MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 f7fb64d9d71310484da1ccd57c9b48551961d36091033496aa21e185111e5a73. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

SnakeKeylogger

Vendor detections: 14

Intelligence 14 IOCs YARA 2 File information Comments

SHA256 hash:	f7fb64d9d71310484da1ccd57c9b48551961d36091033496aa21e185111e5a73
SHA3-384 hash:	a4dc9260586ab16a2f2fa5fdf8824c34bcb078649fade51a76a70ea2392fa40ccd572148328dd6852b9bbb93515c229e
SHA1 hash:	3e86b3c1e375ba54d3e57267c2249842d420d936
MD5 hash:	2cb1cd1d282ae2a7e6b604026bfcb371
humanhash:	crazy-avocado-xray-sixteen
File name:	Swift copy.pdf.exe
Download:	download sample
Signature	SnakeKeylogger Create hunting rule
File size:	1'012'224 bytes
First seen:	2022-09-29 09:34:12 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'663 x AgentTesla, 19'478 x Formbook, 12'208 x SnakeKeylogger)
ssdeep	24576:Nx1l1J//bs6IyGO41DIXKC/e2MQDE12r8m8TUX16:v1J//46IbO4ivDkwr8TUX1
Threatray	5'291 similar samples on MalwareBazaar
TLSH	T14125F13686EA4F0BD158F57D80D0C2B5B7E8DD11E763C297AFC6AC1FB887691A610321
TrID	72.5% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13) 10.4% (.EXE) Win64 Executable (generic) (10523/12/4) 6.5% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 4.4% (.EXE) Win32 Executable (generic) (4505/5/1) 2.0% (.EXE) OS/2 Executable (generic) (2029/13)
Reporter	abuse_ch
Tags:	exe SnakeKeylogger

Intelligence

File Origin

# of uploads :

# of downloads :

238

Origin country :

n/a

Vendor Threat Intelligence

Detection:

Snake

Link:

https://www.capesandbox.com/analysis/314667/

Detection(s):

SecuriteInfo.com.MSIL.Kryptik.WZA.UNOFFICIAL

SecuriteInfo.com.Trojan.PackedNET.389.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Searching for the window

Creating a window

Sending a custom TCP request

Verdict:

Suspicious

Threat level:

5/10

Confidence:

100%

Tags:

packed

Link:

https://www.filescan.io/uploads/633566cbc9e2f34354312440/reports/e80690f0-c019-4c8b-afaa-cc7897475891/overview

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Snake Keylogger

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/b6b9be66-adbf-4bac-b7f3-6ce2828e2fcd

Result

Threat name:

Snake Keylogger

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1080318

Signature

.NET source code contains potential unpacker

.NET source code references suspicious native API functions

Initial sample is a PE file and has a suspicious name

Malicious sample detected (through community Yara rule)

May check the online IP address of the machine

Multi AV Scanner detection for submitted file

Snort IDS alert for network traffic

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to steal Mail credentials (via file / registry access)

Uses an obfuscated file name to hide its real file extension (double extension)

Yara detected AntiVM3

Yara detected Generic Downloader

Yara detected Snake Keylogger

Yara detected Telegram RAT

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/f7fb64d9d71310484da1ccd57c9b48551961d36091033496aa21e185111e5a73/

Threat name:

ByteCode-MSIL.Trojan.AgentTesla

Status:

Malicious

First seen:

2022-09-28 19:54:40 UTC

File Type:

PE (.Net Exe)

Extracted files:

AV detection:

21 of 26 (80.77%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=675wjwoxcmieqtnbztkxzg2ikumwdu3asebtjfvkehqykei6ljzq._file

Verdict:

malicious

SnakeKeylogger

50da774fda04ec1034035862f80ea8933397e34b66ac58c239c369836e341be0

SnakeKeylogger

6069a9d373b71c1217c3415634dfadeed9cfa0baa4949d640fe515d92b5a8a27

SnakeKeylogger

658cb26b4f26e4ecf21c85c6138ceb52c614ca4092a69c365d324ff0b4b0d7c0

SnakeKeylogger

7319a8d431cd1a967b517cd21b9aa7c0f86b1716e7e2492dd2e831a65406c460

SnakeKeylogger

7c0ccddd1e886d81fbcd8e4c62e6d61ce7e78258825a1f2ef1bc7edca4179cd5

SnakeKeylogger

a7f4f456189098240111b09c4a1564fa8d253bcbdec92f8696826717a88c9b56

SnakeKeylogger

f293c00ae925b1e3160d4104f35de999a31728aa5b636dd945d2ceb1d5045c01

SnakeKeylogger

f5b5997f3b718acf9ad712558e910e0d0c4777d8882207c05510f6c42cb3013d

SnakeKeylogger

+ 5'281 additional samples on MalwareBazaar

Result

Malware family:

snakekeylogger

Score:

10/10

Tags:

family:snakekeylogger collection keylogger spyware stealer

Link:

https://tria.ge/reports/220929-lkcc6sacg2/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

outlook_office_path

outlook_win_path

Suspicious use of SetThreadContext

Accesses Microsoft Outlook profiles

Looks up external IP address via web service

Reads data files stored by FTP clients

Reads user/profile data of local email clients

Reads user/profile data of web browsers

Snake Keylogger

Snake Keylogger payload

Gathering data

Unpacked files

SH256 hash:

92b19371213c00a3555a2de8fac4e35a1ae59b9542f4d898e6fb6a542d72b70a

MD5 hash:

44462bbb72ac38395f4a8cc3b0ebe37c

SHA1 hash:

f07ee51d3ae3ddc891feabb0d9430be5a1c7407e

Detections:

snake_keylogger

Link:

https://www.unpac.me/results/801a5392-f190-4678-9050-4e44547cf5df/

Parent samples :

d814971a8063856b595d17139a71755f921c2f40cb047022184c244d2b0fa52f
f7fb64d9d71310484da1ccd57c9b48551961d36091033496aa21e185111e5a73
274033ca1c52818cea2b3d08f1af035fe7b9205acea7d360f6f2955f511760e6
bc54750c4093359b19b8c4a698448757d2cd5b7b057d67304c676e3f6c58a9be
75bcb01c0ff496a6db0b158ae97e03840b29161d5c8f396c19ff92e46859810a
9559b033b86a453e358c4d4aa01dc753e302832d0f42e86ddf6a9f39ef3b92c9
4efde8646629538aa3d423e120a7b69dccec759f6d1761ad5b6ddae09b0fe04c

SH256 hash:

7d6ab3dd72e7fb7478af783a2d3b6c0a97ae54900285604c165c2841b5b6bea8

MD5 hash:

3e7fc9ba8a6a96f9e144d9f48af1e0d2

SHA1 hash:

7a1df6b9ccdd90f3a0c005e26c9061b227c18f26

Link:

https://www.unpac.me/results/801a5392-f190-4678-9050-4e44547cf5df/

SH256 hash:

2470b39032f6182252039c88199016566b0de30c6aa02163a143427afedd12af

MD5 hash:

c3a1924684ca30ed22234ce1d9111dfc

SHA1 hash:

7347706241422758c06440fd6044ae4e042b456b

Link:

https://www.unpac.me/results/801a5392-f190-4678-9050-4e44547cf5df/

SH256 hash:

3bbe952b37ebd8124d54aad2b8344ac75c8546cb7bc13de4aa2ab8923e17a0b7

MD5 hash:

28c168b5b2599791058fc63ddba91986

SHA1 hash:

67d568fb37785334fab28a2a3ca68656c18117d1

Link:

https://www.unpac.me/results/801a5392-f190-4678-9050-4e44547cf5df/

SH256 hash:

e20ec8f3c957bcb6a194ef688bae8af2015cfffb20e7baf8b2114d7b70ade4ee

MD5 hash:

35cb29046968faca7f3f3b4463449b6c

SHA1 hash:

088c8c30ec1bece0a4b5bbfe3982b073f8b95598

Link:

https://www.unpac.me/results/801a5392-f190-4678-9050-4e44547cf5df/

SH256 hash:

f7fb64d9d71310484da1ccd57c9b48551961d36091033496aa21e185111e5a73

MD5 hash:

2cb1cd1d282ae2a7e6b604026bfcb371

SHA1 hash:

3e86b3c1e375ba54d3e57267c2249842d420d936

Link:

https://www.unpac.me/results/801a5392-f190-4678-9050-4e44547cf5df/

Malware family:

SnakeKeylogger

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/f7fb64d9d713/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Suspicious File

Score:

0.65

Link:

https://yomi.yoroi.company/submissions/f7fb64d9d71310484da1ccd57c9b48551961d36091033496aa21e185111e5a73

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	pe_imphash Create hunting rule

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

SnakeKeylogger

exe f7fb64d9d71310484da1ccd57c9b48551961d36091033496aa21e185111e5a73

(this sample)

Delivery method

Distributed via e-mail attachment

Cape

https://www.capesandbox.com/analysis/314667/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample