MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 fc4b30802da59aafff89ecc9cac8981c35109b22cbdff3049bc1df46ca1543d6. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


SnakeKeylogger


Vendor detections: 14


Intelligence 14 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: fc4b30802da59aafff89ecc9cac8981c35109b22cbdff3049bc1df46ca1543d6
SHA3-384 hash: bf39e43338789e9b37f943c725e2e0ce308f77bf6872d1c83d3639de104f585989b83d2366738e8f7c45b22d2bc4933f
SHA1 hash: 32b24d9e7227516f58ee1928872af6f6a3dd98b4
MD5 hash: 2ba38d110d7f63bef0ec0dc14bd71f9a
humanhash: robert-stream-magazine-michigan
File name:Qz8jD8IBXlSH0Gp.exe
Download: download sample
Signature SnakeKeylogger
Create hunting rule
File size:698'368 bytes
First seen:2023-09-29 08:49:13 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'740 x AgentTesla, 19'600 x Formbook, 12'241 x SnakeKeylogger)
ssdeep 12288:J80WWObWINS+bX4QJNmzgSi7e/HxqQSRsrY0yTT2Vqsy3kxi4bTlmS:V4bNSaIoNOgSiqoQSRsrvyTaG3YTlm
Threatray 5'346 similar samples on MalwareBazaar
TLSH T1ECE4F1A1F2A888AAE45942B5882DD8100E73685F60B1C66E35CF767D5FF33831553F2B
TrID 71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.2% (.EXE) Win64 Executable (generic) (10523/12/4)
6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.3% (.EXE) Win32 Executable (generic) (4505/5/1)
2.0% (.ICL) Windows Icons Library (generic) (2059/9)
File icon (PE):PE icon
dhash icon 79e4e4ccccc4ccc0 (16 x AgentTesla, 3 x njrat, 3 x GuLoader)
Reporter abuse_ch
Tags:exe SnakeKeylogger

Intelligence

File Origin
# of uploads :
1
# of downloads :
279
Origin country :
NL NL
Vendor Threat Intelligence
Detection(s):
Porcupine.Malware.58887.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a custom TCP request
Unauthorized injection to a recently created process
Restart of the analyzed sample
Creating a file
Сreating synchronization primitives
DNS request
Sending an HTTP GET request
Reading critical registry keys
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
packed
Link:
https://www.filescan.io/uploads/65168fba32ffdb7a7a18a355/reports/d9719164-c9de-4405-adc0-3c21ddefd0f2/overview
Verdict:
Malicious
Labled as:
Trojan.Generic
Link:
https://www.hybrid-analysis.com/sample/fc4b30802da59aafff89ecc9cac8981c35109b22cbdff3049bc1df46ca1543d6
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Snake Keylogger
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/a8a90fcc-fe87-4f69-90cd-85044f5146cf
Result
Threat name:
Snake Keylogger
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1316281
Signature
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains potential unpacker
Antivirus / Scanner detection for submitted sample
Found malware configuration
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
May check the online IP address of the machine
Multi AV Scanner detection for submitted file
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Yara detected AntiVM3
Yara detected Generic Downloader
Yara detected Snake Keylogger
Yara detected Telegram RAT
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/fc4b30802da59aafff89ecc9cac8981c35109b22cbdff3049bc1df46ca1543d6/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2023-09-26 07:17:34 UTC
AV detection:
19 of 36 (52.78%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=7rftbabnuwnk774j5te4vseydq2rbgzczpp7gbe3yhpunsqvipla._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
0dd0c3082323a331ad2d5d36f5f7f3ac11826772077df7462da3229525d97862
SnakeKeylogger
33f030952825d10fe2cef3f27e618ba98ec6c6db56052c1c1ddf813a17b17db8
SnakeKeylogger
347a49b7e5d032c2585811ec299182ec24139fd12d967aea4749e44cf0c6dc9a
SnakeKeylogger
8d83ade2f457cb68c65f876f70cc24ae233b080d8b6cdfeea7bf47c2d658b956
SnakeKeylogger
90a1d9ed818948ecf53b88389a0a5ae7f96b9c530a4df4ad831238b752935515
SnakeKeylogger
b352240fa38b300daa9836619208b96eb7461b795f8e6242d85157703c978dc6
SnakeKeylogger
eeef52701956cc860771ef368589e3590a1e55a172910fb7b02950a5f9a06a9e
SnakeKeylogger
+ 5'336 additional samples on MalwareBazaar
Result
Malware family:
snakekeylogger
Create hunting rule
Score:
  10/10
Tags:
family:snakekeylogger collection keylogger spyware stealer
Link:
https://tria.ge/reports/230929-krl1hsgh5s/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Looks up external IP address via web service
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Snake Keylogger
Snake Keylogger payload
Malware Config
C2 Extraction:
https://api.telegram.org/bot6672846419:AAFSAihbjn4BiXgm0YY8G7ozGP9JeR3fpi4/sendMessage?chat_id=6469857895
Unpacked files
SH256 hash:
9c9b421b05d212d1115edbda2b840764557e173cb43e7056aa1b90e4ad550778
MD5 hash:
8637a9ebbb851dabe737396ca69fc551
SHA1 hash:
f310830d4d0983a159ffefb399c455e3ea645a70
Link:
https://www.unpac.me/results/f18b548e-3d89-46ae-adab-c63fee367613/
SH256 hash:
8166edc6402990e60b92312dd5e6347d8579bfff3958e37bed5cebc316705c5b
MD5 hash:
5cad89fc586f13bd55a4788c995ec3d9
SHA1 hash:
e767585176f1a7ca61ca7a8b732f791a4f883c45
Link:
https://www.unpac.me/results/f18b548e-3d89-46ae-adab-c63fee367613/
SH256 hash:
7586cad649300438434035d8d00a0d4c7b0455b77c56b0335b7816ef1c528187
MD5 hash:
4308186b2d36d3c1bcfec00bcdb9d59e
SHA1 hash:
89dde3640c65876e9b4752131e0f4b1dd8d41bf2
Detections:
snake_keylogger
Create hunting rule
Link:
https://www.unpac.me/results/f18b548e-3d89-46ae-adab-c63fee367613/
SH256 hash:
7ec118e70613ce2d9aee29cda2918ca710dde346c68d4da75c2ea0402e6d4391
MD5 hash:
1622a62bf6805b2dca82a8632eceac71
SHA1 hash:
071b72a5a1231149dfe4b9fcfa3a6ee49265ab7c
Link:
https://www.unpac.me/results/f18b548e-3d89-46ae-adab-c63fee367613/
SH256 hash:
fc4b30802da59aafff89ecc9cac8981c35109b22cbdff3049bc1df46ca1543d6
MD5 hash:
2ba38d110d7f63bef0ec0dc14bd71f9a
SHA1 hash:
32b24d9e7227516f58ee1928872af6f6a3dd98b4
Link:
https://www.unpac.me/results/f18b548e-3d89-46ae-adab-c63fee367613/
Malware family:
SnakeKeylogger
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/fc4b30802da5/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Password Stealer
Score:
0.90
Link:
https://yomi.yoroi.company/submissions/fc4b30802da59aafff89ecc9cac8981c35109b22cbdff3049bc1df46ca1543d6

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

SnakeKeylogger

Executable exe fc4b30802da59aafff89ecc9cac8981c35109b22cbdff3049bc1df46ca1543d6

(this sample)

  
Delivery method
Distributed via e-mail attachment

Comments