MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 e49f4942afa894a6907ed4cfb3333664fde60d1b756109d8e8b22cd4bb0f5fad. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



SnakeKeylogger


Vendor detections: 14



SHA256 hash: e49f4942afa894a6907ed4cfb3333664fde60d1b756109d8e8b22cd4bb0f5fad
SHA3-384 hash: 0a844b6b252d597ab6ef98d32d28e02e3aa8cdb104218b7be4545c722cc850616bf204d4bb30719e7bea4f9c067ba198
SHA1 hash: 0c2bfc45c003bcf173ec78b7295e51a22ad3a3be
MD5 hash: 2e7ec791d09a6551d1788f93946bc01d
humanhash: finch-coffee-six-two
File name: 2e7ec791d09a6551d1788f93946bc01d.exe
Signature: SnakeKeylogger
File size: 1'175'040 bytes
First seen: 2023-03-01 19:05:09 UTC
Last seen: 2023-03-01 20:29:30 UTC
File type: Executable exe
MIME type: application/x-dosexec
imphash: f34d5f2d4577ed6d9ceec516c1f5a744 (48'647 x AgentTesla, 19'451 x Formbook, 12'201 x SnakeKeylogger)
ssdeep: 12288:JUvWShbopAJkP30y/+Jd2fDEj0AUP+27pQ7p2OZGUi7mgOofXS+SoMlP3qq8I4cM:/Ak2vj2I2HUafXS1/Od+aWu
Threatray: 4'505 similar samples on MalwareBazaar
TLSH: T131457B8132F9C115EDCF323D091C858A7D79B507A162F22AAB7636C6531B7F7B2D8182
TrID: 63.0% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
      11.2% (.SCR) Windows screen saver (13097/50/3)
      9.0% (.EXE) Win64 Executable (generic) (10523/12/4)
      5.6% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
      3.8% (.EXE) Win32 Executable (generic) (4505/5/1)
Reporter: abuse_ch
Tags: exe SnakeKeylogger

Intelligence

File Origin
# of uploads: 2
# of downloads: 343
Origin country: n/a

Vendor Threat Intelligence

Malware family: n/a
ID: 1
File name: 2e7ec791d09a6551d1788f93946bc01d.exe
Verdict: Malicious activity
Analysis date: 2023-03-01 19:36:30 UTC
Tags: snake keylogger trojan evasion

Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Result
Verdict: Malware
Maliciousness:
Behaviour: Searching for the window; Creating a window

Verdict: Malicious
Threat level: 10/10
Confidence: 100%
Tags: packed
Result
Verdict: UNKNOWN
Details: Windows PE Executable. Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family: Generic Malware
Verdict: Malicious

Result
Threat name: Snake Keylogger
Detection: malicious
Classification: troj.spyw.evad
Score: 100 / 100
Signature
Injects a PE file into a foreign processes
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
May check the online IP address of the machine
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Mail credentials (via file / registry access)
Yara detected Generic Downloader
Yara detected Snake Keylogger
Yara detected Telegram RAT
Threat name: ByteCode-MSIL.Trojan.AgentTesla
Status: Malicious
First seen: 2023-03-01 09:38:49 UTC
File Type: PE (.Net Exe)
Extracted files: 30
AV detection: 20 of 25 (80.00%)
Threat level: 5/5

Result
Malware family: snakekeylogger
Score: 10/10
Tags: family:snakekeylogger collection keylogger spyware stealer
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Looks up external IP address via web service
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Snake Keylogger
Snake Keylogger payload
Unpacked files
SHA256 hash: dd698e16588231503727fe1609bd888b9e12dd4ecc1e95fcdb9bd0f065c022ec
MD5 hash: fbd748c2d20caf21024defa1574462f0
SHA1 hash: d7dd8111633970e33d2a5b24bf14068145767593

SHA256 hash: d06df7395d561e198f9b7c5481567116ff2e4c2e84437c018d2a2c8ea6c4ca37
MD5 hash: 0fb6061f7d37424fb9e6d0e76b019c19
SHA1 hash: 98a64bf7b459f032d6ec5793003bf61b5ae1dd74

SHA256 hash: 64a11ae8390f71fafac5758e604f7dd810bc08599d7409b78ed8dbc0d800889b
MD5 hash: 0bd8a3ac0668bb31b2d27e96463228fd
SHA1 hash: 9003025399b49b45c55101d0ad2431c7dd6c8e19

Detections: snake_keylogger
Parent samples:
SHA256 hash: 0b46f135fdb5157a04ffedeb88699fc7eebf49b42598dd0be45dc391b3e49d8d
MD5 hash: aedc1b4e4659da12b89977c76b814152
SHA1 hash: 497f6b573d6976c38ba40983e558c482b75230d5

SHA256 hash: 219a6c7ea5bb974cc9fdf265d13d843e6ba83f2a1ec07744d4b9ca3a6ca90f38
MD5 hash: 88dd74207f3882979e21e26bf33a0e9c
SHA1 hash: 02a2db1bcbdb700f16c730a45d6ca62f805af8d4

SHA256 hash: e49f4942afa894a6907ed4cfb3333664fde60d1b756109d8e8b22cd4bb0f5fad
MD5 hash: 2e7ec791d09a6551d1788f93946bc01d
SHA1 hash: 0c2bfc45c003bcf173ec78b7295e51a22ad3a3be

Malware family: SnakeKeylogger
Verdict: Malicious
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: pe_imphash

Rule name: Skystars_Malware_Imphash
Author: Skystars LightDefender
Description: imphash

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Web download
SnakeKeylogger
Executable exe e49f4942afa894a6907ed4cfb3333664fde60d1b756109d8e8b22cd4bb0f5fad (this sample)

Delivery method: Distributed via web download