MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 ea46cc06d4376c90836299719c0fb4bdc65e8edfc9fa367d0daa3e7cd3e63e77. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


SnakeKeylogger


Vendor detections: 15


Intelligence 15 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: ea46cc06d4376c90836299719c0fb4bdc65e8edfc9fa367d0daa3e7cd3e63e77
SHA3-384 hash: d40a2be343c64a4113363eebb1798394a841dd25d2640d47c7e07f99545acd52dc405fd3e03e984bf77295a7fc456e62
SHA1 hash: 938d67d1bd3ba551431b4ddcef76c26e2ee8a3c4
MD5 hash: 62f600955de5a395c176dd662f340f03
humanhash: lima-moon-pluto-network
File name:Old Pending Change Order #36889400341 Date 28112022.PDF!.exe
Download: download sample
Signature SnakeKeylogger
Create hunting rule
File size:953'856 bytes
First seen:2023-03-01 16:51:21 UTC
Last seen:2023-03-02 02:47:56 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 24576:oVzu2xzIJhW3hW046MG/Y5IKE4U9+3TizIxo3x:oVzPWyRWJ1WkIlN91zIY
Threatray 4'600 similar samples on MalwareBazaar
TLSH T182158CC677BCD122F8E7A1720A1511C93A39B5877212F53B9B37BB619601BFF7A88500
TrID 69.7% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.0% (.EXE) Win64 Executable (generic) (10523/12/4)
6.2% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.2% (.EXE) Win32 Executable (generic) (4505/5/1)
1.9% (.EXE) Win16/32 Executable Delphi generic (2072/23)
File icon (PE):PE icon
dhash icon 3044b271f0e8e0ba (14 x SnakeKeylogger, 13 x AgentTesla, 4 x Formbook)
Reporter cocaman
Tags:exe SnakeKeylogger

Intelligence

File Origin
# of uploads :
2
# of downloads :
204
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
Old Pending Change Order #36889400341 Date 28112022.PDF!.exe
Verdict:
Malicious activity
Analysis date:
2023-03-01 16:54:46 UTC
Tags:
snake keylogger trojan evasion
Link:
https://app.any.run/tasks/f1a73a03-38b0-408d-b765-269cdfb989dc

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Snake
Create hunting rule
Link:
https://www.capesandbox.com/analysis/370836/
Detection(s):
SecuriteInfo.com.Trojan.PackedNET.1862.19418.4697.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Creating a window
Sending a custom TCP request
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
packed
Link:
https://www.filescan.io/uploads/63ff82b566e79c93ba0d5bd3/reports/6728fa0e-25fd-4bbf-95cf-133f597728b5/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_100%
Link:
https://www.hybrid-analysis.com/sample/ea46cc06d4376c90836299719c0fb4bdc65e8edfc9fa367d0daa3e7cd3e63e77
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Generic Malware
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/b1c7916d-0d98-4c53-aa5d-d2bc65e60f2c
Result
Threat name:
Snake Keylogger
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1185044
Signature
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
May check the online IP address of the machine
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Mail credentials (via file / registry access)
Yara detected Generic Downloader
Yara detected Snake Keylogger
Yara detected Telegram RAT
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/ea46cc06d4376c90836299719c0fb4bdc65e8edfc9fa367d0daa3e7cd3e63e77/
Threat name:
ByteCode-MSIL.Trojan.Leonem
Create hunting rule
Status:
Malicious
First seen:
2023-03-01 13:21:29 UTC
File Type:
PE (.Net Exe)
Extracted files:
10
AV detection:
19 of 25 (76.00%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=5jdmybwug5wjba3ctfyzyd5uxxdf5dw7zh5dm7invi7hzu7ghz3q._file
Verdict:
malicious
Similar samples:
0d1b2fea0d5ddb060f0354f282e7fcce69fc48b55e94195f01b1ed374cf4329e
SnakeKeylogger
1a6dcb18b2d3627d35e18aab269ababa8d2af33be25a23bfb44a4b6144816ea8
SnakeKeylogger
4f8dc84952cc5e606fb05b608f35a150e5fa629c380db2cb2cb7a5aee1f322b6
SnakeKeylogger
53e78ca9d4a478e74ccf5473c7a2d954629c5a1839948514f557c8c360bc49c0
SnakeKeylogger
a200aa32fbe6af2935fe45423e0fe5c53b44cd4012a29426fbccbd947c319749
SnakeKeylogger
c27e38d55a4d9ada7e23e4829c034c36b9e735d26f53de44f70c6f5786736144
SnakeKeylogger
d943f08a35dc06253557151dbff927a9eb4c26f425d328cf612cb7e5211c3822
SnakeKeylogger
dcff2f1adb183112521e7b484dc2fff1bf98316fcc38f4c06eb0e39c416fa3dc
SnakeKeylogger
f714d656ddfec2829d90068335ee63f14ac58e91b450598ebe20e0973f77e0b3
SnakeKeylogger
f7dc2d6bc60e4be7901e3c70558612f8838f7270c3616ef95c144f57df909cc9
SnakeKeylogger
+ 4'590 additional samples on MalwareBazaar
Result
Malware family:
snakekeylogger
Create hunting rule
Score:
  10/10
Tags:
family:snakekeylogger collection keylogger spyware stealer
Link:
https://tria.ge/reports/230301-vdd3vshb47/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Looks up external IP address via web service
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Snake Keylogger
Snake Keylogger payload
Malware Config
C2 Extraction:
https://api.telegram.org/bot5611396317:AAGsgxx4hwlHZa8kVodTZpCQipWRFwFvBO0/sendMessage?chat_id=5237953097
Unpacked files
SH256 hash:
51051ad610fe85ca676a41cd40e38d950f94c4375987cf261ed438c8065bb718
MD5 hash:
90557ca39b7a088461ef6f12895a4b0a
SHA1 hash:
ec28daae459d1a83edeb938ab6d1f603330ad0d6
Link:
https://www.unpac.me/results/313e6e99-c520-4d96-bf26-87d1e5f717b4/
SH256 hash:
d8ec03c34a5f3bd93effeafc2e078ade5df75d468dae5208937c69be4fecfe7f
MD5 hash:
cd4b7952d18e1459bae379e5da7f6afb
SHA1 hash:
e09367a20c19427dae20b53cbe761d1b21272c36
Link:
https://www.unpac.me/results/313e6e99-c520-4d96-bf26-87d1e5f717b4/
SH256 hash:
58c714875d774b05c97f16f01f5050cc5723b5bc05912f402b6c6ac497af6594
MD5 hash:
52566104d25cd65ddf84c6289c620834
SHA1 hash:
dd615f66fe46ee850cf30c39fe598f298e34f35f
Link:
https://www.unpac.me/results/313e6e99-c520-4d96-bf26-87d1e5f717b4/
SH256 hash:
4b285c20ab0272c7b0cc6ba731951a0e82a9453bf4081f895bb6c7ec58c02c1b
MD5 hash:
dee6be8e9ccf642e017ababa2be45c28
SHA1 hash:
d6e427b2f8a49e55248e8f94ee2cab88d00b6a05
Link:
https://www.unpac.me/results/313e6e99-c520-4d96-bf26-87d1e5f717b4/
SH256 hash:
37fa7974e1b10166f60ebbf0d14522f31605caf825529d5dad0ff61b9c1a5798
MD5 hash:
c0f22544c7658e0075cd60d13ab50e08
SHA1 hash:
63a10ca1c29cb78112f6eb2f9ce0687e6a73ce23
Detections:
snake_keylogger
Create hunting rule
Link:
https://www.unpac.me/results/313e6e99-c520-4d96-bf26-87d1e5f717b4/
Parent samples :
9cef746651b3dc0dc351663360dc8b614e4bd4d82b44ed13a212e988d2f3c072
97a21cdbe71ff0d84c423b4bc9a373a1de90c94ec7af9adc97a6d3812fdf2dfd
f635e3920cddccde1c4981c0a4a79332c108c1249ad34421dc54d9c30a94d1a7
f6acf4d217145bc4c53e7e9b17046134b2afc502ba7ef0b7cd96d165b1602c3e
465ae47eaddb30a5c73bc629399fa34845f1ba18a8fc9e5a55765064b2910b37
ea46cc06d4376c90836299719c0fb4bdc65e8edfc9fa367d0daa3e7cd3e63e77
SH256 hash:
ea46cc06d4376c90836299719c0fb4bdc65e8edfc9fa367d0daa3e7cd3e63e77
MD5 hash:
62f600955de5a395c176dd662f340f03
SHA1 hash:
938d67d1bd3ba551431b4ddcef76c26e2ee8a3c4
Link:
https://www.unpac.me/results/313e6e99-c520-4d96-bf26-87d1e5f717b4/
Malware family:
SnakeKeylogger
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/ea46cc06d437/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.54
Link:
https://yomi.yoroi.company/submissions/ea46cc06d4376c90836299719c0fb4bdc65e8edfc9fa367d0daa3e7cd3e63e77

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

SnakeKeylogger

rar f0ca7878465e4cf64ad99aba019aa16e2aa08bade1fcb84cae7a3dc767abb3fb

SnakeKeylogger

Executable exe ea46cc06d4376c90836299719c0fb4bdc65e8edfc9fa367d0daa3e7cd3e63e77

(this sample)

  
Delivery method
Other
  
Dropped by
SHA256 f0ca7878465e4cf64ad99aba019aa16e2aa08bade1fcb84cae7a3dc767abb3fb
Cape
Cape
https://www.capesandbox.com/analysis/370836/
  
Dropped by
MD5 40b75eb5a09c0326abff9751a706d322

Comments