MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 e839149b7e1a89c1f9e5071caa2cc8cbb6bc9a75d4e2af0621c6df5193cde19f. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


SnakeKeylogger


Vendor detections: 14


Intelligence 14 IOCs YARA 11 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: e839149b7e1a89c1f9e5071caa2cc8cbb6bc9a75d4e2af0621c6df5193cde19f
SHA3-384 hash: 67b487b4ec5544b68ebaa3392881e22a62c6fb82841d97f76b40daf5aa820888960458f5137c9ebe041f5a2075f01a84
SHA1 hash: d59ceb67e97260cca03d79e2518579dd5bf6800f
MD5 hash: b7f5675f9028e865e955ca4218e2719e
humanhash: king-mango-lion-floor
File name:Remittance Advice.exe
Download: download sample
Signature SnakeKeylogger
Create hunting rule
File size:1'174'016 bytes
First seen:2023-02-22 15:50:52 UTC
Last seen:2023-02-22 17:34:51 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 24576:kxEg6zlIik//BjreN9Sbc1jVMWE5vXWEI9f+QF1L4HCtcu:kOzSjqNgw15qWf+
Threatray 4'542 similar samples on MalwareBazaar
TLSH T17945AD4BB7B09436F89E41BC153856CF5E31B252714DE2265F3B39849E8ADFBB1C8212
TrID 71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.2% (.EXE) Win64 Executable (generic) (10523/12/4)
6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.3% (.EXE) Win32 Executable (generic) (4505/5/1)
2.0% (.ICL) Windows Icons Library (generic) (2059/9)
Reporter abuse_ch
Tags:exe SnakeKeylogger

Intelligence

File Origin
# of uploads :
2
# of downloads :
235
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
Remittance Advice.exe
Verdict:
Malicious activity
Analysis date:
2023-02-22 15:52:48 UTC
Tags:
evasion trojan snake keylogger
Link:
https://app.any.run/tasks/413d1caf-74c6-483b-b558-919f949a018c

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Snake
Create hunting rule
Link:
https://www.capesandbox.com/analysis/369097/
Detection(s):
Sanesecurity.Malware.28872.BadIN4.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a custom TCP request
Сreating synchronization primitives
Unauthorized injection to a recently created process
Creating a file
DNS request
Sending an HTTP GET request
Forced shutdown of a browser
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
75%
Tags:
packed
Link:
https://www.filescan.io/uploads/63f639e8a6ba2f75a97a14a4/reports/f1c5f1f2-23f3-4fe7-8df3-2bcea9f6e6bf/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_100%
Link:
https://www.hybrid-analysis.com/sample/e839149b7e1a89c1f9e5071caa2cc8cbb6bc9a75d4e2af0621c6df5193cde19f
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Generic Malware
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/d18fc454-ee70-42b3-982d-9d266b387c22
Result
Threat name:
Snake Keylogger
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1180741
Signature
Injects a PE file into a foreign processes
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
May check the online IP address of the machine
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Mail credentials (via file / registry access)
Yara detected Generic Downloader
Yara detected Snake Keylogger
Yara detected Telegram RAT
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/e839149b7e1a89c1f9e5071caa2cc8cbb6bc9a75d4e2af0621c6df5193cde19f/
Threat name:
ByteCode-MSIL.Spyware.SnakeLogger
Create hunting rule
Status:
Malicious
First seen:
2023-02-22 15:51:08 UTC
File Type:
PE (.Net Exe)
Extracted files:
13
AV detection:
19 of 25 (76.00%)
Threat level:
  2/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=5a4rjg36dke4d6pfa4okulgizo3lzgtv2trk6brby3pvde6n4gpq._file
Verdict:
malicious
Similar samples:
0d1b2fea0d5ddb060f0354f282e7fcce69fc48b55e94195f01b1ed374cf4329e
SnakeKeylogger
1a6dcb18b2d3627d35e18aab269ababa8d2af33be25a23bfb44a4b6144816ea8
SnakeKeylogger
4f8dc84952cc5e606fb05b608f35a150e5fa629c380db2cb2cb7a5aee1f322b6
SnakeKeylogger
53e78ca9d4a478e74ccf5473c7a2d954629c5a1839948514f557c8c360bc49c0
SnakeKeylogger
a200aa32fbe6af2935fe45423e0fe5c53b44cd4012a29426fbccbd947c319749
SnakeKeylogger
c27e38d55a4d9ada7e23e4829c034c36b9e735d26f53de44f70c6f5786736144
SnakeKeylogger
d943f08a35dc06253557151dbff927a9eb4c26f425d328cf612cb7e5211c3822
SnakeKeylogger
dcff2f1adb183112521e7b484dc2fff1bf98316fcc38f4c06eb0e39c416fa3dc
SnakeKeylogger
f714d656ddfec2829d90068335ee63f14ac58e91b450598ebe20e0973f77e0b3
SnakeKeylogger
f7dc2d6bc60e4be7901e3c70558612f8838f7270c3616ef95c144f57df909cc9
SnakeKeylogger
+ 4'532 additional samples on MalwareBazaar
Result
Malware family:
snakekeylogger
Create hunting rule
Score:
  10/10
Tags:
family:snakekeylogger collection keylogger spyware stealer
Link:
https://tria.ge/reports/230222-tagh5scd56/
Behaviour
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Looks up external IP address via web service
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Snake Keylogger
Snake Keylogger payload
Unpacked files
SH256 hash:
b2dd5bcf9138720f9ffeca3b8aefa001e40b2dd879c1db3bb8e47281c3575f8e
MD5 hash:
301d49f143b4559eebb04d6604c9c806
SHA1 hash:
8e1065918d606bf77bf8d0fd3375de5c1e4ec0b3
Link:
https://www.unpac.me/results/2873a29a-47c8-47e7-b8b0-c87d9cd674a0/
SH256 hash:
8617cea503c2a3961120a9c503d853bc21d38d1fca7143d6b1ef4f388bc5cec7
MD5 hash:
7f225c69df031bf0560aed3847a1221a
SHA1 hash:
4d5f3ccdb2c6015d2b2a73326c0f32b173af2819
Link:
https://www.unpac.me/results/2873a29a-47c8-47e7-b8b0-c87d9cd674a0/
SH256 hash:
ffd8ccc2d8acfa24d764c2adc4ca2ecf8a1aec17946946ad857a36312d98b017
MD5 hash:
7e803c8c7e834d12a7d98c9b5ec4b656
SHA1 hash:
4c31dff929f172ad3b188c7554af217e66fac71c
Detections:
snake_keylogger
Create hunting rule
Link:
https://www.unpac.me/results/2873a29a-47c8-47e7-b8b0-c87d9cd674a0/
Parent samples :
a7ab29ab4ac8baeaf3291f50e904bc5456ab09db6cc356775dff05c24e5a577a
1496337508d5142592b403ec491e9fa12736f0b1102789d85dd4791c87b39128
e839149b7e1a89c1f9e5071caa2cc8cbb6bc9a75d4e2af0621c6df5193cde19f
0b9962178789a82a2aef61faaa84d32e88688c3e7d5ab1f6b130bce11ea2fef6
SH256 hash:
5701c1af74a75ae4589961a3e1814d27409823838527102de4f8dc10ef6b4460
MD5 hash:
226f305797689bf22e0bad6958304dd2
SHA1 hash:
3bb5b0326e9fce6dc316bea30635aba1aebaf001
Link:
https://www.unpac.me/results/2873a29a-47c8-47e7-b8b0-c87d9cd674a0/
SH256 hash:
01061d0599467fc9afdf32c4e43e3bb78acf2d67df3c671816db5db67eedeb71
MD5 hash:
b4de28a16ddfcca3b5f4c06568a0264c
SHA1 hash:
3ad5d3581de98aa63b8c29ef93aae57032cc074c
Link:
https://www.unpac.me/results/2873a29a-47c8-47e7-b8b0-c87d9cd674a0/
SH256 hash:
e839149b7e1a89c1f9e5071caa2cc8cbb6bc9a75d4e2af0621c6df5193cde19f
MD5 hash:
b7f5675f9028e865e955ca4218e2719e
SHA1 hash:
d59ceb67e97260cca03d79e2518579dd5bf6800f
Link:
https://www.unpac.me/results/2873a29a-47c8-47e7-b8b0-c87d9cd674a0/
Malware family:
SnakeKeylogger
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/e839149b7e1a/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.45
Link:
https://yomi.yoroi.company/submissions/e839149b7e1a89c1f9e5071caa2cc8cbb6bc9a75d4e2af0621c6df5193cde19f

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_SUSPICIOUS_Binary_References_Browsers
Create hunting rule
Author:ditekSHen
Description:Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers.
Rule name:INDICATOR_SUSPICIOUS_EXE_DotNetProcHook
Create hunting rule
Author:ditekSHen
Description:Detects executables with potential process hoocking
Rule name:INDICATOR_SUSPICIOUS_EXE_References_Messaging_Clients
Create hunting rule
Author:ditekSHen
Description:Detects executables referencing many email and collaboration clients. Observed in information stealers
Rule name:INDICATOR_SUSPICIOUS_EXE_TelegramChatBot
Create hunting rule
Author:ditekSHen
Description:Detects executables using Telegram Chat Bot
Rule name:MALWARE_Win_SnakeKeylogger
Create hunting rule
Author:ditekSHen
Description:Detects Snake Keylogger
Rule name:MAL_Envrial_Jan18_1
Create hunting rule
Author:Florian Roth (Nextron Systems)
Description:Detects Encrial credential stealer malware
Reference:https://twitter.com/malwrhunterteam/status/953313514629853184
Rule name:MAL_Envrial_Jan18_1_RID2D8C
Create hunting rule
Author:Florian Roth
Description:Detects Encrial credential stealer malware
Reference:https://twitter.com/malwrhunterteam/status/953313514629853184
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash
Rule name:Windows_Trojan_SnakeKeylogger_af3faa65
Create hunting rule
Author:Elastic Security

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/369097/

Comments