MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 e5d24ac337863467a0ca13a4323c1e2f5ff29d941861df5a900740b7432838dc. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

SnakeKeylogger

Vendor detections: 14

SHA256 hash: e5d24ac337863467a0ca13a4323c1e2f5ff29d941861df5a900740b7432838dc
SHA3-384 hash: 2ea2573ce3bf99623d5b946c9a7da83b02cf9e1eaefb8c4c0b512fa08e79d4d59fee641eba46bfbbff27060dc9e4eef3
SHA1 hash: 7936f640ef3eb03b4dd6defe8b008ea43bea6c41
MD5 hash: 3fc540a01a963f4c56a06a9f23544ab6
humanhash: helium-twelve-hamper-violet
File name: dc734646737376-tf048493883929.exe
Signature: SnakeKeylogger
File size: 886'272 bytes
First seen: 2023-01-16 12:14:44 UTC
Last seen: 2023-01-16 15:28:11 UTC
File type: Executable exe
MIME type: application/x-dosexec
imphash: f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep: 24576:TILepD6b3ewHdqozEYq3O6kLBKOtWBwCOgPD:TILNb/3uHkLBKOtGPD
Threatray: 10'613 similar samples on MalwareBazaar
TLSH: T1E8159DE1029DC7D5E8F60E380628391467A99897C37DA17E7ED714BB84F674F40B83A2
TrID: 71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
      10.2% (.EXE) Win64 Executable (generic) (10523/12/4)
      6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
      4.3% (.EXE) Win32 Executable (generic) (4505/5/1)
      2.0% (.ICL) Windows Icons Library (generic) (2059/9)
Reporter: lowmal3
Tags: exe SnakeKeylogger

Intelligence


File Origin
# of uploads :
3
# of downloads :
173
Origin country :
DE
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
dc734646737376-tf048493883929.exe
Verdict:
Malicious activity
Analysis date:
2023-01-16 12:18:04 UTC
Tags:
evasion trojan

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Unauthorized injection to a recently created process
Creating a file
Creating synchronization primitives
DNS request
Sending an HTTP GET request
Reading critical registry keys
Verdict:
No Threat
Threat level:
2/10
Confidence:
100%
Tags:
packed
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Private Blackberry Internal
Verdict:
Malicious
Result
Threat name:
Snake Keylogger
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Signature
.NET source code contains potential unpacker
.NET source code references suspicious native API functions
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
May check the online IP address of the machine
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Mail credentials (via file / registry access)
Yara detected AntiVM3
Yara detected Generic Downloader
Yara detected Snake Keylogger
Yara detected Telegram RAT
Behaviour
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Status:
Malicious
First seen:
2023-01-16 10:11:12 UTC
File Type:
PE (.Net Exe)
Extracted files:
12
AV detection:
20 of 26 (76.92%)
Threat level:
5/5
Result
Malware family:
snakekeylogger
Score:
10/10
Tags:
family:snakekeylogger collection keylogger spyware stealer
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Program crash
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Looks up external IP address via web service
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Snake Keylogger
Snake Keylogger payload
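The sandbox behaviours above (unauthorized injection into a recently created process, WriteProcessMemory, SetThreadContext) are the API footprint that hollowing-style injection leaves: a child is started suspended, its memory is overwritten by the creator, the main thread's context is redirected, and the thread is resumed. The page does not name the process the sample injects into or show its raw trace, so the example below is added here and is not code or telemetry from MalwareBazaar or any of the listed vendors. The key=value trace format, the pids and the paths under C:\hypothetical are constructed for illustration; the detector tracks each (creator, child) pair and only reports when the whole sequence completes in order.

```python
# Constructed API-call trace in a key=value format of the shape a sandbox's
# process monitor emits.  The lines, pids and paths are made up for this
# example; they are not telemetry from the sample on this page.
TRACE = """\
pid=1204 api=CreateProcessW image=C:\\hypothetical\\target.exe flags=0x4 child=2880
pid=1204 api=WriteProcessMemory target=2880 size=65536
pid=1204 api=WriteProcessMemory target=2880 size=4096
pid=1204 api=SetThreadContext target=2880
pid=1204 api=ResumeThread target=2880
pid=3300 api=CreateProcessW image=C:\\hypothetical\\other.exe flags=0x0 child=3412
pid=3300 api=WriteProcessMemory target=3412 size=16
pid=3300 api=ResumeThread target=3412
"""

CREATE_SUSPENDED = 0x00000004  # dwCreationFlags bit passed to CreateProcess

# Steps that together make the hollowing pattern, in the order they must occur.
# progress[key] holds the index of the last step reached for a (creator, child)
# pair.  Repeated WriteProcessMemory calls neither advance nor reset the state.
STEPS = ("create_suspended", "write", "set_context", "resume")


def parse_trace(text: str):
    """Split each line into a dict of key=value fields (values contain no spaces
    in this constructed format)."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        fields = {}
        for token in line.split():
            key, _, value = token.partition("=")
            fields[key] = value
        events.append(fields)
    return events


def find_hollowing(events):
    """Return (parent_pid, child_pid) pairs whose call sequence completes STEPS
    in order: a child created suspended, written to by its creator, its thread
    context replaced, then resumed.  Tracking is keyed on the (creator, child)
    pair, so writes into a child that was not created suspended never match."""
    progress = {}
    hits = []
    for ev in events:
        pid, api = ev.get("pid"), ev.get("api")
        if api == "CreateProcessW":
            if int(ev.get("flags", "0"), 16) & CREATE_SUSPENDED:
                progress[(pid, ev.get("child"))] = 0
            continue
        key = (pid, ev.get("target"))
        if key not in progress:
            continue
        step = progress[key]
        if api == "WriteProcessMemory" and step == 0:
            progress[key] = 1
        elif api == "SetThreadContext" and step == 1:
            progress[key] = 2
        elif api == "ResumeThread" and step == 2:
            progress[key] = 3
            hits.append(key)
    return hits


if __name__ == "__main__":
    for parent, child in find_hollowing(parse_trace(TRACE)):
        print(f"hollowing-style injection: pid {parent} -> child pid {child}")
```

On the constructed trace only the first pair is reported; the second creator never used CREATE_SUSPENDED and never called SetThreadContext, so its writes into a child are not enough on their own. A production rule would also consider the state a legitimate debugger or installer leaves, but the ordering constraint is what separates this pattern from a lone WriteProcessMemory alert.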
Unpacked files
SHA256 hash: 78ef1285a49d5135a18acf79237216217388249148d654aa87466e4913a2a473
MD5 hash: b884774bed8c259dc61c2bb9100ebc90
SHA1 hash: b6043c4169e99f8afa7cd89f8f8084e1eeaee4cd

SHA256 hash: 7070404b1c0aa59991b41751c827d39152daa6e72a4d2e504d279b1fae01dc43
MD5 hash: 991214f771b573edee489f1d10a7dab6
SHA1 hash: 726b5d5e700afc36daa3b2472c8b7d7c06e991a1
Detections: snake_keylogger

SHA256 hash: ff1b42ea7d56a37eae801adbddb7116f52a4664c0b41302736f522852edc2747
MD5 hash: 89ac57478044c57c7195943116a521e0
SHA1 hash: 1ff2bafeed795423e3538d810bda8e1e3fcdcfa5

SHA256 hash: 757739990721ae75b7c63ef4c321863de6c3e5149467f097cd27699b2d99891b
MD5 hash: 24d8652cab672b700bbe07208e6cd548
SHA1 hash: 0b932ef5cc34ab318d682556d0209cf43f7a494a

SHA256 hash: 2ad0882eca51e8d55f0a8bf92ff0ade555eabbd16a7984a0c1df53baf34bba78
MD5 hash: 17d4b7b6ea3cf80d3efe0ec9c8181db3
SHA1 hash: 094e673687a63c7ee55aa217d022d04824cc38af

SHA256 hash: e5d24ac337863467a0ca13a4323c1e2f5ff29d941861df5a900740b7432838dc (this sample)
MD5 hash: 3fc540a01a963f4c56a06a9f23544ab6
SHA1 hash: 7936f640ef3eb03b4dd6defe8b008ea43bea6c41
Malware family:
SnakeKeylogger
Verdict:
Malicious
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: pe_imphash

Rule name: Skystars_Malware_Imphash
Author: Skystars LightDefender
Description: imphash
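Both YARA matches on this entry are imphash rules, and the file-information block ties the same imphash to tens of thousands of AgentTesla, Formbook and SnakeKeylogger samples. The example below, added here and not code from MalwareBazaar or from either rule's author, shows why: it reproduces the imphash construction (MD5 over lower-cased "dll.function" pairs in import-table order, as pefile computes it) and demonstrates that a managed .NET executable, whose native import table holds only mscoree.dll!_CorExeMain, always produces the value printed above, so the imphash identifies the runtime rather than a family. It also computes the four content hashes the entry lists and matches them against the page's values. The probe bytes, the function names and the treatment of ordinal imports (left out) are this example's own choices.

```python
import hashlib

# Hash values as printed on this MalwareBazaar entry.
PAGE_IOCS = {
    "sha256": "e5d24ac337863467a0ca13a4323c1e2f5ff29d941861df5a900740b7432838dc",
    "sha1": "7936f640ef3eb03b4dd6defe8b008ea43bea6c41",
    "md5": "3fc540a01a963f4c56a06a9f23544ab6",
    "sha3_384": "2ea2573ce3bf99623d5b946c9a7da83b02cf9e1eaefb8c4c0b512fa08e79d4d59fee641eba46bfbbff27060dc9e4eef3",
}
PAGE_IMPHASH = "f34d5f2d4577ed6d9ceec516c1f5a744"


def file_hashes(data: bytes) -> dict:
    """The four content hashes MalwareBazaar lists per sample, for a file's bytes."""
    return {
        "sha256": hashlib.sha256(data).hexdigest(),
        "sha1": hashlib.sha1(data).hexdigest(),
        "md5": hashlib.md5(data).hexdigest(),
        "sha3_384": hashlib.sha3_384(data).hexdigest(),
    }


def is_page_sample(data: bytes) -> bool:
    """Exact-sample match: every content hash must agree with the entry above."""
    return file_hashes(data) == PAGE_IOCS


def imphash(imports) -> str:
    """Import hash as pefile computes it: MD5 over comma-joined 'dll.function'
    strings, lower-cased, in import-table order, with a .dll/.ocx/.sys suffix
    stripped from the module name.  `imports` is a list of (dll, function)
    pairs.  Imports by ordinal, which pefile resolves from built-in name
    tables, are deliberately left out of this illustration."""
    parts = []
    for dll, func in imports:
        dll = dll.lower()
        for ext in (".dll", ".ocx", ".sys"):
            if dll.endswith(ext):
                dll = dll[: -len(ext)]
                break
        parts.append(f"{dll}.{func.lower()}")
    return hashlib.md5(",".join(parts).encode("ascii")).hexdigest()


# The native import table of a managed (.NET) executable holds a single entry,
# mscoree.dll!_CorExeMain; every other dependency is resolved by the CLR and
# never reaches the table, so all such files share one imphash.
DOTNET_STUB_IMPORTS = [("mscoree.dll", "_CorExeMain")]


def imphash_is_useful_pivot(h: str) -> bool:
    """False when the imphash equals the bare .NET loader stub: it then says
    'managed executable', not which family, which is why this entry ties one
    value to AgentTesla, Formbook and SnakeKeylogger alike."""
    return h.lower() != imphash(DOTNET_STUB_IMPORTS)


if __name__ == "__main__":
    probe = b"abc"  # constructed stand-in; not the sample's bytes
    print(file_hashes(probe))
    print("matches page sample:", is_page_sample(probe))
    print(".NET stub imphash:", imphash(DOTNET_STUB_IMPORTS))
    print("imphash worth pivoting on:", imphash_is_useful_pivot(PAGE_IMPHASH))
```

For triage this means the two YARA hits say nothing beyond "this is a .NET PE"; the SHA256/SHA1/MD5 values, the ssdeep and TLSH fuzzy hashes, and the unpacked-payload hashes listed further down are the fields worth matching against your own telemetry.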

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

SnakeKeylogger
Executable exe e5d24ac337863467a0ca13a4323c1e2f5ff29d941861df5a900740b7432838dc (this sample)

Delivery method: Distributed via e-mail attachment