d74eba11c

Link:

https://www.unpac.me/results/5225b708-ed88-42bf-afea-204453d6d433/

SH256 hash:

f9cdc94440766f0afca53d08732725e5eb5be0414337f930abba67ac0a2fd207

MD5 hash:

68274d19e239b6a653c4fb43b0ef7887

SHA1 hash:

00684f7690b39c87792ec0ecc0230351e74e59ec

Link:

https://www.unpac.me/results/5225b708-ed88-42bf-afea-204453d6d433/

SH256 hash:

da89b1114795737b1d898d93e0b504b900a51d352fe5c18d46946e4b6b64f686

MD5 hash:

b0be1110416b69d81be348d1afde476a

SHA1 hash:

5605d26240dd38d80c374d95141c219cc398eee7

Link:

https://www.unpac.me/results/5225b708-ed88-42bf-afea-204453d6d433/

Malware family:

Phoenix

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/da89b1114795/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Suspicious File

Score:

0.65

Link:

https://yomi.yoroi.company/submissions/da89b1114795737b1d898d93e0b504b900a51d352fe5c18d46946e4b6b64f686

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	INDICATOR_SUSPICIOUS_Stomped_PECompilation_Timestamp_InTheFuture Create hunting rule
Author:	ditekSHen
Description:	Detect executables with stomped PE compilation timestamp that is greater than local current time

Rule name:	pe_imphash Create hunting rule

Rule name:	pe_imphash Create hunting rule

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/195021/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample