MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 e08ed6f6f84946bdd5e3d099080330841efe8ce84cc2002d510e3dbe74de3fef. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

SnakeKeylogger

Vendor detections: 12

Intelligence 12 IOCs YARA 2 File information Comments

SHA256 hash:	e08ed6f6f84946bdd5e3d099080330841efe8ce84cc2002d510e3dbe74de3fef
SHA3-384 hash:	fe8496d9c2635bf7d7d3773320b6cbf888c30d101f7b2e5e2f885197c86c1fc4236ce61bf488c370da4d35634e224ce1
SHA1 hash:	49ce409357a3ca9c7f0f9a15c28b6d211b44d95c
MD5 hash:	a0c4193888a9f251b8d95db660d43c7c
humanhash:	alpha-saturn-coffee-oranges
File name:	doc2022.10.24.pdf.exe
Download:	download sample
Signature	SnakeKeylogger Create hunting rule
File size:	766'976 bytes
First seen:	2022-10-24 11:19:12 UTC
Last seen:	2022-10-24 12:15:20 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep	12288:7pSpfynup9bfUThRcq/6JsdafbcGeqjr0xTSqC:lqQGKsq3CbcGTrATm
Threatray	7'054 similar samples on MalwareBazaar
TLSH	T1A4F46B39275E4F0BC0E9CE34B4B0D6B007A6AD7BA96E8BC6C6D06CF775422E4594D183
TrID	64.2% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13) 11.5% (.SCR) Windows screen saver (13101/52/3) 9.2% (.EXE) Win64 Executable (generic) (10523/12/4) 5.7% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 3.9% (.EXE) Win32 Executable (generic) (4505/5/1)
Reporter	GovCERT_CH
Tags:	exe SnakeKeylogger

Intelligence

File Origin

# of uploads :

# of downloads :

207

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

doc2022.10.24.pdf.exe

Verdict:

Malicious activity

Analysis date:

2022-10-24 11:20:29 UTC

Tags:

evasion trojan snake

Link:

https://app.any.run/tasks/4cf3ee36-7610-4866-88b6-9d8bdd310d1e

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

Snake

Link:

https://www.capesandbox.com/analysis/323350/

Detection(s):

SecuriteInfo.com.Win32.PWSX-gen.21914.12101.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

Сreating synchronization primitives

Creating a file in the %AppData% directory

Enabling the 'hidden' option for recently created files

Adding an access-denied ACE

Creating a process from a recently created file

Creating a process with a hidden window

Creating a file in the %temp% directory

Launching a process

Result

Verdict:

UNKNOWN

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Snake Keylogger

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/f571bb96-2e81-44b5-bfbd-91ad7ce5afdd

Result

Threat name:

Snake Keylogger

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1096448

Signature

.NET source code contains potential unpacker

.NET source code references suspicious native API functions

Adds a directory exclusion to Windows Defender

Antivirus / Scanner detection for submitted sample

Antivirus detection for dropped file

Initial sample is a PE file and has a suspicious name

Injects a PE file into a foreign processes

Machine Learning detection for dropped file

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

May check the online IP address of the machine

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Sigma detected: Scheduled temp file as task from temp location

Snort IDS alert for network traffic

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to steal Mail credentials (via file / registry access)

Uses schtasks.exe or at.exe to add and modify task schedules

Uses the Telegram API (likely for C&C communication)

Yara detected AntiVM3

Yara detected Generic Downloader

Yara detected Snake Keylogger

Yara detected Telegram RAT

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/e08ed6f6f84946bdd5e3d099080330841efe8ce84cc2002d510e3dbe74de3fef/

Threat name:

Win32.Trojan.Pwsx

Status:

Malicious

First seen:

2022-10-24 12:20:59 UTC

File Type:

PE (.Net Exe)

Extracted files:

AV detection:

24 of 42 (57.14%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=4chnn5xyjfdl3vpd2cmqqazqqqpp5dhijtbaalkrby6345g6h7xq._file

Verdict:

malicious

SnakeKeylogger

0f1b9c97ca2d11237543964ee3fd39734c0e9cc2371aed7dd49deb4409c839d2

SnakeKeylogger

2262bf3bc3250b4bcefab73d88c2fd44b2d2fe02e4350f42e1f9bcfcab98a867

SnakeKeylogger

321798f8fa71a630a9afbb80a2cc78bc5448b9f127dd01c9d7ffd7a750153ef6

SnakeKeylogger

3fd707dbbf7a289a8cc02b0e3ae49cda05d20836991d0fc19723ecb42d4bcf76

SnakeKeylogger

79626acc1a4ebd2993c5f10522687e95bff00496a54d7ce8377be9d1cf92e901

SnakeKeylogger

9079a00cf539b8f9adfa046a9cf1f7c1c80fb370fb89d0a27f0fac1b0646c4c3

SnakeKeylogger

a0baf98ce28c1245d78159191bd0fafaf80c8c6b76b5e80b43bea8874af910a9

SnakeKeylogger

a55d4c3a6ff031ca6502aef0e7c59374721f9ffed5856124e583b3e433fdfb16

SnakeKeylogger

de0b6160f294319b2882dbeea5e4b7e9e1ebee17c14d8af1c964b8bfc09db1ae

SnakeKeylogger

+ 7'044 additional samples on MalwareBazaar

Result

Malware family:

snakekeylogger

Score:

10/10

Tags:

family:snakekeylogger collection keylogger spyware stealer

Link:

https://tria.ge/reports/221024-nfec3sgchn/

Behaviour

Creates scheduled task(s)

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

outlook_office_path

outlook_win_path

Enumerates physical storage devices

Suspicious use of SetThreadContext

Accesses Microsoft Outlook profiles

Looks up external IP address via web service

Checks computer location settings

Reads data files stored by FTP clients

Reads user/profile data of local email clients

Reads user/profile data of web browsers

Snake Keylogger

Snake Keylogger payload

Malware Config

C2 Extraction:

https://api.telegram.org/bot5582701255:AAG6EwFmBC6AWDB7ijWIdb3jOpyBEYRlBgU/sendMessage?chat_id=1856108848

Unpacked files

SH256 hash:

24a849337eaf8de06b8ffda394abf2665a7bfc44673da7c927f377999540071f

MD5 hash:

9ea873b1ca716a8cd3932b46eac21c6b

SHA1 hash:

cdeac949804113d8824253183ebae70fa00cf8c9

Link:

https://www.unpac.me/results/57ac23c1-b3eb-4316-857c-7e0fdcb25f36/

SH256 hash:

3ba16a92b2b40d38c6e5e30f882a4c60b3838611868d990b7d986eb4018c17cb

MD5 hash:

16d6f358cc62b12dc869da8a59b03eda

SHA1 hash:

5eaf3662fbd4193086df2ba7233e9652542be8a3

Link:

https://www.unpac.me/results/57ac23c1-b3eb-4316-857c-7e0fdcb25f36/

SH256 hash:

48dce2631822613e7ceb0ff9100ea0584132cdad07a32467a8c5df90c76b87f2

MD5 hash:

156e9142d2df0ef51b311e0443b50e9a

SHA1 hash:

4f542b57a462526b16f3d9d857b28f792c24ae78

Detections:

snake_keylogger

Link:

https://www.unpac.me/results/57ac23c1-b3eb-4316-857c-7e0fdcb25f36/

Parent samples :

6b010af0223bd5f11bfc896701e2151a2feee5e48127367f2f760d5110af4857
2eb68d9acd4f3bf8816e682b1c87234e909cd8f1d53bc4d6df8a0acb74daea52
ae5aa180e80601126d73c2da070cd4fc5d041d4cbd66566d01569fd1ad33738b
beb54195c2d5f5dd021b8a916b27d6929b6114c2edd311f291b15054d439e7ab
fd2cd3b81c8d9917c3d886e894b7e6561f501cbf6eba18d2dcf443cb5cc05a0f
e08ed6f6f84946bdd5e3d099080330841efe8ce84cc2002d510e3dbe74de3fef
50109664df17c305d63866d276484eff9131d9fb4bbb091275f07d940e7435b5
8e88b06d2325abd6c323cac3064f6ca4f81e4fee843b04efc255a3105f82e507
4a7c732e04071421b16fceefad0a2a2c046d8d59b2ece54f50f89645b4eac10d
081d841583dbdb2d881df7e2ac7d12702518680e5a34a6238cdee2abae76885b

SH256 hash:

cfc16a2dbb933b1b85807d48966e9301b9fc34f4c44e7357713ca88b54bf4ab4

MD5 hash:

aabd0bdc81026ade6c57383f21d5c227

SHA1 hash:

4b26936bb8c03be6d7963184215a5ab594ecb765

Link:

https://www.unpac.me/results/57ac23c1-b3eb-4316-857c-7e0fdcb25f36/

SH256 hash:

5d67c41d99bb3621cf7c941850467425873e489903bcfa12e7d1d96bfbf9ac7a

MD5 hash:

85759c7474574c90a18c1eaff213d457

SHA1 hash:

26867b440c30805e51bd74d8275fe996b5e2cf1e

Link:

https://www.unpac.me/results/57ac23c1-b3eb-4316-857c-7e0fdcb25f36/

SH256 hash:

e08ed6f6f84946bdd5e3d099080330841efe8ce84cc2002d510e3dbe74de3fef

MD5 hash:

a0c4193888a9f251b8d95db660d43c7c

SHA1 hash:

49ce409357a3ca9c7f0f9a15c28b6d211b44d95c

Link:

https://www.unpac.me/results/57ac23c1-b3eb-4316-857c-7e0fdcb25f36/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/e08ed6f6f84946bdd5e3d099080330841efe8ce84cc2002d510e3dbe74de3fef

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	pe_imphash Create hunting rule

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

SnakeKeylogger

exe e08ed6f6f84946bdd5e3d099080330841efe8ce84cc2002d510e3dbe74de3fef

(this sample)

Dropped by

snakekeylogger

Delivery method

Distributed via e-mail attachment

Cape

https://www.capesandbox.com/analysis/323350/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample