MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 f96aef873c1a5c589426c60c2100185ec588e76fd994c3412eab0634e3d41ebd. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


SnakeKeylogger


Vendor detections: 9


Intelligence 9 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: f96aef873c1a5c589426c60c2100185ec588e76fd994c3412eab0634e3d41ebd
SHA3-384 hash: fc3bc807d8163ac8859d3e350b5745f99d6cad457b94224c0acc0144946575161165e94cd8723b22e140300ca79b1deb
SHA1 hash: 17274fb3dee0b53df70fd0a83e5066fd528f2909
MD5 hash: 37f2927d7bf852298ca680400d522daf
humanhash: tango-carbon-artist-cat
File name:37f2927d7bf852298ca680400d522daf.exe
Download: download sample
Signature SnakeKeylogger
Create hunting rule
File size:679'936 bytes
First seen:2021-07-12 08:53:00 UTC
Last seen:2021-07-12 09:58:58 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'663 x AgentTesla, 19'478 x Formbook, 12'208 x SnakeKeylogger)
ssdeep 12288:gNa07xd7aaFHNgshZ6M1dGN0d33CrxE6zGIMwC7:LOVjFtgstkqGxKqC
Threatray 206 similar samples on MalwareBazaar
TLSH T1E8E46B38AB95C763D27282B0EA7551F0F2256D52F2318D1B46873E4C363EB4269F235E
Reporter abuse_ch
Tags:exe SnakeKeylogger

Intelligence

File Origin
# of uploads :
2
# of downloads :
124
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
37f2927d7bf852298ca680400d522daf.exe
Verdict:
Malicious activity
Analysis date:
2021-07-12 08:57:09 UTC
Tags:
evasion trojan
Link:
https://app.any.run/tasks/b3df08c9-b717-4e60-aef9-2a515e73e405

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Snake
Create hunting rule
Link:
https://www.capesandbox.com/analysis/170998/
Detection(s):
SecuriteInfo.com.Trojan.PackedNET.800.24862.32103.UNOFFICIAL
Create hunting rule

Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/ff11ad19-2a40-443e-a27b-6888c3a55595
Result
Threat name:
Snake Keylogger
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/814693
Signature
.NET source code contains very large strings
Found malware configuration
Injects a PE file into a foreign processes
Malicious sample detected (through community Yara rule)
May check the online IP address of the machine
Multi AV Scanner detection for submitted file
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Mail credentials (via file access)
Yara detected AntiVM3
Yara detected Snake Keylogger
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/f96aef873c1a5c589426c60c2100185ec588e76fd994c3412eab0634e3d41ebd/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2021-07-11 00:31:58 UTC
AV detection:
14 of 46 (30.43%)
Threat level:
  5/5
Verdict:
malicious
Similar samples:
33c9ae2a724e071b04dffc0489be94315a748d706da64aadbaf32ab316ccf21e
SnakeKeylogger
394b84714c723fe917d65356700c36483a29610251eb06b93fb4a2b0922a68a4
SnakeKeylogger
4802b87ba7e4f7c1815d0c027aab96c0fcd74099ea8fdd236a9909e0ca00faf6
SnakeKeylogger
8e4c2e59aeff7aa83545597af30118fd8a596775ca8e44b058c20355e4810fe8
SnakeKeylogger
9434ff752be66504d76e4404bc8d920748a6ae46a0e20e26c86753e8ff89b8ad
SnakeKeylogger
dda39c591898a0ba4531e89cd697021803df43cbe038570e2a5657f8a3400a02
SnakeKeylogger
ed62eff9a728c54286e8a6ed5b4bae53667496f354118a75a15a050e15a9df30
SnakeKeylogger
+ 196 additional samples on MalwareBazaar
Result
Malware family:
snakekeylogger
Create hunting rule
Score:
  10/10
Tags:
family:snakekeylogger keylogger spyware stealer
Link:
https://tria.ge/reports/210712-bfsn6kwn72/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Looks up external IP address via web service
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Snake Keylogger
Malware Config
C2 Extraction:
https://api.telegram.org/bot1802838691:AAHG-LDFE4ym6sqdeNCoNwT9JyuuNVsehko/sendMessage?chat_id=1211381524
Unpacked files
SH256 hash:
9d181c63eef038d18f8f4d21898820addf79dc637f29408930fb21dca23949a3
MD5 hash:
5d0f84fcbd153c459390e8d5cd277e6d
SHA1 hash:
fb44e7d5678402532bca39626a2cd6939bbf6d07
Link:
https://www.unpac.me/results/032bb85f-a61c-476f-8dc0-3ab0a8d37f07/
SH256 hash:
5bede9eedf6ae6df5a9d587c116c9583b31474c159c2b53486b000093cb3fde6
MD5 hash:
072eeac61b35d3f09edee4ff4f80f52d
SHA1 hash:
696fd9905a47e526470c2e234fef32f1ec1b74ad
Link:
https://www.unpac.me/results/032bb85f-a61c-476f-8dc0-3ab0a8d37f07/
SH256 hash:
f2bf539ba7668f4108476e85caa62464502309a36ed5d41e5638225d3673561c
MD5 hash:
6696d0786948ccf9f6155aaa0804d022
SHA1 hash:
4d6fb0da1431e3a862a0ce0a3f5aa3d2a919c270
Link:
https://www.unpac.me/results/032bb85f-a61c-476f-8dc0-3ab0a8d37f07/
SH256 hash:
f96aef873c1a5c589426c60c2100185ec588e76fd994c3412eab0634e3d41ebd
MD5 hash:
37f2927d7bf852298ca680400d522daf
SHA1 hash:
17274fb3dee0b53df70fd0a83e5066fd528f2909
Link:
https://www.unpac.me/results/032bb85f-a61c-476f-8dc0-3ab0a8d37f07/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
0.71
Link:
https://yomi.yoroi.company/submissions/f96aef873c1a5c589426c60c2100185ec588e76fd994c3412eab0634e3d41ebd

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

SnakeKeylogger

Executable exe f96aef873c1a5c589426c60c2100185ec588e76fd994c3412eab0634e3d41ebd

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/1394875/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/170998/

Comments