MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 3652dcdb4eaff1a11ff293eedb80363e024bda7a33f1e1c17b082dfd4cea5a86. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


SnakeKeylogger


Vendor detections: 16


Intelligence 16 IOCs YARA 8 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 3652dcdb4eaff1a11ff293eedb80363e024bda7a33f1e1c17b082dfd4cea5a86
SHA3-384 hash: 113ac2e642cf9c2c29ba9d550e6a5a620283562c127e9b662bfc5efa5bd550915aa3e6892f27a7bfcbf2dd0fd4f1b19c
SHA1 hash: a28a2db1cacca688a66a00ecd840aedeaef484d4
MD5 hash: 78a62a23291a3c7907e947bc9f270e09
humanhash: spring-seventeen-asparagus-tango
File name:Order_List.scr
Download: download sample
Signature SnakeKeylogger
Create hunting rule
File size:706'056 bytes
First seen:2025-01-09 15:37:39 UTC
Last seen:2025-01-09 15:39:31 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 12288:xTWMWYMV+I4MVKWsXW+KiXe39JZArWHEkznuJVGZdkR:d/GRgjXWLYrvWA
TLSH T108E48C5A0356E4C1D0D606BC24E3FBB782544D489A21C6C247ECFEA73AA3A5D790F1DB
TrID 71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.2% (.EXE) Win64 Executable (generic) (10522/11/4)
6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.3% (.EXE) Win32 Executable (generic) (4504/4/1)
2.0% (.ICL) Windows Icons Library (generic) (2059/9)
Magika pebin
File icon (PE):PE icon
dhash icon 33694d96962b2b2f (2 x Formbook, 1 x AsyncRAT, 1 x Loki)
Reporter lowmal3
Tags:exe SnakeKeylogger

Intelligence

File Origin
# of uploads :
2
# of downloads :
428
Origin country :
DE DE
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
Order_List.scr
Verdict:
Malicious activity
Analysis date:
2025-01-07 14:31:25 UTC
Tags:
evasion snake keylogger netreactor stealer ims-api generic
Link:
https://app.any.run/tasks/2902f75d-cb3c-451b-8070-699b982c9a1d

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Verdict:
Malicious
Score:
92.5%
Link:
https://cyber-fortress.com/docs/result/index.php?id=677d3abac029bd73f2859c86
Tags:
injection micro shell
Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Creating a window
Сreating synchronization primitives
Verdict:
Malicious
Labled as:
Trojan.Generic
Link:
https://www.hybrid-analysis.com/sample/3652dcdb4eaff1a11ff293eedb80363e024bda7a33f1e1c17b082dfd4cea5a86
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Snake Keylogger
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/68cd373e-2488-4485-9380-2d37f666af06
Result
Threat name:
PureLog Stealer, Snake Keylogger
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1586804
Signature
Adds a directory exclusion to Windows Defender
AI detected suspicious sample
Found malware configuration
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Loading BitLocker PowerShell Module
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Sigma detected: Scheduled temp file as task from temp location
Tries to detect the country of the analysis system (by using the IP)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected AntiVM3
Yara detected Generic Downloader
Yara detected PureLog Stealer
Yara detected Snake Keylogger
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1586804 Sample: Order_List.scr.exe Startdate: 09/01/2025 Architecture: WINDOWS Score: 100 50 reallyfreegeoip.org 2->50 52 checkip.dyndns.org 2->52 54 checkip.dyndns.com 2->54 56 Found malware configuration 2->56 58 Malicious sample detected (through community Yara rule) 2->58 60 Sigma detected: Scheduled temp file as task from temp location 2->60 64 9 other signatures 2->64 8 Order_List.scr.exe 7 2->8         started        12 FTlLqTRGrXZr.exe 5 2->12         started        signatures3 62 Tries to detect the country of the analysis system (by using the IP) 50->62 process4 file5 38 C:\Users\user\AppData\...\FTlLqTRGrXZr.exe, PE32 8->38 dropped 40 C:\Users\...\FTlLqTRGrXZr.exe:Zone.Identifier, ASCII 8->40 dropped 42 C:\Users\user\AppData\Local\...\tmp5251.tmp, XML 8->42 dropped 44 C:\Users\user\...\Order_List.scr.exe.log, ASCII 8->44 dropped 66 Uses schtasks.exe or at.exe to add and modify task schedules 8->66 68 Adds a directory exclusion to Windows Defender 8->68 14 powershell.exe 23 8->14         started        17 Order_List.scr.exe 15 2 8->17         started        20 powershell.exe 23 8->20         started        22 schtasks.exe 1 8->22         started        70 Multi AV Scanner detection for dropped file 12->70 72 Machine Learning detection for dropped file 12->72 74 Injects a PE file into a foreign processes 12->74 24 FTlLqTRGrXZr.exe 12->24         started        26 schtasks.exe 12->26         started        signatures6 process7 dnsIp8 76 Loading BitLocker PowerShell Module 14->76 28 WmiPrvSE.exe 14->28         started        30 conhost.exe 14->30         started        46 checkip.dyndns.com 132.226.8.169, 49716, 49731, 49743 UTMEMUS United States 17->46 48 reallyfreegeoip.org 104.21.64.1, 443, 49719, 49730 CLOUDFLARENETUS United States 17->48 32 conhost.exe 20->32         started        34 conhost.exe 22->34         started        78 Tries to steal Mail credentials (via file / registry access) 24->78 80 Tries to harvest and steal browser information (history, passwords, etc) 24->80 36 conhost.exe 26->36         started        signatures9 process10
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/3652dcdb4eaff1a11ff293eedb80363e024bda7a33f1e1c17b082dfd4cea5a86
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/3652dcdb4eaff1a11ff293eedb80363e024bda7a33f1e1c17b082dfd4cea5a86/
Threat name:
Win32.Trojan.Znyonm
Create hunting rule
Status:
Malicious
First seen:
2025-01-07 08:11:57 UTC
File Type:
PE (.Net Exe)
Extracted files:
10
AV detection:
27 of 38 (71.05%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=gzjnzw2ov7y2ch7sspxnxabwhybexwt2gpy6dql3baw72thklkda._file
Verdict:
malicious
Label(s):
snakekeylogger
Create hunting rule
unknown_loader_037
Create hunting rule
Similar samples:
error
SnakeKeylogger
Result
Malware family:
snakekeylogger
Create hunting rule
Score:
  10/10
Tags:
family:snakekeylogger collection discovery execution keylogger spyware stealer
Link:
https://tria.ge/reports/250109-s22gysvrdr/
Behaviour
Scheduled Task/Job: Scheduled Task
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Looks up external IP address via web service
Checks computer location settings
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Command and Scripting Interpreter: PowerShell
Snake Keylogger
Snake Keylogger payload
Snakekeylogger family
Malware Config
C2 Extraction:
https://api.telegram.org/bot7888110857:AAH_lE30nomQfyzYUPPXbGWeGI9ffBUijsQ/sendMessage?chat_id=7222025033
Verdict:
Suspicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/db90bc97-03c9-4d48-8c6d-5e080933ccbf
Unpacked files
SH256 hash:
cd05a7b92fd5441e71836d4e40659fbecce8b72c6d7d4cd3558b840e03514368
MD5 hash:
4c4a3034e077abf2fa097c5f4367ea3d
SHA1 hash:
f11ae5ae0ccffd69e98a7af1314c4c5fa0880a5e
Detections:
snake_keylogger
Create hunting rule
win_404keylogger_g1
Create hunting rule
MAL_Envrial_Jan18_1
Create hunting rule
INDICATOR_SUSPICIOUS_Binary_References_Browsers
Create hunting rule
INDICATOR_SUSPICIOUS_EXE_References_Messaging_Clients
Create hunting rule
INDICATOR_SUSPICIOUS_EXE_DotNetProcHook
Create hunting rule
MALWARE_Win_SnakeKeylogger
Create hunting rule
Link:
https://www.unpac.me/results/4034f3d9-d7d7-4019-9a89-99e4fa7a3bcd/
Parent samples :
3652dcdb4eaff1a11ff293eedb80363e024bda7a33f1e1c17b082dfd4cea5a86
b37e686fd31a86e8ace7bac6a862b1388241527af590a168c294801cfbecd5b1
SH256 hash:
168b6065d141a70c80f8c09204fd7252eb104de2e450599fc5896c1439322f6e
MD5 hash:
96858749c6f54f23560dc6a5aef2c32b
SHA1 hash:
861a04be243f05efe28e6d5dd5409ed56ff64476
Detections:
SUSP_OBF_NET_Reactor_Indicators_Jan24
Create hunting rule
Link:
https://www.unpac.me/results/4034f3d9-d7d7-4019-9a89-99e4fa7a3bcd/
Parent samples :
6889d04a51c7a76b2ab1b4161b2b5e5d17dc2780e29dcc78b41460f982986786
ea2305b81698e84ea423f196cbea17b3eddc98c57d5f53342f5ba82fb5ea3856
8515cd8f15f1b16373993dfb77427a0fe071abb0384f9bfe55f14adc4ff5d30a
cbae135ce99b7218f36189a750bca0868612e0c2ba0ab5fed90a32bc123d989d
87c6bd3556e570f5c0acb04c5286da5b222d6f4e2105827ccde74e4123ee55aa
67cc97b2f5e9d35039589c92c7f6fda7831af0f259ddf248fb166664e4027b91
24777f80f39fba9da6a66bb0804bd3c3a510126f583eefb8918e24fa5fdeb69b
c024729558cdf11515cc4024d0f3118d8313a86c68d48846376c55b8ec97c0e4
3652dcdb4eaff1a11ff293eedb80363e024bda7a33f1e1c17b082dfd4cea5a86
4ae69707fe39339915373a1ec3adaea49a73a9656c99fe27ecda591049be9d53
9604ee9c0cf521a022d9726b2e1dd82e6b3813d2ade567430b39a2fd9545063b
1787fd4fd81dca24ca10625e93d43168eea906184da17183ba53a306856c0f28
31a2ec31c4722d3011b75595c76e677aba7e5bc164c667d709943893ebea4f97
31dd67c25cb99830d6df7e63abee058598eed026076acd4a659fed12fd8647ef
4697e774285a7b1624b2240cff212aa16a59a91bc1d397e55b5e4b1f1d54e95f
SH256 hash:
a0c3893e876b5ffe157da4adda38408a5d22024c2e3380af4d11245aa678aa23
MD5 hash:
860e44cfe6f344726fee1fe57fb95c71
SHA1 hash:
18c90442cb04f825a0040b943c6836f6372c8b7e
Detections:
SUSP_OBF_NET_ConfuserEx_Name_Pattern_Jan24
Create hunting rule
SUSP_OBF_NET_Reactor_Indicators_Jan24
Create hunting rule
Link:
https://www.unpac.me/results/4034f3d9-d7d7-4019-9a89-99e4fa7a3bcd/
SH256 hash:
3652dcdb4eaff1a11ff293eedb80363e024bda7a33f1e1c17b082dfd4cea5a86
MD5 hash:
78a62a23291a3c7907e947bc9f270e09
SHA1 hash:
a28a2db1cacca688a66a00ecd840aedeaef484d4
Link:
https://www.unpac.me/results/4034f3d9-d7d7-4019-9a89-99e4fa7a3bcd/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/3652dcdb4eaff1a11ff293eedb80363e024bda7a33f1e1c17b082dfd4cea5a86

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_KB_CERT_7c1118cbbadc95da3752c46e47a27438
Create hunting rule
Author:ditekSHen
Description:Detects executables signed with stolen, revoked or invalid certificates
Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:NETexecutableMicrosoft
Create hunting rule
Author:malware-lu
Rule name:PE_Digital_Certificate
Create hunting rule
Author:albertzsigovits
Rule name:pe_imphash
Create hunting rule
Rule name:PE_Potentially_Signed_Digital_Certificate
Create hunting rule
Author:albertzsigovits
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash
Rule name:Sus_Obf_Enc_Spoof_Hide_PE
Create hunting rule
Author:XiAnzheng
Description:Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique(can create FP)

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

SnakeKeylogger

Executable exe 3652dcdb4eaff1a11ff293eedb80363e024bda7a33f1e1c17b082dfd4cea5a86

(this sample)

  
Delivery method
Distributed via e-mail attachment

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_DLL_CHARACTERISTICSMissing dll Security Characteristics (GUARD_CF)high

Comments