MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 f2912bcf7fbc7f4bce35f66e7854bf01835e74a1d5f095595eb59d4dcd7497cf. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

SnakeKeylogger

Vendor detections: 15

Intelligence 15 IOCs YARA 2 File information Comments

SHA256 hash:	f2912bcf7fbc7f4bce35f66e7854bf01835e74a1d5f095595eb59d4dcd7497cf
SHA3-384 hash:	c4c69a09e5e9236384a31446267cb345bd348d2d193f238df889e92bcb2b3c2228d986d3d47b3402378c1549fe835223
SHA1 hash:	fde61811f7ae53f9fa59e17fb5c2c6143a48b282
MD5 hash:	db92e74aee2f64a0b40a64c1a014e257
humanhash:	kentucky-washington-triple-ten
File name:	SecuriteInfo.com.Win32.PWSX-gen.20639.13549
Download:	download sample
Signature	SnakeKeylogger Create hunting rule
File size:	556'544 bytes
First seen:	2022-12-05 09:40:38 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'747 x AgentTesla, 19'638 x Formbook, 12'244 x SnakeKeylogger)
ssdeep	12288:APuYd+V6b1momPZefI1NRtBLHVjxxFv+O+ZTWB2/XAbJK7:APuYd+V6bIomxiIhHVjHh+w2/AbJK7
Threatray	9'413 similar samples on MalwareBazaar
TLSH	T120C4121E7684D127CD65EA71F0BAA15503F1BCA2AE22E32DB44331EF0A72B9D4B10757
TrID	63.0% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13) 11.2% (.SCR) Windows screen saver (13097/50/3) 9.0% (.EXE) Win64 Executable (generic) (10523/12/4) 5.6% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 3.8% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):
dhash icon	ecf0c68ac2c298f2 (60 x SnakeKeylogger, 14 x Formbook, 6 x AgentTesla)
Reporter	SecuriteInfoCom
Tags:	exe SnakeKeylogger

Intelligence

File Origin

# of uploads :

# of downloads :

211

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

SecuriteInfo.com.Win32.PWSX-gen.20639.13549

Verdict:

Malicious activity

Analysis date:

2022-12-05 15:44:03 UTC

Tags:

evasion trojan snake

Link:

https://app.any.run/tasks/3158a9a5-d444-4590-9c43-3efee95d5542

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

Snake

Link:

https://www.capesandbox.com/analysis/342856/

Detection(s):

SecuriteInfo.com.Win32.PWSX-gen.20639.13549.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

Sending a custom TCP request

Unauthorized injection to a recently created process

Creating a file

Сreating synchronization primitives

DNS request

Sending an HTTP GET request

Reading critical registry keys

Forced shutdown of a browser

Verdict:

Suspicious

Threat level:

5/10

Confidence:

100%

Tags:

packed

Link:

https://www.filescan.io/uploads/638dbcb10c6473d167197eec/reports/2b7a33f5-f6ea-4de7-a14c-9c71925468e1/overview

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Snake Keylogger

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/bd873aed-a898-411d-9942-469632fd23a2

Result

Threat name:

Snake Keylogger

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1127909

Signature

.NET source code contains potential unpacker

.NET source code references suspicious native API functions

Injects a PE file into a foreign processes

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

May check the online IP address of the machine

Multi AV Scanner detection for submitted file

Snort IDS alert for network traffic

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to steal Mail credentials (via file / registry access)

Yara detected AntiVM3

Yara detected Generic Downloader

Yara detected Snake Keylogger

Yara detected Telegram RAT

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/f2912bcf7fbc7f4bce35f66e7854bf01835e74a1d5f095595eb59d4dcd7497cf/

Threat name:

ByteCode-MSIL.Trojan.AgentTesla

Status:

Malicious

First seen:

2022-12-05 07:37:57 UTC

File Type:

PE (.Net Exe)

Extracted files:

AV detection:

23 of 26 (88.46%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=6kisxt37xr7uxtrv6zxhqvf7agbv45fb2xyjkwk6wwou3tlus7hq._file

Verdict:

malicious

SnakeKeylogger

09a476b31272d7aa3ba1e7f0a5ed54dda6834819fb360de18cd883fdb177686d

SnakeKeylogger

5c00ba81ba3c63b387be3c81b197a552de1ba46a1922c696d602e4fbf1700c01

SnakeKeylogger

6e3068d40a7f9cf1c1b32ce4c58931efe7363b9f2d9c96117c72e8c5fa90c723

SnakeKeylogger

bde44d28af8eea00ebb87e8a609fba8ed3e7371dfc1b5b842ef1a2aac4a0819c

SnakeKeylogger

e3555cc65ec783fa2aa5a0c5c565e2ac373487fbcffd83db2a014f40ac983d30

SnakeKeylogger

e7bce95f8d0c0afe68c7073eb88a60271388885c07bd9a5abfcace139eec9e9f

SnakeKeylogger

f92f663f8f3a0eb9aa71214253b157153bc4c9b386e4189c00017ec85e9d6913

SnakeKeylogger

+ 9'403 additional samples on MalwareBazaar

Result

Malware family:

snakekeylogger

Score:

10/10

Tags:

family:snakekeylogger collection keylogger spyware stealer

Link:

https://tria.ge/reports/221205-lnrx2afh97/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

outlook_office_path

outlook_win_path

Program crash

Suspicious use of SetThreadContext

Accesses Microsoft Outlook profiles

Looks up external IP address via web service

Reads data files stored by FTP clients

Reads user/profile data of local email clients

Reads user/profile data of web browsers

Snake Keylogger

Snake Keylogger payload

Malware Config

C2 Extraction:

https://api.telegram.org/bot5409930542:AAFxwqGbFuHLkEcoI_Wd5LmyaZ64bak9as0/sendMessage?chat_id=5492983899

Unpacked files

SH256 hash:

6897514151c61188eef196109020bba0b5f53de689144928aea20ab97b9b8a03

MD5 hash:

5e6ecdca36b1e9559d3eb987a8d73f1c

SHA1 hash:

a3a86faa8bf46eebdf0e78a87f93edbd92a4d161

Detections:

snake_keylogger

Link:

https://www.unpac.me/results/d4be9302-314e-4f64-97c7-d0f31000bef1/

Parent samples :

ce49fe316e00aef70cce1d5430382613692b59d306b9b6253e88ac5c94732b0d
35aeecd77643fc7df90432db30ef248cfba29a9cc98a2c164b3bb4d233974734
f2912bcf7fbc7f4bce35f66e7854bf01835e74a1d5f095595eb59d4dcd7497cf
726fe602b1d9ea227e0835f11d9180d9a7911d52fa5e7fe7dda2700eb38c659e
aa1ae5f4ed9446576dbd7af18510705811dd7ce85bd06bc0ed988d65e855b963
dec5bbf9420596e7e4b387c6331b6009817af7803e20f717ffb55dc313e60645
482f061d6359be2ae8cd7c5ff63fe997ef1dc42d1a286237db8729097647c507
16c366cb47a4b606f2b20a1a1ccb4a8e408c758afbae9b51922667abf9c2b92f
84cc129521b39e0182631b253637efda5e6305b8c484ab76f3a4184e81bbd812
73d18d7b6bd92fa3e85db713d39f932c483c0317607b93a2b31845d4e703a6a2
f20fc83d3adb7cf9f5dbaa5efab44527e0657d88529bc621ec489e37593d510c
64879bdaf4add0db2f52b2cfc4c579b15fa5263601aed7c3aeeb926f0dba1acf

SH256 hash:

922915132a628d0050bf03a473370544dde3323627fb4adcba3f1ba869537e50

MD5 hash:

1ecb63625d636b0b8f8ebdece9fa80c3

SHA1 hash:

5623d5ad21fc63893011bae7e4709c51219fcc1c

Link:

https://www.unpac.me/results/d4be9302-314e-4f64-97c7-d0f31000bef1/

SH256 hash:

2c0ccc15ea80c1700d6d38bc3e1ac8a8685da224c62b117c75a1ec0124207cc3

MD5 hash:

fb3b7bc7c9cf67697934c9c3f92e5b03

SHA1 hash:

3c66e67f4df0e4f9ca481a870cd2df2ceebf3e77

Link:

https://www.unpac.me/results/d4be9302-314e-4f64-97c7-d0f31000bef1/

SH256 hash:

e590464e3694efe9ed922706ff0cfe121df327846c913c95fec408f7e3c4e573

MD5 hash:

acfadfe4ad122256dbff9f1497336467

SHA1 hash:

17374e8c73ccd68c11a4157195d62f34809bfcfb

Link:

https://www.unpac.me/results/d4be9302-314e-4f64-97c7-d0f31000bef1/

SH256 hash:

a000e28f51f40830d58c277f38b69a9621cd261df82876289ea6e3080ff76928

MD5 hash:

9dbcdd52743d0ccf5ac7223d758a3fc7

SHA1 hash:

01ab24d6591d5d866d179951c39be031ed951508

Link:

https://www.unpac.me/results/d4be9302-314e-4f64-97c7-d0f31000bef1/

SH256 hash:

f2912bcf7fbc7f4bce35f66e7854bf01835e74a1d5f095595eb59d4dcd7497cf

MD5 hash:

db92e74aee2f64a0b40a64c1a014e257

SHA1 hash:

fde61811f7ae53f9fa59e17fb5c2c6143a48b282

Link:

https://www.unpac.me/results/d4be9302-314e-4f64-97c7-d0f31000bef1/

Malware family:

SnakeKeylogger

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/f2912bcf7fbc/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Suspicious File

Score:

0.65

Link:

https://yomi.yoroi.company/submissions/f2912bcf7fbc7f4bce35f66e7854bf01835e74a1d5f095595eb59d4dcd7497cf

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	pe_imphash Create hunting rule

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/342856/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample