MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 e6c74fa34990259423123de4dca4a6b1924929ac74b4e0078c702ca2ec05782b. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

SnakeKeylogger

Vendor detections: 14

Intelligence 14 IOCs YARA 12 File information Comments

SHA256 hash:	e6c74fa34990259423123de4dca4a6b1924929ac74b4e0078c702ca2ec05782b
SHA3-384 hash:	87e6299bbfb895c3b7e275c807b2e1b76bf261cdb025afa2b3a8e5e264d43d78bb8905590564abc616271d75e19fde7c
SHA1 hash:	40fc577fddeff678703b4673daa55dbfe657e670
MD5 hash:	3e2bf9d409ebc43f74591d151aa64d38
humanhash:	orange-may-lima-six
File name:	Packing List.exe
Download:	download sample
Signature	SnakeKeylogger Create hunting rule
File size:	769'024 bytes
First seen:	2023-03-28 06:13:20 UTC
Last seen:	2023-03-28 13:13:04 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'661 x AgentTesla, 19'470 x Formbook, 12'208 x SnakeKeylogger)
ssdeep	12288:HjKdJVZz5dcKMk5pgPXJ3IclZZekLRafUWIN51YBplnQaacr2rKEKdmBhQFENrCo:HIVZ9qKP5iXRllVRafra5GLNQ7mEK9FA
Threatray	130 similar samples on MalwareBazaar
TLSH	T15CF41159F2A56222C73987FC28A08844C37DA1E69306EA48FE4C60D75EF57D40E2F65F
TrID	63.0% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13) 11.2% (.SCR) Windows screen saver (13097/50/3) 9.0% (.EXE) Win64 Executable (generic) (10523/12/4) 5.6% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 3.8% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):
dhash icon	0000000000000000 (872 x AgentTesla, 496 x Formbook, 296 x RedLineStealer)
Reporter	abuse_ch
Tags:	exe SnakeKeylogger

Intelligence

File Origin

# of uploads :

# of downloads :

220

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

Packing List.exe

Verdict:

Malicious activity

Analysis date:

2023-03-28 06:14:08 UTC

Tags:

snake keylogger trojan evasion

Link:

https://app.any.run/tasks/344539d5-0dd8-4a70-9580-bd082dab0966

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/378058/

Detection(s):

Sanesecurity.Malware.28872.BadIN4.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

Сreating synchronization primitives

Creating a file in the %AppData% directory

Enabling the 'hidden' option for recently created files

Adding an access-denied ACE

Creating a process from a recently created file

Creating a process with a hidden window

Launching a process

Verdict:

Malicious

Threat level:

10/10

Confidence:

75%

Tags:

comodo formbook packed remcos

Link:

https://www.filescan.io/uploads/642285b19c109cf74b303ac7/reports/55fc10eb-63e4-4282-9a5f-a9dad101df39/overview

Verdict:

Malicious

Labled as:

Win/malicious_confidence_100%

Link:

https://www.hybrid-analysis.com/sample/e6c74fa34990259423123de4dca4a6b1924929ac74b4e0078c702ca2ec05782b

Result

Verdict:

UNKNOWN

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Generic Malware

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/fa74a7b0-ba16-4797-acdf-725f31a6da6b

Result

Threat name:

Snake Keylogger

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1203163

Signature

.NET source code contains potential unpacker

Adds a directory exclusion to Windows Defender

Injects a PE file into a foreign processes

Machine Learning detection for dropped file

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

May check the online IP address of the machine

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Sigma detected: Scheduled temp file as task from temp location

Snort IDS alert for network traffic

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to steal Mail credentials (via file / registry access)

Uses schtasks.exe or at.exe to add and modify task schedules

Yara detected Generic Downloader

Yara detected Snake Keylogger

Yara detected Telegram RAT

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/e6c74fa34990259423123de4dca4a6b1924929ac74b4e0078c702ca2ec05782b/

Threat name:

Win32.Trojan.Leonem

Status:

Malicious

First seen:

2023-03-28 01:37:46 UTC

File Type:

PE (.Net Exe)

Extracted files:

AV detection:

18 of 24 (75.00%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=43du7i2jsasziiyshxsnzjfgwgjesknmos2oab4moawkf3afpavq._file

Verdict:

malicious

SnakeKeylogger

0bc4886cebbde3d4a932203fa8596540269e0c92bb20cf2f8250f063c43798b8

SnakeKeylogger

11b8ec17c90add99a6e717e3f90640dcbfef63c3b4185c872caea70841bd74f2

SnakeKeylogger

3b9b37912769526d5ca753f309018434f6d56410b88695472cdf6e948b9645f6

SnakeKeylogger

44c07d9336c6c18ce42c26a7efa257ec48e26bc8ea670c4c2aad9016f350a220

SnakeKeylogger

84df116f1326ab65e4c91ec9c243e4e2b819c19dc2e47f1e10878a52f96c4c41

SnakeKeylogger

d0a101d03dba528a94c83f78c965018dee7fbc198ebfa5c251ad788672b7a127

SnakeKeylogger

eebe1c81da57309a99fa8cf1a8ef2ef90af6072182ad6b8dd3ceb8a31500bd0c

SnakeKeylogger

fbca5195cab9ea8df36b6123fd0e23f2e1ca97cd0b61d6d40ecee6611f31c8ff

SnakeKeylogger

+ 120 additional samples on MalwareBazaar

Result

Malware family:

snakekeylogger

Score:

10/10

Tags:

family:snakekeylogger collection keylogger spyware stealer

Link:

https://tria.ge/reports/230328-gzbyqsba9s/

Behaviour

Creates scheduled task(s)

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

outlook_office_path

outlook_win_path

Enumerates physical storage devices

Suspicious use of SetThreadContext

Accesses Microsoft Outlook profiles

Looks up external IP address via web service

Checks computer location settings

Reads data files stored by FTP clients

Reads user/profile data of local email clients

Reads user/profile data of web browsers

Snake Keylogger

Snake Keylogger payload

Unpacked files

SH256 hash:

42a1b13fcfeac3b9171c33a5f5d5cd202e022653fd40a3d77ec0ecffbdb25805

MD5 hash:

aca804d5d77bd73228eaa44a95402330

SHA1 hash:

fab4900d6af18796b65e1ab8f5ca4da5c933185b

Detections:

snake_keylogger

Link:

https://www.unpac.me/results/790d91a7-689a-43f8-9c23-5ec132e30115/

Parent samples :

854b59aa584237418101867e86018d0e0c3e8a588010d8cc8f8850e66b5221b9
003c6607c3deee0f0c458c18220403e1eb2ae5469814756e551faf5bf3fc9f5a
e6c74fa34990259423123de4dca4a6b1924929ac74b4e0078c702ca2ec05782b
e7549401654dedc2a2064ccaaf8301c753c76b0f71f208c0d819f2a56ab8949f
ca598fdf9fb15e2c04dbb11f4c4ba49c397029ed14fe2eedbc5c320eea4a00a6
145b8aff160e3a50b8b5b9e6fd3b68106c1f3c0766bf76fa88faea0787d07bf5
8f90611a7d29f7e832d55fe1587107d30c53c2f580c45ea09c4f0cf45fe7cc7d
42a1b13fcfeac3b9171c33a5f5d5cd202e022653fd40a3d77ec0ecffbdb25805
3ace1af5dc3cf09c40ae8d4c0c4f499fbe1996c7c041ee07e30fb24283b4343f

SH256 hash:

f048d0efbb4625dd251240195d783400939ad0bd1bbaa6e367922e79668ad64b

MD5 hash:

b340181143a6f9d40082609023481eef

SHA1 hash:

f2c6e9771886083b6a18b5bd167053c5824d5f39

Link:

https://www.unpac.me/results/790d91a7-689a-43f8-9c23-5ec132e30115/

SH256 hash:

b4b190818a658f0b64f5aa6d39e901e9d731bf1f58fa072b4c73120a96489bdb

MD5 hash:

3c6f8b2e78f5ebf58c4f170b30c04607

SHA1 hash:

c0ee09a1a9d1c673ad7eadabab7de44ebe0ff765

Link:

https://www.unpac.me/results/790d91a7-689a-43f8-9c23-5ec132e30115/

SH256 hash:

d06df7395d561e198f9b7c5481567116ff2e4c2e84437c018d2a2c8ea6c4ca37

MD5 hash:

0fb6061f7d37424fb9e6d0e76b019c19

SHA1 hash:

98a64bf7b459f032d6ec5793003bf61b5ae1dd74

Link:

https://www.unpac.me/results/790d91a7-689a-43f8-9c23-5ec132e30115/

Parent samples :

495607b1aef01bf7dfb64b5cb16a8fc0f161c2923627d71c69de97328f8eca3f
2434aa78b46a3afc98fa6e888c3eb56278ba52b0ff800e7e875af9c2e7f9011a

SH256 hash:

704bdc37172c5ee628f76b1704b68936c076bd4751df8edec8fbdfbddbc606fd

MD5 hash:

ab214479740b3df9312fe66accf2f729

SHA1 hash:

1230405d481bfb770cffa60b4ec5bd1111f8c85c

Link:

https://www.unpac.me/results/790d91a7-689a-43f8-9c23-5ec132e30115/

SH256 hash:

e6c74fa34990259423123de4dca4a6b1924929ac74b4e0078c702ca2ec05782b

MD5 hash:

3e2bf9d409ebc43f74591d151aa64d38

SHA1 hash:

40fc577fddeff678703b4673daa55dbfe657e670

Link:

https://www.unpac.me/results/790d91a7-689a-43f8-9c23-5ec132e30115/

Malware family:

SnakeKeylogger

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/e6c74fa34990/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Password Stealer

Score:

0.90

Link:

https://yomi.yoroi.company/submissions/e6c74fa34990259423123de4dca4a6b1924929ac74b4e0078c702ca2ec05782b

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	INDICATOR_SUSPICIOUS_Binary_References_Browsers Create hunting rule
Author:	ditekSHen
Description:	Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers.

Rule name:	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook Create hunting rule
Author:	ditekSHen
Description:	Detects executables with potential process hoocking

Rule name:	INDICATOR_SUSPICIOUS_EXE_References_Messaging_Clients Create hunting rule
Author:	ditekSHen
Description:	Detects executables referencing many email and collaboration clients. Observed in information stealers

Rule name:	INDICATOR_SUSPICIOUS_EXE_TelegramChatBot Create hunting rule
Author:	ditekSHen
Description:	Detects executables using Telegram Chat Bot

Rule name:	MALWARE_Win_SnakeKeylogger Create hunting rule
Author:	ditekSHen
Description:	Detects Snake Keylogger

Rule name:	MAL_Envrial_Jan18_1 Create hunting rule
Author:	Florian Roth (Nextron Systems)
Description:	Detects Encrial credential stealer malware
Reference:	https://twitter.com/malwrhunterteam/status/953313514629853184

Rule name:	MAL_Envrial_Jan18_1_RID2D8C Create hunting rule
Author:	Florian Roth
Description:	Detects Encrial credential stealer malware
Reference:	https://twitter.com/malwrhunterteam/status/953313514629853184

Rule name:	pe_imphash Create hunting rule

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

Rule name:	Windows_Trojan_SnakeKeylogger_af3faa65 Create hunting rule
Author:	Elastic Security

Rule name:	XWorm_Hunter Create hunting rule
Author:	Potato

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

SnakeKeylogger

exe e6c74fa34990259423123de4dca4a6b1924929ac74b4e0078c702ca2ec05782b

(this sample)

Delivery method

Distributed via e-mail attachment

Cape

https://www.capesandbox.com/analysis/378058/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample