MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 f2a224c514f49ca2f17c6aee38fdf8d61516ff9f68dd3d335b3e5850c6b5a8e1. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

SnakeKeylogger

Vendor detections: 12

Intelligence 12 IOCs YARA 2 File information Comments

SHA256 hash:	f2a224c514f49ca2f17c6aee38fdf8d61516ff9f68dd3d335b3e5850c6b5a8e1
SHA3-384 hash:	9c3302c12524b76ab3017b7561e595e11f0f496c6e8d072d0dec78de1a96a20cac5c93686efce093e54e2b111f03bf72
SHA1 hash:	eb3289c5d981c7bdb1166eb647115ba0536f8b07
MD5 hash:	5e3492467638f1b58b450d6cd316744c
humanhash:	kansas-twelve-table-grey
File name:	DHL AWB#68625.pdf.exe
Download:	download sample
Signature	SnakeKeylogger Create hunting rule
File size:	360'160 bytes
First seen:	2022-01-20 08:12:23 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'205 x SnakeKeylogger)
ssdeep	6144:pEVtrtLF33kzUJ/qUd53rUWDLcAMcCi5RKJcHLIdBxhT8TZkPEizPeAD3W7OwgK1:W3RsUJC853goMhiiJgIBRZz5DmlgMs0
Threatray	2'463 similar samples on MalwareBazaar
TLSH	T1B67401147BFA2B5DD9FE87F4B170011057B9395A2622C34D0D4E60DE29B6FC28692B3B
Reporter	abuse_ch
Tags:	DHL exe SnakeKeylogger

Intelligence

File Origin

# of uploads :

# of downloads :

183

Origin country :

n/a

Vendor Threat Intelligence

Detection:

Snake

Link:

https://www.capesandbox.com/analysis/220971/

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

DNS request

Creating a file in the %AppData% directory

Enabling the 'hidden' option for recently created files

Creating a process from a recently created file

Creating a process with a hidden window

Launching a process

Verdict:

Suspicious

Threat level:

5/10

Confidence:

100%

Tags:

obfuscated packed

Link:

https://www.filescan.io/uploads/61e919960f8c757253cfbaac/reports/61734279-4aaa-4b0d-9cca-23361c737887/overview

Result

Verdict:

UNKNOWN

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Generic Malware

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/1759284e-f4d9-4fcb-b309-260a86758bb1

Result

Threat name:

Snake Keylogger

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/924128

Signature

.NET source code contains potential unpacker

.NET source code references suspicious native API functions

Adds a directory exclusion to Windows Defender

Found malware configuration

Initial sample is a PE file and has a suspicious name

Injects a PE file into a foreign processes

Machine Learning detection for dropped file

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

May check the online IP address of the machine

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Sigma detected: Powershell Defender Exclusion

Sigma detected: Suspicious Double Extension

Sigma detected: Suspicius Add Task From User AppData Temp

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to steal Mail credentials (via file / registry access)

Uses an obfuscated file name to hide its real file extension (double extension)

Uses schtasks.exe or at.exe to add and modify task schedules

Yara detected AntiVM3

Yara detected Snake Keylogger

Yara detected Telegram RAT

Behaviour

Behavior Graph:

Download SVG

Detection:

snakekeylogger

Link:

https://mwdb.cert.pl/sample/f2a224c514f49ca2f17c6aee38fdf8d61516ff9f68dd3d335b3e5850c6b5a8e1/

Threat name:

ByteCode-MSIL.Trojan.AgentTesla

Status:

Malicious

First seen:

2022-01-20 08:13:15 UTC

File Type:

PE (.Net Exe)

Extracted files:

AV detection:

19 of 28 (67.86%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=6krcjriu6sokf4l4nlxdr7py2ykrn747ndot2m23hzmfbrvvvdqq._file

Verdict:

malicious

SnakeKeylogger

2ce55f36ec8460c1273af1411d76c3af53a3861974d66b6a168218e6af7431e4

SnakeKeylogger

30857f5b12915a6e6e21114e1176ae694d7463cb0477d7c68071a63e477284f0

SnakeKeylogger

4723f6050ea2f6739fd08f6111162abdee81e2e3ba8f5b2efad90158b54b8d87

SnakeKeylogger

60cf45262b59092f3dff9c5fa83a6a3e7d8008ad0e19c3469099e0978426d329

SnakeKeylogger

662acd5406b7e5f3f107aad8b7a06a10eaf14747b82db5a04a1958f64284cf44

SnakeKeylogger

ead300a07127a8d18e23a62fa409488c7c3b7133b2e022cc9eb3be204b52cba8

SnakeKeylogger

ecb446bcf4b7c55ebefe6dd61f7c01300df2df1257001c8440957ff9f211b086

SnakeKeylogger

f0499807bd42438f56254b0af8d2e7672d36d58b97c1480852df6b6f8f527233

SnakeKeylogger

f0f9213cad90bc44e22ce602a1fe2c2c76975d5f6617be7091692f4af10637b4

SnakeKeylogger

+ 2'453 additional samples on MalwareBazaar

Result

Malware family:

snakekeylogger

Score:

10/10

Tags:

family:snakekeylogger collection keylogger persistence spyware stealer

Link:

https://tria.ge/reports/220120-j4e73ahaa7/

Behaviour

Creates scheduled task(s)

Modifies data under HKEY_USERS

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

outlook_office_path

outlook_win_path

Enumerates physical storage devices

Suspicious use of SetThreadContext

Accesses Microsoft Outlook profiles

Looks up external IP address via web service

Checks computer location settings

Reads data files stored by FTP clients

Reads user/profile data of local email clients

Reads user/profile data of web browsers

Sets service image path in registry

Snake Keylogger

Snake Keylogger Payload

Unpacked files

SH256 hash:

534271eb2b9d8c79e33e069f53df226ab50109fab3e2979d2fa4e1e54daf2775

MD5 hash:

bd543908ae3c3cb8815aa2ac20bff8ce

SHA1 hash:

c5f6d1862acdf08a22c1db71501ddf02f66eb2e7

Link:

https://www.unpac.me/results/5f083fcb-4d10-427b-abf5-82d4b55bcd15/

SH256 hash:

c826a0facddc97d4e7be462c3a336df3149fde0345698688d46a4dd58bb177d4

MD5 hash:

6f23654a896d8a56175d30cd1738a93d

SHA1 hash:

1465ab490564845555a7ba8b154de80ce88c6f9c

Link:

https://www.unpac.me/results/5f083fcb-4d10-427b-abf5-82d4b55bcd15/

SH256 hash:

bd3c4594efdf08772d98e2ce72136c55c8ea93fd18b21784922865c54f94ad5d

MD5 hash:

d22867b59515212958ca3a48c62c6360

SHA1 hash:

0d86e2b8a85b7217492d908b0484a58ffe5f180f

Link:

https://www.unpac.me/results/5f083fcb-4d10-427b-abf5-82d4b55bcd15/

SH256 hash:

f2a224c514f49ca2f17c6aee38fdf8d61516ff9f68dd3d335b3e5850c6b5a8e1

MD5 hash:

5e3492467638f1b58b450d6cd316744c

SHA1 hash:

eb3289c5d981c7bdb1166eb647115ba0536f8b07

Link:

https://www.unpac.me/results/5f083fcb-4d10-427b-abf5-82d4b55bcd15/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/f2a224c514f49ca2f17c6aee38fdf8d61516ff9f68dd3d335b3e5850c6b5a8e1

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	pe_imphash Create hunting rule

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/220971/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample