MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 3848e63c938d02dbfe989e3011c11d984849a14e49f9a0cc0022fbea12e097b6. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


SnakeKeylogger


Vendor detections: 7


Intelligence 7 IOCs YARA 2 File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 3848e63c938d02dbfe989e3011c11d984849a14e49f9a0cc0022fbea12e097b6
SHA3-384 hash: 8b11833bde56630e245e760b501f6ecc9c49fad85a47d54c91b28c7f04cb5f6eaca839c09dea0ccfa4b5f345aa07ba60
SHA1 hash: 5719945332214941b2c0da538d7012e574fc4e5c
MD5 hash: 6ff764fe33b3e6fca261b7e086898056
humanhash: july-nitrogen-delta-timing
File name:6ff764fe33b3e6fca261b7e086898056
Download: download sample
Signature SnakeKeylogger
Create hunting rule
File size:393'728 bytes
First seen:2021-07-09 11:15:55 UTC
Last seen:2021-07-09 11:43:26 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 12288:TtSW8uCJjuCn6iQUB8CHPku8TvKNK6KSKnv5nftfBlxNRqCbFnA/ZOxorr:BSW2spxv5lzxNRqCtAB
Threatray 162 similar samples on MalwareBazaar
TLSH T13D84E1A1A56C943DC2DB87F6DFA3A7406EB3AF07D46091C430EE77A573B2F80A512548
Reporter zbetcheckin
Tags:32 exe SnakeKeylogger

Intelligence

File Origin
# of uploads :
2
# of downloads :
164
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
6ff764fe33b3e6fca261b7e086898056
Verdict:
Suspicious activity
Analysis date:
2021-07-09 11:18:16 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/cacc0d82-39f2-459a-a937-d19484b2b8a6

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/170655/
Detection(s):
SecuriteInfo.com.Trojan.PackedNET.919.6059.1519.UNOFFICIAL
Create hunting rule

Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/f14be098-17d5-4143-84b7-2f4cdf3ddd9e
Result
Threat name:
Snake Keylogger
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/813958
Signature
.NET source code references suspicious native API functions
Found malware configuration
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
May check the online IP address of the machine
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Mail credentials (via file access)
Writes to foreign memory regions
Yara detected Snake Keylogger
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 446369 Sample: ySBEWsGsWH Startdate: 09/07/2021 Architecture: WINDOWS Score: 100 50 Found malware configuration 2->50 52 Malicious sample detected (through community Yara rule) 2->52 54 Yara detected Snake Keylogger 2->54 56 4 other signatures 2->56 6 ySBEWsGsWH.exe 1 7 2->6         started        10 chrom.exe 5 2->10         started        12 chrom.exe 2 2->12         started        process3 file4 24 C:\Users\user\AppData\Roaming\...\chrom.exe, PE32 6->24 dropped 26 C:\Users\user\AppData\...\ySBEWsGsWH.exe, PE32 6->26 dropped 28 C:\Users\user\...\chrom.exe:Zone.Identifier, ASCII 6->28 dropped 34 2 other malicious files 6->34 dropped 58 Writes to foreign memory regions 6->58 60 Injects a PE file into a foreign processes 6->60 14 ySBEWsGsWH.exe 15 2 6->14         started        18 ySBEWsGsWH.exe 6->18         started        30 C:\Users\user\AppData\Local\Temp\chrom.exe, PE32 10->30 dropped 32 C:\Users\user\...\chrom.exe:Zone.Identifier, ASCII 10->32 dropped 20 chrom.exe 14 2 10->20         started        22 chrom.exe 12->22         started        signatures5 process6 dnsIp7 36 checkip.dyndns.org 14->36 38 checkip.dyndns.com 216.146.43.71, 49732, 49733, 49735 DYNDNSUS United States 14->38 48 2 other IPs or domains 14->48 62 Tries to steal Mail credentials (via file access) 14->62 64 Tries to harvest and steal ftp login credentials 14->64 66 Tries to harvest and steal browser information (history, passwords, etc) 14->66 40 checkip.dyndns.org 20->40 42 162.88.193.70, 49769, 49770, 49772 DYNDNSUS United States 20->42 44 172.67.188.154, 443, 49771, 49794 CLOUDFLARENETUS United States 20->44 68 May check the online IP address of the machine 20->68 70 Machine Learning detection for dropped file 20->70 46 checkip.dyndns.org 22->46 signatures8
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/3848e63c938d02dbfe989e3011c11d984849a14e49f9a0cc0022fbea12e097b6/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2021-07-09 11:16:07 UTC
File Type:
PE (.Net Exe)
Extracted files:
5
AV detection:
17 of 29 (58.62%)
Threat level:
  5/5
Verdict:
malicious
Similar samples:
3390c123938c77d21a6ae1dc750265427ea0fb5f5dd3571a9f2dcb069ee66812
SnakeKeylogger
4c840cf8b8e6ffbd8fd1140e323f898e220a405714353834ce98a1070cbe4a4c
SnakeKeylogger
4f6d56d20e25b1bbe5395a63e58d46bccdbb08ffeb756dba18b9d30811dd2b29
SnakeKeylogger
4ff2f77293b6804df81124399a416b304d7e778e5c6157bf1bd90f6e011f06d2
SnakeKeylogger
6e0bef23794d4e93ef917868ab89ce22bd27e35361e4e7d2f60ad3f82455e75e
SnakeKeylogger
78dd328a721ab033b3d63be6add959894ba7cf1d7ba380f78b078a1c9d1da16c
SnakeKeylogger
a3ca7c4385206990d3927c273f08e4daea47887567774da579337e0966593ae4
SnakeKeylogger
b03842095a0325b7fbed6892815537a01b6f9c57f7d57047124436bd7d058698
SnakeKeylogger
c0122aead3c5a7b1a3a8d5f5cd7dcafa2ea0966d08cd4480ee041f5dd8eae89d
SnakeKeylogger
ff1e03472ebb3a86fe6a41c3849d799dcfa035e93c43a1380071d67775bc6f83
SnakeKeylogger
+ 152 additional samples on MalwareBazaar
Result
Malware family:
snakekeylogger
Create hunting rule
Score:
  10/10
Tags:
family:snakekeylogger keylogger persistence spyware stealer
Link:
https://tria.ge/reports/210709-egs1k9fb3x/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Adds Run key to start application
Looks up external IP address via web service
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Snake Keylogger
Unpacked files
SH256 hash:
514e2497a461da0fcfe2755adf33767c4e5a43fcf1e0247b349021424a774304
MD5 hash:
6fc84b0a112d9e817c6a3a89c6a6d316
SHA1 hash:
e54be4720cfd5df5b9ca81459ccf194dd23e91a2
Link:
https://www.unpac.me/results/1411125b-6565-4ca7-88e8-7e9caac0130a/
SH256 hash:
99cbb33afed8c6109ca78d547694a1f1cbfe706322c0396c91f4a2d823f9f99b
MD5 hash:
185c6324507fae6d800d97c23e722210
SHA1 hash:
e790a082826aa6121b6173bc7f0714e72265ab52
Link:
https://www.unpac.me/results/1411125b-6565-4ca7-88e8-7e9caac0130a/
SH256 hash:
eb86fb79e853b6eb8312b57c95ef8e262579c59a2823431674469139bd49060c
MD5 hash:
7ca6416a7e52650634f5485711809932
SHA1 hash:
23bc67ec53760b83686af44e2b59853ee785102c
Link:
https://www.unpac.me/results/1411125b-6565-4ca7-88e8-7e9caac0130a/
SH256 hash:
3848e63c938d02dbfe989e3011c11d984849a14e49f9a0cc0022fbea12e097b6
MD5 hash:
6ff764fe33b3e6fca261b7e086898056
SHA1 hash:
5719945332214941b2c0da538d7012e574fc4e5c
Link:
https://www.unpac.me/results/1411125b-6565-4ca7-88e8-7e9caac0130a/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/3848e63c938d02dbfe989e3011c11d984849a14e49f9a0cc0022fbea12e097b6

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

SnakeKeylogger

Executable exe 3848e63c938d02dbfe989e3011c11d984849a14e49f9a0cc0022fbea12e097b6

(this sample)

  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/1438679/
Cape
Cape
https://www.capesandbox.com/analysis/170655/

Comments


Avatar
zbet commented on 2021-07-09 11:15:56 UTC

url : hxxp://lifestyledrinks.hu/wp-includes/cs3/ETL_051179320007.exe