MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 fa06efa7ae0bfe45997fe30f5cf4a62be3d804ea3347777ed84a0dc87bb2f2e2. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

SnakeKeylogger

Vendor detections: 15

Intelligence 15 IOCs YARA 2 File information Comments

SHA256 hash:	fa06efa7ae0bfe45997fe30f5cf4a62be3d804ea3347777ed84a0dc87bb2f2e2
SHA3-384 hash:	d587d3513dc3febd3d39fbbbef348ec40cce11c0df7951155a081d7b2b5c61e39cb7f09b3be96b541fd124d514df341d
SHA1 hash:	69856cc4072183bc57e89566f12f5e861e8cf107
MD5 hash:	53c9c38d1ac853987477c01531914297
humanhash:	oxygen-dakota-oscar-missouri
File name:	53c9c38d1ac853987477c01531914297.exe
Download:	download sample
Signature	SnakeKeylogger Create hunting rule
File size:	671'232 bytes
First seen:	2022-11-29 07:19:07 UTC
Last seen:	2022-11-29 08:33:13 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'648 x AgentTesla, 19'452 x Formbook, 12'201 x SnakeKeylogger)
ssdeep	12288:rOvCM7xRNsXD6iYiXNGJd0llr3AA3rAHMd/OGOeHU8d5SmRTL538Hnpe:sCM7xzWNGWwA37WCUQrRTL5MHnpe
Threatray	9'979 similar samples on MalwareBazaar
TLSH	T144E4F1BEF5EB8F13C7941576C0D2AA2003F695838537E7573A9013D94E627E48C4ABCA
TrID	60.4% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13) 10.8% (.SCR) Windows screen saver (13097/50/3) 8.7% (.EXE) Win64 Executable (generic) (10523/12/4) 5.4% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 4.1% (.EXE) Win16 NE executable (generic) (5038/12/1)
Reporter	abuse_ch
Tags:	exe SnakeKeylogger

Intelligence

File Origin

# of uploads :

# of downloads :

259

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

53c9c38d1ac853987477c01531914297.exe

Verdict:

Malicious activity

Analysis date:

2022-11-29 07:21:00 UTC

Tags:

evasion trojan

Link:

https://app.any.run/tasks/5af5247e-286f-44ff-9d53-bf546361c4a6

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

Snake

Link:

https://www.capesandbox.com/analysis/339660/

Detection(s):

SecuriteInfo.com.Win32.PWSX-gen.18095.5892.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

clipbanker packed

Link:

https://www.filescan.io/uploads/6385b2a400c584752ee266ec/reports/17502ae1-1c4f-4b84-8227-8f811540c95c/overview

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Snake Keylogger

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/9860259e-85b2-475b-93b2-949035663b90

Result

Threat name:

Snake Keylogger

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1123110

Signature

.NET source code contains method to dynamically call methods (often used by packers)

.NET source code references suspicious native API functions

Injects a PE file into a foreign processes

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

May check the online IP address of the machine

Multi AV Scanner detection for submitted file

Snort IDS alert for network traffic

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to steal Mail credentials (via file / registry access)

Yara detected AntiVM3

Yara detected Generic Downloader

Yara detected Snake Keylogger

Yara detected Telegram RAT

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/fa06efa7ae0bfe45997fe30f5cf4a62be3d804ea3347777ed84a0dc87bb2f2e2/

Threat name:

ByteCode-MSIL.Backdoor.Androm

Status:

Malicious

First seen:

2022-11-29 07:20:09 UTC

File Type:

PE (.Net Exe)

Extracted files:

AV detection:

19 of 40 (47.50%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=7ido7j5obp7elgl74mhvz5fgfpr5qbhkgndxo7wyjig4q65s6lra._file

Verdict:

malicious

SnakeKeylogger

2f6e6357881973427aa992355125e2a7be58586613136a7fa4a84a49dd28dc93

SnakeKeylogger

41130c6ae73f211bab65e86f956f2c11ea1455089d21b5f18316353e5e370437

SnakeKeylogger

c498b83c2623ae4b95259430d63e9ef264941ffa0bfb7a7005f3db8244a69707

SnakeKeylogger

cd004920d1ca92cbfa11e014394a37dac188f65a0c6baf476601d462999126fa

SnakeKeylogger

edbc2a3471d87508b3e4b9174ab90a6a04529a2cef9373e3e1b4f3d97fb3afaf

SnakeKeylogger

eee60f047d393679542dcc545a824cc4946da2ab2c836944ace74ba5044c1696

SnakeKeylogger

+ 9'969 additional samples on MalwareBazaar

Result

Malware family:

snakekeylogger

Score:

10/10

Tags:

family:snakekeylogger collection keylogger spyware stealer

Link:

https://tria.ge/reports/221129-h5425sge47/

Behaviour

Checks processor information in registry

Enumerates system info in registry

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

outlook_office_path

outlook_win_path

Drops file in System32 directory

Suspicious use of SetThreadContext

Accesses Microsoft Outlook profiles

Looks up external IP address via web service

Reads data files stored by FTP clients

Reads user/profile data of local email clients

Reads user/profile data of web browsers

Snake Keylogger

Snake Keylogger payload

Unpacked files

SH256 hash:

31971b4b3e148fcbf9d46cde09b61586d69c49bffab0b5e9d310e4b33cbac109

MD5 hash:

f52d444e73adca43894107dc048a9493

SHA1 hash:

f99753d07ad99c1ca8132fd4a05dffeefdecd1f7

Detections:

snake_keylogger

Link:

https://www.unpac.me/results/6278fb2e-0089-4d4f-aa56-44fef957b544/

Parent samples :

4fc184671e57d103f1d4d2522d561c4e36d0eb1b221c4f05e5e77e044fbc3570
1c5c202227d0b0c0abe7a8ef1e67079069700a7c2aaec0b08bd552d93f3da63a
7e2ff70acafb2544bc87b72e69b8b6796f9ad66a9d57177453d193f2ddb174b0
fa06efa7ae0bfe45997fe30f5cf4a62be3d804ea3347777ed84a0dc87bb2f2e2
6a9d3a6f928c5a2a9ab9abe269027f3b987045fbb30803dd431ae2f56d5f859c
d08aee2638f316b2037d19ad89b2b23e9f12446a5d57b66330482ffb1a0e5be8
54bf780d0d0ac62c5f8542cc4b960152e90ffee21b3a99ab1a9ef06bf6e822d6
971e1093a54debf9b5fbdf5b68d7f59073f98737174f2acb7633c71ec545f554
e65c8404e4199df1515eba17f546cf27c15c2391bc40189ea2636869e9811f6f
085046ececcff959420164dc9ff1f78b7d05abf01d4fe00e35933cf98a0698e5
4c355f38322d2cf4c55c34d6d938a91a71bf90d3263d50548fc51f315cb279a4
bfbe89a923b76a0f6ef973b02eeeef58477da68a752a40a3875047f11c83a68f
4c5a48d3ae028c27963e1af00e3a03450a84960eeb5049a836e2628962525506

SH256 hash:

6cc82c89739278dc1d65d75f004ccae5f8a5e738174d488b3decf462c362592d

MD5 hash:

421743450ef7d8031aedb372a9c5dc9f

SHA1 hash:

c4918c9f67a70057ee223ccd393586fe8f504679

Link:

https://www.unpac.me/results/6278fb2e-0089-4d4f-aa56-44fef957b544/

SH256 hash:

3624268b1bf67fd3f560f345e5171f3a2f8968a776c23816ea76fc0ef41b0f03

MD5 hash:

1619753b625e58c25b73fbf1f0bff482

SHA1 hash:

c0d7922bdbc10ef0ee1606a40c2dedd22cb180d4

Link:

https://www.unpac.me/results/6278fb2e-0089-4d4f-aa56-44fef957b544/

SH256 hash:

295afe683b7224d68ecc4fe7e505738706c025e143c1b77e2c50a975a71c8b98

MD5 hash:

6ce7e292c4b775ac916e98d9e1eb92e4

SHA1 hash:

b3889d70cee51eb90c3f1598c98cc4ea62b2860e

Link:

https://www.unpac.me/results/6278fb2e-0089-4d4f-aa56-44fef957b544/

SH256 hash:

6a7ea91e29d16c5d25056e77e162f9f368b4ba999cf9d9558b75e0a5ace52778

MD5 hash:

bc20e2bb86ed87b8c554d14787f77667

SHA1 hash:

75813e351cef97f6d9262a9d0b0d332a0387c4b2

Link:

https://www.unpac.me/results/6278fb2e-0089-4d4f-aa56-44fef957b544/

SH256 hash:

340ba2312d5cdfc3d89f3f35f627187dcb406e5afea134bc76b04f52f4285df3

MD5 hash:

85f9290aa8900e9fd74b01ee23125706

SHA1 hash:

310eb5e4aea5471b74a6385f1da283b9d8e3d698

Link:

https://www.unpac.me/results/6278fb2e-0089-4d4f-aa56-44fef957b544/

SH256 hash:

fa06efa7ae0bfe45997fe30f5cf4a62be3d804ea3347777ed84a0dc87bb2f2e2

MD5 hash:

53c9c38d1ac853987477c01531914297

SHA1 hash:

69856cc4072183bc57e89566f12f5e861e8cf107

Link:

https://www.unpac.me/results/6278fb2e-0089-4d4f-aa56-44fef957b544/

Malware family:

SnakeKeylogger

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/fa06efa7ae0b/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Suspicious File

Score:

0.65

Link:

https://yomi.yoroi.company/submissions/fa06efa7ae0bfe45997fe30f5cf4a62be3d804ea3347777ed84a0dc87bb2f2e2

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	pe_imphash Create hunting rule

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

SnakeKeylogger

exe fa06efa7ae0bfe45997fe30f5cf4a62be3d804ea3347777ed84a0dc87bb2f2e2

(this sample)

URLhaus

https://urlhaus.abuse.ch/url/2286568/

Delivery method

Distributed via web download

Cape

https://www.capesandbox.com/analysis/339660/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample