MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 da9da68aedd7dfc3cb324b9c91c2e0ce75ecb7abc0283b1aea395022f277978f. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


SnakeKeylogger


Vendor detections: 16


Intelligence 16 IOCs YARA 13 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: da9da68aedd7dfc3cb324b9c91c2e0ce75ecb7abc0283b1aea395022f277978f
SHA3-384 hash: 758158089e00efe6a823bfe6c85a00ccb35c64ed757458e694785a4d5b5e3f1cefcc3ffa0c67677422f5282a8ba1cd7b
SHA1 hash: a094f73f5e64b418d77272e248396d6408281ca8
MD5 hash: fbd56ce2ba130bde239b233150038bbf
humanhash: fourteen-georgia-four-eighteen
File name:Documents.exe
Download: download sample
Signature SnakeKeylogger
Create hunting rule
File size:851'456 bytes
First seen:2023-04-05 09:14:23 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'649 x AgentTesla, 19'452 x Formbook, 12'201 x SnakeKeylogger)
ssdeep 12288:WrC5DaoD0xYcfMy894bCzHbGb937bkNA:WoDf0xrMy89Dj4nk+
Threatray 5'064 similar samples on MalwareBazaar
TLSH T100054DD1F150C89AED6B06F2AD2B653024E7BE9D54A4810C559EBB1B36F3342209FE1F
TrID 71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.2% (.EXE) Win64 Executable (generic) (10523/12/4)
6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.3% (.EXE) Win32 Executable (generic) (4505/5/1)
2.0% (.ICL) Windows Icons Library (generic) (2059/9)
File icon (PE):PE icon
dhash icon eeacac8cb6e2ba86 (561 x SnakeKeylogger, 142 x AgentTesla, 40 x Formbook)
Reporter lowmal3
Tags:exe SnakeKeylogger

Intelligence

File Origin
# of uploads :
1
# of downloads :
235
Origin country :
DE DE
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
Documents.exe
Verdict:
Malicious activity
Analysis date:
2023-04-05 09:17:24 UTC
Tags:
snake keylogger trojan evasion
Link:
https://app.any.run/tasks/c4ce7cc4-1022-4f42-a8bf-0d8b0e2d8cbd

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Snake
Create hunting rule
Link:
https://www.capesandbox.com/analysis/380204/
Detection(s):
Sanesecurity.Malware.28872.BadIN4.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Creating a window
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
packed
Link:
https://www.filescan.io/uploads/642d3c175df5c94ab9b8775a/reports/02739485-64f1-41c4-872d-b54619df5394/overview
Verdict:
Malicious
Labled as:
Strictor.Generic
Link:
https://www.hybrid-analysis.com/sample/da9da68aedd7dfc3cb324b9c91c2e0ce75ecb7abc0283b1aea395022f277978f
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Snake Keylogger
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/85b22fc6-9280-4cf7-a765-4dafe9b25d37
Result
Threat name:
Snake Keylogger
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1208672
Signature
.NET source code contains potential unpacker
Initial sample is a PE file and has a suspicious name
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
May check the online IP address of the machine
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Mail credentials (via file / registry access)
Yara detected Generic Downloader
Yara detected Snake Keylogger
Yara detected Telegram RAT
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/da9da68aedd7dfc3cb324b9c91c2e0ce75ecb7abc0283b1aea395022f277978f/
Threat name:
ByteCode-MSIL.Trojan.SnakeKeylogger
Create hunting rule
Status:
Malicious
First seen:
2023-04-05 08:20:20 UTC
File Type:
PE (.Net Exe)
Extracted files:
29
AV detection:
17 of 36 (47.22%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=3ko2ncxn27p4hszsjoojdqxazz26zn5lyaudwgxkhficf4txs6hq._file
Verdict:
malicious
Similar samples:
0143b411f3c0c02a845fa45cca9fd02df3da4334ad748fd119759f877c1e7ef2
SnakeKeylogger
08e04faa04ed269f7378476ccf3296ef3ed403817ca6ec26277a4d4fe82bce3e
SnakeKeylogger
37060f2c77a3ef9365f60835a9a3c2e7f524095952a18bb805c6acbbd6388cd6
SnakeKeylogger
39284637e45691feb034477cb6d51b662892a17b883ce42cee8d8e2fcdda4817
SnakeKeylogger
606157eb85fa1f90ad5b6def0cbddc1445298156aecb9da21bcc925e6cd7638c
SnakeKeylogger
b33a98ce498846037fd68b2055d835464a1350c9c067e250689a2be1f17dc987
SnakeKeylogger
d3277817e3f5dd9265d3797ceb8db5316f75c7f708f9ba2186d8380c7a6530c1
SnakeKeylogger
+ 5'054 additional samples on MalwareBazaar
Result
Malware family:
snakekeylogger
Create hunting rule
Score:
  10/10
Tags:
family:snakekeylogger collection keylogger spyware stealer
Link:
https://tria.ge/reports/230405-k7wjwseg7x/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Looks up external IP address via web service
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Snake Keylogger
Snake Keylogger payload
Malware Config
C2 Extraction:
https://api.telegram.org/bot5587666659:AAG8NrrXJQs__dhk8nLJBFOspz2my8OVpX0/sendMessage?chat_id=5569775004
Unpacked files
SH256 hash:
53909b2ff1306cc864e21af234117199c923257be1106bf4696935cb3b7caeb5
MD5 hash:
86cbe5a9477f6ba2a850bafd353a9f4d
SHA1 hash:
e742b2a00f30f9405046762c2dbadf8e0ce71ad8
Link:
https://www.unpac.me/results/72209bea-5f55-4f58-a15c-002ed76a29b2/
SH256 hash:
2542bc5edff4adbc532b07ffd5f16a8eb7bc21fc937e0a0c67c01d9eb18d843a
MD5 hash:
ed25081e7e1056d49c6313e2bcd4068e
SHA1 hash:
b4bbce9aa3c28e41038c46bd33c2636fba70a012
Link:
https://www.unpac.me/results/72209bea-5f55-4f58-a15c-002ed76a29b2/
SH256 hash:
3c507afadbb1c31a9ebdd24baac5739d47576159e01c5e84f973c951885100aa
MD5 hash:
e79bf0e7e9d52d398e0b23b352394c68
SHA1 hash:
682325763a0ec77e0fd475ea3a4021b4651eceac
Link:
https://www.unpac.me/results/72209bea-5f55-4f58-a15c-002ed76a29b2/
SH256 hash:
ae09f69ae1f8064255a4cc374070d4a882a3abba00639ee1c206eed3f2982e98
MD5 hash:
c75f4fc5f57dcfda371b334c7baa78b0
SHA1 hash:
608bea0ef153549552916b3089ac2b7334b07464
Link:
https://www.unpac.me/results/72209bea-5f55-4f58-a15c-002ed76a29b2/
SH256 hash:
0e18ed7365a1a2e0abaca27cdfdb86e35444a9132bd41eed7558ae45c6c6059a
MD5 hash:
3e64a0a320256419f9794f0ab3b24f75
SHA1 hash:
5cebe2b22d795c8ca3728160d21879409a7601a2
Detections:
snake_keylogger
Create hunting rule
Link:
https://www.unpac.me/results/72209bea-5f55-4f58-a15c-002ed76a29b2/
Parent samples :
462999c3c88e038ecd00d8fad28c660839f9b23361fca8a5cb77aabf879bea7b
9dd7852b0af223e044c70870dc6691bf2fa26a35b738952c7f2c6a8049070d1e
1cf6ec5af4e2cf0c7bad29f2735a2db25584b153969866a74bcc323cf59a7875
1a6dcb18b2d3627d35e18aab269ababa8d2af33be25a23bfb44a4b6144816ea8
39b1f0062671054c08424c70f2251c9c1c1f43bb87f12a95a44ad3b531d2c496
d58efa16d4f119f37dc1a75b3d3b69ad93df86cc7b02280b8ea43b75e3b8d221
0402cab546c95cffedc2ab80f50749e33d027d4d25f35baa18158a88540f541b
671f0f796fe0e636ed14bda08bb4d3b5cafbe9d5b9ca1dddf929bf9fb9e3a372
fcb1853719821211d0a89b9e70cbf499eceab8d2138116b14553c61a74aae6d1
44e90dc0d1ece69f2d0c57a54984110927e97a3491ed20047963467f4edbdf1c
fde971f3c35d3955e58bbad12e7f55ec37a1655afed1af842d4eb5d32a6b4cc4
372d9f066620aa4050d10aabe89417d5d028c3fe0de5bc62bee864b1f2b18dfd
77d6ae2c1312c08d5498931b983dc91a60721f86170ace8d47f9e3e33cc6bae6
606157eb85fa1f90ad5b6def0cbddc1445298156aecb9da21bcc925e6cd7638c
67ecf11b3c85785797d599090dec86ec79cc4ce94095ad4a2cec53e15b48dc81
81ae9bcfd9a7d0e3673540a364cb8b232d857c29a84619d174a8c879d44f3604
a1b484e08d3161fa1d4f9a90c36c4e50e5c8515a3613b9d3d35bba4101e55e87
f315d7d883a82ce0b007f7f2b899047b781fa2cb5b05952e146ab679c8c64717
088c2f0914786aef4076d2c680c5d0c817696ada1f2f5a31b9e8250680f796bd
278e5ea9416fabd8821c86c7b242b9ced4a5345b79852177e2895acd5b560257
4c0851b9e5781595ccbbb892a8dcb6b6904974d412dac559de97a687fbb2a64d
29f24efe9e0ff0f013a992cabb6dd15dd0923a5541807d1e4fc541c6e1b02592
5ad97cec0cfff89e5357fe1635cc6418784ae83359f3aa2e2031c66c7ba8a1f8
41a4802d7592d29970a041b399fa9c91caac9c393a0e9353c59ca946e7ff557e
4ab665d75bc525a7bb5cffb01c28943b70fb3d4c7aceaf8a9a1bdbf1f0c7277a
e7f3e64f094d2952506148c2b0d6062a73999fb26a2eac49e6698515e3c2156e
1c97bae25b133e2b28133eb17889f3f2f063faf1003f9d575d67d16414e9a6e9
e004337426d90bd966b01fc36d2252d4b9f05dacede72ce8514540d604cf0663
0f7627d3a7392b1d6636f0c7bf6f242e0b860d45798f9eca18c2fbd815e55ebb
a3f7da2fad4025f5f0f1bd3ba1e05dc454598a98a8890aca72ed747f604203cc
559b97a856fca272b7f5891100f1317d5f4846d12e86d113c8334c9861e4b026
33a8bb74d0ef4be5a6f3845bf87f406a2b9757535a09d65e34d1c73a4b133429
af6fb4c1ccf63b051ee34879d049105a0cc2226cb6f0f03c2d1efa7a67c62a16
3a121896e1f2a3dda1daf2a56fce467abaf3bcd8f7d6ca38399e0cb1152b6f35
0a55d4ec929122952ccf0962347a5a5672a0051bcb31ead7f2c0d7df516eee6d
f0e160fc8c0dacffdd789b3a91933fd9c3d629077d25e29a4f69217220689374
da9da68aedd7dfc3cb324b9c91c2e0ce75ecb7abc0283b1aea395022f277978f
aec9db4b3d08cfbfb3731dd3ad74d19678393c35ce00655ad99ee7a2e8f0d447
05814abad81a4628904e7990185a87d6e6c55069a129f2e8cd7c2b238ce07620
ede7c3298192739d0c3188ca21b1377bffae0d2a5e7f3ce88ac10f2da8858483
d74b7b3c23e3280b35cd8c6730912b8d04412c0ed4dbc13d06182a44f38e4a69
fc3bac1e4d1fa4b617f23b4a794b011730d95c2e48d5ce2a08db522312ee0a3d
bce664433cf5bc9dd22b054ddb25edd926ba0b6124c2f5d0f99dcdcef356a715
b397cca1a04a9edb50e12c5f730cb660dff805000e6576455218dfd73a85e7f2
4a1a8fa3ff7b0bf9c376592e6335c82e99536853c0d274bce1a8443335a2cdde
eafd56c92c7688c8d00725285da67ada75e227750b9a6f5ecf6d2c0d90e8dc1e
e7ebcd95f56f4c089d56ba8519b2ef3abe3d765abbf56a9959071fe6914f16da
eb70269bb8ef78bb7c44342ed5efac0d76df99207bf45e9f9739aad5b9cf9563
06491cd2952c4f625d71050ecd36d6256cf3111de0dacd18c81aedefd8035f9e
58dda17dafc74dd89d83c27483ef35cd298a205d543bb7d1e8305d231705277b
6a6d963003f74acd86334cb97012a2bc05c2bcb0b5800f0e306b0d00287f3da8
deb8ca5cdf19882a664ed3a5e4c362ee3c2b727b0923e3d229c3a20a2b7913e5
6d79b5cb1aa503cef77ef725f7cb1980e312be3271b4e0fde0bf012c6c54becb
8b3a7d6b4cb16bcc532547df7d2940c353484cf475800be7947e66f970d1d8e4
5e120295dbb1df0ffae200b49202256cc03f6f5414addf758a4c1b11d683774d
2c5adf7282d07a8b6ac4d17affd622243faa4ada4929423654823934cfdc69bd
c70b193a2cfb726c02359b7acd2fc0d5c59986b9f24058e1f3bb37767fa944e4
SH256 hash:
da9da68aedd7dfc3cb324b9c91c2e0ce75ecb7abc0283b1aea395022f277978f
MD5 hash:
fbd56ce2ba130bde239b233150038bbf
SHA1 hash:
a094f73f5e64b418d77272e248396d6408281ca8
Link:
https://www.unpac.me/results/72209bea-5f55-4f58-a15c-002ed76a29b2/
Malware family:
SnakeKeylogger
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/da9da68aedd7/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/da9da68aedd7dfc3cb324b9c91c2e0ce75ecb7abc0283b1aea395022f277978f

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_SUSPICIOUS_Binary_References_Browsers
Create hunting rule
Author:ditekSHen
Description:Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers.
Rule name:INDICATOR_SUSPICIOUS_EXE_DotNetProcHook
Create hunting rule
Author:ditekSHen
Description:Detects executables with potential process hoocking
Rule name:INDICATOR_SUSPICIOUS_EXE_References_Messaging_Clients
Create hunting rule
Author:ditekSHen
Description:Detects executables referencing many email and collaboration clients. Observed in information stealers
Rule name:INDICATOR_SUSPICIOUS_EXE_TelegramChatBot
Create hunting rule
Author:ditekSHen
Description:Detects executables using Telegram Chat Bot
Rule name:MALWARE_Win_SnakeKeylogger
Create hunting rule
Author:ditekSHen
Description:Detects Snake Keylogger
Rule name:MAL_Envrial_Jan18_1
Create hunting rule
Author:Florian Roth (Nextron Systems)
Description:Detects Encrial credential stealer malware
Reference:https://twitter.com/malwrhunterteam/status/953313514629853184
Rule name:MAL_Envrial_Jan18_1_RID2D8C
Create hunting rule
Author:Florian Roth
Description:Detects Encrial credential stealer malware
Reference:https://twitter.com/malwrhunterteam/status/953313514629853184
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash
Rule name:Suspicious_Macro_Presence
Create hunting rule
Author:Mehmet Ali Kerimoglu (CYB3RMX)
Description:This rule detects common malicious/suspicious implementations.
Rule name:Windows_Trojan_SnakeKeylogger_af3faa65
Create hunting rule
Author:Elastic Security
Rule name:XWorm_Hunter
Create hunting rule
Author:Potato

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

SnakeKeylogger

Executable exe da9da68aedd7dfc3cb324b9c91c2e0ce75ecb7abc0283b1aea395022f277978f

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/380204/

Comments