MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 1884a949e9068ffe0dd84be7644cd3a8fe320542252e533ce1d2214f79b50990. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

SnakeKeylogger

Vendor detections: 15

Intelligence 15 IOCs YARA 12 File information Comments

SHA256 hash:	1884a949e9068ffe0dd84be7644cd3a8fe320542252e533ce1d2214f79b50990
SHA3-384 hash:	5af2ff2208dcc90d3e32134c250761e76faea3610b3f5f3ac3f18b5c4753caddee40cd7a83371ff8734fc32bb736f661
SHA1 hash:	55d97abeb438e0c4aec352523f10ec3c9d773a8c
MD5 hash:	d20ba9548abd76ba228729949f845e59
humanhash:	twelve-colorado-violet-arizona
File name:	PO_287104.exe
Download:	download sample
Signature	SnakeKeylogger Create hunting rule
File size:	971'776 bytes
First seen:	2024-05-02 06:04:48 UTC
Last seen:	2024-05-02 06:26:33 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'462 x Formbook, 12'204 x SnakeKeylogger)
ssdeep	12288:U1P60g/mCJJLRfimNQUWiUwoZ3VZ5K7nKhFSFlSP:U1PBgeCfRRNVT0nY7nO0l
Threatray	169 similar samples on MalwareBazaar
TLSH	T12B256DD1F1508CDAED6B09F2AD2BA53014A37E9D98A4410C569DBB1B76F3342209FE1F
TrID	69.7% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13) 10.0% (.EXE) Win64 Executable (generic) (10523/12/4) 6.2% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 4.2% (.EXE) Win32 Executable (generic) (4504/4/1) 1.9% (.EXE) Win16/32 Executable Delphi generic (2072/23)
File icon (PE):
dhash icon	eeacac8cb6e2ba86 (561 x SnakeKeylogger, 142 x AgentTesla, 40 x Formbook)
Reporter	lowmal3
Tags:	exe SnakeKeylogger

Intelligence

File Origin

# of uploads :

# of downloads :

312

Origin country :

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

1884a949e9068ffe0dd84be7644cd3a8fe320542252e533ce1d2214f79b50990.exe

Verdict:

Malicious activity

Analysis date:

2024-05-02 06:07:48 UTC

Tags:

evasion snake keylogger

Link:

https://app.any.run/tasks/645cd1e3-7ab3-4116-9456-aa312f5c98a2

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection(s):

Porcupine.Malware.58887.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Searching for the window

Creating a window

Unauthorized injection to a recently created process

Restart of the analyzed sample

Creating a file

Сreating synchronization primitives

DNS request

Connection attempt

Sending an HTTP GET request

Sending a custom TCP request

Verdict:

Suspicious

Threat level:

5/10

Confidence:

100%

Tags:

packed

Link:

https://www.filescan.io/uploads/66332d10874e85cc56654036/reports/81fb043f-47c8-4b1f-8805-61ae01865869/overview

Verdict:

Malicious

Labled as:

Win/malicious_confidence_100%

Link:

https://www.hybrid-analysis.com/sample/1884a949e9068ffe0dd84be7644cd3a8fe320542252e533ce1d2214f79b50990

Malware family:

Snake Keylogger

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/937ba957-16f6-4cdf-a2b4-5e98cdfab3d9

Result

Threat name:

PureLog Stealer, Snake Keylogger

Detection:

malicious

Classification:

troj.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1435150

Signature

.NET source code contains method to dynamically call methods (often used by packers)

.NET source code contains potential unpacker

.NET source code contains very large array initializations

Antivirus detection for URL or domain

Found malware configuration

Initial sample is a PE file and has a suspicious name

Injects a PE file into a foreign processes

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for domain / URL

Multi AV Scanner detection for submitted file

Yara detected AntiVM3

Yara detected Generic Downloader

Yara detected PureLog Stealer

Yara detected Snake Keylogger

Behaviour

Behavior Graph:

Download SVG

Score:

100%

Verdict:

Malware

File Type:

Link:

https://malprob.io/report/1884a949e9068ffe0dd84be7644cd3a8fe320542252e533ce1d2214f79b50990

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/1884a949e9068ffe0dd84be7644cd3a8fe320542252e533ce1d2214f79b50990/

Threat name:

ByteCode-MSIL.Backdoor.Bladabhindi

Status:

Malicious

First seen:

2024-04-30 00:33:36 UTC

File Type:

PE (.Net Exe)

Extracted files:

AV detection:

21 of 24 (87.50%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=dccksspja2h74doyjptwitgtvd7debkceuxfgphb2iqu66nvbgia._file

Verdict:

malicious

SnakeKeylogger

43c6410d4d0943d1cf6c89ca1fc65ca986b5d4da93d4e5d59916a47ef15e2ef4

SnakeKeylogger

6a73ce1fbde07e660aa6713b7e1c20cc34aa6f576d82f2189da9661abaa5211f

SnakeKeylogger

855c4ef75b1244f719dfa072fa496f1d63e30e9239c99ced6e1370495cbeb2c2

SnakeKeylogger

+ 159 additional samples on MalwareBazaar

Result

Malware family:

snakekeylogger

Score:

10/10

Tags:

family:snakekeylogger collection keylogger spyware stealer

Link:

https://tria.ge/reports/240502-gs6vjada92/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

outlook_office_path

outlook_win_path

Suspicious use of SetThreadContext

Accesses Microsoft Outlook profiles

Looks up external IP address via web service

Reads user/profile data of local email clients

Reads user/profile data of web browsers

Snake Keylogger

Snake Keylogger payload

Malware Config

C2 Extraction:

https://scratchdreams.tk

Unpacked files

SH256 hash:

44e08dc0addf10f4e99661df9a9876ae5489e68108058f0fc94c1d5feaaae277

MD5 hash:

0161c9f57872a218bcf329a1d5981667

SHA1 hash:

d60c82e9762abe0e2db450caa9ee0fd25270d829

Link:

https://www.unpac.me/results/260c2938-29fd-475a-9fc2-b89fcc85d3e8/

SH256 hash:

8dae5599d2122068a3f07d467acb5c9bac600cdef1bc163cc3c99c095f20e721

MD5 hash:

b0439ea8d4693096012185de00119f48

SHA1 hash:

ab4b070511ddd2f5da7df78cf0f332791b4db91b

Link:

https://www.unpac.me/results/260c2938-29fd-475a-9fc2-b89fcc85d3e8/

SH256 hash:

e1c622628bd86d1d3e801afb5dee83b551d223f281e937e17529190d67c2e6ae

MD5 hash:

596ff23b412ac2abc3e5c178558eacfb

SHA1 hash:

8476916e82f85f77ff4cb066110d3a14a5da67ee

Link:

https://www.unpac.me/results/260c2938-29fd-475a-9fc2-b89fcc85d3e8/

SH256 hash:

20149bf1f305ca19e8b03288c79f26f017a20a4e5a1f6e46beb88938d5349af4

MD5 hash:

1c2daa040e1abd0dd3b7a5589f60b715

SHA1 hash:

530466e0ea2571d44a9de98ad8e55682e372363c

Detections:

snake_keylogger

win_404keylogger_g1

MAL_Envrial_Jan18_1

MALWARE_Win_SnakeKeylogger

INDICATOR_SUSPICIOUS_Binary_References_Browsers

INDICATOR_SUSPICIOUS_EXE_DotNetProcHook

INDICATOR_SUSPICIOUS_EXE_References_Messaging_Clients

Link:

https://www.unpac.me/results/260c2938-29fd-475a-9fc2-b89fcc85d3e8/

Parent samples :

d46066c4c4bd510c11a5d4ee6e23ff0e2fdb7d5d716aceb9671caa3e679800b1
672047c9f1f92700303fa90df3ecce9faf67138888eedce5fd47a599120e0ec5
8b9dedaa09d239667dd9cabe0c7efab61712868b32ebb3a50110df8980823ce9
1884a949e9068ffe0dd84be7644cd3a8fe320542252e533ce1d2214f79b50990
9745e0d21f50b1c553b40e8c353b11bb172a2bae1a83b3b9cfce26f9e01b3b89

SH256 hash:

1884a949e9068ffe0dd84be7644cd3a8fe320542252e533ce1d2214f79b50990

MD5 hash:

d20ba9548abd76ba228729949f845e59

SHA1 hash:

55d97abeb438e0c4aec352523f10ec3c9d773a8c

Link:

https://www.unpac.me/results/260c2938-29fd-475a-9fc2-b89fcc85d3e8/

Malware family:

SnakeKeylogger

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/1884a949e906/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/1884a949e9068ffe0dd84be7644cd3a8fe320542252e533ce1d2214f79b50990

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	INDICATOR_SUSPICIOUS_Binary_References_Browsers Create hunting rule
Author:	ditekSHen
Description:	Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers.

Rule name:	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook Create hunting rule
Author:	ditekSHen
Description:	Detects executables with potential process hoocking

Rule name:	INDICATOR_SUSPICIOUS_EXE_References_Messaging_Clients Create hunting rule
Author:	ditekSHen
Description:	Detects executables referencing many email and collaboration clients. Observed in information stealers

Rule name:	MALWARE_Win_SnakeKeylogger Create hunting rule
Author:	ditekSHen
Description:	Detects Snake Keylogger

Rule name:	MAL_Envrial_Jan18_1 Create hunting rule
Author:	Florian Roth (Nextron Systems)
Description:	Detects Encrial credential stealer malware
Reference:	https://twitter.com/malwrhunterteam/status/953313514629853184

Rule name:	MAL_Envrial_Jan18_1_RID2D8C Create hunting rule
Author:	Florian Roth
Description:	Detects Encrial credential stealer malware
Reference:	https://twitter.com/malwrhunterteam/status/953313514629853184

Rule name:	NET Create hunting rule
Author:	malware-lu

Rule name:	NETexecutableMicrosoft Create hunting rule
Author:	malware-lu

Rule name:	pe_imphash Create hunting rule

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

Rule name:	Windows_Trojan_SnakeKeylogger_af3faa65 Create hunting rule
Author:	Elastic Security

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method

Other

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings

ID	Title	Severity
CHECK_AUTHENTICODE	Missing Authenticode	high
CHECK_DLL_CHARACTERISTICS	Missing dll Security Characteristics (HIGH_ENTROPY_VA)	high

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample