MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 eb995f7ba46e5dec3099fbbcee5dce2ca160df6b8237e7ebc0d4a6bd1a615ec6. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

SnakeKeylogger

Vendor detections: 14

Intelligence 14 IOCs YARA 2 File information Comments

SHA256 hash:	eb995f7ba46e5dec3099fbbcee5dce2ca160df6b8237e7ebc0d4a6bd1a615ec6
SHA3-384 hash:	e4d062afa982130fa78dbb910b8b702d083457f81fc6bbcefec2c4606b666b53b64c6fdf8ba86627b9ff77473e71870e
SHA1 hash:	4f8757ded4f917e62f9cccc659134078391f4ff1
MD5 hash:	18c8885325698aafe73bffb4000f91f3
humanhash:	crazy-salami-social-vermont
File name:	Shipping documents CI&PL orde.exe
Download:	download sample
Signature	SnakeKeylogger Create hunting rule
File size:	797'696 bytes
First seen:	2022-09-19 16:35:53 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'662 x AgentTesla, 19'478 x Formbook, 12'208 x SnakeKeylogger)
ssdeep	12288:Z/DJAI92FgmzikGW+yXQyRF5fwNr7dO1mzts4ZD9IEIDri:Za9LikGWNyN/pJblbID
Threatray	4'203 similar samples on MalwareBazaar
TLSH	T16A05C028677AC907C86AA534C9C2F2711EF85DC1835FC24F48D87D67F23A39D69823A5
TrID	72.5% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13) 10.4% (.EXE) Win64 Executable (generic) (10523/12/4) 6.5% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 4.4% (.EXE) Win32 Executable (generic) (4505/5/1) 2.0% (.EXE) OS/2 Executable (generic) (2029/13)
File icon (PE):
dhash icon	8a1332e8aacc4db2 (8 x Formbook, 7 x AgentTesla, 6 x SnakeKeylogger)
Reporter	abuse_ch
Tags:	exe SnakeKeylogger

Intelligence

File Origin

# of uploads :

# of downloads :

223

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

Shipping documents CI&PL orde.exe

Verdict:

Malicious activity

Analysis date:

2022-09-19 16:40:29 UTC

Tags:

trojan evasion snake keylogger

Link:

https://app.any.run/tasks/c92e0ce0-28b9-49c6-91be-83cc44688acf

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

Snake

Link:

https://www.capesandbox.com/analysis/311408/

Detection(s):

SecuriteInfo.com.Win32.PWSX-gen.29675.UNOFFICIAL

Sanesecurity.Rogue.0hr.20220919-1136.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

Sending a custom TCP request

Verdict:

Suspicious

Threat level:

5/10

Confidence:

100%

Tags:

packed

Link:

https://www.filescan.io/uploads/63289a9e865ed83c0118a7d9/reports/cc357289-5e2e-4f2c-94f9-c0fdea6036a9/overview

Result

Verdict:

UNKNOWN

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Snake Keylogger

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/8d562a46-eb6c-45c4-bd2b-b30062dca7fe

Result

Threat name:

Snake Keylogger

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1073110

Signature

.NET source code contains potential unpacker

.NET source code references suspicious native API functions

Initial sample is a PE file and has a suspicious name

Injects a PE file into a foreign processes

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

May check the online IP address of the machine

Multi AV Scanner detection for submitted file

Snort IDS alert for network traffic

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to steal Mail credentials (via file / registry access)

Yara detected AntiVM3

Yara detected Generic Downloader

Yara detected Snake Keylogger

Yara detected Telegram RAT

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/eb995f7ba46e5dec3099fbbcee5dce2ca160df6b8237e7ebc0d4a6bd1a615ec6/

Threat name:

ByteCode-MSIL.Trojan.SnakeKeylogger

Status:

Malicious

First seen:

2022-09-19 08:38:25 UTC

File Type:

PE (.Net Exe)

Extracted files:

AV detection:

18 of 40 (45.00%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=5omv665enzo6ymez7o6o4xoofsqwbx3lqi36p26a2stl2gtbl3da._file

Verdict:

malicious

SnakeKeylogger

237298bcda2ee288f62c23a292d0d29d7ad606f87966c4ade3e2ef1228fe8c76

SnakeKeylogger

2a9cd913906e0f913fbf49f3eb0539baa49e83a46e578750b1da290e1662a21c

SnakeKeylogger

7611436d20a223084b2e2b1f7d2ee7a60d9b029ab0377d9670e427e33d366e10

SnakeKeylogger

7d302f9d3565d5968f1500d01a8e6ea2b8440a318858a24a6abbe24fbf5c2214

SnakeKeylogger

a0bafce415317d58c1a59d6a176b23a07213e080dedd628611fdd423bf825096

SnakeKeylogger

c271dfd86bd75855555cfddd1be5944d760355820f7f0f88389e504630821206

SnakeKeylogger

+ 4'193 additional samples on MalwareBazaar

Result

Malware family:

snakekeylogger

Score:

10/10

Tags:

family:snakekeylogger collection keylogger spyware stealer

Link:

https://tria.ge/reports/220919-t39emacfan/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

outlook_office_path

outlook_win_path

Suspicious use of SetThreadContext

Accesses Microsoft Outlook profiles

Looks up external IP address via web service

Reads data files stored by FTP clients

Reads user/profile data of local email clients

Reads user/profile data of web browsers

Snake Keylogger

Snake Keylogger payload

Unpacked files

SH256 hash:

0120953b5ed6a7cc6431bbf718c86d984ab1646cf5886a1f9f87cf9377a71e91

MD5 hash:

93089026d26fc3b71d48799657cb93ea

SHA1 hash:

cc2bde7d050df1b9bdec9c0f8bfffcd7f6b3cea5

Detections:

snake_keylogger

Link:

https://www.unpac.me/results/219138e0-50fb-4833-a316-9b051bef0abf/

Parent samples :

eb995f7ba46e5dec3099fbbcee5dce2ca160df6b8237e7ebc0d4a6bd1a615ec6
75f6b5d75163f57877978d241e43df174b6d18bc4c3288a34787433461a063ca

SH256 hash:

70dfa4c873605ab0fcdcb62be2a970da110535280d8dc88261edbe1ed2865307

MD5 hash:

d5b0f8aff064b3e828421b48efccd312

SHA1 hash:

724f4bc7ab4e08c45562748b739c8f7496a5ad8f

Link:

https://www.unpac.me/results/219138e0-50fb-4833-a316-9b051bef0abf/

SH256 hash:

651eb4f89f43819a2f47af19fe53c2b11bf9dceb45ae5628bf433b208ebbf1ab

MD5 hash:

405b936c56f673f5422451e4835e7d80

SHA1 hash:

66e8df3b8cc29df756b30e55047a2ecc5f495ef7

Link:

https://www.unpac.me/results/219138e0-50fb-4833-a316-9b051bef0abf/

SH256 hash:

44c50087cbd9a86677ff5b898c1ad52abf5f25297179a174edcc8b81dec967fc

MD5 hash:

d012ba9057bf67c7f29871326f2af919

SHA1 hash:

1d5b8b512b37f0e1900496b578117082929654c7

Link:

https://www.unpac.me/results/219138e0-50fb-4833-a316-9b051bef0abf/

SH256 hash:

5e747b02e0d1fd3b63b054580930f557b6a1d27c5163ef0434d0cce2d89353d7

MD5 hash:

6adba22f272d068ecd8f37f0c6c2c7be

SHA1 hash:

1903bdf2cacceb0992b4608bfd29bfd166f14114

Link:

https://www.unpac.me/results/219138e0-50fb-4833-a316-9b051bef0abf/

SH256 hash:

eb995f7ba46e5dec3099fbbcee5dce2ca160df6b8237e7ebc0d4a6bd1a615ec6

MD5 hash:

18c8885325698aafe73bffb4000f91f3

SHA1 hash:

4f8757ded4f917e62f9cccc659134078391f4ff1

Link:

https://www.unpac.me/results/219138e0-50fb-4833-a316-9b051bef0abf/

Malware family:

SnakeKeylogger

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/eb995f7ba46e/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Suspicious File

Score:

0.65

Link:

https://yomi.yoroi.company/submissions/eb995f7ba46e5dec3099fbbcee5dce2ca160df6b8237e7ebc0d4a6bd1a615ec6

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	pe_imphash Create hunting rule

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

SnakeKeylogger

exe eb995f7ba46e5dec3099fbbcee5dce2ca160df6b8237e7ebc0d4a6bd1a615ec6

(this sample)

Delivery method

Distributed via e-mail attachment

Cape

https://www.capesandbox.com/analysis/311408/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample