MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 341db7699f4f2349d2cec4a85f09a899b322268b811d722aa9da9e035c0db874. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


SnakeKeylogger


Vendor detections: 15


Intelligence 15 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 341db7699f4f2349d2cec4a85f09a899b322268b811d722aa9da9e035c0db874
SHA3-384 hash: e5ddb10f29011ebd415d11c7ebcee5b64de7cc856d270e4c5cbc0d76b14b056aa58740f1ed5b489b90a0937eef5f668a
SHA1 hash: ebbf981673b34b3c9b103c273c46ec3f4975dd2e
MD5 hash: c057375810d910fa597ed62275e359b1
humanhash: fourteen-blossom-wisconsin-kitten
File name:Maersk MRKU8781602.exe
Download: download sample
Signature SnakeKeylogger
Create hunting rule
File size:626'688 bytes
First seen:2023-04-05 05:59:14 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 12288:srt8R4lOv+iUl9kTvBLWAt75xvubnFOXg3mHglwU:srt8RB+fklt99U3mAqU
Threatray 11 similar samples on MalwareBazaar
TLSH T1F8D4122433E55F34C99F4B7AE9B2310603F9BD2A2451F34D6EC2A4D91EA3700DA516B3
TrID 49.0% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
20.9% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
8.7% (.SCR) Windows screen saver (13097/50/3)
7.0% (.EXE) Win64 Executable (generic) (10523/12/4)
4.4% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
File icon (PE):PE icon
dhash icon 00706dd050697000 (9 x AgentTesla, 5 x Loki, 4 x Formbook)
Reporter lowmal3
Tags:exe SnakeKeylogger

Intelligence

File Origin
# of uploads :
1
# of downloads :
265
Origin country :
DE DE
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
Maersk MRKU8781602.exe
Verdict:
Malicious activity
Analysis date:
2023-04-05 06:00:21 UTC
Tags:
snake keylogger trojan evasion
Link:
https://app.any.run/tasks/1d5cb285-568f-4337-a9d2-7cbdd1dadd01

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Snake
Create hunting rule
Link:
https://www.capesandbox.com/analysis/380189/
Detection(s):
Sanesecurity.Malware.28872.BadIN4.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a custom TCP request
Сreating synchronization primitives
Launching a process
Creating a process with a hidden window
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
packed
Link:
https://www.filescan.io/uploads/642d0e656d5da9b446732b4a/reports/d3417ab1-583c-4e5e-b37e-1da930a9cc50/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_100%
Link:
https://www.hybrid-analysis.com/sample/341db7699f4f2349d2cec4a85f09a899b322268b811d722aa9da9e035c0db874
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Snake Keylogger
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/ac10e996-f748-4707-bd26-c2276052c2eb
Result
Threat name:
Snake Keylogger
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1208590
Signature
.NET source code contains potential unpacker
Adds a directory exclusion to Windows Defender
Injects a PE file into a foreign processes
Malicious sample detected (through community Yara rule)
May check the online IP address of the machine
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Scheduled temp file as task from temp location
Snort IDS alert for network traffic
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Mail credentials (via file / registry access)
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected Generic Downloader
Yara detected Snake Keylogger
Yara detected Telegram RAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 841506 Sample: Maersk_MRKU8781602.exe Startdate: 05/04/2023 Architecture: WINDOWS Score: 100 48 Snort IDS alert for network traffic 2->48 50 Malicious sample detected (through community Yara rule) 2->50 52 Sigma detected: Scheduled temp file as task from temp location 2->52 54 5 other signatures 2->54 7 Maersk_MRKU8781602.exe 7 2->7         started        11 ziBbNJN.exe 5 2->11         started        process3 dnsIp4 32 C:\Users\user\AppData\Roaming\ziBbNJN.exe, PE32 7->32 dropped 34 C:\Users\user\...\ziBbNJN.exe:Zone.Identifier, ASCII 7->34 dropped 36 C:\Users\user\AppData\Local\...\tmpCC3B.tmp, XML 7->36 dropped 38 C:\Users\user\...\Maersk_MRKU8781602.exe.log, ASCII 7->38 dropped 56 May check the online IP address of the machine 7->56 58 Uses schtasks.exe or at.exe to add and modify task schedules 7->58 60 Adds a directory exclusion to Windows Defender 7->60 14 Maersk_MRKU8781602.exe 15 2 7->14         started        18 powershell.exe 21 7->18         started        20 schtasks.exe 1 7->20         started        40 192.168.2.1 unknown unknown 11->40 62 Multi AV Scanner detection for dropped file 11->62 64 Injects a PE file into a foreign processes 11->64 22 ziBbNJN.exe 14 2 11->22         started        24 schtasks.exe 1 11->24         started        file5 signatures6 process7 dnsIp8 42 checkip.dyndns.com 193.122.6.168, 49706, 49707, 80 ORACLE-BMC-31898US United States 14->42 44 checkip.dyndns.org 14->44 26 conhost.exe 18->26         started        28 conhost.exe 20->28         started        46 checkip.dyndns.org 22->46 66 Tries to steal Mail credentials (via file / registry access) 22->66 68 Tries to harvest and steal ftp login credentials 22->68 70 Tries to harvest and steal browser information (history, passwords, etc) 22->70 30 conhost.exe 24->30         started        signatures9 process10
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/341db7699f4f2349d2cec4a85f09a899b322268b811d722aa9da9e035c0db874/
Threat name:
Win32.Trojan.Leonem
Create hunting rule
Status:
Malicious
First seen:
2023-04-05 02:03:39 UTC
File Type:
PE (.Net Exe)
Extracted files:
13
AV detection:
17 of 36 (47.22%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=gqo3o2m7j4rutuwoysuf6cnitgzsejulqeoxekvj3kpagxanxb2a._file
Verdict:
malicious
Similar samples:
0a55d4ec929122952ccf0962347a5a5672a0051bcb31ead7f2c0d7df516eee6d
SnakeKeylogger
48b3525f35a068cb4ec4d6a9206bb06f0f44c968860b01ae3eb44342aecc43f4
SnakeKeylogger
7282e959f35ef032b1beb99e36939b9878932393d22e93f2e2e8cad4d64d0ed3
SnakeKeylogger
8754efcd69c5921c8e34189d86a84ebc6f2a37ac05e7fa0de911005984be1321
SnakeKeylogger
892fdc8fd8904cfd1899e92eb06dcad91b8f6edab5903c067b54ba9086582d09
SnakeKeylogger
9d0618a3a6027f47ebd85a126770e86f37e6e47b35f2175e7fde30acf1d73020
SnakeKeylogger
b6a43c7e7e920c85e8d0228a483f4f06173c89a512f32ff0f36de6da64411d46
SnakeKeylogger
c66f9de1d4c00ed7cf572dda373abd01568a6d8a732a5763c0884d42f68d8e08
SnakeKeylogger
e09eaaa707261756f322c8d5b12af0a09c575ffbdd7bf19b895cab4982b7f68a
SnakeKeylogger
f0e160fc8c0dacffdd789b3a91933fd9c3d629077d25e29a4f69217220689374
SnakeKeylogger
+ 1 additional samples on MalwareBazaar
Result
Malware family:
snakekeylogger
Create hunting rule
Score:
  10/10
Tags:
family:snakekeylogger collection keylogger spyware stealer
Link:
https://tria.ge/reports/230405-gqbllsca73/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Enumerates physical storage devices
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Looks up external IP address via web service
Checks computer location settings
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Snake Keylogger
Snake Keylogger payload
Malware Config
C2 Extraction:
https://api.telegram.org/bot5616959587:AAExtOpZFeIG_Fr6GGD2wxulyGXrUhSr8vU/sendMessage?chat_id=2095430248
Unpacked files
SH256 hash:
57a801be4fe763a0795de01e337380d5d64a9b3a610855a04310287296ed4e32
MD5 hash:
07751ba73dce3751b211f562441a07a3
SHA1 hash:
e6eaac1b69cec960c40d18431b5e16d9a4415f14
Link:
https://www.unpac.me/results/4d196d3c-0f9e-4743-8a50-1ae093f6d62c/
SH256 hash:
78263b569d4f9ed2016bd9c29718f62e55413cd4ca0106295c0443fafdc085d5
MD5 hash:
aef59f95e1a844e2551c8f3b4ef5a3b8
SHA1 hash:
d93e7ad3d586dfdee6b1c99db9237760671dd928
Link:
https://www.unpac.me/results/4d196d3c-0f9e-4743-8a50-1ae093f6d62c/
SH256 hash:
d0284e4cd27a97845d8d4bb45fa7dc7b0d5b7301ef5a082d250ac5e63fe1e130
MD5 hash:
d609c54e9934152bfac5d1145ef5383c
SHA1 hash:
2c4711c46581af86f12622afd766d26137a7b2ec
Detections:
snake_keylogger
Create hunting rule
Link:
https://www.unpac.me/results/4d196d3c-0f9e-4743-8a50-1ae093f6d62c/
Parent samples :
98aec31af0a8a5abc9d25b32efbb5b4cd5b54d2a2810e196c00ea77d9969b12b
7ce06c4227d8b111e23ea4af903379bef4211205ff6a6a582aa7c74149ec8b47
341db7699f4f2349d2cec4a85f09a899b322268b811d722aa9da9e035c0db874
6814fda77ec8db64269a9a5b86777b1d87708ccecb96e6e762b3cdc4912940bb
bffea4bf5d2cda8c23b02e73e1a5cc9a43da3816c7193f23db798e4982916c66
SH256 hash:
7130e3330f909cfcd3a8d53ea97b09d665996b777f84d9a1d799df04257af5bb
MD5 hash:
f10376f7efe46051865e147d026554b4
SHA1 hash:
4ec83d2c4e75c79c41ccbcfd45026ce640e06816
Link:
https://www.unpac.me/results/4d196d3c-0f9e-4743-8a50-1ae093f6d62c/
SH256 hash:
e4e6cbef9a59d20973cddb69814231686e244804f96df5bcc4052c0397a18412
MD5 hash:
2514aaf7e50ee4b1b512b6fa9090f346
SHA1 hash:
0288254dca305f26b1661716ea1dbba71ea3040f
Link:
https://www.unpac.me/results/4d196d3c-0f9e-4743-8a50-1ae093f6d62c/
SH256 hash:
341db7699f4f2349d2cec4a85f09a899b322268b811d722aa9da9e035c0db874
MD5 hash:
c057375810d910fa597ed62275e359b1
SHA1 hash:
ebbf981673b34b3c9b103c273c46ec3f4975dd2e
Link:
https://www.unpac.me/results/4d196d3c-0f9e-4743-8a50-1ae093f6d62c/
Malware family:
SnakeKeylogger
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/341db7699f4f/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/341db7699f4f2349d2cec4a85f09a899b322268b811d722aa9da9e035c0db874

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash
Rule name:Suspicious_Macro_Presence
Create hunting rule
Author:Mehmet Ali Kerimoglu (CYB3RMX)
Description:This rule detects common malicious/suspicious implementations.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

SnakeKeylogger

Executable exe 341db7699f4f2349d2cec4a85f09a899b322268b811d722aa9da9e035c0db874

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/380189/

Comments