MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 32e3f433b732245bcd8a27d204a770fc82d70010f3cb1549dc91f04d24849941. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


SnakeKeylogger


Vendor detections: 13


Intelligence 13 IOCs YARA 11 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 32e3f433b732245bcd8a27d204a770fc82d70010f3cb1549dc91f04d24849941
SHA3-384 hash: 0fdae0f1d7015fc5682643c23d6667b3a2e981332669a6e63d9405562ffe430978e79b1c88368c381fbb9106d00a51a2
SHA1 hash: 5cf948bc30bca89a8b32ed38c5c723cca13fa196
MD5 hash: 773aeb8b7d2c978f5e6827e3156a5115
humanhash: vermont-nitrogen-carolina-mexico
File name:bank_payment form.exe
Download: download sample
Signature SnakeKeylogger
Create hunting rule
File size:235'257 bytes
First seen:2022-05-21 07:32:50 UTC
Last seen:2022-05-21 08:31:42 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 61259b55b8912888e90f516ca08dc514 (1'059 x Formbook, 741 x AgentTesla, 427 x GuLoader)
ssdeep 6144:AYa6D/wl9+a5wo8xWslKCiH023nYjeghrS8vsPq:AY5EYlKCiHYyx8b
Threatray 7'055 similar samples on MalwareBazaar
TLSH T1EF340291E7D6D5E3FE630E700A359E601AE8B306D1774A3B17F0E69A79172C0861F392
TrID 48.8% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
16.4% (.EXE) Win64 Executable (generic) (10523/12/4)
10.2% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
7.8% (.EXE) Win16 NE executable (generic) (5038/12/1)
7.0% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):PE icon
dhash icon 332363132d353307 (6 x Formbook, 1 x SnakeKeylogger, 1 x Loki)
Reporter GovCERT_CH
Tags:exe SnakeKeylogger

Intelligence

File Origin
# of uploads :
2
# of downloads :
352
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
bank_payment form.exe
Verdict:
Malicious activity
Analysis date:
2022-05-21 07:33:48 UTC
Tags:
evasion trojan snake keylogger
Link:
https://app.any.run/tasks/45bb39e9-04c5-4bbb-959c-d46e130b5eaa

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/273289/
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file in the %temp% directory
Creating a window
Creating a process from a recently created file
Sending a custom TCP request
Result
Malware family:
n/a
Score:
  5/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/19424/overview
Behaviour
MalwareBazaar
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
control.exe lokibot overlay packed shell32.dll winlock
Link:
https://www.filescan.io/uploads/628895ec3223462f89d7e646/reports/d69d38d5-7908-4730-8cad-87e1c0d2d312/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Snake Keylogger
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/bf980e63-7359-4372-a5ac-9b6207e8c46b
Result
Threat name:
Snake Keylogger
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/999049
Signature
.NET source code references suspicious native API functions
Detected unpacking (creates a PE file in dynamic memory)
Executable has a suspicious name (potential lure to open the executable)
Found malware configuration
Initial sample is a PE file and has a suspicious name
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
May check the online IP address of the machine
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Mail credentials (via file / registry access)
Yara detected Generic Downloader
Yara detected Snake Keylogger
Yara detected Telegram RAT
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/32e3f433b732245bcd8a27d204a770fc82d70010f3cb1549dc91f04d24849941/
Threat name:
Win32.Trojan.LokiBot
Create hunting rule
Status:
Malicious
First seen:
2022-05-18 04:57:37 UTC
File Type:
PE (Exe)
Extracted files:
3
AV detection:
22 of 26 (84.62%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=glr7im5xgisfxtmke7jajj3q7sbnoaaq6pfrkso4shye2jeetfaq._file
Verdict:
malicious
Similar samples:
14fcb8a4565e90550de5237fccbf8b283c970055ba9b11e206fdf7329c3ad51d
SnakeKeylogger
1f7cd0cb15550fd5bf1a49353ae74845965cb3d313f5b8e66f4bd2835661917f
SnakeKeylogger
419127a78f8b1a361cab37011662b2ce411af7f4ad59d0f35ce5ca98eca1b92a
SnakeKeylogger
465168d19bfb65cdd4f4d7e12e7597484eaf1d728bdcf37aa7919d0fa2fd55d0
SnakeKeylogger
4b59e43a9ca1e953099df4cf8fddc74e6c243bef1f38236ed8b5189c67046f00
SnakeKeylogger
96929d91624ef88554c7850bc57c8cfd2bb093fb8cdaad5f8865c1001c5a5d0d
SnakeKeylogger
97d6ca695325d19dba9161f676434dce87ad47769cb1f5618adc7c5122cf6d1c
SnakeKeylogger
+ 7'045 additional samples on MalwareBazaar
Result
Malware family:
snakekeylogger
Create hunting rule
Score:
  10/10
Tags:
family:snakekeylogger collection keylogger spyware stealer
Link:
https://tria.ge/reports/220521-jdhv9sage9/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Enumerates physical storage devices
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Looks up external IP address via web service
Loads dropped DLL
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Executes dropped EXE
Snake Keylogger
Snake Keylogger Payload
Unpacked files
SH256 hash:
a151433f58e6173254b7d262e1c82129109519cb3d0f8bdac8085619ff2c847c
MD5 hash:
2674cf60aca37565a88d9f10ed84b6e5
SHA1 hash:
45dc68b556f3c8c59c815bd2755128beecaf7a46
Link:
https://www.unpac.me/results/dde35fd3-e55c-4762-b82d-8158f6422de8/
SH256 hash:
b5562a316c8eb0ee943fd897ea3c8f59fbaeda9fda7ccdd19a50768574db7599
MD5 hash:
35ffc55135a5c5ecc0066846ef55799b
SHA1 hash:
2103f99b219e40be64b9caa2189485c5f143cbfe
Link:
https://www.unpac.me/results/dde35fd3-e55c-4762-b82d-8158f6422de8/
SH256 hash:
04d9fd140b76656a51a7701f9850ca5a430edcc6ccdf1133280f1edc8b86c6d2
MD5 hash:
f01ef5d3c337c79f1114245547923618
SHA1 hash:
9988d42f9d1922c32564aad4af300102324e0962
Link:
https://www.unpac.me/results/dde35fd3-e55c-4762-b82d-8158f6422de8/
SH256 hash:
32e3f433b732245bcd8a27d204a770fc82d70010f3cb1549dc91f04d24849941
MD5 hash:
773aeb8b7d2c978f5e6827e3156a5115
SHA1 hash:
5cf948bc30bca89a8b32ed38c5c723cca13fa196
Link:
https://www.unpac.me/results/dde35fd3-e55c-4762-b82d-8158f6422de8/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/32e3f433b732245bcd8a27d204a770fc82d70010f3cb1549dc91f04d24849941

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_SUSPICIOUS_Binary_References_Browsers
Create hunting rule
Author:ditekSHen
Description:Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers.
Rule name:INDICATOR_SUSPICIOUS_EXE_DotNetProcHook
Create hunting rule
Author:ditekSHen
Description:Detects executables with potential process hoocking
Rule name:INDICATOR_SUSPICIOUS_EXE_References_Messaging_Clients
Create hunting rule
Author:ditekSHen
Description:Detects executables referencing many email and collaboration clients. Observed in information stealers
Rule name:INDICATOR_SUSPICIOUS_EXE_RegKeyComb_DisableWinDefender
Create hunting rule
Author:ditekSHen
Description:Detects executables embedding registry key / value combination indicative of disabling Windows Defedner features
Rule name:INDICATOR_SUSPICIOUS_EXE_TelegramChatBot
Create hunting rule
Author:ditekSHen
Description:Detects executables using Telegram Chat Bot
Rule name:MALWARE_Win_SnakeKeylogger
Create hunting rule
Author:ditekSHen
Description:Detects Snake Keylogger
Rule name:MAL_Envrial_Jan18_1
Create hunting rule
Author:Florian Roth
Description:Detects Encrial credential stealer malware
Reference:https://twitter.com/malwrhunterteam/status/953313514629853184
Rule name:MAL_Envrial_Jan18_1_RID2D8C
Create hunting rule
Author:Florian Roth
Description:Detects Encrial credential stealer malware
Reference:https://twitter.com/malwrhunterteam/status/953313514629853184
Rule name:MAL_Lokibot_Stealer
Create hunting rule
Description:Detects Lokibot Stealer Variants
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

SnakeKeylogger

Executable exe 32e3f433b732245bcd8a27d204a770fc82d70010f3cb1549dc91f04d24849941

(this sample)

  
Dropped by
snakekeylogger
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/273289/

Comments