MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 db90ad061799c2b7003b488f10fc08c278775012c58aba4bbf25edd90908e211. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

SnakeKeylogger

Vendor detections: 12

SHA256 hash: db90ad061799c2b7003b488f10fc08c278775012c58aba4bbf25edd90908e211
SHA3-384 hash: b660d19613c28da736e4011113aa3991f2cac8112bb4061208c32562a5896ae25379d6e7619c5bc48a5dabaccc1ad386
SHA1 hash: 8d90ec17ef1be37fbea6fb17f5b617d67c876e42
MD5 hash: 82411b0c26840fa392a3a767c8be61b7
humanhash: bulldog-ten-whiskey-helium
File name: 82411b0c26840fa392a3a767c8be61b7.exe
Signature: SnakeKeylogger
File size: 686'080 bytes
First seen: 2022-12-19 13:18:05 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'647 x AgentTesla, 19'451 x Formbook, 12'201 x SnakeKeylogger)
ssdeep 12288:thKgbX8ZISHNu+ZOgNxFv9wGcACB6SuLS/x2cHss/S+PHc42xtAq:XKoXo7tuCFpv9wfeO/x2cHs6Sq842nAq
Threatray 10'030 similar samples on MalwareBazaar
TLSH T124E41143396D9B5AC39C37B120F593603B62AF312A63EA5E9EC8B2CE1573B414E31517
TrID 71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.2% (.EXE) Win64 Executable (generic) (10523/12/4)
6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.3% (.EXE) Win32 Executable (generic) (4505/5/1)
2.0% (.ICL) Windows Icons Library (generic) (2059/9)
Reporter abuse_ch
Tags: exe SnakeKeylogger

Intelligence


File Origin
# of uploads: 1
# of downloads: 167
Origin country: n/a

Vendor Threat Intelligence
Malware family: n/a
ID: 1
File name: product.doc
Verdict: Malicious activity
Analysis date: 2022-12-19 13:15:59 UTC
Tags: loader exploit cve-2017-11882 evasion trojan

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict: Malware
Maliciousness:

Behaviour
Creating a window
DNS request
Unauthorized injection to a recently created process
Creating a file
Creating synchronization primitives
Sending an HTTP GET request
Forced shutdown of a browser
Gathering data

Result
Verdict: UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family: Snake Keylogger
Verdict: Malicious

Result
Threat name: Snake Keylogger
Detection: malicious
Classification: troj.spyw.evad
Score: 100 / 100
Signature
.NET source code contains potential unpacker
.NET source code references suspicious native API functions
Injects a PE file into a foreign processes
Malicious sample detected (through community Yara rule)
May check the online IP address of the machine
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Mail credentials (via file / registry access)
Yara detected AntiVM3
Yara detected Generic Downloader
Yara detected Snake Keylogger
Yara detected Telegram RAT
Result
Threat name: Win32.Trojan.AgentTesla
Status: Malicious
First seen: 2022-12-19 13:19:06 UTC
File Type: PE (.Net Exe)
Extracted files: 18
AV detection: 22 of 26 (84.62%)
Threat level: 5/5

Result
Malware family: snakekeylogger
Score: 10/10
Tags: family:snakekeylogger collection keylogger spyware stealer

Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Looks up external IP address via web service
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Snake Keylogger
Snake Keylogger payload
Unpacked files
Detections: snake_keylogger
Parent samples:

Result
Malware family: SnakeKeylogger
Verdict: Malicious

Please note that we are no longer able to provide a coverage score for VirusTotal.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: pe_imphash

Rule name: Skystars_Malware_Imphash
Author: Skystars LightDefender
Description: imphash

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method: Web download
Signature: SnakeKeylogger
File: Executable exe db90ad061799c2b7003b488f10fc08c278775012c58aba4bbf25edd90908e211 (this sample)

Delivery method
Distributed via web download