MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 f8e42f0b33b357352164af46809b4ba2fd3f213059b4f7d1a38c9df1e84e6b12. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


SnakeKeylogger


Vendor detections: 15


Intelligence 15 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: f8e42f0b33b357352164af46809b4ba2fd3f213059b4f7d1a38c9df1e84e6b12
SHA3-384 hash: b1930218a46bc1c79d23d1fcc9986c3d35689b9dee6992498179c61842e40b8639832e275a67ab0c6edc83b43a9f34ea
SHA1 hash: 2c36e323268892dc7f9987fb5200ee1fb2336df0
MD5 hash: fb6436801517f4cb1748ba4bf9df2df4
humanhash: ten-hot-blue-nineteen
File name:fb6436801517f4cb1748ba4bf9df2df4.exe
Download: download sample
Signature SnakeKeylogger
Create hunting rule
File size:555'008 bytes
First seen:2023-09-23 07:24:08 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'740 x AgentTesla, 19'600 x Formbook, 12'241 x SnakeKeylogger)
ssdeep 12288:5tHparD6dh85k4Y5hLZwi3qjnb7svMufuul8ZxeizmFzx:h4Dqh5LPwi3YnsUufuLnRmH
Threatray 215 similar samples on MalwareBazaar
TLSH T159C4126871E49762F8B9CBFB252092C187B1E2770903F3691CD4B0AC36637B45A46EC7
TrID 71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.2% (.EXE) Win64 Executable (generic) (10523/12/4)
6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.3% (.EXE) Win32 Executable (generic) (4505/5/1)
2.0% (.ICL) Windows Icons Library (generic) (2059/9)
Reporter abuse_ch
Tags:exe SnakeKeylogger

Intelligence

File Origin
# of uploads :
1
# of downloads :
287
Origin country :
NL NL
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
fb6436801517f4cb1748ba4bf9df2df4.exe
Verdict:
Malicious activity
Analysis date:
2023-09-23 07:27:28 UTC
Tags:
evasion snake
Link:
https://app.any.run/tasks/2fc2ca3a-741b-451c-a162-84f63a40cbd9

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Snake
Create hunting rule
Link:
https://www.capesandbox.com/analysis/450692/
Detection(s):
SecuriteInfo.com.Win32.PWSX-gen.25483.32571.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Creating a window
Creating a process with a hidden window
Launching a process
Restart of the analyzed sample
Adding an exclusion to Microsoft Defender
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
packed remcos
Link:
https://www.filescan.io/uploads/650e92d01edabd99829ef666/reports/595cd0ed-f381-4694-9ed6-cf24ce7fa723/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_100%
Link:
https://www.hybrid-analysis.com/sample/f8e42f0b33b357352164af46809b4ba2fd3f213059b4f7d1a38c9df1e84e6b12
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/83b61086-e26c-4ce6-95fc-d03ca163de86
Result
Threat name:
Snake Keylogger
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1313199
Signature
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains potential unpacker
Adds a directory exclusion to Windows Defender
Found malware configuration
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
May check the online IP address of the machine
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Scheduled temp file as task from temp location
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected AntiVM3
Yara detected Generic Downloader
Yara detected Snake Keylogger
Yara detected Telegram RAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 1313199 Sample: 4Wg6isoQm2.exe Startdate: 23/09/2023 Architecture: WINDOWS Score: 100 47 Found malware configuration 2->47 49 Malicious sample detected (through community Yara rule) 2->49 51 Sigma detected: Scheduled temp file as task from temp location 2->51 53 8 other signatures 2->53 7 4Wg6isoQm2.exe 7 2->7         started        11 dSirXQFPjw.exe 5 2->11         started        process3 file4 35 C:\Users\user\AppData\...\dSirXQFPjw.exe, PE32 7->35 dropped 37 C:\Users\user\AppData\Local\Temp\tmpC8.tmp, XML 7->37 dropped 55 May check the online IP address of the machine 7->55 57 Uses schtasks.exe or at.exe to add and modify task schedules 7->57 59 Adds a directory exclusion to Windows Defender 7->59 13 4Wg6isoQm2.exe 15 2 7->13         started        17 powershell.exe 21 7->17         started        19 powershell.exe 21 7->19         started        21 schtasks.exe 1 7->21         started        61 Multi AV Scanner detection for dropped file 11->61 63 Machine Learning detection for dropped file 11->63 65 Injects a PE file into a foreign processes 11->65 23 dSirXQFPjw.exe 11->23         started        25 schtasks.exe 11->25         started        signatures5 process6 dnsIp7 39 checkip.dyndns.org 13->39 41 checkip.dyndns.com 132.226.247.73, 80 UTMEMUS United States 13->41 45 2 other IPs or domains 13->45 27 conhost.exe 17->27         started        29 conhost.exe 19->29         started        31 conhost.exe 21->31         started        43 checkip.dyndns.org 23->43 67 Tries to steal Mail credentials (via file / registry access) 23->67 69 Tries to harvest and steal browser information (history, passwords, etc) 23->69 33 conhost.exe 25->33         started        signatures8 process9
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/f8e42f0b33b357352164af46809b4ba2fd3f213059b4f7d1a38c9df1e84e6b12/
Threat name:
ByteCode-MSIL.Trojan.LokiBot
Create hunting rule
Status:
Malicious
First seen:
2023-09-22 16:05:04 UTC
File Type:
PE (.Net Exe)
Extracted files:
5
AV detection:
18 of 24 (75.00%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=7dsc6cztwnltkilev5dibg2lul6t6ijqlg2ppundrso7d2conmja._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
2c1f623ad12b2a7c372522670e109fc16c58d135179cd2dd4036723f961f412c
SnakeKeylogger
3096973acd0408ca6115b08d3e7968a5f029e353878991a39c22cc3f9d60683d
SnakeKeylogger
4f4a8ff83672c8134227742b12e228e512d32e3c3dabb8e96bdc6b28628d3d26
SnakeKeylogger
9103e2815438759a349705607f3be586c2129551e74cd2a875a04faab7ac43a9
SnakeKeylogger
98c140b482c040e7e9bfb991d7b817ff64bb416f9c7d1089246382b04a0276df
SnakeKeylogger
b0b1d6f5cf28c2c898a171fc9ee03ad187101ecc26fcd9c184fd925a006c7524
SnakeKeylogger
b6c31cf2b2b77c5f11e59dee5af4b8873dc3f6c0898984d4b060b133f454c302
SnakeKeylogger
c0e472a9146a7975b5908ee8974d49f83426627cb074189268959a432cb61ea7
SnakeKeylogger
+ 205 additional samples on MalwareBazaar
Result
Malware family:
snakekeylogger
Create hunting rule
Score:
  10/10
Tags:
family:snakekeylogger collection keylogger spyware stealer
Link:
https://tria.ge/reports/230923-h8ypjafg28/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Enumerates physical storage devices
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Looks up external IP address via web service
Checks computer location settings
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Snake Keylogger
Snake Keylogger payload
Malware Config
C2 Extraction:
https://api.telegram.org/bot6316392918:AAHcjKTVDupG6SMH3LkXAeVBgHKlqsAcmRU/sendMessage?chat_id=6445748530
Unpacked files
SH256 hash:
d4d5678b670977ae70f3797f601836b21e98bbbc875de0509943abd243c046c3
MD5 hash:
d39bd0c2eafcdca7ec6d692631d52ae0
SHA1 hash:
c0f1f6d03116044e3ca7ff8f5425f14b7dd0ac8c
Link:
https://www.unpac.me/results/8f66f691-c516-4fdf-9a75-bfaea33a8b22/
SH256 hash:
7c381aa21265e230ee872afa0d7374024ca82f17030a6dda5514ab21d9cf0b4b
MD5 hash:
00beaf0b10d9ea32a8857efbdaa9cf55
SHA1 hash:
4c0e6ce8bf3afe2db364d5fcbe83c41e44d58a52
Detections:
snake_keylogger
Create hunting rule
Link:
https://www.unpac.me/results/8f66f691-c516-4fdf-9a75-bfaea33a8b22/
Parent samples :
d7e0001b5c8e59c77d4f4cc467847498f7754d6417e7dbd592989ef73d90c5e6
f8e42f0b33b357352164af46809b4ba2fd3f213059b4f7d1a38c9df1e84e6b12
SH256 hash:
1bf3f75b0d7498fafda4dba829629e18cc9b4dfb0d8a00b6a614cb5718c22d8f
MD5 hash:
6d6798482c6967a73345504a90d724a4
SHA1 hash:
2e7dd7edd98d6b54fce193ccb31003f8e04ebd48
Link:
https://www.unpac.me/results/8f66f691-c516-4fdf-9a75-bfaea33a8b22/
SH256 hash:
631c38cf652447128f262e600cc8783bdcb6d36f77e1d86b37f9fad749f6e997
MD5 hash:
c22c5bef73b2740fc1ccdf0e5a1cb7ea
SHA1 hash:
216ae0a5f45a184d3f62175703183277d93b87b6
Link:
https://www.unpac.me/results/8f66f691-c516-4fdf-9a75-bfaea33a8b22/
SH256 hash:
7ec118e70613ce2d9aee29cda2918ca710dde346c68d4da75c2ea0402e6d4391
MD5 hash:
1622a62bf6805b2dca82a8632eceac71
SHA1 hash:
071b72a5a1231149dfe4b9fcfa3a6ee49265ab7c
Link:
https://www.unpac.me/results/8f66f691-c516-4fdf-9a75-bfaea33a8b22/
SH256 hash:
f8e42f0b33b357352164af46809b4ba2fd3f213059b4f7d1a38c9df1e84e6b12
MD5 hash:
fb6436801517f4cb1748ba4bf9df2df4
SHA1 hash:
2c36e323268892dc7f9987fb5200ee1fb2336df0
Link:
https://www.unpac.me/results/8f66f691-c516-4fdf-9a75-bfaea33a8b22/
Malware family:
SnakeKeylogger
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/f8e42f0b33b3/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/f8e42f0b33b357352164af46809b4ba2fd3f213059b4f7d1a38c9df1e84e6b12

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

SnakeKeylogger

Executable exe f8e42f0b33b357352164af46809b4ba2fd3f213059b4f7d1a38c9df1e84e6b12

(this sample)

Cape
Cape
https://www.capesandbox.com/analysis/450692/
  
URLhaus
https://urlhaus.abuse.ch/url/2713296/
  
Delivery method
Distributed via web download

Comments