MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 e83c5b4a9fbfb2294eeb8be89c3d871ad2f20b776bf9594bd0b0ecd288ad47f8. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


SnakeKeylogger


Vendor detections: 14


Intelligence 14 IOCs YARA 2 File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: e83c5b4a9fbfb2294eeb8be89c3d871ad2f20b776bf9594bd0b0ecd288ad47f8
SHA3-384 hash: 1ad5476b42c4b708a4fa54af13ffc68ae4ed60540919adbf59d8dd0a08c72a75d697e1b538e633970f5f236e4e6d7d57
SHA1 hash: f008aba5a83a167663be86bcb0230232c74029f7
MD5 hash: 0c416e462853425ce474820d82ed8212
humanhash: low-wyoming-tennis-shade
File name:0c416e462853425ce474820d82ed8212
Download: download sample
Signature SnakeKeylogger
Create hunting rule
File size:1'075'712 bytes
First seen:2023-03-09 13:55:33 UTC
Last seen:2023-03-09 15:36:49 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'666 x AgentTesla, 19'479 x Formbook, 12'209 x SnakeKeylogger)
ssdeep 24576:EuOZ6wGkB+e9uf8mS8mONRMbeze6aKQoW7y0nkO:P39Y6aKQmmkO
Threatray 4'684 similar samples on MalwareBazaar
TLSH T183355992E8991D5FEA17CB3A5333581D21671D25F23DACE52C78F1A62AF26830721C37
TrID 71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.2% (.EXE) Win64 Executable (generic) (10523/12/4)
6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.3% (.EXE) Win32 Executable (generic) (4505/5/1)
2.0% (.ICL) Windows Icons Library (generic) (2059/9)
Reporter zbetcheckin
Tags:32 exe SnakeKeylogger

Intelligence

File Origin
# of uploads :
2
# of downloads :
217
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
factura.xls
Verdict:
Malicious activity
Analysis date:
2023-03-09 13:07:33 UTC
Tags:
opendir exploit cve-2017-11882 loader snake keylogger trojan evasion
Link:
https://app.any.run/tasks/f357d112-1d63-4649-8bab-3e57b85398da

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/373011/
Detection(s):
SecuriteInfo.com.Trojan.Siggen20.144.18890.31667.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Launching a process
Creating a process with a hidden window
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
packed
Link:
https://www.filescan.io/uploads/6409e573ed3d336980450c35/reports/c32afc79-0416-46e6-8693-3cb812bfac79/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_100%
Link:
https://www.hybrid-analysis.com/sample/e83c5b4a9fbfb2294eeb8be89c3d871ad2f20b776bf9594bd0b0ecd288ad47f8
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Generic Malware
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/ffedf7cb-e575-43d6-91fa-ec13d5f8dafb
Result
Threat name:
Snake Keylogger
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1190581
Signature
Adds a directory exclusion to Windows Defender
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
May check the online IP address of the machine
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Scheduled temp file as task from temp location
Snort IDS alert for network traffic
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Mail credentials (via file / registry access)
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected Generic Downloader
Yara detected Snake Keylogger
Yara detected Telegram RAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 823465 Sample: FOO4YzWwgD.exe Startdate: 09/03/2023 Architecture: WINDOWS Score: 100 51 Snort IDS alert for network traffic 2->51 53 Malicious sample detected (through community Yara rule) 2->53 55 Sigma detected: Scheduled temp file as task from temp location 2->55 57 5 other signatures 2->57 7 FOO4YzWwgD.exe 7 2->7         started        11 nijiOvNtapSp.exe 5 2->11         started        process3 file4 35 C:\Users\user\AppData\...\nijiOvNtapSp.exe, PE32 7->35 dropped 37 C:\Users\...\nijiOvNtapSp.exe:Zone.Identifier, ASCII 7->37 dropped 39 C:\Users\user\AppData\Local\...\tmpADC0.tmp, XML 7->39 dropped 41 C:\Users\user\AppData\...\FOO4YzWwgD.exe.log, ASCII 7->41 dropped 59 May check the online IP address of the machine 7->59 61 Uses schtasks.exe or at.exe to add and modify task schedules 7->61 63 Adds a directory exclusion to Windows Defender 7->63 13 FOO4YzWwgD.exe 15 2 7->13         started        17 powershell.exe 21 7->17         started        19 powershell.exe 21 7->19         started        25 2 other processes 7->25 65 Multi AV Scanner detection for dropped file 11->65 67 Machine Learning detection for dropped file 11->67 69 Injects a PE file into a foreign processes 11->69 21 nijiOvNtapSp.exe 11->21         started        23 schtasks.exe 11->23         started        signatures5 process6 dnsIp7 43 checkip.dyndns.com 193.122.6.168, 49713, 49721, 80 ORACLE-BMC-31898US United States 13->43 45 checkip.dyndns.org 13->45 27 conhost.exe 17->27         started        29 conhost.exe 19->29         started        47 checkip.dyndns.org 21->47 49 192.168.2.1 unknown unknown 21->49 71 Tries to steal Mail credentials (via file / registry access) 21->71 73 Tries to harvest and steal ftp login credentials 21->73 75 Tries to harvest and steal browser information (history, passwords, etc) 21->75 31 conhost.exe 23->31         started        33 conhost.exe 25->33         started        signatures8 process9
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/e83c5b4a9fbfb2294eeb8be89c3d871ad2f20b776bf9594bd0b0ecd288ad47f8/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2023-03-09 13:59:01 UTC
File Type:
PE (.Net Exe)
Extracted files:
10
AV detection:
18 of 24 (75.00%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=5a6fwsu7x6zcstxlrpujypmhdljpec3xnp4vss6qwdwnfcfni74a._file
Verdict:
malicious
Similar samples:
1fd1e0ff7b9e6bc7b9014cbdfa12b15459011086a2398185e5b51ca92bf8a8e5
SnakeKeylogger
4a63d124fccf3d47730bf3b1b9d1befadb2b225b3b38fdacaa135f0800548c6c
SnakeKeylogger
4f8dc84952cc5e606fb05b608f35a150e5fa629c380db2cb2cb7a5aee1f322b6
SnakeKeylogger
77864a5c81d11e61e24fa26853404d5e75a8780cd476cd6a0c7e525128a589ad
SnakeKeylogger
8572c3b461f643bf5baaeb032cf81f83af78dcc60e34d98c669d12f748bb38f3
SnakeKeylogger
8d31760b4b183db7fbb1cce9c5dab77e264c27484eb49193c6ebd0cc1deeaccf
SnakeKeylogger
8d77e4bcebfa77845ac1775d6ea0dbb44c8e874bffac615c334ef984b9b71ace
SnakeKeylogger
b6ccf763bb38649f95ffb2bc6311ecf8d6cca7b6488d76a545b3c584192918ea
SnakeKeylogger
d592465fda14fe34f19703d3222ce71ac81592f87911b908e5c12cf68cf258ac
SnakeKeylogger
e8e100895fa60d667eb81cc2fb660ac12dd998f8f20aa6d7e0ea942854dc831f
SnakeKeylogger
+ 4'674 additional samples on MalwareBazaar
Result
Malware family:
snakekeylogger
Create hunting rule
Score:
  10/10
Tags:
family:snakekeylogger collection keylogger spyware stealer
Link:
https://tria.ge/reports/230309-q8ntbsbf3s/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Enumerates physical storage devices
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Looks up external IP address via web service
Checks computer location settings
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Snake Keylogger
Snake Keylogger payload
Unpacked files
SH256 hash:
e998b42a57a072fa60c0dc00e506b8e489e59e6893a432dc41e5bfb2c506d903
MD5 hash:
998678c8581ee26f4377ab247e88e910
SHA1 hash:
f1d211d88f9b381d6edec4d33f95a5fa352f8ae0
Link:
https://www.unpac.me/results/86a0765b-0c0d-4225-bccf-edf28f5ff0b9/
SH256 hash:
3f27f00b220f5374e839f6d4dd6cae231eb32efa669219ae193919b4f9384c75
MD5 hash:
63dcd8430f2d1be0715b16ac70c68018
SHA1 hash:
a39caa36b4e9ff68c6b4d9d4c3bf34c637ed4038
Detections:
snake_keylogger
Create hunting rule
Link:
https://www.unpac.me/results/86a0765b-0c0d-4225-bccf-edf28f5ff0b9/
Parent samples :
ffe2eeba3c307df2994455331d6c7f19cffdcda1feeceb9ac50d519685f53c48
180a541d61bfa4fda318457b0f16f159671b14305b5993e13b4d63c649eed2cb
96b8969e22bf1183fcc6ba3778115801dd2e6ab5d05c46d7e9b03fc95558aa43
777e815415d8a5c55a3ddf78e28d4a50a5517f3938219c197c6e7c60a2f256a1
b33a98ce498846037fd68b2055d835464a1350c9c067e250689a2be1f17dc987
e83c5b4a9fbfb2294eeb8be89c3d871ad2f20b776bf9594bd0b0ecd288ad47f8
313ad26ae426d1f3293c2d78ed3fde9093661e90dc876246e8703f0a20522a21
27379979a480e5ebfe00f58eb1f2fd09836eb8a13a7dde9ac1451e4ef09c73f1
SH256 hash:
57c9f486be687ebc08a756e5fd750fc63f3f3b8892b46508589ecfd2b69c9eca
MD5 hash:
cd7051e0594ee4d89521baffc7693b41
SHA1 hash:
9b7ee6f1bc68f29807b96c7487b12c751cff427b
Link:
https://www.unpac.me/results/86a0765b-0c0d-4225-bccf-edf28f5ff0b9/
SH256 hash:
1eb79832194a9efe7df00e227f0565a3b2d301ac2cd5f5c165a0ecc459a28490
MD5 hash:
66c99b3a5caf4719bd08cdeaa28b7f97
SHA1 hash:
5db0cc576a48f8a5a0142ae62ba4fdc3e47dbc5e
Link:
https://www.unpac.me/results/86a0765b-0c0d-4225-bccf-edf28f5ff0b9/
SH256 hash:
e386840537170219177c2bb3404f4c7bd9da1a2d53cdf2ae1e857c3b19628a29
MD5 hash:
d170ab8c03b9c37d5be449454db131d2
SHA1 hash:
2031b6754a65d21b47dd11a34fee86f048d6048d
Link:
https://www.unpac.me/results/86a0765b-0c0d-4225-bccf-edf28f5ff0b9/
SH256 hash:
e83c5b4a9fbfb2294eeb8be89c3d871ad2f20b776bf9594bd0b0ecd288ad47f8
MD5 hash:
0c416e462853425ce474820d82ed8212
SHA1 hash:
f008aba5a83a167663be86bcb0230232c74029f7
Link:
https://www.unpac.me/results/86a0765b-0c0d-4225-bccf-edf28f5ff0b9/
Malware family:
SnakeKeylogger
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/e83c5b4a9fbf/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/e83c5b4a9fbfb2294eeb8be89c3d871ad2f20b776bf9594bd0b0ecd288ad47f8

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

SnakeKeylogger

Executable exe e83c5b4a9fbfb2294eeb8be89c3d871ad2f20b776bf9594bd0b0ecd288ad47f8

(this sample)

  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/2564169/
Cape
Cape
https://www.capesandbox.com/analysis/373011/

Comments


Avatar
zbet commented on 2023-03-09 13:55:41 UTC

url : hxxp://198.46.174.164/599/vbc.exe