MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 37b18e3f5959105296e85bd500d53b862ef7f8187df179401470333275485b81. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


SnakeKeylogger


Vendor detections: 15


Intelligence 15 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 37b18e3f5959105296e85bd500d53b862ef7f8187df179401470333275485b81
SHA3-384 hash: 085ff08b875df75177aa506193ebaf429010a8cb08a11cbb8d84bd05f3d1e47686de897ad501e59aafc5b5725d02e408
SHA1 hash: b0ada9f9bb1670ddc1d553f24f2b3b6ab598fbed
MD5 hash: 9cdd63e1bfaf4710b3411892b076c35d
humanhash: lake-neptune-mirror-mango
File name:9cdd63e1bfaf4710b3411892b076c35d.exe
Download: download sample
Signature SnakeKeylogger
Create hunting rule
File size:709'120 bytes
First seen:2022-11-10 12:17:17 UTC
Last seen:2022-11-10 14:04:16 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'647 x AgentTesla, 19'451 x Formbook, 12'201 x SnakeKeylogger)
ssdeep 12288:9cqXPoOBYmT1b7JH6ZTI11439FU7AFlO739oo3F5/W+sc:WjONn91O3cAG73io3F93H
Threatray 8'768 similar samples on MalwareBazaar
TLSH T1F9E4F092702D5B58C36CBB7176E583207BB07D369953D65E2ACC32CB86337844E3266B
TrID 61.5% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
11.0% (.SCR) Windows screen saver (13097/50/3)
8.8% (.EXE) Win64 Executable (generic) (10523/12/4)
5.5% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.2% (.EXE) Win16 NE executable (generic) (5038/12/1)
Reporter abuse_ch
Tags:exe SnakeKeylogger

Intelligence

File Origin
# of uploads :
2
# of downloads :
175
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
9cdd63e1bfaf4710b3411892b076c35d.exe
Verdict:
Malicious activity
Analysis date:
2022-11-10 12:18:53 UTC
Tags:
evasion trojan snake
Link:
https://app.any.run/tasks/49e13501-38a9-4bc6-9230-d892ee2cd49b

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Snake
Create hunting rule
Link:
https://www.capesandbox.com/analysis/331872/
Detection(s):
SecuriteInfo.com.Trojan.PackedNET.1617.26585.21542.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Unauthorized injection to a recently created process
Creating a file
Сreating synchronization primitives
DNS request
Sending an HTTP GET request
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
packed
Link:
https://www.filescan.io/uploads/636cebfb20a0b4943a8ebab4/reports/979b2e07-fa31-406f-8231-9634022d5de3/overview
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Snake Keylogger
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/722121a5-4361-480b-8e59-af4f761bea04
Result
Threat name:
Snake Keylogger
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1110754
Signature
.NET source code references suspicious native API functions
Injects a PE file into a foreign processes
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
May check the online IP address of the machine
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Mail credentials (via file / registry access)
Yara detected AntiVM3
Yara detected Generic Downloader
Yara detected Snake Keylogger
Yara detected Telegram RAT
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/37b18e3f5959105296e85bd500d53b862ef7f8187df179401470333275485b81/
Threat name:
Win32.Trojan.Woreflint
Create hunting rule
Status:
Malicious
First seen:
2022-11-10 12:04:22 UTC
File Type:
PE (.Net Exe)
Extracted files:
17
AV detection:
20 of 26 (76.92%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=g6yy4p2zleifffxilpkqbvj3qyxpp6aypxyxsqauoazte5kiloaq._file
Verdict:
malicious
Similar samples:
0cc2e5b30e63a14392a667b12c238c794eba4d2e6bc8f581319baf1e0efe537b
SnakeKeylogger
406e9f07aa3bb42bcc51aab336b1a672de5abb220416451cdebc0916cbb45396
SnakeKeylogger
73493f393423de3502be624402e63b53216a91ec15cb5ab1357661a75c2ad29e
SnakeKeylogger
775bfe71cc319661eab3324221ff8f507df0f88dc7062133faa70c0e1969a69c
SnakeKeylogger
8e4ee0ec7d1ac518e6f583d03c62b7d89978f2a0df7f5d1e50e709fe7a91a512
SnakeKeylogger
9b99bfeaca81fa2a9b5f525bd35d6f7f87866a65970f3fcde51085401e51e4d5
SnakeKeylogger
cc59aa1e7c1791f184e0725ba1e86bfe1d636761bd640aed519e1eb1c81161b1
SnakeKeylogger
d85e746a22444825e6140beed538bf5ffd680b30c2458f68605a4b1efc58b591
SnakeKeylogger
+ 8'758 additional samples on MalwareBazaar
Result
Malware family:
snakekeylogger
Create hunting rule
Score:
  10/10
Tags:
family:snakekeylogger collection keylogger spyware stealer
Link:
https://tria.ge/reports/221110-pgln8ahfh6/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Looks up external IP address via web service
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Snake Keylogger
Snake Keylogger payload
Verdict:
Suspicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/d0f15404-b389-49ce-97da-063e3380978e
Unpacked files
SH256 hash:
f117ef68f80cfa42bf89710d8c904c2d1aa68ab1b71efd382fda981b2770a716
MD5 hash:
07e968da5cd862e3e38bb8eaa0e5d2e8
SHA1 hash:
f24f43f264757ec60442e8f9bac8239c76e8634b
Link:
https://www.unpac.me/results/6b5416fa-daf5-4758-87ab-d28052840e74/
SH256 hash:
e7ed8ef84b157c86bcee1d2686423be50ab8a1cde695c45d181a560ded4dc12c
MD5 hash:
2ba346bcc7490285644d78bd8ec44784
SHA1 hash:
b7c73d2c221f12b027ce6749a15bf28ae70ee007
Link:
https://www.unpac.me/results/6b5416fa-daf5-4758-87ab-d28052840e74/
SH256 hash:
7f272c4db499b1501a5ea1711d23de0e6a0c07faf16275e9b01722dae889c7c9
MD5 hash:
dd8b9511dda8eb7c84e1621046828883
SHA1 hash:
7f715270ffcadcba5c3148d2a0cecfaaf6c2e805
Link:
https://www.unpac.me/results/6b5416fa-daf5-4758-87ab-d28052840e74/
SH256 hash:
dea51202cc2ab5f41a6184a431878a0916c9da342500adf254c84f3e8a3308bc
MD5 hash:
69b8b0beaa0f31e2c068bfc92f552147
SHA1 hash:
207de80412dc4e94613cd7738603bda206fbbe58
Detections:
snake_keylogger
Create hunting rule
Link:
https://www.unpac.me/results/6b5416fa-daf5-4758-87ab-d28052840e74/
Parent samples :
54d7590201b896cf43690362e083fb71afba0f102b23ca5c90990072a89ec011
82ab49f2560c1880f313f39bee79cee6429f5a360111448656c4b06f48349a59
37b18e3f5959105296e85bd500d53b862ef7f8187df179401470333275485b81
2250ca2a6bd489bd69203a366b7a4572c23d8e9ec8eec6872d090c9528864090
ca5f23445d505071a55fea65975102914af4581c9aad0ae52da7c717639c5f03
5b93e1d0dba1385503522fa0fe6d595aa4c5d9e5d2fc12707536213444242d54
4de319cf407f802ea199b9904863a7c0da9071e5024470e069d7ebddc065a8dc
8cff398b16e8e2a230d61b4a8a3a9bff3180c52d42917808bde8dc3cc13baa33
0a7da056adc4dfa4ae6ca6cf29f9bb01e9d4745a02b1cb27e1ea3e231b5c4a04
64ef899448c228e4d02af5b452876418353d1633f55eb7776cd398ea86e8b2eb
707714c25c9050ce571a4decc3b6b10fbf8378ece2b29410397a5450da0e354e
8161e804d97adf2fbf82fffb3118ddeddb6e747eaa8322855cd461aaa3d5b0c1
882b7341097daf24a557e47628146f30fcea8278d6bda89395a99d4e221ce192
f3e57a4cf14c8fdcf105d76b3b76ec4366635799bf8267a370aa93f5aecb325e
86688e23e7f4912f816aa6d171fce70e5a3e3d079b2d65a354177b220f9e0c17
9791da4d42ba695fafd7a83c623ff8031e01187f0954302e40fadf922b62dbfe
985dd3f7e6155348ccb6d8e7d00bd79e1ed45524556e5e93c4f34145668f9bf5
4553f4bb88ac13c2945aa862fa8e251f2b511f1829577c9760e7046f2dec9a66
c61af53a6fb230424ba602c18ca23c785a1ad71338b061a8e68f75cbee7887b1
9b02e3cc4a73d9073ce484bdbd86bffd07da113b79a73382abccdb9fbe598635
b0ed7f500763e2e7852add02e1383799d76e71c96dbe860048a4559d7b5f754a
0da48a414780250e5e46c82f23370253f7fa66bb760e0a77d4f19142668917a3
61c198f39256af893b4c601253f5f3012a8a48fa20d090c922d35936c6504e77
6d07ef231c728f37b5c8b04440d7329cab83cd2193edc13b9077b6dc73a3c272
0dbf52d78ab0bb338530fa37c966bedf576b0d2cc6f841fea03ec0e396d080b6
4ed6abbbd38140886ff8ede3d099888908a5bb9686615d7e318c59e1cdf0e529
2050100f2b3759aa5fc9e7bb9222b22995eb873e4ad043f9c058479475b1b877
b224fda1120307ae20f7bc3cc954eb01e0f42d3a68ec52bebde216e0fbc2a0d6
5fbe0c0a58f4490e4060616d0fcc58527453a27ebe95a34161a63d4dc45d875f
dcd805dc19654c2b0a0998ca6e2f7154798d663998602b1f93cb6f626764d940
cd457647c5506fa1ebd3577f1ae8e918d4c0428038cee79db004570a7fa62c20
2787c515f1bf23eb1f84b4d0cda93a5929f094837e83155c144346ab53d0eeff
07f9fbdf3275f33f24a204c24ad3dad60ce1f74869f70caec813d18b259a1fac
fa7fd5b16def191f454534f6010b4de4a2dc6edd96b1269c6f3d393bf684d906
a0654f62824278612b4680a50d4ec37f05d34b7c4851118b6b2b0f3ebf26de92
aac543a6d3739034fa6c2b252610dc1d9afebc90b8726866f50750dc7b9968dc
ef96aff361fcc5b8c1efb69dcd5c68ec6956287f083c73ece05bf7afe86673de
62826246ed171e21b93e198d3ed59a8087d8e03b039fc566b34f54a0502cae01
f690807fa4bc8d257fd4cffadb3cd3154ee7bfaf11b7a09eba40259a311d4bc3
ec3cf9e9b9bc954296dac23688372c542ee9dd6041cb8d061489c149ea8d1eaf
5451af0f189419eb8ccd3feda51434e33c895fca5a63d05da1bf14fa0bb8f54e
131d50787d10f1df4153f4fbb95d39c666896c78987e3a7b83f643aa0c91b458
13b7007f4c163ebf9f97e33187e44cef00110c610b0fe4d25c4bb10a5a51b706
56d6ec04e6da2da0b7350720d5df69809fe2ea24dfac850ebd8f7ae89159f689
7d1c3591a7cbff524d0dcc03cfaed0fc1b7915e78b2a624747fc6dd4b3a765e7
1e743ec80b16cb881f0917b18dbe1bcf11b60f132a20586e5b75c039708cec53
093e669e3e7672fd4bce100c627920b416c2cf0ac4523289e2644ccaaa2f30a3
df990526583ae85b0713396e2f9fb5963d1de2bd1f0b85b038fd7f241ce1f1bd
52bfe70515e66a6f6d8b5ffff8b2d310bf211f0dcc745337ee12d69e85015eb2
105720dec1383492add8156554e740af732a92fbc9fb60edcca566f29c8f6ae8
b4264117c8337a2c7f689756393bec9303ddde5fe02986ef47b410ff22ba5ce1
dfce3d45a141a90bb1dda531b99447c1c8ce99be74c704d888af79f2a444c1d4
8b084a5b70a6572aa23ed19deb7007a91ea8ea740a36b801b6c98fccd7a2b3ec
0f467217bcccaa0eb494cb5da8e328cf5d16639ff4dc5d0cf56df96895f19a38
81d9661cb388676b8ac07ee0f5581f2095c68afdb8349c80217c5e39c1f1566d
0d7492d1fe1f2ccf93fd861f469ae978b2ca23c7bbc5b9ef7d0a64b87828739d
9a4d80d06be8acf452a13fbff5540cc48bd1089021d0978b41f5bdd68fd9d4a2
3468917c0bfb8bb5c07753482c3c69ff14f8a3d71aa4852478e68753654248d0
8394f08d071bc49b7eb6c186c4d4c769b82483340e850fda350797889723ffb2
280c26c26ee8fa14fecd6c866c3f4daeedfd7a48ccc501c06eded8ff096b3769
3d6efa4c776b98a784826dfd39c56d9e18398451752dcb9fd698735b9a6ac16a
94e644a9242ad93043fce6c5bb97e759d61e456b5171a0965e78405b018c5c75
9950b95b9ec431f1a93d12d2dbf4995c308f39b70742d09850b4a5995680391e
4952db48053c48e241bf6dcc0362c160eeb22d6ceedd9b57298b37659851c9ed
8d568e3e78eaaf4a8a89f03de6ad457c036bf257741f2bf42d6b861f65c5c060
SH256 hash:
ab19f28c700d64814b0c55df868c30dfb94e0a1f9fb6f7bca05bac6eb78a4e52
MD5 hash:
1f2a6c02dcf9aa00a28a5039fb5b8ce0
SHA1 hash:
1ef480867d39b98368af7586a8e6ba38c0c3893a
Link:
https://www.unpac.me/results/6b5416fa-daf5-4758-87ab-d28052840e74/
SH256 hash:
37b18e3f5959105296e85bd500d53b862ef7f8187df179401470333275485b81
MD5 hash:
9cdd63e1bfaf4710b3411892b076c35d
SHA1 hash:
b0ada9f9bb1670ddc1d553f24f2b3b6ab598fbed
Link:
https://www.unpac.me/results/6b5416fa-daf5-4758-87ab-d28052840e74/
Malware family:
SnakeKeylogger
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/37b18e3f5959/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.65
Link:
https://yomi.yoroi.company/submissions/37b18e3f5959105296e85bd500d53b862ef7f8187df179401470333275485b81

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

SnakeKeylogger

Executable exe 37b18e3f5959105296e85bd500d53b862ef7f8187df179401470333275485b81

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/2346135/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/331872/

Comments