MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 e8dea312a09b6c4d62912126a38778be06eab9e5bc9d33cd3af7ee8938ddbe8a. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

SnakeKeylogger

Vendor detections: 14

Intelligence 14 IOCs YARA 2 File information Comments

SHA256 hash:	e8dea312a09b6c4d62912126a38778be06eab9e5bc9d33cd3af7ee8938ddbe8a
SHA3-384 hash:	03d72dff5733fbb64fa101c709e04742534e34afc2efa132306b818aa2ccb1de3741441c730cda50179bec896aa97d1d
SHA1 hash:	f1e9b0036722bd5a0c69a16d1a414db4bfe9a02d
MD5 hash:	ff278e25a17e1470bfbec635797ec8ea
humanhash:	nitrogen-black-kansas-lithium
File name:	Official Purchase Order No. 29823-222.exe
Download:	download sample
Signature	SnakeKeylogger Create hunting rule
File size:	1'346'048 bytes
First seen:	2022-03-28 07:21:33 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'661 x AgentTesla, 19'474 x Formbook, 12'208 x SnakeKeylogger)
ssdeep	24576:KL3WwaVhH+JZiSnbu1Av13ryMR9dF0iHnTG+:UHyhebiSnbu1AvFyMR9BHn
Threatray	3'343 similar samples on MalwareBazaar
TLSH	T177556B99325071DEC467C972CDA81CECAA207C665F1FC207A053329E9A7DA97CF146B3
Reporter	abuse_ch
Tags:	exe SnakeKeylogger

Intelligence

File Origin

# of uploads :

# of downloads :

199

Origin country :

n/a

Vendor Threat Intelligence

Detection:

Snake

Link:

https://www.capesandbox.com/analysis/258422/

Detection(s):

Win.Dropper.Nanocore-9942595-0

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a file

Сreating synchronization primitives

DNS request

Sending an HTTP GET request

Sending a custom TCP request

Reading critical registry keys

Searching for the window

Creating a window

Unauthorized injection to a recently created process

Forced shutdown of a browser

Verdict:

Likely Malicious

Threat level:

7.5/10

Confidence:

100%

Tags:

explorer.exe obfuscated packed replace.exe update.exe

Link:

https://www.filescan.io/uploads/6241621c9253b276b78d11b0/reports/dcf24fbb-e6a8-4513-9958-08f417114dc5/overview

Result

Verdict:

SUSPICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Snake Keylogger

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/ed8b9678-f9e4-4cdc-bc06-d3212a2c3e94

Result

Threat name:

Snake Keylogger

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/965750

Signature

.NET source code references suspicious native API functions

Found malware configuration

Initial sample is a PE file and has a suspicious name

Injects a PE file into a foreign processes

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

May check the online IP address of the machine

Multi AV Scanner detection for submitted file

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to steal Mail credentials (via file / registry access)

Yara detected AntiVM3

Yara detected Snake Keylogger

Yara detected Telegram RAT

Behaviour

Behavior Graph:

Download SVG

Detection:

snakekeylogger

Link:

https://mwdb.cert.pl/sample/e8dea312a09b6c4d62912126a38778be06eab9e5bc9d33cd3af7ee8938ddbe8a/

Threat name:

ByteCode-MSIL.Trojan.AgentTesla

Status:

Malicious

First seen:

2022-03-28 07:22:09 UTC

File Type:

PE (.Net Exe)

Extracted files:

AV detection:

20 of 26 (76.92%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=5dpkgevatnwe2yureetkhb3yxydovopfxsothtj267xisog5x2fa._file

Verdict:

malicious

SnakeKeylogger

44b764e014bc56b28a3b803ca10758d94a3f0ad587835c0104a16f7968feb234

SnakeKeylogger

63a3030e7976336af80d4f489128aa9ecbe98173b595a6ea641c3f335e3c7d80

SnakeKeylogger

6c3ad75937b09b9f179f66291ba63694f740794f8f0b6c34c52567dc3319ea43

SnakeKeylogger

8247b8fabf058c2b719647eb01a5dc0f72da5df5730f6152909f12d9cd1aaf50

SnakeKeylogger

beaa8da30a284f81c59e469ebb9cafc1b30a7b4c34aaf5fac58f2755c83106f2

SnakeKeylogger

c42b8a5dc308fe050318dbb5856cc3d8825143b132cc1e02e0799d9e7109fbe0

SnakeKeylogger

c73a8629499a2e95adf6ec545b360f49d607fb8b737ab5a26020d54b37df8b8d

SnakeKeylogger

eb750ca2f4a93f7b8674c77cf2178ec75f3f858abd51c5fc4979d373b8438545

SnakeKeylogger

fa11ff2dfdf24b8e4628ba1e868a27510b4cb3936d1c03dd1d6bb8049cbdefa8

SnakeKeylogger

+ 3'333 additional samples on MalwareBazaar

Result

Malware family:

snakekeylogger

Score:

10/10

Tags:

family:snakekeylogger collection keylogger spyware stealer

Link:

https://tria.ge/reports/220328-h68fysghc2/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

outlook_office_path

outlook_win_path

Suspicious use of SetThreadContext

Accesses Microsoft Outlook profiles

Looks up external IP address via web service

Reads data files stored by FTP clients

Reads user/profile data of local email clients

Reads user/profile data of web browsers

Snake Keylogger

Snake Keylogger Payload

Unpacked files

SH256 hash:

c421a76a7e6cb8c978952acae0b113c7ef417ea3af9a5cb123f6255a0cd07155

MD5 hash:

1a45481f8db9508115dcc6a5f354d0b9

SHA1 hash:

cc67857b735be6c0ebf683d3d1a74d26be4bba4d

Link:

https://www.unpac.me/results/6d169bdc-c382-4dc6-9ef1-e8cb52c2426f/

SH256 hash:

daeb3b6c202f22327afa791bea5ed90435e0934a98120955630fdd919b0c60bc

MD5 hash:

11af1b4e699d213d16753557a389d759

SHA1 hash:

9bf88192b3d4352adf1ce7cfdfb5b35da8770cc7

Link:

https://www.unpac.me/results/6d169bdc-c382-4dc6-9ef1-e8cb52c2426f/

SH256 hash:

613b2819d35360cbfe6c94b2b998d1a4998c89f5bdef505e0e158e1288ab684c

MD5 hash:

3096cbaf4b5d40f9c61bf7ce13fde62f

SHA1 hash:

6b3c580e51fd306bfdc2e727ca3bc7805aba4b53

Link:

https://www.unpac.me/results/6d169bdc-c382-4dc6-9ef1-e8cb52c2426f/

SH256 hash:

b0e9c9dfc58decfa955c2ee9d6414b9ea4debbf7ae1676930328073edefdaf33

MD5 hash:

4f52988d2e626bdf5def7b20ef2be9c6

SHA1 hash:

29a839a057e0ef7ac6bed4a5d4c9d1d5a82ff6b6

Link:

https://www.unpac.me/results/6d169bdc-c382-4dc6-9ef1-e8cb52c2426f/

SH256 hash:

e8dea312a09b6c4d62912126a38778be06eab9e5bc9d33cd3af7ee8938ddbe8a

MD5 hash:

ff278e25a17e1470bfbec635797ec8ea

SHA1 hash:

f1e9b0036722bd5a0c69a16d1a414db4bfe9a02d

Link:

https://www.unpac.me/results/6d169bdc-c382-4dc6-9ef1-e8cb52c2426f/

Malware family:

Phoenix

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/e8dea312a09b/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Suspicious File

Score:

0.65

Link:

https://yomi.yoroi.company/submissions/e8dea312a09b6c4d62912126a38778be06eab9e5bc9d33cd3af7ee8938ddbe8a

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	pe_imphash Create hunting rule

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/258422/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample