MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 3237a7d7f93e7c39039a10e1118c21a150b82a8fc10b2ca3fce0b4b08bfe37c0. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

SnakeKeylogger

Vendor detections: 16

Intelligence 16 IOCs YARA 4 File information Comments

SHA256 hash:	3237a7d7f93e7c39039a10e1118c21a150b82a8fc10b2ca3fce0b4b08bfe37c0
SHA3-384 hash:	f0be7cf6fa4b48e2697cffb91f053e44d426544cd2810b8e48370a351882dfe000048d037668a0d5596b13427b28aa56
SHA1 hash:	a3071a5aa1d8b4b169c33adfbdf82e1614ba6150
MD5 hash:	fb887d3c131bfa65b9595d74936f7812
humanhash:	winter-lake-arizona-nevada
File name:	SWIFT USD 14.500,00 20231002104546.exe
Download:	download sample
Signature	SnakeKeylogger Create hunting rule
File size:	590'848 bytes
First seen:	2023-10-02 15:26:30 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'742 x AgentTesla, 19'607 x Formbook, 12'242 x SnakeKeylogger)
ssdeep	12288:KWOu13YBp53OpEDjL/2xM16Gn9wtu9SNDCcU/gc7cvizNumB09IfvBUIPr9mr:5Ou13YBWpEDn2x2JnX8NDC//gc7cvHy
Threatray	458 similar samples on MalwareBazaar
TLSH	T142C4E099321172DFC81BCD768DA41C64FA2434BB571BD206A00726ED9A1DADBCF252F3
TrID	60.4% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13) 10.8% (.SCR) Windows screen saver (13097/50/3) 8.7% (.EXE) Win64 Executable (generic) (10523/12/4) 5.4% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 4.1% (.EXE) Win16 NE executable (generic) (5038/12/1)
Reporter	abuse_ch
Tags:	exe SnakeKeylogger

Intelligence

File Origin

# of uploads :

# of downloads :

278

Origin country :

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

SWIFT USD 14.500,00 20231002104546.exe

Verdict:

Malicious activity

Analysis date:

2023-10-02 15:37:10 UTC

Tags:

evasion snake keylogger

Link:

https://app.any.run/tasks/7346212a-9863-47e7-a947-fb08231bda5b

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

Snake

Link:

https://www.capesandbox.com/analysis/452641/

Detection(s):

Porcupine.Malware.58887.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Searching for the window

Creating a window

Creating a file in the %AppData% directory

Enabling the 'hidden' option for recently created files

Adding an access-denied ACE

Сreating synchronization primitives

Creating a process with a hidden window

Creating a file in the %temp% directory

Launching a process

Restart of the analyzed sample

Adding an exclusion to Microsoft Defender

Verdict:

Suspicious

Threat level:

5/10

Confidence:

100%

Tags:

packed

Link:

https://www.filescan.io/uploads/651ae14a83a0c6425d051a02/reports/cc91e44f-66db-40e0-bcd7-c9dde5ede8e0/overview

Verdict:

Malicious

Labled as:

Malware

Link:

https://www.hybrid-analysis.com/sample/3237a7d7f93e7c39039a10e1118c21a150b82a8fc10b2ca3fce0b4b08bfe37c0

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Generic Malware

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/91d63f5f-8902-4130-badc-6ba0d3c11ad2

Result

Threat name:

Snake Keylogger

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1318026

Signature

.NET source code contains method to dynamically call methods (often used by packers)

.NET source code contains potential unpacker

Adds a directory exclusion to Windows Defender

Antivirus / Scanner detection for submitted sample

Antivirus detection for dropped file

Detected unpacking (changes PE section rights)

Detected unpacking (overwrites its own PE header)

Found malware configuration

Machine Learning detection for dropped file

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

May check the online IP address of the machine

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Sigma detected: Scheduled temp file as task from temp location

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Mail credentials (via file / registry access)

Uses schtasks.exe or at.exe to add and modify task schedules

Yara detected AntiVM3

Yara detected Generic Downloader

Yara detected Snake Keylogger

Yara detected Telegram RAT

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/3237a7d7f93e7c39039a10e1118c21a150b82a8fc10b2ca3fce0b4b08bfe37c0/

Threat name:

Win32.Trojan.Generic

Status:

Malicious

First seen:

2023-10-02 11:23:21 UTC

File Type:

PE (.Net Exe)

Extracted files:

AV detection:

19 of 36 (52.78%)

Threat level:

2/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=gi32pv7zhz6dsa42cdqrddbbufilqkupyefszi744c2lbc76g7aa._file

Verdict:

malicious

Label(s):

agenttesla

SnakeKeylogger

3ebbd8420e5203a6c4a7c22f4d530ed2af31cd2638b7fd026f498bc1e55da16f

SnakeKeylogger

457b41f6e8645142562a0cc19dfc477ac19b9f39be9dcafa631f8fbf5c1ad34b

SnakeKeylogger

47d6529e37038734bc351ff57eb13cfff614304d18759899a9d71df381ec9193

SnakeKeylogger

75c3496ee243be07930a47bd8b2a34bec9fb5f956f60d3dbfcc798753c6a9421

SnakeKeylogger

b5797aaf9a2230a8703d9b814835822c8abc6da3fb5fe1435528964f713abbc4

SnakeKeylogger

dc8b8a802ba59375eb9bed0c1a49303a7ce869f456d047585ab507e4ece76c3a

SnakeKeylogger

e98b47568deded212c6c6aaf8157929f5db1254a49a5e47c84e36d4d954ff21f

SnakeKeylogger

+ 448 additional samples on MalwareBazaar

Result

Malware family:

snakekeylogger

Score:

10/10

Tags:

family:snakekeylogger collection keylogger spyware stealer

Link:

https://tria.ge/reports/231002-svrdeadg36/

Behaviour

Creates scheduled task(s)

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

outlook_office_path

outlook_win_path

Enumerates physical storage devices

Suspicious use of SetThreadContext

Looks up external IP address via web service

Accesses Microsoft Outlook profiles

Checks computer location settings

Reads user/profile data of local email clients

Reads user/profile data of web browsers

Snake Keylogger

Snake Keylogger payload

Unpacked files

SH256 hash:

d60dec072f893a5f398ba30e3a15cb61570cb724c19751afeb2c4c659b59622a

MD5 hash:

8c865d459cbe885b9611d339deb8d457

SHA1 hash:

de13418769a5c9a2cc0050abebc928dfa7b789f1

Link:

https://www.unpac.me/results/0436710f-7b67-44a0-a254-4a39f3a84c5d/

SH256 hash:

df4ae14aba1386482151a3b8cc58ef081c58306da7f4cc0c35e0718242cf043c

MD5 hash:

8383b9306b9b5929b0aed1f24991d929

SHA1 hash:

6acebb9f139a62de981a3ec15ce35f61f5c3132e

Link:

https://www.unpac.me/results/0436710f-7b67-44a0-a254-4a39f3a84c5d/

SH256 hash:

04fdd50637263cef78514e6c9e050c80792456f21dd4034d3a5ded98e6f2b10c

MD5 hash:

29fc4bab9babd2d2e6838f12f1956411

SHA1 hash:

2ef4ca8d59f6f1fda552894844db82f62906b112

Detections:

snake_keylogger

Link:

https://www.unpac.me/results/0436710f-7b67-44a0-a254-4a39f3a84c5d/

Parent samples :

e140957366f6040c31704645bf11779a7d29ce1f5e83439d27eef95d7d0b021a
a9fc57ab4ffcca4baa8f4fe69708ea3d63d5f85f5f5916bd7870fe547f368e02
3237a7d7f93e7c39039a10e1118c21a150b82a8fc10b2ca3fce0b4b08bfe37c0

SH256 hash:

fc3d06dc5089d06f8f8dd019b928dbe038178f594c83109bf4849c0886b74d24

MD5 hash:

3b60fc4b2e7ed17c9f38c5ff019b9806

SHA1 hash:

2e65b7a75dfc97576f5a4142cf0e746136360f10

Link:

https://www.unpac.me/results/0436710f-7b67-44a0-a254-4a39f3a84c5d/

SH256 hash:

3fd0bedc0411d2ef09bb38f50a70888b9db436aa3f1a3f6340b3957a8bf1cef3

MD5 hash:

f7e3ee72e28761ebde68a3d0e2aeea6f

SHA1 hash:

102da2e7659210602f3ccfbb7768d8478428a565

Link:

https://www.unpac.me/results/0436710f-7b67-44a0-a254-4a39f3a84c5d/

SH256 hash:

3237a7d7f93e7c39039a10e1118c21a150b82a8fc10b2ca3fce0b4b08bfe37c0

MD5 hash:

fb887d3c131bfa65b9595d74936f7812

SHA1 hash:

a3071a5aa1d8b4b169c33adfbdf82e1614ba6150

Link:

https://www.unpac.me/results/0436710f-7b67-44a0-a254-4a39f3a84c5d/

Malware family:

SnakeKeylogger

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/3237a7d7f93e/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/3237a7d7f93e7c39039a10e1118c21a150b82a8fc10b2ca3fce0b4b08bfe37c0

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	NET Create hunting rule
Author:	malware-lu

Rule name:	NETexecutableMicrosoft Create hunting rule
Author:	malware-lu

Rule name:	pe_imphash Create hunting rule

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

SnakeKeylogger

exe 3237a7d7f93e7c39039a10e1118c21a150b82a8fc10b2ca3fce0b4b08bfe37c0

(this sample)

Delivery method

Distributed via e-mail attachment

Cape

https://www.capesandbox.com/analysis/452641/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample