MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 f4341e05ce7f94f3592771a25884f1cba965d256d2f839c81bc65791c26acf72. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


SnakeKeylogger


Vendor detections: 13


Intelligence 13 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: f4341e05ce7f94f3592771a25884f1cba965d256d2f839c81bc65791c26acf72
SHA3-384 hash: 530836d560362d402249e7541a83741cddf56daaf93bd69b0a4f82e7370a2ea046d6098d3f5f1a3ce04259268b2de010
SHA1 hash: 9152cf80e72375aefc1678742afb528cf39b5280
MD5 hash: bead9ea9cf02af795142c35f5017a9e3
humanhash: august-football-moon-autumn
File name:NEW P04564.exe
Download: download sample
Signature SnakeKeylogger
Create hunting rule
File size:1'315'840 bytes
First seen:2022-09-27 09:56:18 UTC
Last seen:2022-10-07 00:22:03 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'661 x AgentTesla, 19'474 x Formbook, 12'208 x SnakeKeylogger)
ssdeep 12288:sqvafw2iNGqg5D9ZFJIfh7v7bCB4ukNEFfTElTCsNfL7AKUXnhu/Np:sqyo1Rg5D3IVvCBG+Ff4CsNjEKAkX
Threatray 5'069 similar samples on MalwareBazaar
TLSH T181559E91A1908D9BE86F05F1AC6AE53021D7AD5CA4A4C10D5ADABF1F75F3312209FF0E
TrID 71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.2% (.EXE) Win64 Executable (generic) (10523/12/4)
6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.3% (.EXE) Win32 Executable (generic) (4505/5/1)
2.0% (.EXE) Win16/32 Executable Delphi generic (2072/23)
File icon (PE):PE icon
dhash icon eeacac8cb6e2ba86 (561 x SnakeKeylogger, 142 x AgentTesla, 40 x Formbook)
Reporter abuse_ch
Tags:exe SnakeKeylogger

Intelligence

File Origin
# of uploads :
2
# of downloads :
244
Origin country :
n/a
Vendor Threat Intelligence
Detection:
Snake
Create hunting rule
Link:
https://www.capesandbox.com/analysis/313902/
Detection(s):
SecuriteInfo.com.MSIL.Kryptik.WZA.UNOFFICIAL
Create hunting rule

SecuriteInfo.com.Trojan.PackedNET.389.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Creating a window
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
packed
Link:
https://www.filescan.io/uploads/6332c8f40569d591125fb765/reports/95d892fc-e8bf-498d-a8df-2ce13cb40297/overview
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Snake Keylogger
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/32e2875d-57f1-4cd2-9ff9-ebaaa89b7644
Result
Threat name:
Snake Keylogger
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1078210
Signature
.NET source code contains potential unpacker
.NET source code references suspicious native API functions
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
May check the online IP address of the machine
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Mail credentials (via file / registry access)
Yara detected AntiVM3
Yara detected Generic Downloader
Yara detected Snake Keylogger
Yara detected Telegram RAT
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/f4341e05ce7f94f3592771a25884f1cba965d256d2f839c81bc65791c26acf72/
Threat name:
ByteCode-MSIL.Spyware.SnakeLogger
Create hunting rule
Status:
Malicious
First seen:
2022-09-27 09:57:20 UTC
File Type:
PE (.Net Exe)
Extracted files:
33
AV detection:
21 of 26 (80.77%)
Threat level:
  2/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=6q2b4boop6kpgwjhogrfrbhrzouwlusw2l4dtsa3yzlzdqtkz5za._file
Verdict:
malicious
Similar samples:
075d1ac0887f0028c537e2b45c1d1686d26e18464792ca65b374a4ac82261d93
SnakeKeylogger
0a6d0d3564e7e3a9cd3c0f186f8f5ab59c70551af31ca1dbcbc5245062ac3cce
SnakeKeylogger
5c00ba81ba3c63b387be3c81b197a552de1ba46a1922c696d602e4fbf1700c01
SnakeKeylogger
6e3068d40a7f9cf1c1b32ce4c58931efe7363b9f2d9c96117c72e8c5fa90c723
SnakeKeylogger
bde44d28af8eea00ebb87e8a609fba8ed3e7371dfc1b5b842ef1a2aac4a0819c
SnakeKeylogger
e3555cc65ec783fa2aa5a0c5c565e2ac373487fbcffd83db2a014f40ac983d30
SnakeKeylogger
e7bce95f8d0c0afe68c7073eb88a60271388885c07bd9a5abfcace139eec9e9f
SnakeKeylogger
f92f663f8f3a0eb9aa71214253b157153bc4c9b386e4189c00017ec85e9d6913
SnakeKeylogger
+ 5'059 additional samples on MalwareBazaar
Result
Malware family:
snakekeylogger
Create hunting rule
Score:
  10/10
Tags:
family:snakekeylogger collection keylogger spyware stealer
Link:
https://tria.ge/reports/220927-lyx7ssecck/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Looks up external IP address via web service
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Snake Keylogger
Snake Keylogger payload
Malware Config
C2 Extraction:
https://api.telegram.org/bot5688807535:AAG1DGE6pZTsXCmSWLJMEc1Gjb9GWweDx4E/sendMessage?chat_id=5567956038
Verdict:
Suspicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/58d29524-1863-4ced-b6a2-7e36ace52d80
Unpacked files
SH256 hash:
fb0afd017d21ca9e969c964bbedb5972e0154b0f442737c1f232921e8066fc4e
MD5 hash:
9b1fc2660597c9d151f04d392ace32c1
SHA1 hash:
e92d57eef65e89bfcbba7c0e1d06edf06687d183
Link:
https://www.unpac.me/results/fe85b880-601e-4175-b6aa-30c4c311fc7a/
SH256 hash:
02b6112792925ada8dd7e8314aad6dc3b3c4acdf5c9be7203bdb03c0168c4abc
MD5 hash:
4c8db81dad97b54148394d56d88c4662
SHA1 hash:
9541c3fa387488268d06d42f433ca0c824ce0143
Detections:
snake_keylogger
Create hunting rule
Link:
https://www.unpac.me/results/fe85b880-601e-4175-b6aa-30c4c311fc7a/
Parent samples :
e73eb6dfdf2a41140a1e318786fc665ca34da069b76e9e4f6631be4fea3e4641
d410fd3f95b3fa5d5ce9b3b406393ef5d2e803eae2638fec0de719c0b506dbf7
81394c80e5f78ba8d564790577cff6c5372f64282f8147457e5b13b5358c149b
f4341e05ce7f94f3592771a25884f1cba965d256d2f839c81bc65791c26acf72
5a818191a4aa931ebdf594da986e37e8cbe0428b225a2c5f9bec9efcc46a83b3
47dd6760fbf13ed84621e2e974ee6decb76356716c4e6657b077b67e5b8b89cb
7768c1da766d45e917871231c3b6ad5d890cb5d363e805ea58b8a8c96d206d20
02b6112792925ada8dd7e8314aad6dc3b3c4acdf5c9be7203bdb03c0168c4abc
532237e55d32b01247c9c1f8713aef65b614353573c162a256902f83e02c9b84
SH256 hash:
2470b39032f6182252039c88199016566b0de30c6aa02163a143427afedd12af
MD5 hash:
c3a1924684ca30ed22234ce1d9111dfc
SHA1 hash:
7347706241422758c06440fd6044ae4e042b456b
Link:
https://www.unpac.me/results/fe85b880-601e-4175-b6aa-30c4c311fc7a/
SH256 hash:
70dfa4c873605ab0fcdcb62be2a970da110535280d8dc88261edbe1ed2865307
MD5 hash:
d5b0f8aff064b3e828421b48efccd312
SHA1 hash:
724f4bc7ab4e08c45562748b739c8f7496a5ad8f
Link:
https://www.unpac.me/results/fe85b880-601e-4175-b6aa-30c4c311fc7a/
SH256 hash:
117c7bd222888e205629a6eab9f9259adc6e2945d50acd5984e552acd4bafd35
MD5 hash:
5dde641dd5fee3f2c65cdc7d023452a3
SHA1 hash:
17eca91830076b6a7a77fa1d8e5c98b612dc844d
Link:
https://www.unpac.me/results/fe85b880-601e-4175-b6aa-30c4c311fc7a/
SH256 hash:
f4341e05ce7f94f3592771a25884f1cba965d256d2f839c81bc65791c26acf72
MD5 hash:
bead9ea9cf02af795142c35f5017a9e3
SHA1 hash:
9152cf80e72375aefc1678742afb528cf39b5280
Link:
https://www.unpac.me/results/fe85b880-601e-4175-b6aa-30c4c311fc7a/
Malware family:
SnakeKeylogger
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/f4341e05ce7f/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Legit
Score:
0.00
Link:
https://yomi.yoroi.company/submissions/f4341e05ce7f94f3592771a25884f1cba965d256d2f839c81bc65791c26acf72

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

SnakeKeylogger

Executable exe f4341e05ce7f94f3592771a25884f1cba965d256d2f839c81bc65791c26acf72

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/313902/

Comments