MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 d3ac98cf64ca2fca455b2e4f002c3381bcee699cf64bbfaa076222209f834b1a. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



SnakeKeylogger


Vendor detections: 12


Intelligence 12 IOCs YARA 10 File information Comments

SHA256 hash: d3ac98cf64ca2fca455b2e4f002c3381bcee699cf64bbfaa076222209f834b1a
SHA3-384 hash: a4a60a84114a2c12607fdd1f532cc41f6d538731904b14baa5b79a1c956d83eae822fa0c106153e2f3a897b6feee6136
SHA1 hash: 893ae234d351c762ab388a7337c625e4b213da6e
MD5 hash: 64468b2ab541687572ce6b435b41f2bd
humanhash: india-triple-avocado-colorado
File name:RFQ Document.exe
Download: download sample
Signature SnakeKeylogger
File size:344'837 bytes
First seen:2021-09-28 05:48:46 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash b76363e9cb88bf9390860da8e50999d2 (241 x Formbook, 141 x AgentTesla, 104 x SnakeKeylogger)
ssdeep 6144:P8LxBkKFd08vwYfiEqj9LEW4AKkYMFO1UT489rSAZwghFmxGmf7qvce:BKFdLi1j9LEYKkNO1648JDwghFkFkce
Threatray 1'139 similar samples on MalwareBazaar
TLSH T16A74129312D0CAEFFDA01470963BE235F6E39F5841AB0A0B27E0BFBA95716834717146
File icon (PE):PE icon
dhash icon 2f3e0e0c03130a07 (3 x SnakeKeylogger)
Reporter @abuse_ch
Tags:exe SnakeKeylogger

Intelligence


File Origin
# of uploads :
1
# of downloads :
73
Origin country :
FR FR
Mail intelligence
No data
Vendor Threat Intelligence
ID:
1
File name:
RFQ Document.exe
Verdict:
Malicious activity
Analysis date:
2021-09-28 05:50:48 UTC
Tags:
evasion trojan snakekeylogger keylogger

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file in the %temp% directory
Creating a file
Unauthorized injection to a recently created process
Launching a service
Creating a window
DNS request
Connection attempt
Sending an HTTP GET request
Sending a custom TCP request
Malware family:
Snake Keylogger
Verdict:
Malicious
Result
Threat name:
Snake Keylogger
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Signature
.NET source code references suspicious native API functions
Detected unpacking (changes PE section rights)
Detected unpacking (creates a PE file in dynamic memory)
Detected unpacking (overwrites its own PE header)
Executable has a suspicious name (potential lure to open the executable)
Found malware configuration
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
May check the online IP address of the machine
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Mail credentials (via file access)
Uses the Telegram API (likely for C&C communication)
Yara detected Snake Keylogger
Yara detected Telegram RAT
Behaviour
Behavior Graph:
Threat name:
Win32.Backdoor.Androm
Status:
Malicious
First seen:
2021-09-28 05:49:06 UTC
AV detection:
15 of 45 (33.33%)
Threat level:
  5/5
Result
Malware family:
snakekeylogger
Score:
  10/10
Tags:
family:snakekeylogger keylogger spyware stealer
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Looks up external IP address via web service
Loads dropped DLL
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Snake Keylogger
Malware Config
C2 Extraction:
https://api.telegram.org/bot1926537393:AAHGSUhtLeQU8qms_2blDH9qpvo-fEuwi9E/sendMessage?chat_id=1664748411
Unpacked files
SH256 hash:
d3ac98cf64ca2fca455b2e4f002c3381bcee699cf64bbfaa076222209f834b1a
MD5 hash:
64468b2ab541687572ce6b435b41f2bd
SHA1 hash:
893ae234d351c762ab388a7337c625e4b213da6e
Malware family:
Phoenix
Verdict:
Malicious

YARA Signatures


MalareBazaar uses YARA rules from several public and non-public repositories, such as Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious proccess dumps they may create. Please note that only results from TLP:WHITE rules are being displayeyd.

Rule name:INDICATOR_SUSPICIOUS_Binary_References_Browsers
Author:ditekSHen
Description:Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers.
Rule name:INDICATOR_SUSPICIOUS_EXE_DotNetProcHook
Author:ditekSHen
Description:Detects executables with potential process hoocking
Rule name:INDICATOR_SUSPICIOUS_EXE_Referenfces_Messaging_Clients
Author:ditekSHen
Description:Detects executables referencing many email and collaboration clients. Observed in information stealers
Rule name:INDICATOR_SUSPICIOUS_EXE_TelegramChatBot
Author:ditekSHen
Description:Detects executables using Telegram Chat Bot
Rule name:MALWARE_Win_SnakeKeylogger
Author:ditekSHen
Description:Detects Snake Keylogger
Rule name:MAL_Envrial_Jan18_1
Author:Florian Roth
Description:Detects Encrial credential stealer malware
Reference:https://twitter.com/malwrhunterteam/status/953313514629853184
Rule name:MAL_Envrial_Jan18_1_RID2D8C
Author:Florian Roth
Description:Detects Encrial credential stealer malware
Reference:https://twitter.com/malwrhunterteam/status/953313514629853184
Rule name:pe_imphash
Rule name:Skystars_Malware_Imphash
Author:Skystars LightDefender
Description:imphash
Rule name:Telegram_Exfiltration_Via_Api
Author:lsepaolo

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Comments