MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 fa7378e0cfb14dd80a72c29d787d670725bcaed8eb0040e983f03b89282ff73e. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


SnakeKeylogger


Vendor detections: 11


Intelligence 11 IOCs YARA 4 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: fa7378e0cfb14dd80a72c29d787d670725bcaed8eb0040e983f03b89282ff73e
SHA3-384 hash: 3a178c6442a9d2a9b293b4e1ba4fd0ffe7b1737d78065912dc049cacf811226c0221219091bc615a909308ea4d1cc9b1
SHA1 hash: ec9a9d1c8906950c0d3eae63a2e08acd289b0dfa
MD5 hash: 6480a9c55cee2aca22ed89e351066d6e
humanhash: wyoming-fanta-pasta-avocado
File name:SecuriteInfo.com.Heur.MSIL.Bladabindi.1.22234.2024
Download: download sample
Signature SnakeKeylogger
Create hunting rule
File size:8'704 bytes
First seen:2022-12-16 14:33:33 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 96:ufU1+dsKPzBcCP1XOeOVtlgBDihPj2Qxx59GHVnXaJCrw+xBskMrb38xdY8zNt:ufU1+dpDpOlsiPbxx5o1KJE16ox+G
Threatray 3'236 similar samples on MalwareBazaar
TLSH T18C022B26679D5B77E9AF4B339DA323401328E3520E5BC75F2BC4150FDE07B484A93A64
TrID 71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.2% (.EXE) Win64 Executable (generic) (10523/12/4)
6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.3% (.EXE) Win32 Executable (generic) (4505/5/1)
2.0% (.ICL) Windows Icons Library (generic) (2059/9)
Reporter SecuriteInfoCom
Tags:exe SnakeKeylogger

Intelligence

File Origin
# of uploads :
1
# of downloads :
161
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
SecuriteInfo.com.Heur.MSIL.Bladabindi.1.22234.2024
Verdict:
Malicious activity
Analysis date:
2022-12-16 14:36:24 UTC
Tags:
evasion trojan
Link:
https://app.any.run/tasks/7e873357-6c63-4ed8-b174-73cbc63bb4c4

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/347018/
Detection(s):
SecuriteInfo.com.Heur.MSIL.Bladabindi.1.22234.2024.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Сreating synchronization primitives
Launching a process
Creating a process with a hidden window
Sending a custom TCP request
Sending an HTTP GET request to an infection source
Verdict:
No Threat
Threat level:
  2/10
Confidence:
100%
Tags:
obfuscated packed
Link:
https://www.filescan.io/uploads/639c81dd73102ebf5216ad63/reports/d76f4dfe-2c44-42c9-a695-87b323c8ac49/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Suspicious
Link:
https://analyze.intezer.com/analyses/04808a0c-46f4-4453-b7ce-630c0bd1c931
Result
Threat name:
Snake Keylogger
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1135788
Signature
.NET source code contains potential unpacker
.NET source code references suspicious native API functions
Antivirus detection for URL or domain
Encrypted powershell cmdline option found
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
May check the online IP address of the machine
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Snort IDS alert for network traffic
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Mail credentials (via file / registry access)
Yara detected Costura Assembly Loader
Yara detected Generic Downloader
Yara detected Snake Keylogger
Yara detected Telegram RAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 768515 Sample: SecuriteInfo.com.Heur.MSIL.... Startdate: 16/12/2022 Architecture: WINDOWS Score: 100 48 Snort IDS alert for network traffic 2->48 50 Malicious sample detected (through community Yara rule) 2->50 52 Antivirus detection for URL or domain 2->52 54 9 other signatures 2->54 7 SecuriteInfo.com.Heur.MSIL.Bladabindi.1.22234.2024.exe 16 7 2->7         started        12 Slyuh.exe 14 3 2->12         started        14 Slyuh.exe 2 2->14         started        process3 dnsIp4 40 185.246.220.210, 49697, 49700, 49701 LVLT-10753US Germany 7->40 28 C:\Users\user\AppData\Roaming\...\Slyuh.exe, PE32 7->28 dropped 30 C:\Users\user\...\Slyuh.exe:Zone.Identifier, ASCII 7->30 dropped 32 SecuriteInfo.com.H....22234.2024.exe.log, ASCII 7->32 dropped 56 May check the online IP address of the machine 7->56 58 Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines) 7->58 60 Encrypted powershell cmdline option found 7->60 16 SecuriteInfo.com.Heur.MSIL.Bladabindi.1.22234.2024.exe 2 7->16         started        20 powershell.exe 16 7->20         started        62 Multi AV Scanner detection for dropped file 12->62 64 Machine Learning detection for dropped file 12->64 22 powershell.exe 12->22         started        file5 signatures6 process7 dnsIp8 34 checkip.dyndns.com 132.226.247.73, 49699, 80 UTMEMUS United States 16->34 36 checkip.dyndns.org 16->36 38 192.168.2.1 unknown unknown 16->38 42 Tries to steal Mail credentials (via file / registry access) 16->42 44 Tries to harvest and steal ftp login credentials 16->44 46 Tries to harvest and steal browser information (history, passwords, etc) 16->46 24 conhost.exe 20->24         started        26 conhost.exe 22->26         started        signatures9 process10
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/fa7378e0cfb14dd80a72c29d787d670725bcaed8eb0040e983f03b89282ff73e/
Threat name:
ByteCode-MSIL.Backdoor.Bladabhindi
Create hunting rule
Status:
Malicious
First seen:
2022-12-16 12:49:23 UTC
File Type:
PE (.Net Exe)
Extracted files:
2
AV detection:
10 of 39 (25.64%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=7jzxrygpwfg5qctsykoxq7lha4s3zlwy5maeb2md6a5yskbp647a._file
Verdict:
malicious
Similar samples:
2271dd64f293714d67e83203208ad1a9bfaa4ac31dd9c0b252645b0a3d3bfb94
SnakeKeylogger
2876a4b04f3d5d2803ae93fb9d3a827f2edbabf44e4327ac4dfa7b71a55b81ef
SnakeKeylogger
55466ebc5b9c9e17e47e2af745c118001c1163eaa9aa945760f90b2af3f8362c
SnakeKeylogger
60758b6b4ebbaa83e0db9c18686dd093961be3c87a30b14cc924ac0aa0f5c71c
SnakeKeylogger
81bf53fbfc3cac4f4e2a4d35692127d7a5f32d8b2c06fc44e30775c4ac0be8af
SnakeKeylogger
8805ca28e94bbac20828bd1fec5430481f724766240363c56d67041301021b08
SnakeKeylogger
a88df82e4b619c1586b5640c801616486f08b3bd32f766847f468d6a23b6c23e
SnakeKeylogger
b13700f6b5654760b7462c832b65592d6cccd3498f4094293fff020fb2b40970
SnakeKeylogger
d8d80ddc56f35bf9c2fd12a13dafb73f1768b7f36ad4c1bc3436dbfbfb0a6d9d
SnakeKeylogger
f3832b6368e6ae655c164c0acef137ae37e68dc8ed83ad1e452fdaad147bd122
SnakeKeylogger
+ 3'226 additional samples on MalwareBazaar
Result
Malware family:
snakekeylogger
Create hunting rule
Score:
  10/10
Tags:
family:snakekeylogger collection keylogger persistence spyware stealer
Link:
https://tria.ge/reports/221216-rxhzdaeh43/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Enumerates physical storage devices
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Adds Run key to start application
Looks up external IP address via web service
Checks computer location settings
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Snake Keylogger
Snake Keylogger payload
Verdict:
Malicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/f3bd257b-2bc8-4425-9107-891672a1f71e
Unpacked files
SH256 hash:
fa7378e0cfb14dd80a72c29d787d670725bcaed8eb0040e983f03b89282ff73e
MD5 hash:
6480a9c55cee2aca22ed89e351066d6e
SHA1 hash:
ec9a9d1c8906950c0d3eae63a2e08acd289b0dfa
Link:
https://www.unpac.me/results/4511ceee-9bb9-419f-8b7a-46e373e4526f/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.35
Link:
https://yomi.yoroi.company/submissions/fa7378e0cfb14dd80a72c29d787d670725bcaed8eb0040e983f03b89282ff73e

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:AsyncRat_Detection_Dec_2022
Create hunting rule
Author:Potatech
Description:AsyncRat
Rule name:INDICATOR_EXE_Packed_SmartAssembly
Create hunting rule
Author:ditekSHen
Description:Detects executables packed with SmartAssembly
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/347018/

Comments