MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 dbbf63c96c1191c51153692cf20280ce57df9e9d538cc323158985e2f751666c. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

SnakeKeylogger

Vendor detections: 12

Intelligence 12 IOCs YARA 2 File information Comments

SHA256 hash:	dbbf63c96c1191c51153692cf20280ce57df9e9d538cc323158985e2f751666c
SHA3-384 hash:	f43ecd500a8e0bb565cbbb5f3ce2813b1862b9335db4e3ec945f5d9437a3fb1c9fdb4f82631647c5d8062615e0d2b5e2
SHA1 hash:	99c9f5e40f514624cbc6be4297057af8e4c24326
MD5 hash:	c5efdadaad80c1deb5c54861e1124ef8
humanhash:	uniform-river-purple-grey
File name:	payment swift copy.exe
Download:	download sample
Signature	SnakeKeylogger Create hunting rule
File size:	473'088 bytes
First seen:	2022-04-06 14:56:40 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'742 x AgentTesla, 19'607 x Formbook, 12'242 x SnakeKeylogger)
ssdeep	12288:M83YJ+kM0IkUtm11okr2q3tQQ2kEIJzUItF:BYJrlIQIkr2q3tDvEIlJt
Threatray	2'675 similar samples on MalwareBazaar
TLSH	T183A41258B7BBC526C2AD977390D20A1503759603E427C79E2FCD62DF0B127E68912BE3
File icon (PE):
dhash icon	f8e4f239d9b8f8e0 (21 x SnakeKeylogger, 20 x AgentTesla, 11 x Formbook)
Reporter	abuse_ch
Tags:	exe SnakeKeylogger

Intelligence

File Origin

# of uploads :

# of downloads :

221

Origin country :

n/a

Vendor Threat Intelligence

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/261321/

Detection(s):

SecuriteInfo.com.BackDoor.RatNET.2.25777.6366.UNOFFICIAL

Win.Dropper.LokiBot-9943279-0

Result

Verdict:

Malware

Maliciousness:

Behaviour

Searching for the window

Creating a window

Unauthorized injection to a recently created process

Creating a file

Сreating synchronization primitives

DNS request

Sending an HTTP GET request

Sending a custom TCP request

Reading critical registry keys

Forced shutdown of a browser

Verdict:

Suspicious

Threat level:

5/10

Confidence:

100%

Tags:

control.exe obfuscated packed

Link:

https://www.filescan.io/uploads/624daa55aa7e43c6a6c2ff3b/reports/c87d4055-f96c-4ad6-846c-03ba507a25c9/overview

Result

Verdict:

UNKNOWN

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Formbook

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/f336a5a1-e08d-4834-bae5-6f4b2cb8f731

Result

Threat name:

Snake Keylogger

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/971817

Signature

.NET source code contains potential unpacker

.NET source code references suspicious native API functions

Executable has a suspicious name (potential lure to open the executable)

Found malware configuration

Initial sample is a PE file and has a suspicious name

Injects a PE file into a foreign processes

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

May check the online IP address of the machine

Multi AV Scanner detection for submitted file

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to steal Mail credentials (via file / registry access)

Yara detected AntiVM3

Yara detected Snake Keylogger

Yara detected Telegram RAT

Behaviour

Behavior Graph:

Download SVG

Detection:

snakekeylogger

Link:

https://mwdb.cert.pl/sample/dbbf63c96c1191c51153692cf20280ce57df9e9d538cc323158985e2f751666c/

Threat name:

ByteCode-MSIL.Trojan.AgentTesla

Status:

Malicious

First seen:

2022-04-06 14:57:18 UTC

File Type:

PE (.Net Exe)

Extracted files:

AV detection:

20 of 26 (76.92%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=3o7whslmcgi4kektnewpeauazzl57hu5kogmgiyvrgc6f52rmzwa._file

Verdict:

malicious

SnakeKeylogger

7913494fc1737788b9ce2ddeff7790032f9e896cc91c0f370dd3fc2748c64591

SnakeKeylogger

79fa9b8c5e79a3ef68b2cf1bb134bde625c65ff0a3e27593cfa0cc2860b11194

SnakeKeylogger

7ecbcb1aa9fb53281db81c5297498d8953d2a470dfa1ade910350a75cb42b947

SnakeKeylogger

87bc3ff4a40f736436d5929afebdff84d6009967d3b1b3b4e8e4417706e12db0

SnakeKeylogger

9063f6b4b4021db3c623e82b3834036c5ad99e56563bdb06ad26374de8e843ba

SnakeKeylogger

9ffd6a720ade1fbfce01fd4d2a22c1a87f036717e3ef5ca02f58f3ccb31a20c3

SnakeKeylogger

cb17dbe8ccea9008ff815274c4288c3af751f475b67605d9117aadaf0d333997

SnakeKeylogger

d259384b3d9c4876d789031f4402f60f13db250484de111654158939a06769ad

SnakeKeylogger

+ 2'665 additional samples on MalwareBazaar

Result

Malware family:

snakekeylogger

Score:

10/10

Tags:

family:snakekeylogger collection keylogger spyware stealer

Link:

https://tria.ge/reports/220406-sbmk4seah6/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

outlook_office_path

outlook_win_path

Program crash

Suspicious use of SetThreadContext

Accesses Microsoft Outlook profiles

Looks up external IP address via web service

Reads data files stored by FTP clients

Reads user/profile data of local email clients

Reads user/profile data of web browsers

Snake Keylogger

Snake Keylogger Payload

Malware Config

C2 Extraction:

https://api.telegram.org/bot5296956227:AAHRE_BNS8cIqwqTFYjyCDmIf-8gsw9yDfM/sendMessage?chat_id=5177315692

Unpacked files

SH256 hash:

7e2ba9e23fbd7738607ccf0bd0a3fd3e9abeb0844cb9edb40dada51f6cd1bb43

MD5 hash:

a2e0004f11a5aac09285ae14ea9e38d0

SHA1 hash:

ecd0e786de6645554cbbb36f137425a21cf7a674

Link:

https://www.unpac.me/results/6b77ba16-3aaf-4838-be29-f140604c28b2/

SH256 hash:

99b74b3bbff5148de20be2c89bd63510568822b8bea6404935aa98749f7c5e8c

MD5 hash:

98d9b41dd1ab30bd6c6b764040478c31

SHA1 hash:

bf9962aadd20cf939916a16f7950729135024369

Link:

https://www.unpac.me/results/6b77ba16-3aaf-4838-be29-f140604c28b2/

SH256 hash:

fe58122a2dc9f6b7c57eb945796affbcaa214b940cc31ea78bb3a93ec99b78bd

MD5 hash:

d4be86e94d2483566e3b788be1cf4658

SHA1 hash:

9e859c78492536bbcb13ce9a1efdebf5b73a6316

Link:

https://www.unpac.me/results/6b77ba16-3aaf-4838-be29-f140604c28b2/

SH256 hash:

1008ec0355fdd50fa463fc2966ca24aa8d231ef1ab9781377533cdfe203d1b86

MD5 hash:

c0d74a8b4a4c4ac89c441b093caed73e

SHA1 hash:

1fce67218d91026138f03172a0f28adb4f137151

Link:

https://www.unpac.me/results/6b77ba16-3aaf-4838-be29-f140604c28b2/

SH256 hash:

dbbf63c96c1191c51153692cf20280ce57df9e9d538cc323158985e2f751666c

MD5 hash:

c5efdadaad80c1deb5c54861e1124ef8

SHA1 hash:

99c9f5e40f514624cbc6be4297057af8e4c24326

Link:

https://www.unpac.me/results/6b77ba16-3aaf-4838-be29-f140604c28b2/

Malware family:

Phoenix

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/dbbf63c96c11/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Suspicious File

Score:

0.65

Link:

https://yomi.yoroi.company/submissions/dbbf63c96c1191c51153692cf20280ce57df9e9d538cc323158985e2f751666c

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	pe_imphash Create hunting rule

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/261321/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample