MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 fe67815ee34cf630592fdbbcdc8e18b460b6dcaf6cbfb4bce9c5d7d4c453e491. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Signature: SnakeKeylogger
Vendor detections: 15

SHA256 hash: fe67815ee34cf630592fdbbcdc8e18b460b6dcaf6cbfb4bce9c5d7d4c453e491
SHA3-384 hash: 95bee146bb111cefbb1919dcc223950ed846f8e34088839e6b2236b04c03098838e48cebebcd9a4230703d67297466d6
SHA1 hash: b1cb88190b0053eedda47b8f0311e5acdee04673
MD5 hash: bbd50d837a594c0e33c1581e4e4734d9
humanhash: dakota-violet-low-sodium
File name: bbd50d837a594c0e33c1581e4e4734d9.exe
Signature: SnakeKeylogger
File size: 634'368 bytes
First seen: 2023-04-18 11:33:21 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: f34d5f2d4577ed6d9ceec516c1f5a744 (48'649 x AgentTesla, 19'454 x Formbook, 12'202 x SnakeKeylogger)
ssdeep: 12288:0r8dWkAVUsnGpIyhvRghNXeMtWTBIeA0ckVQkXPYh8sIbJ:t0TVUgMNEXDtWrYGPYBIF
Threatray: 5'140 similar samples on MalwareBazaar
TLSH: T1F9D4E019B065DCA2D59C36F60400A5D9DA217DE23872C53D2BF67A8EAFBE317DC4008E
TrID: 71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13); 10.2% (.EXE) Win64 Executable (generic) (10523/12/4); 6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2); 4.3% (.EXE) Win32 Executable (generic) (4505/5/1); 2.0% (.ICL) Windows Icons Library (generic) (2059/9)
dhash icon: 804d8ee071068c20 (1 x AgentTesla, 1 x Formbook, 1 x SnakeKeylogger)
Reporter: abuse_ch
Tags: exe SnakeKeylogger

Intelligence

File Origin
# of uploads: 1
# of downloads: 223
Origin country: NL

Vendor Threat Intelligence
Malware family: n/a
ID: 1
File name: bbd50d837a594c0e33c1581e4e4734d9.exe
Verdict: Malicious activity
Analysis date: 2023-04-18 11:39:07 UTC
Tags: snake keylogger trojan evasion

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict: Malware
Behaviour: Creating a window
Verdict: Malicious
Threat level: 10/10
Confidence: 100%
Tags: packed
Result
Verdict: MALICIOUS
Details: Windows PE Executable. Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family: Snake Keylogger
Verdict: Malicious
Result
Threat name: Snake Keylogger
Detection: malicious
Classification: troj.spyw.evad
Score: 100 / 100
Signature
.NET source code contains potential unpacker
Found malware configuration
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
May check the online IP address of the machine
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Mail credentials (via file / registry access)
Yara detected Generic Downloader
Yara detected Snake Keylogger
Yara detected Telegram RAT
Result
Malware family: snakekeylogger
Score: 10/10
Tags: family:snakekeylogger collection keylogger spyware stealer
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Looks up external IP address via web service
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Snake Keylogger
Snake Keylogger payload
Unpacked files
SHA256 hash: 21f0154b51a09767f94922b81f5fcd15cf4a6390ab7314e40d0e17b2dcdfe6ba
MD5 hash: c926563698de3a89ad20474c85122f73
SHA1 hash: ed1a3b2527ace111e6f39880c7ee3965f301330d

SHA256 hash: dfcaacc81f27b57596688a560fd20130a5b6fa4926176557ab047309b534cf5a
MD5 hash: 7f7daf81919735cc43850f76a30feb73
SHA1 hash: e4f2b3958e659ae85d8ed777c3cc2afc3cd01c74

SHA256 hash: 0fd1f00d94aff36ad8f02077efb33ddf269985ea37038aae554ff6202fdc020f
MD5 hash: 8dfd8e44c82066f4aeeff652fa2a33c5
SHA1 hash: b844952e48ecab0e7ab2e3d5e38a20629399f94c

SHA256 hash: 64a11ae8390f71fafac5758e604f7dd810bc08599d7409b78ed8dbc0d800889b
MD5 hash: 0bd8a3ac0668bb31b2d27e96463228fd
SHA1 hash: 9003025399b49b45c55101d0ad2431c7dd6c8e19
Detections: snake_keylogger
Parent samples:
SHA256 hash: 2659893fe9cac0d56374802cb04253fe92c971db75fb1183f24fe1afc969fe7a
MD5 hash: 9d048c78cfa08c42d4b1b9344b9a5aac
SHA1 hash: 6e890195170c1cea81c52943fc0fabd87509eddf

SHA256 hash: fe67815ee34cf630592fdbbcdc8e18b460b6dcaf6cbfb4bce9c5d7d4c453e491
MD5 hash: bbd50d837a594c0e33c1581e4e4734d9
SHA1 hash: b1cb88190b0053eedda47b8f0311e5acdee04673

Malware family: SnakeKeylogger
Verdict: Malicious
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: pdb_YARAify
Author: @wowabiy314
Description: PDB

Rule name: pe_imphash

Rule name: Skystars_Malware_Imphash
Author: Skystars LightDefender
Description: imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method: Web download (Distributed via web download)
Signature: SnakeKeylogger
File type: Executable exe
SHA256: fe67815ee34cf630592fdbbcdc8e18b460b6dcaf6cbfb4bce9c5d7d4c453e491 (this sample)