MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 eab658dc337806cf9d581da4cb44cfdea0a7ed1d9a5007848faeaa0b624fed3b. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

SnakeKeylogger

Vendor detections: 14

Intelligence 14 IOCs YARA 2 File information Comments

SHA256 hash:	eab658dc337806cf9d581da4cb44cfdea0a7ed1d9a5007848faeaa0b624fed3b
SHA3-384 hash:	a98fa0f6c2504c6bf2cfadb2cc1b903bba19e88c86b218a920cf4738f96f37a0816eb7b0f28ef679c9f7ca1c4146121d
SHA1 hash:	9d7c33fdded3f99d263b5a5ede1ad223b1f8a88f
MD5 hash:	27a873a35fac60f06f35762aae49fbb9
humanhash:	harry-twelve-sad-lithium
File name:	Pending invoice.exe
Download:	download sample
Signature	SnakeKeylogger Create hunting rule
File size:	654'336 bytes
First seen:	2023-03-30 06:40:36 UTC
Last seen:	2023-04-05 00:17:51 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'742 x AgentTesla, 19'607 x Formbook, 12'242 x SnakeKeylogger)
ssdeep	6144:0iFagIJ1BpTkP8nQwUnzEC47J722AxAJYC6lk4+pLDkpJmnyvqwVUFYRyq27IM:0RBNk4szE9g24POdkpQyywVUF4fN
TLSH	T12CD46C7C1AFCC556E039D7758BB44C30E7EDB4177A36CE1E79EA00890A26A41768336E
TrID	63.0% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13) 11.2% (.SCR) Windows screen saver (13097/50/3) 9.0% (.EXE) Win64 Executable (generic) (10523/12/4) 5.6% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 3.8% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):
dhash icon	e8b2aa696cd4e892 (5 x AgentTesla, 2 x Formbook, 1 x SnakeKeylogger)
Reporter	abuse_ch
Tags:	exe SnakeKeylogger

Intelligence

File Origin

# of uploads :

# of downloads :

230

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

Pending invoice.exe

Verdict:

Malicious activity

Analysis date:

2023-03-30 06:47:37 UTC

Tags:

snake keylogger trojan evasion

Link:

https://app.any.run/tasks/86083a67-e364-46c9-95e4-f5b1580e11d0

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

Snake

Link:

https://www.capesandbox.com/analysis/378672/

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

Сreating synchronization primitives

Creating a file in the %AppData% directory

Creating a file in the %temp% directory

Launching a process

Creating a process with a hidden window

Unauthorized injection to a recently created process

Creating a file

Enabling autorun by creating a file

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

floxif packed threat virus

Link:

https://www.filescan.io/uploads/64252f04688c0e6397b3a2a0/reports/fe80e956-651c-4430-b96e-5873af3d814c/overview

Verdict:

Malicious

Labled as:

Win/malicious_confidence_90%

Link:

https://www.hybrid-analysis.com/sample/eab658dc337806cf9d581da4cb44cfdea0a7ed1d9a5007848faeaa0b624fed3b

Result

Verdict:

UNKNOWN

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Snake Keylogger

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/7bc3e3b9-5189-4765-a530-ca3648958632

Result

Threat name:

Snake Keylogger

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1204872

Signature

Initial sample is a PE file and has a suspicious name

Injects a PE file into a foreign processes

Machine Learning detection for dropped file

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

May check the online IP address of the machine

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Sigma detected: Scheduled temp file as task from temp location

Snort IDS alert for network traffic

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to steal Mail credentials (via file / registry access)

Uses schtasks.exe or at.exe to add and modify task schedules

Yara detected AntiVM3

Yara detected Generic Downloader

Yara detected Snake Keylogger

Yara detected Telegram RAT

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/eab658dc337806cf9d581da4cb44cfdea0a7ed1d9a5007848faeaa0b624fed3b/

Threat name:

ByteCode-MSIL.Trojan.Pwsx

Status:

Malicious

First seen:

2023-03-30 06:41:09 UTC

File Type:

PE (.Net Exe)

Extracted files:

AV detection:

10 of 24 (41.67%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=5k3frxbtpadm7hkydwsmwrgp32qkp3i5tjiapbepv2vawysp5u5q._file

Result

Malware family:

snakekeylogger

Score:

10/10

Tags:

family:snakekeylogger collection keylogger spyware stealer

Link:

https://tria.ge/reports/230330-hfr2aabc54/

Behaviour

Creates scheduled task(s)

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

outlook_office_path

outlook_win_path

Enumerates physical storage devices

Suspicious use of SetThreadContext

Accesses Microsoft Outlook profiles

Looks up external IP address via web service

Checks computer location settings

Reads data files stored by FTP clients

Reads user/profile data of local email clients

Reads user/profile data of web browsers

Snake Keylogger

Snake Keylogger payload

Malware Config

C2 Extraction:

https://api.telegram.org/bot6201063260:AAFNunaDOhtoeTfrWIWz56huyZbdHssBU3s/sendMessage?chat_id=5932819427

Unpacked files

SH256 hash:

ad62c7e4c25c71b6b9dae31711cd8e6cdfde6b18afcd7c415d705ca073f74b10

MD5 hash:

0b52edb9900fa55df0f9f24c667f863f

SHA1 hash:

bf4d063e1260d4c0a95ad173d7f4785c7ef98dbe

Link:

https://www.unpac.me/results/b72d0ae2-60bf-482b-89d6-d74ba03c9f29/

SH256 hash:

94e55544403b1dd8461dbc405f231625c8f8fc4114bb8477a988dfd89731b070

MD5 hash:

4483a53c8760130b940b5a8bcecb71e7

SHA1 hash:

9d3ebdc71bdb539add9325f4211dc4dad48cc21d

Detections:

snake_keylogger

Link:

https://www.unpac.me/results/b72d0ae2-60bf-482b-89d6-d74ba03c9f29/

Parent samples :

eab658dc337806cf9d581da4cb44cfdea0a7ed1d9a5007848faeaa0b624fed3b
eb9b75de38d85a10701424dccef23e23ed5fe323b52871cde5b4054f4dc6c087
4018954cd403dd6290586606332d069967bb4bad1302bf071475d94423aaaa1e
5027d53a0f057968982a4c2610a105ce2fe89d9e2de1ffc70177c750be3a8385
d7f55b222b8d9a235401bc900230aff5b37da8cc7e9431459da35b380c5c55bf
203c54db6ea49b332902effc5e4b8c9365f966bd744b00372da7baef4b45184e
87405f169e42b52d9561d79b89f6898cc735f0edc26905baecf21673244455ad
e09602a4f8e956bcadcefd160458c0e669d176a1915edb9715e7d7aee549efed

SH256 hash:

ea8d4c91ec5bba5e1db6c17730d7ba5cdbb5ff3c1a777f70c90e91ce599d9b5d

MD5 hash:

27f5124bf8f451bca8d8a15c73c4f521

SHA1 hash:

5fd557e109b8fd1c3b362b64f0ba9f1600c07211

Link:

https://www.unpac.me/results/b72d0ae2-60bf-482b-89d6-d74ba03c9f29/

SH256 hash:

eab658dc337806cf9d581da4cb44cfdea0a7ed1d9a5007848faeaa0b624fed3b

MD5 hash:

27a873a35fac60f06f35762aae49fbb9

SHA1 hash:

9d7c33fdded3f99d263b5a5ede1ad223b1f8a88f

Link:

https://www.unpac.me/results/b72d0ae2-60bf-482b-89d6-d74ba03c9f29/

Malware family:

SnakeKeylogger

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/eab658dc3378/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/eab658dc337806cf9d581da4cb44cfdea0a7ed1d9a5007848faeaa0b624fed3b

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.