MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 fa54a0e38ed90dc2ff10c8275a595a90b594864c1bcaeb9f3e9ff6d6e02ade28. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


SnakeKeylogger


Vendor detections: 13


Intelligence 13 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: fa54a0e38ed90dc2ff10c8275a595a90b594864c1bcaeb9f3e9ff6d6e02ade28
SHA3-384 hash: 736a0e19d7108a5728c0451f369cc83c1e530c1037b83751c43f79958304bcdb57d319c5a3290aecafbb1c849c41b720
SHA1 hash: 2ee0f0d74bbff243abf3d595ff7cdc451cd62dd7
MD5 hash: 3b7660047fee00a854f352ef0aeb882e
humanhash: lake-sixteen-foxtrot-rugby
File name:wMxu1qFNTYjHMC0.exe
Download: download sample
Signature SnakeKeylogger
Create hunting rule
File size:727'552 bytes
First seen:2022-02-19 11:07:53 UTC
Last seen:2022-02-21 13:50:15 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'748 x AgentTesla, 19'649 x Formbook, 12'245 x SnakeKeylogger)
ssdeep 12288:45VkoKxYA6sk11wTG+7L2Abnyv2SjgmZ/MiDELcKhclH4DgQ2kmutHfjc:7Tk16TG+7DbqTUmZgtcpWgQlZ7c
Threatray 1'142 similar samples on MalwareBazaar
TLSH T1D9F49E6631FF1056D3A2EBF20FE4FCBF8A6AF173121E753930815B5A87229409A42775
Reporter cocaman
Tags:exe SnakeKeylogger

Intelligence

File Origin
# of uploads :
2
# of downloads :
334
Origin country :
n/a
Vendor Threat Intelligence
Detection:
Snake
Create hunting rule
Link:
https://www.capesandbox.com/analysis/242656/
Detection(s):
SecuriteInfo.com.Trojan.Siggen16.57439.UNOFFICIAL
Create hunting rule

SecuriteInfo.com.Scr.Malcodegdn30.14006.UNOFFICIAL
Create hunting rule

Result
Verdict:
Suspicious
Maliciousness:

Behaviour
Creating a window
DNS request
Sending a custom TCP request
Сreating synchronization primitives
Launching a process
Creating a process with a hidden window
Using the Windows Management Instrumentation requests
Creating a file
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
obfuscated packed
Link:
https://www.filescan.io/uploads/6210cf95875593a3ccebe1e8/reports/ecc5ab47-f223-4999-8805-6bfeaabd65ef/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Snake Keylogger
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/46b305d2-334f-49b1-87fd-d42b04ffbcc6
Result
Threat name:
Snake Keylogger
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/942597
Signature
.NET source code contains very large strings
.NET source code references suspicious native API functions
Adds a directory exclusion to Windows Defender
Found malware configuration
Injects a PE file into a foreign processes
Malicious sample detected (through community Yara rule)
May check the online IP address of the machine
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sigma detected: Powershell Defender Exclusion
Sigma detected: Suspicius Add Task From User AppData Temp
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Mail credentials (via file / registry access)
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected AntiVM3
Yara detected Snake Keylogger
Yara detected Telegram RAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 575075 Sample: wMxu1qFNTYjHMC0.exe Startdate: 19/02/2022 Architecture: WINDOWS Score: 100 39 Found malware configuration 2->39 41 Malicious sample detected (through community Yara rule) 2->41 43 Multi AV Scanner detection for dropped file 2->43 45 9 other signatures 2->45 7 wMxu1qFNTYjHMC0.exe 7 2->7         started        process3 file4 27 C:\Users\user\AppData\...\bUevpYSlXDKS.exe, PE32 7->27 dropped 29 C:\Users\user\AppData\Local\Temp\tmp8B4.tmp, XML 7->29 dropped 31 C:\Users\user\...\wMxu1qFNTYjHMC0.exe.log, ASCII 7->31 dropped 47 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 7->47 49 May check the online IP address of the machine 7->49 51 Uses schtasks.exe or at.exe to add and modify task schedules 7->51 53 2 other signatures 7->53 11 wMxu1qFNTYjHMC0.exe 7->11         started        15 powershell.exe 24 7->15         started        17 powershell.exe 25 7->17         started        19 2 other processes 7->19 signatures5 process6 dnsIp7 33 checkip.dyndns.org 11->33 35 checkip.dyndns.com 132.226.247.73, 49746, 80 UTMEMUS United States 11->35 37 freegeoip.app 188.114.96.7, 443, 49747 CLOUDFLARENETUS European Union 11->37 55 Tries to steal Mail credentials (via file / registry access) 11->55 57 Tries to harvest and steal ftp login credentials 11->57 59 Tries to harvest and steal browser information (history, passwords, etc) 11->59 21 conhost.exe 15->21         started        23 conhost.exe 17->23         started        25 conhost.exe 19->25         started        signatures8 process9
Detection:
snakekeylogger
Create hunting rule
Link:
https://mwdb.cert.pl/sample/fa54a0e38ed90dc2ff10c8275a595a90b594864c1bcaeb9f3e9ff6d6e02ade28/
Threat name:
ByteCode-MSIL.Trojan.SnakeKeylogger
Create hunting rule
Status:
Malicious
First seen:
2022-02-19 11:08:11 UTC
File Type:
PE (.Net Exe)
Extracted files:
6
AV detection:
26 of 43 (60.47%)
Threat level:
  5/5
Verdict:
malicious
Similar samples:
03b444ef6ba1e309b9879f3f0bc76cebe529452fb02bf28268660a6a9ca895af
SnakeKeylogger
421cc18ce6b5bbcc3af9e2ee1a9e51856569e01a3e5b48f4737d5dabfafa18d8
SnakeKeylogger
459b8985e3f69d8f12e88f2343c03240801555e6d331cd00c992bbc1a32ef7a3
SnakeKeylogger
510fc8ddf4ef05deb48ee47645b7df2c5f577179a80f84fbe091ba1ad5589f52
SnakeKeylogger
76b94f42e56a83c28cd00b144aa984bf341d44a3f9a4fd6976404411789871a9
SnakeKeylogger
86f53f940d688545a1d2b96f1ee89653e406e9f3f150f415c944968090210b07
SnakeKeylogger
a2c7d9292c12cdc454cfbfd6dfbee89dae1a347795f0df591250e0db18e43468
SnakeKeylogger
b9003a62421e0cd7b4a43562ed01cbf55c57e068e8ed6e0c61d6cfc458d62762
SnakeKeylogger
+ 1'132 additional samples on MalwareBazaar
Result
Malware family:
snakekeylogger
Create hunting rule
Score:
  10/10
Tags:
family:snakekeylogger collection evasion keylogger spyware stealer
Link:
https://tria.ge/reports/220219-m8jylabdfl/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Enumerates physical storage devices
Drops file in Windows directory
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Looks up external IP address via web service
Maps connected drives based on registry
Checks BIOS information in registry
Checks computer location settings
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Looks for VMWare Tools registry key
Looks for VirtualBox Guest Additions in registry
Snake Keylogger
Snake Keylogger Payload
Unpacked files
SH256 hash:
247bf6b1dbc9d001d5e6ebdd57a8e26c2e2dffc7732e89d17855ec0a617f18b4
MD5 hash:
b938ddbbce0a17bb2f6c3872cdf5abba
SHA1 hash:
c3ac02470680a1a76b6f1fc692ae84130ebea79a
Link:
https://www.unpac.me/results/2ae175ee-2220-4e96-8b0d-6040a44a0b23/
SH256 hash:
2485269a549e18ff8ece021a9906faa47703007568d15217ab324583dda747ec
MD5 hash:
51049d4f03365a7b933e953e595da2a7
SHA1 hash:
b9907d1e53f84c1c0a8da4c6ad5855ed992a133a
Link:
https://www.unpac.me/results/2ae175ee-2220-4e96-8b0d-6040a44a0b23/
SH256 hash:
e33254e2ad4d279914a29450f98d1750a9f513fc8ddb853e0dd8346b805faa43
MD5 hash:
b597cce7bfc65e56fa69ebb7f413a33f
SHA1 hash:
7ee40df5ac783432e7c9f7be4f7ed1f286345d58
Link:
https://www.unpac.me/results/2ae175ee-2220-4e96-8b0d-6040a44a0b23/
SH256 hash:
f71225a17b8fda5c2856db42efb2450121df7dd2443d7a3df3cb4d2187e7aef7
MD5 hash:
f62937a85e66c4921e6c027cd4b56ecc
SHA1 hash:
532c3b5b0f0a778647415c49fdf0999c7ebcdc0e
Link:
https://www.unpac.me/results/2ae175ee-2220-4e96-8b0d-6040a44a0b23/
SH256 hash:
fa54a0e38ed90dc2ff10c8275a595a90b594864c1bcaeb9f3e9ff6d6e02ade28
MD5 hash:
3b7660047fee00a854f352ef0aeb882e
SHA1 hash:
2ee0f0d74bbff243abf3d595ff7cdc451cd62dd7
Link:
https://www.unpac.me/results/2ae175ee-2220-4e96-8b0d-6040a44a0b23/
Malware family:
Phoenix
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/fa54a0e38ed9/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/fa54a0e38ed90dc2ff10c8275a595a90b594864c1bcaeb9f3e9ff6d6e02ade28

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

SnakeKeylogger

zip d0953cf55d31eff83f85cbd935cc0571bcecb77a4ad5c6b3d6012cb5a88aefa2

SnakeKeylogger

Executable exe fa54a0e38ed90dc2ff10c8275a595a90b594864c1bcaeb9f3e9ff6d6e02ade28

(this sample)

  
Delivery method
Other
  
Dropped by
SHA256 d0953cf55d31eff83f85cbd935cc0571bcecb77a4ad5c6b3d6012cb5a88aefa2
Cape
Cape
https://www.capesandbox.com/analysis/242656/

Comments