MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 e08a365b67b9efe1951cd8e903a70baa22da309c80d25c44d5b3bb863318e981. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


SnakeKeylogger


Vendor detections: 13


Intelligence 13 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: e08a365b67b9efe1951cd8e903a70baa22da309c80d25c44d5b3bb863318e981
SHA3-384 hash: bf6de145dee00203d39794f133b8207d364add1e59734a78e1ed2a0c3c201f073642752374b13e020b30b4210b8948dc
SHA1 hash: 85a2a7329dc528fa5f726e670d6b7ac1f863fec8
MD5 hash: b182f749dabd81fe722884847c90c7e3
humanhash: sweet-rugby-california-blue
File name:b182f749dabd81fe722884847c90c7e3.exe
Download: download sample
Signature SnakeKeylogger
Create hunting rule
File size:648'384 bytes
First seen:2022-05-23 06:01:49 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 61259b55b8912888e90f516ca08dc514 (1'059 x Formbook, 741 x AgentTesla, 429 x GuLoader)
ssdeep 12288:POZIZL7VhK0NEZWXhy1CSXer6txl1B6xUf0Pp/rSFqqV/GO9kE3R:POZIZLhNEZB1C+er6jvB6xgK/rSFqqV/
Threatray 11'682 similar samples on MalwareBazaar
TLSH T139D4238521E0820FE8D7A67D5B9F7B1A8FE9858140DCDA4B6B447F1DBC02A816F273D1
TrID 48.8% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
16.4% (.EXE) Win64 Executable (generic) (10523/12/4)
10.2% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
7.8% (.EXE) Win16 NE executable (generic) (5038/12/1)
7.0% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):PE icon
dhash icon d0d6969696ccd4d6 (26 x SnakeKeylogger, 5 x RemcosRAT, 2 x Formbook)
Reporter abuse_ch
Tags:exe SnakeKeylogger

Intelligence

File Origin
# of uploads :
1
# of downloads :
252
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
b182f749dabd81fe722884847c90c7e3.exe
Verdict:
Malicious activity
Analysis date:
2022-05-23 06:07:30 UTC
Tags:
evasion trojan snake
Link:
https://app.any.run/tasks/9f11b4bb-3c61-4dc4-a53c-c6b63d423d18

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Snake
Create hunting rule
Link:
https://www.capesandbox.com/analysis/273516/
Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Creating a file in the %temp% directory
Creating a window
Creating a process from a recently created file
Creating a file in the %AppData% subdirectories
Сreating synchronization primitives
Searching for synchronization primitives
DNS request
Sending an HTTP GET request
Reading critical registry keys
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Unauthorized injection to a recently created process by context flags manipulation
Forced shutdown of a browser
Result
Malware family:
n/a
Score:
  5/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/19612/overview
Behaviour
MalwareBazaar
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
control.exe overlay packed shell32.dll
Link:
https://www.filescan.io/uploads/628b235f0be8a16da4e7354e/reports/4620ba76-de16-497c-9259-df99055f20f9/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Generic Malware
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/82cf50bc-d55b-419b-a120-b3658b2d6620
Result
Threat name:
Snake Keylogger
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/999545
Signature
Found evasive API chain (may stop execution after reading information in the PEB, e.g. number of processors)
Found malware configuration
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Yara detected Generic Downloader
Yara detected Snake Keylogger
Yara detected Telegram RAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 632042 Sample: SrKI7YtMgm.exe Startdate: 23/05/2022 Architecture: WINDOWS Score: 100 33 Found malware configuration 2->33 35 Malicious sample detected (through community Yara rule) 2->35 37 Multi AV Scanner detection for submitted file 2->37 39 4 other signatures 2->39 7 SrKI7YtMgm.exe 19 2->7         started        10 vtjxukdaqnalf.exe 2->10         started        13 vtjxukdaqnalf.exe 2->13         started        process3 file4 25 C:\Users\user\AppData\Local\...\yxdcjwn.exe, PE32 7->25 dropped 15 yxdcjwn.exe 1 2 7->15         started        41 Multi AV Scanner detection for dropped file 10->41 19 WerFault.exe 23 9 10->19         started        21 WerFault.exe 2 9 13->21         started        signatures5 process6 file7 27 C:\Users\user\AppData\...\vtjxukdaqnalf.exe, PE32 15->27 dropped 29 Multi AV Scanner detection for dropped file 15->29 31 Found evasive API chain (may stop execution after reading information in the PEB, e.g. number of processors) 15->31 23 yxdcjwn.exe 15->23         started        signatures8 process9
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/e08a365b67b9efe1951cd8e903a70baa22da309c80d25c44d5b3bb863318e981/
Threat name:
Win32.Trojan.LokiBot
Create hunting rule
Status:
Malicious
First seen:
2022-05-18 01:54:00 UTC
File Type:
PE (Exe)
Extracted files:
4
AV detection:
28 of 41 (68.29%)
Threat level:
  5/5
Verdict:
malicious
Similar samples:
144d8b9e77f9c36dbd271d84635cda3eb22b470dbb64e63b1e898041743918fa
SnakeKeylogger
1c783c06aa669b0133618672069fba39409a6eda891e48e172d679ed0c1e8fef
SnakeKeylogger
31325ab8e1ff304852042e03613425c9bac4f03a8aa70745bb8613ad865d59f9
SnakeKeylogger
5d0a8a5478876026ee661b50518e44f95308bf20e1e512c3608f97f97aed3384
SnakeKeylogger
6debeb4cbf5037ee3b4d23e3a005dc58ebb0f26ac5f5266e910187a66760a4a0
SnakeKeylogger
73c64cc8fcfb9a95a1a7a4caf2f42c48727ab4a557d34d1fde2801761878a794
SnakeKeylogger
9b9b8fda0efdc14380cc3da53380812bfe152a4a05de99aa9159f167066f9ff0
SnakeKeylogger
9d64fd569d16bcaaa6d77f50bbb447055c968b65e20ff1cbfbc453cf8ee32b15
SnakeKeylogger
bc43be5068b67c7cc3c27c943ae7cf4b912112d57358b699584b5053a4684ebe
SnakeKeylogger
f75fd5ce522743fe012bdf743efc66e481d72d92b6eb0465621a77a4600ff6b5
SnakeKeylogger
+ 11'672 additional samples on MalwareBazaar
Result
Malware family:
snakekeylogger
Create hunting rule
Score:
  10/10
Tags:
family:snakekeylogger collection keylogger persistence spyware stealer
Link:
https://tria.ge/reports/220523-grfxqafbhn/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Enumerates physical storage devices
Drops file in Windows directory
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Adds Run key to start application
Drops desktop.ini file(s)
Looks up external IP address via web service
Loads dropped DLL
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Executes dropped EXE
Snake Keylogger
Snake Keylogger Payload
Unpacked files
SH256 hash:
e08a365b67b9efe1951cd8e903a70baa22da309c80d25c44d5b3bb863318e981
MD5 hash:
b182f749dabd81fe722884847c90c7e3
SHA1 hash:
85a2a7329dc528fa5f726e670d6b7ac1f863fec8
Link:
https://www.unpac.me/results/7ae5c180-d9e7-4385-95ea-0fc2acbfabeb/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/e08a365b67b9efe1951cd8e903a70baa22da309c80d25c44d5b3bb863318e981

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/273516/

Comments