MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 f65f899fc6cc494d6c59311f4a0519fa6ba0c9859c8ce13a5adc30aa9fd1817b. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


SnakeKeylogger


Vendor detections: 9


Intelligence 9 IOCs YARA 14 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: f65f899fc6cc494d6c59311f4a0519fa6ba0c9859c8ce13a5adc30aa9fd1817b
SHA3-384 hash: 4727e5ce868d7682c3342c3db2f26f4c2a3f4ee341dbf1e769b237ca7585b5eda2cf8ed8c30dedc5556359a24647d523
SHA1 hash: 4e65be97915b815f8e97fc152c49231aff66bb5a
MD5 hash: e5cbe802fc9905046a3104457551c1a2
humanhash: pluto-quiet-four-oscar
File name:DOC09000900324.exe
Download: download sample
Signature SnakeKeylogger
Create hunting rule
File size:2'354'176 bytes
First seen:2021-07-06 16:12:40 UTC
Last seen:2021-07-06 17:17:43 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'747 x AgentTesla, 19'642 x Formbook, 12'245 x SnakeKeylogger)
ssdeep 3072:AFPdFWS6jieLOmbmjisiGOrogUR18Exbs6Xi28nigNoKUt+ZpjkeCq4GQmeq/5CZ:oFWS6jieLOmbmjisiGOrogUga+
Threatray 106 similar samples on MalwareBazaar
TLSH 48B54C3D49BE2137C1BDD3B98FC8882BF840D66B71517E7998D607A5470AA8376C213E
Reporter abuse_ch
Tags:exe SnakeKeylogger

Intelligence

File Origin
# of uploads :
2
# of downloads :
191
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
DOC09000900324.exe
Verdict:
Malicious activity
Analysis date:
2021-07-06 16:14:31 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/c8c82636-8201-4823-9918-d05b0354de9b

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Snake
Create hunting rule
Link:
https://www.capesandbox.com/analysis/170035/
Detection(s):
SecuriteInfo.com.Trojan.PackedNET.904.11813.15525.UNOFFICIAL
Create hunting rule

Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/c985486f-d97d-4515-bddb-9b687b86fd37
Result
Threat name:
Snake Keylogger
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/812425
Signature
.NET source code references suspicious native API functions
Contains functionality to capture screen (.Net source)
Found malware configuration
Injects a PE file into a foreign processes
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
May check the online IP address of the machine
Multi AV Scanner detection for submitted file
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Mail credentials (via file access)
Yara detected Snake Keylogger
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/f65f899fc6cc494d6c59311f4a0519fa6ba0c9859c8ce13a5adc30aa9fd1817b/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2021-07-06 16:13:12 UTC
AV detection:
10 of 46 (21.74%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=6zpyth6gzreu23czgepuubiz7jv2bsmftsgocos23qykvh6rqf5q._file
Verdict:
malicious
Similar samples:
12fd71647d0ddc3a5619975288f310047162f1258765d337efaee411c9f7e7f4
SnakeKeylogger
42e71a6e0d1db101fe1fb3f5d8f067aea2fda52b24050dbadea6d8ebdddc4a81
SnakeKeylogger
57bcdee4cc181db0c6671ccdd70a978bc4fa752bd6bfc9557be713539127baee
SnakeKeylogger
7320b115d96ae0e50fe44d8600bd0bd68e2fac3bb4604f8f333f04e247c301bd
SnakeKeylogger
83fef9d67405ca7975e04fc8c66e7d298809f90260d1b287f709a3bae49f502e
SnakeKeylogger
bdbba0c991f70ccddad27da903e5e689a6e762ac23ab78ffea10f389f55045c3
SnakeKeylogger
d09500f30f90dcdf6caac545bff9663876dc3a7de445d618e947ba64a5f4966b
SnakeKeylogger
e0da065f5de30c5ba0f494a5e042fadef310039fef35896a61756d49c6e21611
SnakeKeylogger
e8bc94b0faea9886f1fa39e0e9f609f2f266b3d7d812faad4b2ae9904b170b00
SnakeKeylogger
ebfd8ee6075a687bfe40c156d61d89a2e724505a617fb077b543a11b9c4e6b43
SnakeKeylogger
+ 96 additional samples on MalwareBazaar
Result
Malware family:
snakekeylogger
Create hunting rule
Score:
  10/10
Tags:
family:snakekeylogger keylogger spyware stealer
Link:
https://tria.ge/reports/210706-5zq9ycq6xn/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Looks up external IP address via web service
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Snake Keylogger
Malware Config
C2 Extraction:
https://api.telegram.org/bot1483662500:AAGrMuxJV05-It-ke-xXVV6-R6IAtETpJb0/sendMessage?chat_id=1300181783
Unpacked files
SH256 hash:
97024f17003dd3d31dab64c4d1b8251e50d428644eb59ed3692ad79ce42019cf
MD5 hash:
8cd28be4bd9a1404c6d3600db32b3ed1
SHA1 hash:
fb90b0ca51118e771390d58b19d0a404ee14cfbc
Link:
https://www.unpac.me/results/071066a5-8362-4883-9a42-2cb82a26e849/
SH256 hash:
93cbcb95f97b23640945cc5e984e22b18d5941ef7a9c08723a8024fa245efd93
MD5 hash:
26de1a3b7dc854307b6ecb31030c89b0
SHA1 hash:
d0b0b16865c78c1be564765290db9048029b7dda
Link:
https://www.unpac.me/results/071066a5-8362-4883-9a42-2cb82a26e849/
SH256 hash:
43b21ce34ce621c1a6bb901a56fc06bb4319b347e42e9cdb30fbbb11b8339065
MD5 hash:
784e53fffdf7c0b59cfb18eec57f8e97
SHA1 hash:
71c63ae922a65c179a362dfe0d009a4f5313773d
Link:
https://www.unpac.me/results/071066a5-8362-4883-9a42-2cb82a26e849/
SH256 hash:
f65f899fc6cc494d6c59311f4a0519fa6ba0c9859c8ce13a5adc30aa9fd1817b
MD5 hash:
e5cbe802fc9905046a3104457551c1a2
SHA1 hash:
4e65be97915b815f8e97fc152c49231aff66bb5a
Link:
https://www.unpac.me/results/071066a5-8362-4883-9a42-2cb82a26e849/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/f65f899fc6cc494d6c59311f4a0519fa6ba0c9859c8ce13a5adc30aa9fd1817b

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Choice_Del_method_bin_mem
Create hunting rule
Author:James_inthe_box
Description:cmd ping IP nul del
Rule name:Chrome_stealer_bin_mem
Create hunting rule
Author:James_inthe_box
Description:Chrome in files like avemaria
Rule name:Email_stealer_bin_mem
Create hunting rule
Author:James_inthe_box
Description:Email in files like avemaria
Rule name:INDICATOR_EXE_Packed_Fody
Create hunting rule
Author:ditekSHen
Description:Detects executables manipulated with Fody
Rule name:INDICATOR_SUSPICIOUS_Binary_References_Browsers
Create hunting rule
Author:ditekSHen
Description:Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers.
Rule name:INDICATOR_SUSPICIOUS_EXE_Referenfces_Messaging_Clients
Create hunting rule
Author:ditekSHen
Description:Detects executables referencing many email and collaboration clients. Observed in information stealers
Rule name:INDICATOR_SUSPICIOUS_Stomped_PECompilation_Timestamp_InTheFu
Create hunting rule
Author:ditekSHen
Description:Detect executables with stomped PE compilation timestamp that is greater than local current time
Rule name:Keylog_bin_mem
Create hunting rule
Author:James_inthe_box
Description:Contains Keylog
Rule name:MAL_Envrial_Jan18_1
Create hunting rule
Author:Florian Roth
Description:Detects Encrial credential stealer malware
Reference:https://twitter.com/malwrhunterteam/status/953313514629853184
Rule name:pe_imphash
Create hunting rule
Rule name:Reverse_text_bin_mem
Create hunting rule
Author:James_inthe_box
Description:Reverse text detected
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash
Rule name:Telegram_bot_mem
Create hunting rule
Author:James_inthe_box
Description:Telegram in files like avemaria
Rule name:Telegram_Exfiltration_Via_Api
Create hunting rule
Author:lsepaolo

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

SnakeKeylogger

Executable exe f65f899fc6cc494d6c59311f4a0519fa6ba0c9859c8ce13a5adc30aa9fd1817b

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/170035/

Comments