MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 fd0eb9d6c810a95a60884e73cfe73d758649394dfbae4b8cc5739f942d47bdcc. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

SnakeKeylogger

Vendor detections: 15

Intelligence 15 IOCs YARA 10 File information Comments

SHA256 hash:	fd0eb9d6c810a95a60884e73cfe73d758649394dfbae4b8cc5739f942d47bdcc
SHA3-384 hash:	6851b09a6c7c728561fbfab681ee4294d3d18a847968ef6a9441a1be1193fab27752e4d869fa32f697c76d79f4494fc0
SHA1 hash:	1ecf53302a84cef68272b8841a2e02da510c6330
MD5 hash:	a758f4b623ffce5221cd823e80fb2e9f
humanhash:	quiet-quebec-cold-oranges
File name:	a758f4b623ffce5221cd823e80fb2e9f.exe
Download:	download sample
Signature	SnakeKeylogger Create hunting rule
File size:	131'072 bytes
First seen:	2023-01-23 18:25:06 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep	3072:NYbcQrB/lALWhA8aMb8hzp+7wBVUwFbY:dQ118MbM7UEb
Threatray	5'293 similar samples on MalwareBazaar
TLSH	T14AD33B1D67F89800E1FF997305B15262C776B842193ACE1D1AC2F5592B7DB908E0BFA3
TrID	59.4% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13) 10.6% (.SCR) Windows screen saver (13097/50/3) 8.5% (.EXE) Win64 Executable (generic) (10523/12/4) 5.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 4.0% (.EXE) Win16 NE executable (generic) (5038/12/1)
Reporter	abuse_ch
Tags:	exe SnakeKeylogger

Intelligence

File Origin

# of uploads :

# of downloads :

168

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

a758f4b623ffce5221cd823e80fb2e9f.exe

Verdict:

Malicious activity

Analysis date:

2023-01-23 18:28:18 UTC

Tags:

evasion trojan

Link:

https://app.any.run/tasks/133b83c7-e25e-4734-b2f9-f1f2ad7b268d

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

Snake

Link:

https://www.capesandbox.com/analysis/356004/

Detection(s):

Win.Malware.Snake-9953539-0

Win.Packed.Msilperseus-9956591-0

Result

Verdict:

Malware

Maliciousness:

Behaviour

Searching for the window

Сreating synchronization primitives

DNS request

Sending an HTTP GET request

Reading critical registry keys

Creating a window

Forced shutdown of a browser

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

anti-vm cmd.exe evasive hacktool packed snake stealer stealer

Link:

https://www.filescan.io/uploads/63ced13a89bd67c10fd98541/reports/9166f7bc-6050-48d5-a574-4ec1c2c774a9/overview

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Generic Malware

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/efed461a-7414-4531-ba67-04771dc98b2b

Result

Threat name:

Snake Keylogger

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1157505

Signature

.NET source code references suspicious native API functions

Antivirus / Scanner detection for submitted sample

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

May check the online IP address of the machine

Multi AV Scanner detection for submitted file

Snort IDS alert for network traffic

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to steal Mail credentials (via file / registry access)

Yara detected Generic Downloader

Yara detected Snake Keylogger

Yara detected Telegram RAT

Behaviour

Behavior Graph:

Download SVG

Detection:

404keylogger

Link:

https://mwdb.cert.pl/sample/fd0eb9d6c810a95a60884e73cfe73d758649394dfbae4b8cc5739f942d47bdcc/

Threat name:

ByteCode-MSIL.Infostealer.Mintluks

Status:

Malicious

First seen:

2023-01-20 14:46:05 UTC

AV detection:

24 of 26 (92.31%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=7uhltvwiccuvuyeijzz47zz5owdesokn7oxexdgfoopzilkhxxga._file

Verdict:

malicious

SnakeKeylogger

2d926d1f0aa50e7de665d8f3fce49c4a8c2594722eb8a18ea887c2b73f8e747c

SnakeKeylogger

43dcd17aa2e97a45074d166854347fe25b59e384eb84ddc685092c21e1a4db1f

SnakeKeylogger

540f95521963827363fc5781d0f0dc9d8323c6c18e5d4e8deb26a4b26c49aca1

SnakeKeylogger

7db45a54b5f18064cdb02e35b051b9f1daf43c10dce1f95fdd16cba8ecd15bfd

SnakeKeylogger

887a72c6d2185c86606b4b80560d5f22fd8c87b261c392bf460c39df861e07b7

SnakeKeylogger

8c379b68cffa3f8c43d74cc2e6576aa4f212f53f35662b32667f58e61ff8541d

SnakeKeylogger

951a1a7ce315e65a05cdbdd7f104e1e38b0f0195fc811d6771588532db45a7c4

SnakeKeylogger

cc83749270a1efd6c7ebeb1e3c077a426ec98f3b25e14e268dc18b17409abba9

SnakeKeylogger

+ 5'283 additional samples on MalwareBazaar

Result

Malware family:

snakekeylogger

Score:

10/10

Tags:

family:snakekeylogger collection keylogger spyware stealer

Link:

https://tria.ge/reports/230123-w26y8agb7v/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

outlook_office_path

outlook_win_path

Accesses Microsoft Outlook profiles

Looks up external IP address via web service

Reads data files stored by FTP clients

Reads user/profile data of local email clients

Reads user/profile data of web browsers

Snake Keylogger

Snake Keylogger payload

Unpacked files

SH256 hash:

fd0eb9d6c810a95a60884e73cfe73d758649394dfbae4b8cc5739f942d47bdcc

MD5 hash:

a758f4b623ffce5221cd823e80fb2e9f

SHA1 hash:

1ecf53302a84cef68272b8841a2e02da510c6330

Detections:

snake_keylogger

Link:

https://www.unpac.me/results/392344be-d35a-47e3-b103-a4801bfd3c3b/

Parent samples :

4c7059dcdffb85c6a3cad9b231e71307befedaf71c007e708d17d2190114d23a
622cc8e52c54af2da4ff1c114f71c6949b3d0f900c83931a9141bc7f91937166
c311d7bb48a8076e141608660d414516d535948c93ff903969208adc8bd09c4b
2ee3a3b3bb2755d3dbd5a438bd7bd731201a16996a8aa249d50675e13a96131d
dab37a069356983008d299beaf6dd2dd5d8eae3f71c92410de37e64014942b7c
dd39b4b8ed5092bfd590f6a175d78a59ffebbafeee05b47d909b9321ac336d46
77a8dd63bb9b99da6daa8291b894e4a1dc05d8476abd943d728798760fb1422b
fd0eb9d6c810a95a60884e73cfe73d758649394dfbae4b8cc5739f942d47bdcc

Malware family:

SnakeKeylogger

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/fd0eb9d6c810/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Suspicious File

Score:

0.35

Link:

https://yomi.yoroi.company/submissions/fd0eb9d6c810a95a60884e73cfe73d758649394dfbae4b8cc5739f942d47bdcc

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	INDICATOR_SUSPICIOUS_Binary_References_Browsers Create hunting rule
Author:	ditekSHen
Description:	Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers.

Rule name:	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook Create hunting rule
Author:	ditekSHen
Description:	Detects executables with potential process hoocking

Rule name:	INDICATOR_SUSPICIOUS_EXE_References_Messaging_Clients Create hunting rule
Author:	ditekSHen
Description:	Detects executables referencing many email and collaboration clients. Observed in information stealers

Rule name:	INDICATOR_SUSPICIOUS_EXE_TelegramChatBot Create hunting rule
Author:	ditekSHen
Description:	Detects executables using Telegram Chat Bot

Rule name:	MALWARE_Win_SnakeKeylogger Create hunting rule
Author:	ditekSHen
Description:	Detects Snake Keylogger

Rule name:	MAL_Envrial_Jan18_1 Create hunting rule
Author:	Florian Roth
Description:	Detects Encrial credential stealer malware
Reference:	https://twitter.com/malwrhunterteam/status/953313514629853184

Rule name:	MAL_Envrial_Jan18_1_RID2D8C Create hunting rule
Author:	Florian Roth
Description:	Detects Encrial credential stealer malware
Reference:	https://twitter.com/malwrhunterteam/status/953313514629853184

Rule name:	pe_imphash Create hunting rule

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

Rule name:	Windows_Trojan_SnakeKeylogger_af3faa65 Create hunting rule
Author:	Elastic Security

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/356004/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample