MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 e9fd701684bc7797ae242b2fe3cab647e13cde3a42b3bdc0132fecbb6d6c32d1. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

SnakeKeylogger

Vendor detections: 15

Intelligence 15 IOCs YARA 2 File information Comments

SHA256 hash:	e9fd701684bc7797ae242b2fe3cab647e13cde3a42b3bdc0132fecbb6d6c32d1
SHA3-384 hash:	1dc00b41660847718da3aae77eb6908c8f2755d338bb8fc1f50c134c1255880621a05a5caab6c1044847f46a66e5e083
SHA1 hash:	fde1703032fe38bdfcf89118160abfad99b39cd8
MD5 hash:	feeb51525cf18dbeeb4bd18e198be6df
humanhash:	oxygen-green-quebec-michigan
File name:	payment copy.exe
Download:	download sample
Signature	SnakeKeylogger Create hunting rule
File size:	1'006'592 bytes
First seen:	2022-10-12 07:26:39 UTC
Last seen:	2022-10-12 08:39:51 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'661 x AgentTesla, 19'474 x Formbook, 12'208 x SnakeKeylogger)
ssdeep	12288:tDgMrUsh6t/x3iGO0ZL8dxlRxZws2kZgPO8SgLRAQSQy4Ak:lG/kqL8l7Ws2kZ6O8XAtQy4A
Threatray	5'949 similar samples on MalwareBazaar
TLSH	T11D255A7E29964907D8147135C887D1F32AFBAD50A062D2CB6AD72F1FBC452BF950338A
TrID	64.2% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13) 11.5% (.SCR) Windows screen saver (13101/52/3) 9.2% (.EXE) Win64 Executable (generic) (10523/12/4) 5.7% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 3.9% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):
dhash icon	9aa298d4d4b8a29a (18 x SnakeKeylogger, 10 x Formbook, 5 x Loki)
Reporter	abuse_ch
Tags:	exe SnakeKeylogger

Intelligence

File Origin

# of uploads :

# of downloads :

195

Origin country :

n/a

Vendor Threat Intelligence

Detection:

Snake

Link:

https://www.capesandbox.com/analysis/319226/

Detection(s):

SecuriteInfo.com.Trojan.GenericKD.62687136.25439.9609.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

Sending a custom TCP request

Launching a process

Verdict:

Suspicious

Threat level:

5/10

Confidence:

100%

Tags:

packed

Link:

https://www.filescan.io/uploads/63466c485cada2cbc6ebb3a5/reports/8256e3bb-1ba2-496f-be8c-ff574c494e50/overview

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Snake Keylogger

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/863402f8-39c4-4a25-b1ec-fe9a4c8e22f6

Result

Threat name:

Snake Keylogger

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1088604

Signature

.NET source code contains potential unpacker

.NET source code contains very large array initializations

.NET source code references suspicious native API functions

Initial sample is a PE file and has a suspicious name

Injects a PE file into a foreign processes

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

May check the online IP address of the machine

Multi AV Scanner detection for submitted file

Snort IDS alert for network traffic

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to steal Mail credentials (via file / registry access)

Writes to foreign memory regions

Yara detected AntiVM3

Yara detected Generic Downloader

Yara detected Snake Keylogger

Yara detected Telegram RAT

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/e9fd701684bc7797ae242b2fe3cab647e13cde3a42b3bdc0132fecbb6d6c32d1/

Threat name:

Win32.Trojan.Leonem

Status:

Malicious

First seen:

2022-10-11 09:20:07 UTC

File Type:

PE (.Net Exe)

Extracted files:

AV detection:

20 of 42 (47.62%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=5h6xafuexr3zplrefmx6hsvwi7qtzxr2ikz33qatf7wlw3lmgliq._file

Verdict:

malicious

SnakeKeylogger

1f5f9b2d9867afa54498f1b84493d49d0ee68f42ef0aa55e9f4ca21aabf898c3

SnakeKeylogger

2201eda7898979f08187156740f0e2b9012da6d51f0905c3122b95c39bade49f

SnakeKeylogger

4952a1b507d5779ad9e44e2976af3b6f890fb7d9f1bb685bea255300a70cf1bf

SnakeKeylogger

5e5878e7c89a666a6f6c0f3ad414a7c3d47c85d8bab613343b531ef552127ee8

SnakeKeylogger

c61fef7fcacfba05be6a0c2527cdde790b4a57dde45b53168fb6c415fcf2b174

SnakeKeylogger

cda24e3d3a8ba88a8d2d0dab710a930bc5ca13c1c3083971a0714fb318f8f5c8

SnakeKeylogger

f21713f098ba22b69b0303da4fe32dda9e1290f2d5986b9ff18cdd7de6f5d0ca

SnakeKeylogger

+ 5'939 additional samples on MalwareBazaar

Result

Malware family:

snakekeylogger

Score:

10/10

Tags:

family:snakekeylogger collection keylogger stealer

Link:

https://tria.ge/reports/221012-h94l6scghq/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

outlook_office_path

outlook_win_path

Suspicious use of SetThreadContext

Accesses Microsoft Outlook profiles

Looks up external IP address via web service

Snake Keylogger

Snake Keylogger payload

Verdict:

Suspicious

Tags:

n/a

YARA:

n/a

Link:

https://app.threat.zone/submission/9a859b7b-d8d4-4cb0-a891-af1bbd2aec82

Unpacked files

SH256 hash:

161903f7d5633a0cdc5d416c229e1af16ad3f5a6d11dbe8d500aa9151a273f62

MD5 hash:

b460e7cd67e88a80f0b65f65d28b1c4c

SHA1 hash:

fef017687483cf2b5b9d5f8061b6f0645fdcf779

Link:

https://www.unpac.me/results/32e25f69-8132-40fc-8523-2b38dbb4f8c4/

SH256 hash:

af7ac1171b44c9a949ad80bfaf05095048d0b74cfb527f66479e22f47d340110

MD5 hash:

f696dc0e00cb8f70799ac3fcaa5f9f6a

SHA1 hash:

cde2283de5b89639ea52f6388feef8f77efc63ce

Link:

https://www.unpac.me/results/32e25f69-8132-40fc-8523-2b38dbb4f8c4/

SH256 hash:

26f67228e4e7f2d60b01fbaf3b505a23d4772fd849fef5d115f8ae56f15feea2

MD5 hash:

a6daa96cffbaf0481ba5555f1d6e52ef

SHA1 hash:

83f2c10e5472789140d9efb7086c76e8d139dcf6

Detections:

snake_keylogger

Link:

https://www.unpac.me/results/32e25f69-8132-40fc-8523-2b38dbb4f8c4/

Parent samples :

e9fd701684bc7797ae242b2fe3cab647e13cde3a42b3bdc0132fecbb6d6c32d1
7ef57837d1427b3146d85b511aff1f671a9d89462e62e76589e15ef8e5fb1761
c313499926025e87ff778f2f690e29c3082563c26272eeb8fd69f9933950f5f2
c167c9bd0ff7b9f65eba7773da161da2358991a916bd2e0aeb783ee7b063dcac
3fb6b6ec95d77b019270dbeef926ae86dd51c2828a2a9d97751447b5f9b1075b
997cb0a84a067a20e85ad918d2a6399a4e25daa6b49b61a961493c044009e751
8ef5abf806b4399370b4c8a1ea4f0b87e995754b4594d751ba2648c55b71ad25
d3884bc7ac4cec7f711e22e58c7010ade8ea78c996e222d37fa3258228cb9d44

SH256 hash:

442923f115667f714cb5e0e33424d68db1e75c0c37340fb0445fe3008cf34909

MD5 hash:

16377d778aa60a528b9e949ac6d4c780

SHA1 hash:

1f38c38fce830f073e7994c9d6215a6bc9d67686

Link:

https://www.unpac.me/results/32e25f69-8132-40fc-8523-2b38dbb4f8c4/

SH256 hash:

6651e8543723ac65766b1accede4a448f4f070316515ab17947a480976f5d782

MD5 hash:

d85f2010cf61cfee70ceb0e6ec6f0e69

SHA1 hash:

1965b251f40ca9d1a4a7284656bea27da60e4653

Link:

https://www.unpac.me/results/32e25f69-8132-40fc-8523-2b38dbb4f8c4/

SH256 hash:

e9fd701684bc7797ae242b2fe3cab647e13cde3a42b3bdc0132fecbb6d6c32d1

MD5 hash:

feeb51525cf18dbeeb4bd18e198be6df

SHA1 hash:

fde1703032fe38bdfcf89118160abfad99b39cd8

Link:

https://www.unpac.me/results/32e25f69-8132-40fc-8523-2b38dbb4f8c4/

Malware family:

SnakeKeylogger

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/e9fd701684bc/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

0.81

Link:

https://yomi.yoroi.company/submissions/e9fd701684bc7797ae242b2fe3cab647e13cde3a42b3bdc0132fecbb6d6c32d1

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	pe_imphash Create hunting rule

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/319226/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample