MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 de3b646bf9b26ce9516ebf5813911bea97e6b41e986ca41a9a51b891ceaa94f4. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

SnakeKeylogger

Vendor detections: 14

Intelligence 14 IOCs YARA 2 File information Comments

SHA256 hash:	de3b646bf9b26ce9516ebf5813911bea97e6b41e986ca41a9a51b891ceaa94f4
SHA3-384 hash:	0fbea7c3fe2ce648a2debf445dde8235cdd1bbfc8c31a9c2340b3e47ca23f757aaa4ed8856b57009f6d1271a955d79e3
SHA1 hash:	c043925d526f2556534af53acf7b9128d68ee6f5
MD5 hash:	d6a8135862efb41923eab9176d1bd15f
humanhash:	ceiling-papa-monkey-undress
File name:	d6a8135862efb41923eab9176d1bd15f.exe
Download:	download sample
Signature	SnakeKeylogger Create hunting rule
File size:	900'096 bytes
First seen:	2022-01-17 06:40:13 UTC
Last seen:	2022-01-17 08:45:33 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'740 x AgentTesla, 19'597 x Formbook, 12'241 x SnakeKeylogger)
ssdeep	12288:L2dkgpvduoXd1sAMWWHX250ktT0znlOVZmh3EnvSZ5DgGzZMVIZxgeCBEPKbxl0Y:Llg/rXdSAzWHqygDW5bZ+iZLVK7
Threatray	2'583 similar samples on MalwareBazaar
TLSH	T184150116C6A5862FDEFA14BCAAD803D49BB94386A347FB05CD1DA0F91CA3BD0D613513
File icon (PE):
dhash icon	64f4d4d4ecf4d4d4 (82 x SnakeKeylogger, 34 x AgentTesla, 24 x Formbook)
Reporter	abuse_ch
Tags:	exe SnakeKeylogger

Intelligence

File Origin

# of uploads :

# of downloads :

160

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

d6a8135862efb41923eab9176d1bd15f.exe

Verdict:

Malicious activity

Analysis date:

2022-01-17 07:21:43 UTC

Tags:

evasion trojan snakekeylogger keylogger

Link:

https://app.any.run/tasks/c171447d-60f0-4bdb-9e31-df9849267388

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

Snake

Link:

https://www.capesandbox.com/analysis/219704/

Detection(s):

SecuriteInfo.com.Trojan.DownLoader44.33065.27349.20463.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

DNS request

Unauthorized injection to a recently created process

Creating a file

Сreating synchronization primitives

Sending an HTTP GET request

Sending a custom TCP request

Reading critical registry keys

Forced shutdown of a browser

Verdict:

Suspicious

Threat level:

5/10

Confidence:

100%

Tags:

obfuscated packed

Link:

https://www.filescan.io/uploads/61e50f800f8c757253c338a8/reports/98552a64-8f0f-409d-af4d-1b04de14a896/overview

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Snake Keylogger

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/05dbb9be-1bbc-495a-a3a7-9ef5c4c56283

Result

Threat name:

Snake Keylogger

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/921577

Signature

.NET source code contains potential unpacker

.NET source code references suspicious native API functions

Contains functionality to capture screen (.Net source)

Found malware configuration

Malicious sample detected (through community Yara rule)

May check the online IP address of the machine

Multi AV Scanner detection for submitted file

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to steal Mail credentials (via file / registry access)

Yara detected AntiVM3

Yara detected Snake Keylogger

Yara detected Telegram RAT

Behaviour

Behavior Graph:

Download SVG

Detection:

snakekeylogger

Link:

https://mwdb.cert.pl/sample/de3b646bf9b26ce9516ebf5813911bea97e6b41e986ca41a9a51b891ceaa94f4/

Threat name:

ByteCode-MSIL.Trojan.AgentTesla

Status:

Malicious

First seen:

2022-01-16 00:12:12 UTC

File Type:

PE (.Net Exe)

Extracted files:

AV detection:

20 of 43 (46.51%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=3y5wi27zwjwosulox5mbhei35kl6nna6tbwkigu2kg4jdtvkst2a._file

Verdict:

malicious

SnakeKeylogger

0f841fdd531e6b24d0f60b989781c69c1eb642285ed9442c6c6a00b4b604079c

SnakeKeylogger

28323d3c8fd1339a7d4f0ebad6ff377545e88c15fdca9b2f21cdd7c72c07622e

SnakeKeylogger

6983864fda339a8423140e57363e78cc072d779bdadcf54e812dfb987f524d0b

SnakeKeylogger

86d9f290badc30732592c1af4705f3dedb1516cf25a4ec01a44b64fad834c718

SnakeKeylogger

972385a61cc340b61a7e3101c1854a589ef2a61df0cc31ef680a329c2e68f0e6

SnakeKeylogger

b171e007cd33e3ee25bdce6612e82f13e01678de6d5e5c22f12fb009040c7854

SnakeKeylogger

e4999525a5626a76247a8f02a9e08c0ea35f13f717687b8a966cddb72f8adc6f

SnakeKeylogger

e5435c61a441f9be4c90c2f7fb4645bbb3a3a4cbeb4b8fb7ac48ed6a38adf786

SnakeKeylogger

+ 2'573 additional samples on MalwareBazaar

Result

Malware family:

snakekeylogger

Score:

10/10

Tags:

family:snakekeylogger collection keylogger spyware stealer

Link:

https://tria.ge/reports/220117-hfr2aaghd9/

Behaviour

Checks processor information in registry

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of FindShellTrayWindow

Suspicious use of SendNotifyMessage

Suspicious use of WriteProcessMemory

outlook_office_path

outlook_win_path

Suspicious use of SetThreadContext

Accesses Microsoft Outlook profiles

Looks up external IP address via web service

Reads data files stored by FTP clients

Reads user/profile data of local email clients

Reads user/profile data of web browsers

Snake Keylogger

Snake Keylogger Payload

Unpacked files

SH256 hash:

941bdea890327870e6cb6b9255c8e3f6b7c03d2269f6edb973dc540e3d0908b7

MD5 hash:

b8a5a29563a08f521f1610141115137b

SHA1 hash:

d17a7c2323dbe81490da08c123f95f2a61026aed

Link:

https://www.unpac.me/results/e9240129-3edd-46c3-b532-f53d2d3d8ebb/

SH256 hash:

70b2834b27f6046f64d766c949a08f511f520013b2c172fe9b825875cd845ccf

MD5 hash:

2710a86cb1c6ecb52266fc4f4da193ba

SHA1 hash:

48e41d0f68a1bbbd315d11a857cfc749269589f7

Link:

https://www.unpac.me/results/e9240129-3edd-46c3-b532-f53d2d3d8ebb/

SH256 hash:

40d3e7f6bec5b25fe086125140c60853fc97b48fb9621a6627d87c55f0f3cf88

MD5 hash:

de34691aeba83b89c6b53dd5ff7e9c52

SHA1 hash:

05ac6c16a62c0f1012083687e6e08aa2b3bfd855

Link:

https://www.unpac.me/results/e9240129-3edd-46c3-b532-f53d2d3d8ebb/

SH256 hash:

de3b646bf9b26ce9516ebf5813911bea97e6b41e986ca41a9a51b891ceaa94f4

MD5 hash:

d6a8135862efb41923eab9176d1bd15f

SHA1 hash:

c043925d526f2556534af53acf7b9128d68ee6f5

Link:

https://www.unpac.me/results/e9240129-3edd-46c3-b532-f53d2d3d8ebb/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/de3b646bf9b26ce9516ebf5813911bea97e6b41e986ca41a9a51b891ceaa94f4

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	pe_imphash Create hunting rule

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/219704/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample