MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 fa7d933860e3500a28e659fcdf620b877bc3ddf20b8b99ccadfd261219492d4a. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

SnakeKeylogger

Vendor detections: 16

Intelligence 16 IOCs YARA 2 File information Comments

SHA256 hash:	fa7d933860e3500a28e659fcdf620b877bc3ddf20b8b99ccadfd261219492d4a
SHA3-384 hash:	e0ad4f8cad2d91ba3ca4d5a5f94780e47f6558e9452fb7b85a95c2754efa176c8411c6fec16ef5c4e46acb59c335123f
SHA1 hash:	4a33c16be65b2f7ef26313424d8dcc93a2fce93c
MD5 hash:	b6012c3be3fd0ff438a0361f9c78990d
humanhash:	william-harry-fanta-georgia
File name:	Shipping Documents.pdf.exe
Download:	download sample
Signature	SnakeKeylogger Create hunting rule
File size:	625'152 bytes
First seen:	2023-04-28 04:29:36 UTC
Last seen:	2023-05-01 08:52:38 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'747 x AgentTesla, 19'638 x Formbook, 12'244 x SnakeKeylogger)
ssdeep	12288:FwS84ULb0GP6t4WieeS3qigw+5gJmiiAUw:uZ4ULbhP6yH+Yw/viAU
Threatray	497 similar samples on MalwareBazaar
TLSH	T170D4043C09BDE23B91B8D6A58FE1842BF750D5AB3115AEE6ACD347518316E1234C723E
TrID	63.0% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13) 11.2% (.SCR) Windows screen saver (13097/50/3) 9.0% (.EXE) Win64 Executable (generic) (10523/12/4) 5.6% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 3.8% (.EXE) Win32 Executable (generic) (4505/5/1)
Reporter	abuse_ch
Tags:	exe SnakeKeylogger

Intelligence

File Origin

# of uploads :

# of downloads :

246

Origin country :

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

Shipping Documents.pdf.exe

Verdict:

Malicious activity

Analysis date:

2023-04-28 04:34:33 UTC

Tags:

snake keylogger trojan evasion

Link:

https://app.any.run/tasks/34e95dfb-c645-4f05-93f7-05d18791e181

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

Snake

Link:

https://www.capesandbox.com/analysis/385297/

Detection(s):

Sanesecurity.Malware.28872.BadIN4.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

Sending a custom TCP request

Launching a process

Creating a process with a hidden window

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

formbook packed

Link:

https://www.filescan.io/uploads/644b4d18d7f41b9c67313f3f/reports/8e0c7c8a-74a5-4f63-9787-1cee47107bae/overview

Verdict:

Malicious

Labled as:

Win/malicious_confidence_100%

Link:

https://www.hybrid-analysis.com/sample/fa7d933860e3500a28e659fcdf620b877bc3ddf20b8b99ccadfd261219492d4a

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Snake Keylogger

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/f8f85941-27f9-4b44-87bd-dd579b407451

Result

Threat name:

Snake Keylogger, StormKitty

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1222602

Signature

Adds a directory exclusion to Windows Defender

Found malware configuration

Initial sample is a PE file and has a suspicious name

Machine Learning detection for dropped file

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

May check the online IP address of the machine

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Sigma detected: Scheduled temp file as task from temp location

Snort IDS alert for network traffic

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Mail credentials (via file / registry access)

Uses an obfuscated file name to hide its real file extension (double extension)

Uses schtasks.exe or at.exe to add and modify task schedules

Uses the Telegram API (likely for C&C communication)

Yara detected Generic Downloader

Yara detected Snake Keylogger

Yara detected StormKitty Stealer

Yara detected Telegram RAT

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/fa7d933860e3500a28e659fcdf620b877bc3ddf20b8b99ccadfd261219492d4a/

Threat name:

Win32.Trojan.Barys

Status:

Malicious

First seen:

2023-04-27 10:49:32 UTC

File Type:

PE (.Net Exe)

Extracted files:

AV detection:

14 of 22 (63.64%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=7j6zgoda4niaukhglh6n6yqlq554hxpsbofzttfn7utbegkjfvfa._file

Verdict:

malicious

SnakeKeylogger

351c0e2125e4a520bbe97ba66e4596f6a95fe1f52e2fafb7baef5cc0034aeb19

SnakeKeylogger

36092694a2b80c584ba98d16b112b3202847072d164cdf8fdaab5c7fe2d3680c

SnakeKeylogger

3a4a199fb9796ce914f2b483e367190289a0a7586650b22cda8e7ba631cb11c6

SnakeKeylogger

423ddc341c1073c5bef83b2ef6b61a3ba96532a47566127b3006a25da4b0212a

SnakeKeylogger

86dcc7e6f6823b793907989be56679cbd0e40cf78353601b001548311be0434b

SnakeKeylogger

9e9271e281e82549c613d3aba4a0603536a63c960bf42c16302f6b7668de0d78

SnakeKeylogger

ab9c917e122563e1c30825d5630c74a667f559112924c9bae5b04456073131ca

SnakeKeylogger

bce664433cf5bc9dd22b054ddb25edd926ba0b6124c2f5d0f99dcdcef356a715

SnakeKeylogger

e6c7bf9f389f560ec25ba1808468c5d334cf75d2142face3704aac05af8c024b

SnakeKeylogger

+ 487 additional samples on MalwareBazaar

Result

Malware family:

stormkitty

Score:

10/10

Tags:

family:snakekeylogger family:stormkitty collection keylogger spyware stealer

Link:

https://tria.ge/reports/230428-e7l3kadg2z/

Behaviour

Creates scheduled task(s)

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

outlook_office_path

outlook_win_path

Enumerates physical storage devices

Suspicious use of SetThreadContext

Accesses Microsoft Outlook profiles

Looks up external IP address via web service

Checks computer location settings

Reads user/profile data of web browsers

Snake Keylogger

Snake Keylogger payload

StormKitty

StormKitty payload

Malware Config

C2 Extraction:

https://api.telegram.org/bot6029559841:AAEqr8_NCfqapJgAzw8PoPbqoCosnsk1VO0/sendMessage?chat_id=6033043077

Unpacked files

SH256 hash:

58d2780bac07a53fa9ef0099c386ad23c2c5b83df99e18bbcca9895f829ef5d8

MD5 hash:

3a6ac846fbf56df68c3cb61cd18c7623

SHA1 hash:

e5b7f4e47b357f330b33330663ff5739a02d442f

Link:

https://www.unpac.me/results/688dbd95-2303-46a0-8148-027a51e59943/

SH256 hash:

535452e10ea17dfbbab651d02f2dccdaaaa3221ba37d748185460adec5c53262

MD5 hash:

b2aff05102fc2742f39e70c6846b8c88

SHA1 hash:

80784b6c6f1cbc25990bc8b9eb8ff759e0986619

Link:

https://www.unpac.me/results/688dbd95-2303-46a0-8148-027a51e59943/

SH256 hash:

b7a96333a6c25856272fe11630d560a2657e17adfe291f3fd0a0124d5b7cfaaf

MD5 hash:

be431dba0ba422997a0e3d2cb30e7f8a

SHA1 hash:

4de5a3f0c52abdf440d80bf6d5faa3f0220209fc

Detections:

snake_keylogger

Link:

https://www.unpac.me/results/688dbd95-2303-46a0-8148-027a51e59943/

Parent samples :

ab9c917e122563e1c30825d5630c74a667f559112924c9bae5b04456073131ca
39f277905df11e6a2050a482ecd4f274e4dc8a1fd3e936dd5f3cc4b6b9841dfc
b7a96333a6c25856272fe11630d560a2657e17adfe291f3fd0a0124d5b7cfaaf
21777e7d8c275e5e9fc22a08172bfd5b9872340f46523df83bf2dd7a4b611dd2
ae5276221d11792a6242379a4111aa92c79256724b593408e8a02b585279b94e
a44320330ed902d953b355c6f795742ff5f0c0f0548ded9cb2e5edfd7e255502
fa7d933860e3500a28e659fcdf620b877bc3ddf20b8b99ccadfd261219492d4a
de567e5c1f4968bfb083ffcb111e1d0613780a47c58767af65fbd90c27507b4b

SH256 hash:

e5518e76f14e87bcc58a705c6f8f3a686cbffefc0e55985d17a067adfddf3688

MD5 hash:

920a2854e9c183ad2ef7d5543c296d38

SHA1 hash:

2c20da753bdf6f1a46261e2c132dd42f75c94229

Link:

https://www.unpac.me/results/688dbd95-2303-46a0-8148-027a51e59943/

SH256 hash:

a5b9cab738464b1043b96b0ed55d1302efb3fbaa31b29a2e49f875799ee062d6

MD5 hash:

7f20157b4187f45d4e46e3838201cd9e

SHA1 hash:

1af9490ab875ce2dc598bfff91c3375ff46da4b9

Link:

https://www.unpac.me/results/688dbd95-2303-46a0-8148-027a51e59943/

SH256 hash:

fa7d933860e3500a28e659fcdf620b877bc3ddf20b8b99ccadfd261219492d4a

MD5 hash:

b6012c3be3fd0ff438a0361f9c78990d

SHA1 hash:

4a33c16be65b2f7ef26313424d8dcc93a2fce93c

Link:

https://www.unpac.me/results/688dbd95-2303-46a0-8148-027a51e59943/

Malware family:

SnakeKeylogger

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/fa7d933860e3/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/fa7d933860e3500a28e659fcdf620b877bc3ddf20b8b99ccadfd261219492d4a

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	pe_imphash Create hunting rule

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

SnakeKeylogger

exe fa7d933860e3500a28e659fcdf620b877bc3ddf20b8b99ccadfd261219492d4a

(this sample)

Delivery method

Distributed via e-mail attachment

Cape

https://www.capesandbox.com/analysis/385297/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample