MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 dfb1e4b77bceb4aa51ca6e7f79785f573cdfa9d047bf38717926730be7f85026. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

SnakeKeylogger

Vendor detections: 12

Intelligence 12 IOCs YARA 10 File information Comments

SHA256 hash:	dfb1e4b77bceb4aa51ca6e7f79785f573cdfa9d047bf38717926730be7f85026
SHA3-384 hash:	8e4069913d34e21293f4a3b782e15674344b6e33059add43a76a5e815eb78c405bded7360be85618687b1dc0f8cca5d3
SHA1 hash:	a1fa795b7f358176dee67fc0f8cb8416742b8d8a
MD5 hash:	e1d7bb065d0af85e5053a1109b8ee034
humanhash:	music-march-comet-foxtrot
File name:	ti̇cari̇ fatura0852023.exe
Download:	download sample
Signature	SnakeKeylogger Create hunting rule
File size:	529'920 bytes
First seen:	2023-05-08 08:23:43 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'740 x AgentTesla, 19'600 x Formbook, 12'241 x SnakeKeylogger)
ssdeep	12288:8wQ/6u4T/uDZ1D425kqtSCwqEXm3FvAdTJ:89T4T/W1c2WqUX23FvA
Threatray	834 similar samples on MalwareBazaar
TLSH	T178B40190F1FACAA3D91E8AF45A2874500372759391C1D3D84E25A7492BEAF0CDF4C9DB
TrID	71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13) 10.2% (.EXE) Win64 Executable (generic) (10523/12/4) 6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 4.3% (.EXE) Win32 Executable (generic) (4505/5/1) 2.0% (.ICL) Windows Icons Library (generic) (2059/9)
File icon (PE):
dhash icon	b1b1b17964989c06 (31 x SnakeKeylogger, 4 x AgentTesla, 3 x XWorm)
Reporter	abuse_ch
Tags:	exe geo PRT SnakeKeylogger

Intelligence

File Origin

# of uploads :

# of downloads :

243

Origin country :

Vendor Threat Intelligence

Detection:

Snake

Link:

https://www.capesandbox.com/analysis/387437/

Detection(s):

Sanesecurity.Malware.28872.BadIN4.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Searching for the window

Creating a window

Сreating synchronization primitives

Launching a process

Creating a process with a hidden window

Launching the default Windows debugger (dwwin.exe)

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

clipbanker comodo darkkomet packed

Link:

https://www.filescan.io/uploads/6458b1a61c5e6717120731d2/reports/7cfecda6-ce0f-4151-9143-240e21b322cb/overview

Verdict:

Malicious

Labled as:

Win/malicious_confidence_100%

Link:

https://www.hybrid-analysis.com/sample/dfb1e4b77bceb4aa51ca6e7f79785f573cdfa9d047bf38717926730be7f85026

Result

Verdict:

UNKNOWN

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Snake Keylogger

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/625c1d3e-af85-4fb5-b8bf-43d02620c0db

Result

Threat name:

Snake Keylogger

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1228162

Signature

.NET source code contains potential unpacker

Adds a directory exclusion to Windows Defender

Found malware configuration

Injects a PE file into a foreign processes

Machine Learning detection for dropped file

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

May check the online IP address of the machine

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Sigma detected: Scheduled temp file as task from temp location

Snort IDS alert for network traffic

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to steal Mail credentials (via file / registry access)

Uses schtasks.exe or at.exe to add and modify task schedules

Yara detected Generic Downloader

Yara detected Snake Keylogger

Yara detected Telegram RAT

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/dfb1e4b77bceb4aa51ca6e7f79785f573cdfa9d047bf38717926730be7f85026/

Threat name:

ByteCode-MSIL.Trojan.SnakeKeylogger

Status:

Malicious

First seen:

2023-05-08 06:04:19 UTC

File Type:

PE (.Net Exe)

Extracted files:

AV detection:

18 of 24 (75.00%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=36y6jn33z22kuuoknz7xs6c7k46n7koqi67tq4lzezzqxz7ykata._file

Verdict:

malicious

SnakeKeylogger

2535b5bde8fbe58fcddfbf7acf196a1290159e707c87929a1ae94bc7970e1c5c

SnakeKeylogger

45ecfd36d97932c3c4fb1548684eaa696d4288cb373d95bae9010e057291611b

SnakeKeylogger

70eddfd85da24eeaffddfdd6326c749326f098b597ce9c8eb79b3e69242a7801

SnakeKeylogger

c3f3e5052e6a603098bfe0838f32ac8f3c09710817af3ae0e96384dc013b007b

SnakeKeylogger

c9cd4f96ee3af2513298b62ff2f1c877364fb537fa3d70ef5268db133a4b9b85

SnakeKeylogger

d82034c5d5633ff4f38939fd15a82c3612886742e8bedf4060fdb2129c09aacb

SnakeKeylogger

dc5d1afb2584bade5caff58e4e153c22ec7a52cdbac6c1b56d289b0621c98b10

SnakeKeylogger

e4a9cb185c46bf812bf29890c14a2f20f6dbddfc1e34abe5e15af668077b33f6

SnakeKeylogger

eb70269bb8ef78bb7c44342ed5efac0d76df99207bf45e9f9739aad5b9cf9563

SnakeKeylogger

+ 824 additional samples on MalwareBazaar

Result

Malware family:

n/a

Score:

7/10

Tags:

n/a

Link:

https://tria.ge/reports/230508-kaqblsbd9s/

Behaviour

Creates scheduled task(s)

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Enumerates physical storage devices

Program crash

Checks computer location settings

Unpacked files

SH256 hash:

0e2c6a0150213e94e2d9d69cac03e4f8eec007af186398a1854de926d375f3a5

MD5 hash:

b6336bfc95f471ec92a8bfd527d1c343

SHA1 hash:

c62a2a2bacdaf45fb047ced4798d144e3edf0c21

Link:

https://www.unpac.me/results/940b9b28-33e5-4da9-bfba-9a5b2a499392/

SH256 hash:

16c255190eaaf1b60ec7d07abcac5f614ea197cee2416ca9d01bb563c526c87d

MD5 hash:

fb4ed205b442f470bbf10913128efdcb

SHA1 hash:

9a0a4c5ae429769e3253a9a3daefa24270b87a5b

Link:

https://www.unpac.me/results/940b9b28-33e5-4da9-bfba-9a5b2a499392/

Parent samples :

ee57b6fa1e5a3c5ef776b79f32820327bcb3fe1974eeddf65c0eb56131193397
de8c7c543f438af1e7e78096f6873268e9b1a12745edf9c88db07e136163399e

SH256 hash:

1f2011a9aaddeabe29de7d0328810f96d7a68a268579bc255685996b51a563be

MD5 hash:

355e009646d7921dd56aca4f92fb1aca

SHA1 hash:

786144d784e953310ab6c6368163edc8d85cbcbc

Detections:

snake_keylogger

Link:

https://www.unpac.me/results/940b9b28-33e5-4da9-bfba-9a5b2a499392/

Parent samples :

dfb1e4b77bceb4aa51ca6e7f79785f573cdfa9d047bf38717926730be7f85026
f8361cfd071c7c258b148d194ab3abdea0f5f68c2d0d98f0275c3b335b83d469
5e4c7dbe10041091473bcd0422108ffea38eeaf6e5a9e1e51df947297b62df3e
27981353e3464d563e3395e623e4a3207f4f9bb968a4e207bc8e6cac2971af98
aa64eab74660609d37759f40828c4d4e486c47fb8d9613c60f39d11465aa05a8
3483bcc8e4d439c0883bd94044e95f23c4b674c0472af8e695594e00bbbf9dbf

SH256 hash:

5c82d0ed13baab8aa2395e775c0390137e8dc15766f45e6e4ae0247efd9a4620

MD5 hash:

d58e4372740bc9d532c01b27688f9eb5

SHA1 hash:

48539ec340975ff302542c10a1455519ab1d4deb

Link:

https://www.unpac.me/results/940b9b28-33e5-4da9-bfba-9a5b2a499392/

SH256 hash:

7d4d2727af16bd43a8b84684fcf9471ffac7adb5a99bab3476951c16dcdfa4c3

MD5 hash:

48f25f70764858909ab7fa96721f9d01

SHA1 hash:

1a8628d1c7ea6cf1d06dbfc58cbca14d32139fbd

Link:

https://www.unpac.me/results/940b9b28-33e5-4da9-bfba-9a5b2a499392/

SH256 hash:

dfb1e4b77bceb4aa51ca6e7f79785f573cdfa9d047bf38717926730be7f85026

MD5 hash:

e1d7bb065d0af85e5053a1109b8ee034

SHA1 hash:

a1fa795b7f358176dee67fc0f8cb8416742b8d8a

Link:

https://www.unpac.me/results/940b9b28-33e5-4da9-bfba-9a5b2a499392/

Malware family:

SnakeKeylogger

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/dfb1e4b77bce/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	INDICATOR_SUSPICIOUS_Binary_References_Browsers Create hunting rule
Author:	ditekSHen
Description:	Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers.

Rule name:	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook Create hunting rule
Author:	ditekSHen
Description:	Detects executables with potential process hoocking

Rule name:	INDICATOR_SUSPICIOUS_EXE_References_Messaging_Clients Create hunting rule
Author:	ditekSHen
Description:	Detects executables referencing many email and collaboration clients. Observed in information stealers

Rule name:	INDICATOR_SUSPICIOUS_EXE_TelegramChatBot Create hunting rule
Author:	ditekSHen
Description:	Detects executables using Telegram Chat Bot

Rule name:	MALWARE_Win_SnakeKeylogger Create hunting rule
Author:	ditekSHen
Description:	Detects Snake Keylogger

Rule name:	MAL_Envrial_Jan18_1 Create hunting rule
Author:	Florian Roth (Nextron Systems)
Description:	Detects Encrial credential stealer malware
Reference:	https://twitter.com/malwrhunterteam/status/953313514629853184

Rule name:	MAL_Envrial_Jan18_1_RID2D8C Create hunting rule
Author:	Florian Roth
Description:	Detects Encrial credential stealer malware
Reference:	https://twitter.com/malwrhunterteam/status/953313514629853184

Rule name:	pe_imphash Create hunting rule

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

Rule name:	Windows_Trojan_SnakeKeylogger_af3faa65 Create hunting rule
Author:	Elastic Security

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

SnakeKeylogger

exe dfb1e4b77bceb4aa51ca6e7f79785f573cdfa9d047bf38717926730be7f85026

(this sample)

Delivery method

Distributed via e-mail attachment

Cape

https://www.capesandbox.com/analysis/387437/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample