MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 f40e6cacd4f125dbe0abe0cf82329cbac03c86cd848e0a8747b8f79381f2569a. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


SnakeKeylogger


Vendor detections: 14


Intelligence 14 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: f40e6cacd4f125dbe0abe0cf82329cbac03c86cd848e0a8747b8f79381f2569a
SHA3-384 hash: 68e57903f61a4ab6577ffcb38b204a2693c22106237afb9e187146e77369f4d94f451eaaff9f23aade69e8d677948943
SHA1 hash: 205d30dcacaa049fae21d1c11f193c8d38637971
MD5 hash: b3bb8df731c0cec62e739c4fd8edd79c
humanhash: triple-west-december-ceiling
File name:Confirmación de recibo de transferencia.exe
Download: download sample
Signature SnakeKeylogger
Create hunting rule
File size:791'552 bytes
First seen:2023-03-23 14:48:16 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 12288:L8Q76UZwdEVpNzMR02iuR5uaxkqlSyxn/jDBlxuXiTgUicFw8iRFqtd:L8Q76UZGKy+0LJxrH/jJ6sdicFfiRUt
Threatray 4'736 similar samples on MalwareBazaar
TLSH T15AF4DF00BD3A4933F8D6D7B45160273A03A9BB625061E68A8EFD688E3CDBF6705D454F
TrID 63.0% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
11.2% (.SCR) Windows screen saver (13097/50/3)
9.0% (.EXE) Win64 Executable (generic) (10523/12/4)
5.6% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
3.8% (.EXE) Win32 Executable (generic) (4505/5/1)
Reporter abuse_ch
Tags:ESP exe geo SnakeKeylogger

Intelligence

File Origin
# of uploads :
1
# of downloads :
225
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
Confirmación de recibo de transferencia.exe
Verdict:
Malicious activity
Analysis date:
2023-03-23 14:59:01 UTC
Tags:
snake keylogger trojan evasion
Link:
https://app.any.run/tasks/f3196a0d-189d-4ae8-9efe-4cfa9934de7a

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Snake
Create hunting rule
Link:
https://www.capesandbox.com/analysis/376866/
Detection(s):
Sanesecurity.Malware.28872.BadIN4.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a custom TCP request
Creating a process from a recently created file
Creating a file
Enabling the 'hidden' option for recently created files
Moving a file to the %temp% directory
Unauthorized injection to a recently created process
Unauthorized injection to a recently created process by context flags manipulation
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
floxif packed threat virus
Link:
https://www.filescan.io/uploads/641c66e0318b503355a8aef0/reports/3c412775-4ec8-4615-b632-6f095d5e7b51/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_100%
Link:
https://www.hybrid-analysis.com/sample/f40e6cacd4f125dbe0abe0cf82329cbac03c86cd848e0a8747b8f79381f2569a
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Snake Keylogger
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/f3c81772-efc3-40d7-8d3b-cb21c9f329b2
Result
Threat name:
Snake Keylogger
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1200658
Signature
.NET source code contains potential unpacker
Injects a PE file into a foreign processes
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
May check the online IP address of the machine
Moves itself to temp directory
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Mail credentials (via file / registry access)
Yara detected Generic Downloader
Yara detected Snake Keylogger
Yara detected Telegram RAT
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/f40e6cacd4f125dbe0abe0cf82329cbac03c86cd848e0a8747b8f79381f2569a/
Threat name:
ByteCode-MSIL.Trojan.SnakeKeylogger
Create hunting rule
Status:
Malicious
First seen:
2023-03-23 14:49:09 UTC
File Type:
PE (.Net Exe)
Extracted files:
10
AV detection:
18 of 24 (75.00%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=6qhgzlgu6es5xyfl4dhyemu4xladzbwnqshavb2hxd3zhapsk2na._file
Verdict:
malicious
Similar samples:
13d9c71cc329aa1fa94184cdf410decd035edb7d5e003414b43f491730593ff3
SnakeKeylogger
48c443ac6d5ba187712c1d8d5ac27d5d23bd4dd718a714c51f3811a751c4346b
SnakeKeylogger
4f44df487a3c894e64c272598c1fb7aa6601879a2073bf5243f82326bcf2b324
SnakeKeylogger
85e3e60e6673809467be19cef0db037aa1980342e69a9c0a2c149c44e0664be5
SnakeKeylogger
915c681cf24ce5aa5ac24cbe3d9fe1106966ff7467c16a3e7b002e80034da8c9
SnakeKeylogger
b495e348fb0e0544e57737f46f9333a711eaca2cd531a5e8065e96bf274d8690
SnakeKeylogger
be97a51ffa2d24ac0f2eba8eb2bc3ed49057c873d16d8c6b893c84b8670c9a1f
SnakeKeylogger
c02af082fec5a80ac247da9294400c04f338c6b45c75b8d70d9c7e07c35e30b2
SnakeKeylogger
+ 4'726 additional samples on MalwareBazaar
Result
Malware family:
snakekeylogger
Create hunting rule
Score:
  10/10
Tags:
family:snakekeylogger collection keylogger spyware stealer
Link:
https://tria.ge/reports/230323-r61ksaac41/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: RenamesItself
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Looks up external IP address via web service
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Snake Keylogger
Snake Keylogger payload
Unpacked files
SH256 hash:
f0c3a23704f91f61608da600bba2fcb2bc11eea0125e08fcf081f4f19558108f
MD5 hash:
e28f7662dcd134d7a1a2e44f11089caa
SHA1 hash:
d929942f47e924c2f6a8c930eab8121dc5cf4bb0
Link:
https://www.unpac.me/results/4e7ea151-ddd9-4466-aa3a-689ab88a0d5a/
SH256 hash:
f63b21d355c8882bedcb7f7e5bc75f85f199593384667d1833e0327d64426d89
MD5 hash:
2408f312cc1bcac48624505fce69772e
SHA1 hash:
997209ceb0866a9f38ca88274063a4b363c4b749
Detections:
snake_keylogger
Create hunting rule
Link:
https://www.unpac.me/results/4e7ea151-ddd9-4466-aa3a-689ab88a0d5a/
Parent samples :
48c443ac6d5ba187712c1d8d5ac27d5d23bd4dd718a714c51f3811a751c4346b
f40e6cacd4f125dbe0abe0cf82329cbac03c86cd848e0a8747b8f79381f2569a
7f83cd291ccbaf7e86cd96fffc54ecdadb4dff972f4ddcb11ca0cdadf9788899
eebe1c81da57309a99fa8cf1a8ef2ef90af6072182ad6b8dd3ceb8a31500bd0c
bc3244dd4f70ddd98c1a2ef63a56fd9dbea3efd25ad7510eb5ff24f178d6f2e7
SH256 hash:
d06df7395d561e198f9b7c5481567116ff2e4c2e84437c018d2a2c8ea6c4ca37
MD5 hash:
0fb6061f7d37424fb9e6d0e76b019c19
SHA1 hash:
98a64bf7b459f032d6ec5793003bf61b5ae1dd74
Link:
https://www.unpac.me/results/4e7ea151-ddd9-4466-aa3a-689ab88a0d5a/
Parent samples :
495607b1aef01bf7dfb64b5cb16a8fc0f161c2923627d71c69de97328f8eca3f
2434aa78b46a3afc98fa6e888c3eb56278ba52b0ff800e7e875af9c2e7f9011a
SH256 hash:
cde0d3400cd787fce5d1b95fa52908d64831430cc90dafddbaa79ae0d03bb3d0
MD5 hash:
06a5bc1d3143bcac174d81c5ffc09def
SHA1 hash:
650fb4549fb98ee4c7be5e03bf670241e6339cd0
Link:
https://www.unpac.me/results/4e7ea151-ddd9-4466-aa3a-689ab88a0d5a/
SH256 hash:
9c8ffb9cb173adb2ab9f13a78da1b5b7cbe56af924f5951ef969d7bd6bae099d
MD5 hash:
e83a54df9e6e2375afcea0cd37dbb2ae
SHA1 hash:
1c9da53459512f7209bcfc37d4a8d102bdfab478
Link:
https://www.unpac.me/results/4e7ea151-ddd9-4466-aa3a-689ab88a0d5a/
SH256 hash:
f40e6cacd4f125dbe0abe0cf82329cbac03c86cd848e0a8747b8f79381f2569a
MD5 hash:
b3bb8df731c0cec62e739c4fd8edd79c
SHA1 hash:
205d30dcacaa049fae21d1c11f193c8d38637971
Link:
https://www.unpac.me/results/4e7ea151-ddd9-4466-aa3a-689ab88a0d5a/
Malware family:
SnakeKeylogger
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/f40e6cacd4f1/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

SnakeKeylogger

Executable exe f40e6cacd4f125dbe0abe0cf82329cbac03c86cd848e0a8747b8f79381f2569a

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/376866/

Comments