MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 e2113d1238c6af86ae328bd4292d9fe031ae1a4b142686e392434160619da4fe. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


SnakeKeylogger


Vendor detections: 10


Intelligence 10 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: e2113d1238c6af86ae328bd4292d9fe031ae1a4b142686e392434160619da4fe
SHA3-384 hash: 64529f143d6b38fc5e8e2292f536f34ddfb73bfa574ce5824411516d4499a7c385af4dc4b068652f1cd47267d37304e4
SHA1 hash: 760f59844a791e9c17a558e172425ed64ea5d9b2
MD5 hash: 19224b2118f1930a9d5968ff3801ccce
humanhash: asparagus-red-network-green
File name:19224b2118f1930a9d5968ff3801ccce.exe
Download: download sample
Signature SnakeKeylogger
Create hunting rule
File size:726'016 bytes
First seen:2022-05-22 11:57:28 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 12288:0A/k2iNq2iNsUYdSBPxB9GhvS0sBm3eYL405OaCqJKYEYkvNuxcv9fYqAVSk+mc+:B/k1I1W43aa0p3eq4yTjOnNMcv9fY
Threatray 3'856 similar samples on MalwareBazaar
TLSH T172F4CF9CF65178EED42B8E7A99741C20AF61B6235B2FC11B5053225A493C3D38A17EF3
TrID 72.5% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.4% (.EXE) Win64 Executable (generic) (10523/12/4)
6.5% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.4% (.EXE) Win32 Executable (generic) (4505/5/1)
2.0% (.EXE) OS/2 Executable (generic) (2029/13)
Reporter abuse_ch
Tags:exe SnakeKeylogger

Intelligence

File Origin
# of uploads :
1
# of downloads :
277
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
19224b2118f1930a9d5968ff3801ccce.exe
Verdict:
Malicious activity
Analysis date:
2022-05-22 12:00:29 UTC
Tags:
snake evasion trojan
Link:
https://app.any.run/tasks/82c742f6-16d0-43e7-8db7-b54a568a78f7

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Snake
Create hunting rule
Link:
https://www.capesandbox.com/analysis/273404/
Result
Verdict:
Clean
Maliciousness:

Behaviour
Creating a window
Sending a custom TCP request
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
fareit obfuscated packed
Link:
https://www.filescan.io/uploads/628a2587054dcf0ecadd5e6b/reports/bbb3f659-3c50-4ce2-a45d-6f5f483c8461/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Snake Keylogger
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/be61b3bb-f247-4f84-b789-9a6e2e1752c3
Result
Threat name:
Snake Keylogger
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/999307
Signature
.NET source code references suspicious native API functions
Found malware configuration
Injects a PE file into a foreign processes
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
May check the online IP address of the machine
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Mail credentials (via file / registry access)
Yara detected AntiVM3
Yara detected Generic Downloader
Yara detected Snake Keylogger
Yara detected Telegram RAT
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/e2113d1238c6af86ae328bd4292d9fe031ae1a4b142686e392434160619da4fe/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2022-05-21 22:05:01 UTC
File Type:
PE (.Net Exe)
Extracted files:
10
AV detection:
16 of 26 (61.54%)
Threat level:
  5/5
Verdict:
malicious
Similar samples:
14fcb8a4565e90550de5237fccbf8b283c970055ba9b11e206fdf7329c3ad51d
SnakeKeylogger
1e0e310e145e9a874e9bf8cadc3dc90a33e40bd61297f57c1ad94ea9190e6238
SnakeKeylogger
1f7cd0cb15550fd5bf1a49353ae74845965cb3d313f5b8e66f4bd2835661917f
SnakeKeylogger
7ef607e49827ba8f471acbb7ce3aac758ea14683f6da97e6546e16e08b38e450
SnakeKeylogger
96929d91624ef88554c7850bc57c8cfd2bb093fb8cdaad5f8865c1001c5a5d0d
SnakeKeylogger
97d6ca695325d19dba9161f676434dce87ad47769cb1f5618adc7c5122cf6d1c
SnakeKeylogger
a91c01cd252a97e5807ee969f0a645c1e9c4328fa8c83a562ab536d00a26f3b8
SnakeKeylogger
dffe45189680dbc7d56ae5aa90861f798b109efc8cae5a693c0e521b08d2184a
SnakeKeylogger
+ 3'846 additional samples on MalwareBazaar
Result
Malware family:
snakekeylogger
Create hunting rule
Score:
  10/10
Tags:
family:snakekeylogger collection keylogger spyware stealer
Link:
https://tria.ge/reports/220522-n456pshhf9/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Program crash
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Looks up external IP address via web service
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Snake Keylogger
Snake Keylogger Payload
Unpacked files
SH256 hash:
378c2cd986a090931f4fd4df0136b421dd7b1ba19b723048861f5c235751dbc8
MD5 hash:
fc3ac978af9d34b92b22122ac103ace0
SHA1 hash:
f4a2e42eda15213a62184276391c66ef162b2de6
Link:
https://www.unpac.me/results/70d10ea3-8cec-49ad-aa1e-a819808b3392/
SH256 hash:
0a311af3f05a91d9176321e1ed9ff32383b4ca2368485d557bf98b504d9908de
MD5 hash:
d22912e9262661b7194bc375a6768959
SHA1 hash:
e99f4fd9720b4c25c25617e7f3aa43e5d9e6a462
Link:
https://www.unpac.me/results/70d10ea3-8cec-49ad-aa1e-a819808b3392/
SH256 hash:
fdd898ccdfad06cc6bed22d09f7d50c66156f17c2eafddecead054e4bd2b1851
MD5 hash:
fb1eb3370bed6971c9e1155eab42be8a
SHA1 hash:
c0600e6a6e73be11635cf88ad6e1348870e53b33
Link:
https://www.unpac.me/results/70d10ea3-8cec-49ad-aa1e-a819808b3392/
SH256 hash:
f039cedc12c9a8de63383f04a3fd70027985044e952b55ff48490916a51ee4a0
MD5 hash:
48c60788b68954adee8369b0b314b473
SHA1 hash:
13144c166fe599997371cdee361d080c2fab1312
Link:
https://www.unpac.me/results/70d10ea3-8cec-49ad-aa1e-a819808b3392/
SH256 hash:
e2113d1238c6af86ae328bd4292d9fe031ae1a4b142686e392434160619da4fe
MD5 hash:
19224b2118f1930a9d5968ff3801ccce
SHA1 hash:
760f59844a791e9c17a558e172425ed64ea5d9b2
Link:
https://www.unpac.me/results/70d10ea3-8cec-49ad-aa1e-a819808b3392/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.45
Link:
https://yomi.yoroi.company/submissions/e2113d1238c6af86ae328bd4292d9fe031ae1a4b142686e392434160619da4fe

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

SnakeKeylogger

Executable exe e2113d1238c6af86ae328bd4292d9fe031ae1a4b142686e392434160619da4fe

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/2199536/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/273404/

Comments