MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 e7549401654dedc2a2064ccaaf8301c753c76b0f71f208c0d819f2a56ab8949f. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


SnakeKeylogger


Vendor detections: 15


Intelligence 15 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: e7549401654dedc2a2064ccaaf8301c753c76b0f71f208c0d819f2a56ab8949f
SHA3-384 hash: 45bcac380f2dd9cba8ffb9b6c92176ab4ffc2e90cbd030d508451ad574c188c29ffae13a67434352b03416e3842fb933
SHA1 hash: 89a3362a92e60662754251e08566e7bef0629a21
MD5 hash: 588d3c0d6f86bdb1d426bac5d37bcaf7
humanhash: carolina-six-robin-freddie
File name:MSDS.exe
Download: download sample
Signature SnakeKeylogger
Create hunting rule
File size:773'120 bytes
First seen:2023-03-28 13:33:10 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'744 x AgentTesla, 19'612 x Formbook, 12'242 x SnakeKeylogger)
ssdeep 12288:uUdKdJVZz5dbQgG5K88k5eiFLOKJGiSpKqZIZw/q5oY9NVPQnls7bmavKYX7:uUCVZ9e5K255L1ypKqZe/5oY9NVPglgP
Threatray 210 similar samples on MalwareBazaar
TLSH T167F41209F2945111E76A47B918E08808C77EB6D25752FF4ADE5C74C72EF93C04A2FA8B
TrID 63.0% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
11.2% (.SCR) Windows screen saver (13097/50/3)
9.0% (.EXE) Win64 Executable (generic) (10523/12/4)
5.6% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
3.8% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):PE icon
dhash icon 0000000000000000 (872 x AgentTesla, 496 x Formbook, 296 x RedLineStealer)
Reporter James_inthe_box
Tags:exe SnakeKeylogger

Intelligence

File Origin
# of uploads :
1
# of downloads :
231
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
MSDS.exe
Verdict:
Malicious activity
Analysis date:
2023-03-28 13:34:17 UTC
Tags:
snake
Link:
https://app.any.run/tasks/3eb230ec-055e-4fba-aeb0-c7d0087792a1

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Snake
Create hunting rule
Link:
https://www.capesandbox.com/analysis/378176/
Detection(s):
Sanesecurity.Malware.28872.BadIN4.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Creating a window
Сreating synchronization primitives
Creating a file in the %AppData% directory
Enabling the 'hidden' option for recently created files
Adding an access-denied ACE
Creating a process from a recently created file
Creating a process with a hidden window
Creating a file in the %temp% directory
Launching a process
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
comodo formbook packed remcos
Link:
https://www.filescan.io/uploads/6422eccb9c109cf74b305474/reports/a499229f-0526-4704-a6ef-1cbd5631cf6a/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_90%
Link:
https://www.hybrid-analysis.com/sample/e7549401654dedc2a2064ccaaf8301c753c76b0f71f208c0d819f2a56ab8949f
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Snake Keylogger
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/6e609ef7-33c1-4aa0-943c-af7cff3699e8
Result
Threat name:
Snake Keylogger
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1203664
Signature
.NET source code contains potential unpacker
Adds a directory exclusion to Windows Defender
Injects a PE file into a foreign processes
Malicious sample detected (through community Yara rule)
May check the online IP address of the machine
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Scheduled temp file as task from temp location
Snort IDS alert for network traffic
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Mail credentials (via file / registry access)
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected Generic Downloader
Yara detected Snake Keylogger
Yara detected Telegram RAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 836584 Sample: MSDS.exe Startdate: 28/03/2023 Architecture: WINDOWS Score: 100 49 Snort IDS alert for network traffic 2->49 51 Malicious sample detected (through community Yara rule) 2->51 53 Sigma detected: Scheduled temp file as task from temp location 2->53 55 5 other signatures 2->55 7 MSDS.exe 7 2->7         started        11 cVyeVrkupE.exe 5 2->11         started        process3 file4 33 C:\Users\user\AppData\...\cVyeVrkupE.exe, PE32 7->33 dropped 35 C:\Users\...\cVyeVrkupE.exe:Zone.Identifier, ASCII 7->35 dropped 37 C:\Users\user\AppData\Local\...\tmp3D5F.tmp, XML 7->37 dropped 39 C:\Users\user\AppData\Local\...\MSDS.exe.log, ASCII 7->39 dropped 57 May check the online IP address of the machine 7->57 59 Uses schtasks.exe or at.exe to add and modify task schedules 7->59 61 Adds a directory exclusion to Windows Defender 7->61 13 MSDS.exe 15 2 7->13         started        17 powershell.exe 21 7->17         started        19 schtasks.exe 1 7->19         started        63 Multi AV Scanner detection for dropped file 11->63 65 Injects a PE file into a foreign processes 11->65 21 cVyeVrkupE.exe 14 2 11->21         started        23 schtasks.exe 1 11->23         started        25 cVyeVrkupE.exe 11->25         started        signatures5 process6 dnsIp7 41 checkip.dyndns.com 132.226.8.169, 49705, 80 UTMEMUS United States 13->41 43 checkip.dyndns.org 13->43 27 conhost.exe 17->27         started        29 conhost.exe 19->29         started        45 158.101.44.242, 49707, 80 ORACLE-BMC-31898US United States 21->45 47 checkip.dyndns.org 21->47 67 Tries to steal Mail credentials (via file / registry access) 21->67 69 Tries to harvest and steal ftp login credentials 21->69 71 Tries to harvest and steal browser information (history, passwords, etc) 21->71 31 conhost.exe 23->31         started        signatures8 process9
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/e7549401654dedc2a2064ccaaf8301c753c76b0f71f208c0d819f2a56ab8949f/
Threat name:
ByteCode-MSIL.Trojan.SnakeKeylogger
Create hunting rule
Status:
Malicious
First seen:
2023-03-28 09:36:28 UTC
File Type:
PE (.Net Exe)
Extracted files:
11
AV detection:
18 of 24 (75.00%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=45kjialfjxw4fiqgjtfk7ayby5j4o2ypohzarqgydhzkk2vysspq._file
Verdict:
malicious
Similar samples:
0447c43cc9d78ef162784c4ae1ce6baa8289f9c159ec6baf735072a93bb51a88
SnakeKeylogger
11b8ec17c90add99a6e717e3f90640dcbfef63c3b4185c872caea70841bd74f2
SnakeKeylogger
31f26627d71b58fe5accc2077b600f8b7f25a8cdc75b4a538207c170d6275590
SnakeKeylogger
8382a6ee4216faec05fbd17a082a85a05c4878ba1dbc440744439a5011eea035
SnakeKeylogger
bd3704c36cc99d990c773ae12328f7938e7a5bf230e18501f2f8b869532b28d5
SnakeKeylogger
c5881aae0402696993a36546d2fa1e44d6fb53c0b8528ea23cbb1c12e0e7c9b1
SnakeKeylogger
d7f939548251900b0227703cb9825c0923b4cd0c2feccf155409d07f6bb7676c
SnakeKeylogger
e004337426d90bd966b01fc36d2252d4b9f05dacede72ce8514540d604cf0663
SnakeKeylogger
+ 200 additional samples on MalwareBazaar
Result
Malware family:
snakekeylogger
Create hunting rule
Score:
  10/10
Tags:
family:snakekeylogger collection keylogger spyware stealer
Link:
https://tria.ge/reports/230328-qt3zpsbc68/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Enumerates physical storage devices
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Looks up external IP address via web service
Checks computer location settings
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Snake Keylogger
Snake Keylogger payload
Unpacked files
SH256 hash:
42a1b13fcfeac3b9171c33a5f5d5cd202e022653fd40a3d77ec0ecffbdb25805
MD5 hash:
aca804d5d77bd73228eaa44a95402330
SHA1 hash:
fab4900d6af18796b65e1ab8f5ca4da5c933185b
Detections:
snake_keylogger
Create hunting rule
Link:
https://www.unpac.me/results/cbb6473e-8189-4a83-ad16-539c451dd786/
Parent samples :
854b59aa584237418101867e86018d0e0c3e8a588010d8cc8f8850e66b5221b9
003c6607c3deee0f0c458c18220403e1eb2ae5469814756e551faf5bf3fc9f5a
e6c74fa34990259423123de4dca4a6b1924929ac74b4e0078c702ca2ec05782b
e7549401654dedc2a2064ccaaf8301c753c76b0f71f208c0d819f2a56ab8949f
ca598fdf9fb15e2c04dbb11f4c4ba49c397029ed14fe2eedbc5c320eea4a00a6
145b8aff160e3a50b8b5b9e6fd3b68106c1f3c0766bf76fa88faea0787d07bf5
8f90611a7d29f7e832d55fe1587107d30c53c2f580c45ea09c4f0cf45fe7cc7d
42a1b13fcfeac3b9171c33a5f5d5cd202e022653fd40a3d77ec0ecffbdb25805
3ace1af5dc3cf09c40ae8d4c0c4f499fbe1996c7c041ee07e30fb24283b4343f
SH256 hash:
b4b190818a658f0b64f5aa6d39e901e9d731bf1f58fa072b4c73120a96489bdb
MD5 hash:
3c6f8b2e78f5ebf58c4f170b30c04607
SHA1 hash:
c0ee09a1a9d1c673ad7eadabab7de44ebe0ff765
Link:
https://www.unpac.me/results/cbb6473e-8189-4a83-ad16-539c451dd786/
SH256 hash:
d06df7395d561e198f9b7c5481567116ff2e4c2e84437c018d2a2c8ea6c4ca37
MD5 hash:
0fb6061f7d37424fb9e6d0e76b019c19
SHA1 hash:
98a64bf7b459f032d6ec5793003bf61b5ae1dd74
Link:
https://www.unpac.me/results/cbb6473e-8189-4a83-ad16-539c451dd786/
Parent samples :
495607b1aef01bf7dfb64b5cb16a8fc0f161c2923627d71c69de97328f8eca3f
2434aa78b46a3afc98fa6e888c3eb56278ba52b0ff800e7e875af9c2e7f9011a
SH256 hash:
f49d09225577eb62977209412ea24beec53662dc662f06b50c8989bd7010d794
MD5 hash:
726dcad20e133929a1b0a5f1e49e6550
SHA1 hash:
2ce477f1dc801c5053d620850f07d27a839e912a
Link:
https://www.unpac.me/results/cbb6473e-8189-4a83-ad16-539c451dd786/
SH256 hash:
2faf4238eb923b5e2c754b22c8eb1bb24234199835a754cb233221440e6139ec
MD5 hash:
ab015253db43f2b4ad38b6e8c14d0584
SHA1 hash:
28875f8d749391e975cf3e3a40d07ab9c6de25a4
Link:
https://www.unpac.me/results/cbb6473e-8189-4a83-ad16-539c451dd786/
SH256 hash:
e7549401654dedc2a2064ccaaf8301c753c76b0f71f208c0d819f2a56ab8949f
MD5 hash:
588d3c0d6f86bdb1d426bac5d37bcaf7
SHA1 hash:
89a3362a92e60662754251e08566e7bef0629a21
Link:
https://www.unpac.me/results/cbb6473e-8189-4a83-ad16-539c451dd786/
Malware family:
SnakeKeylogger
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/e7549401654d/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/e7549401654dedc2a2064ccaaf8301c753c76b0f71f208c0d819f2a56ab8949f

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

  
Delivery method
Other
Cape
Cape
https://www.capesandbox.com/analysis/378176/

Comments