MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 385b0dc759da9aa986880e3652447db19686c359b11b27efac77200c2e48544f. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


SnakeKeylogger


Vendor detections: 16


Intelligence 16 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 385b0dc759da9aa986880e3652447db19686c359b11b27efac77200c2e48544f
SHA3-384 hash: c05d2aa7a541d4a7feadc3764778218d2ae99ad02edb5560c0735caf19dca34670f4bd68250deee1960c7f89d27770de
SHA1 hash: 51a2211b6abf5638bd805df1fce3259b68b9bc6a
MD5 hash: b8eb18c7a33fec016ff3c1777f3819c2
humanhash: bluebird-vermont-uranus-mike
File name:Remittance Advice.exe
Download: download sample
Signature SnakeKeylogger
Create hunting rule
File size:965'632 bytes
First seen:2023-03-10 12:06:40 UTC
Last seen:2023-03-10 13:31:11 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'740 x AgentTesla, 19'599 x Formbook, 12'241 x SnakeKeylogger)
ssdeep 12288:KFlLKHFjcs6BJs0w6xRDqnB9FmYGzj1Usr+B+gAMaUUNaGokRbXtgJO6gEWuk:ABhw6xwBXGv1YHAv7Zdd
Threatray 257 similar samples on MalwareBazaar
TLSH T11725CF446311A97ACB27A67FF2161E28223C6D1EFEBCD6485905309F08EDFB544C29DB
TrID 63.0% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
11.2% (.SCR) Windows screen saver (13097/50/3)
9.0% (.EXE) Win64 Executable (generic) (10523/12/4)
5.6% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
3.8% (.EXE) Win32 Executable (generic) (4505/5/1)
Reporter abuse_ch
Tags:exe SnakeKeylogger

Intelligence

File Origin
# of uploads :
2
# of downloads :
204
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
Remittance Advice.exe
Verdict:
Malicious activity
Analysis date:
2023-03-10 12:10:54 UTC
Tags:
snake keylogger trojan evasion
Link:
https://app.any.run/tasks/1c998336-2d8b-495e-8681-0eb7038c6108

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Snake
Create hunting rule
Link:
https://www.capesandbox.com/analysis/373327/
Detection(s):
SecuriteInfo.com.Variant.Tedy.303850.29733.28931.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Сreating synchronization primitives
Creating a file in the %AppData% directory
Enabling the 'hidden' option for recently created files
Adding an access-denied ACE
Creating a process from a recently created file
Creating a process with a hidden window
Creating a file in the %temp% directory
Launching a process
Enabling autorun by creating a file
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
barys comodo lokibot packed
Link:
https://www.filescan.io/uploads/640b1d6879380d66a3b24cf1/reports/198f9d3c-7fc7-4df2-ab97-025a4ac9678c/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_100%
Link:
https://www.hybrid-analysis.com/sample/385b0dc759da9aa986880e3652447db19686c359b11b27efac77200c2e48544f
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Generic Malware
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/81751565-5f00-46d9-9387-1aa8d14ffd39
Result
Threat name:
Snake Keylogger
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1191149
Signature
Adds a directory exclusion to Windows Defender
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
May check the online IP address of the machine
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Scheduled temp file as task from temp location
Snort IDS alert for network traffic
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Mail credentials (via file / registry access)
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected Generic Downloader
Yara detected Snake Keylogger
Yara detected Telegram RAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 824025 Sample: Remittance_Advice.exe Startdate: 10/03/2023 Architecture: WINDOWS Score: 100 53 Snort IDS alert for network traffic 2->53 55 Malicious sample detected (through community Yara rule) 2->55 57 Sigma detected: Scheduled temp file as task from temp location 2->57 59 5 other signatures 2->59 7 Remittance_Advice.exe 7 2->7         started        11 bAUQCehpkwerHJ.exe 5 2->11         started        process3 file4 35 C:\Users\user\AppData\...\bAUQCehpkwerHJ.exe, PE32 7->35 dropped 37 C:\...\bAUQCehpkwerHJ.exe:Zone.Identifier, ASCII 7->37 dropped 39 C:\Users\user\AppData\Local\...\tmp43F0.tmp, XML 7->39 dropped 41 C:\Users\user\...\Remittance_Advice.exe.log, ASCII 7->41 dropped 61 May check the online IP address of the machine 7->61 63 Uses schtasks.exe or at.exe to add and modify task schedules 7->63 65 Adds a directory exclusion to Windows Defender 7->65 13 Remittance_Advice.exe 15 2 7->13         started        17 powershell.exe 19 7->17         started        19 schtasks.exe 1 7->19         started        67 Multi AV Scanner detection for dropped file 11->67 69 Machine Learning detection for dropped file 11->69 71 Injects a PE file into a foreign processes 11->71 21 bAUQCehpkwerHJ.exe 14 2 11->21         started        23 schtasks.exe 1 11->23         started        25 bAUQCehpkwerHJ.exe 11->25         started        27 bAUQCehpkwerHJ.exe 11->27         started        signatures5 process6 dnsIp7 43 checkip.dyndns.com 193.122.130.0, 49702, 80 ORACLE-BMC-31898US United States 13->43 45 checkip.dyndns.org 13->45 47 192.168.2.1 unknown unknown 13->47 29 conhost.exe 17->29         started        31 conhost.exe 19->31         started        49 132.226.8.169, 49703, 80 UTMEMUS United States 21->49 51 checkip.dyndns.org 21->51 73 Tries to steal Mail credentials (via file / registry access) 21->73 75 Tries to harvest and steal ftp login credentials 21->75 77 Tries to harvest and steal browser information (history, passwords, etc) 21->77 33 conhost.exe 23->33         started        signatures8 process9
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/385b0dc759da9aa986880e3652447db19686c359b11b27efac77200c2e48544f/
Threat name:
ByteCode-MSIL.Trojan.Marsilia
Create hunting rule
Status:
Malicious
First seen:
2023-03-10 09:55:17 UTC
File Type:
PE (.Net Exe)
Extracted files:
30
AV detection:
17 of 24 (70.83%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=hbnq3r2z3knktbuiby3ferd5wglinq2zwensp35mo4qaylsikrhq._file
Verdict:
malicious
Similar samples:
6323b9e2d7bab4074d8866bda3fec2c38c00263ebca6237d2599efddafad5cf7
SnakeKeylogger
6bd93280c677623b4c964daf8cea0c20ae3c32ea8cee4c2e52da9a8b3dfc5ec8
SnakeKeylogger
9bdb5db36a0d82f4cbdc06a3cec49c6ba164be2b7c62e236d3b4ee3c5ebd73a1
SnakeKeylogger
9ecc5cce9cdf7a5a0e32a29ae99348e95520126499e5f02caed1bd37f5e00fd6
SnakeKeylogger
9f5e89aa93961e166ea0aa24c0005541f58e1d352ae7c5781ce63f4369f62555
SnakeKeylogger
a57c5beaa6ae6ab8b14a46bb514767afc0be570b26eb86e51c351cd468ea813d
SnakeKeylogger
b938ff358f891462489b2dc54b8d4cb2486eeebae2fa2dcd5a2e5c0de679b426
SnakeKeylogger
e8738a421e052a4b0824102fc4a1d6d530dfa5ab90a651e0aca6ff8730d2bc02
SnakeKeylogger
f612e06403e19aab32db50beb92fcd9ac362e9c448ff13d00731355731b78c65
SnakeKeylogger
fd63f671c5984fd1cd39cf00e35bf5e978b8dedce3e209d29c120325f1984254
SnakeKeylogger
+ 247 additional samples on MalwareBazaar
Result
Malware family:
snakekeylogger
Create hunting rule
Score:
  10/10
Tags:
family:snakekeylogger collection keylogger spyware stealer
Link:
https://tria.ge/reports/230310-pafvdsde42/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Enumerates physical storage devices
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Looks up external IP address via web service
Checks computer location settings
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Snake Keylogger
Snake Keylogger payload
Unpacked files
SH256 hash:
c234684a33231d86ca3a0c6459d4fc982bfd2516807b0022d9094868d2111719
MD5 hash:
33846e3d38c36db71b091f1d26d97491
SHA1 hash:
a92e54e4016e792bd11828e92c66684f69309ea2
Link:
https://www.unpac.me/results/613365c3-8056-4371-ae09-e0b491b4918d/
SH256 hash:
e2afa458fd5c2c9d43e615065ad905a6ce67ab5a7765dca6092bb85195ce204e
MD5 hash:
8617b0ccc9168222e123bef78501f3b0
SHA1 hash:
642afe0d03c45484b0bf0f102f0421dc06e8946b
Link:
https://www.unpac.me/results/613365c3-8056-4371-ae09-e0b491b4918d/
SH256 hash:
621449f8675e9f70c0a7d3f4cc3e74594b4915d7f99b8b94db40426e233bb0e4
MD5 hash:
a9fa99999a182b32365616dd3dd1031e
SHA1 hash:
140569f0478435e6ac94ecb0caf94603b765be4f
Link:
https://www.unpac.me/results/613365c3-8056-4371-ae09-e0b491b4918d/
SH256 hash:
b6e5e66fb1623c9f27965fa42810d5088485eba7105171f68180f9dd6731b55f
MD5 hash:
ee8d47615787e4d793cd0843d69deb19
SHA1 hash:
0e7c65d8ffe986e68cc008024c168ef7e96297f0
Detections:
snake_keylogger
Create hunting rule
Link:
https://www.unpac.me/results/613365c3-8056-4371-ae09-e0b491b4918d/
Parent samples :
385b0dc759da9aa986880e3652447db19686c359b11b27efac77200c2e48544f
67768864f24ba7a78e166bdc7e88eda674c67728645be4126b19202118bfdd07
cc252929bc3564bcf17ef0df09801dfff3f8d6b8e71d00b449a920ac2380596a
2b781ae6ff39d255f2e608de9ac6519a7644df12f13f574aa8caafa0123927a3
2f723e39cf2fcb28e858a0002e6945fe0e7266e16ec272fe9c9deb1b49309a57
31f26627d71b58fe5accc2077b600f8b7f25a8cdc75b4a538207c170d6275590
e52bcbeaffe46a94b7dec2d73f1560e80c30061ddb845dcc50b57a3d2d9f7f65
221e4f5c1f12b340bde3be53c3ab9bdbf4940b4d9d22aa5a451a06a06572c171
ecf8001bb2dbf404d6377d13b97acd585932f7972386f8b3e3ded211877c0d62
SH256 hash:
cceef6725b62d03b99f66b3c85ed1989245ac7bd80d39bc7031483c098834c6a
MD5 hash:
7857f4252b4471067f7f5a76690212f7
SHA1 hash:
02f7fa26c65fee02d43d67554e2f81a0f0ac0af9
Link:
https://www.unpac.me/results/613365c3-8056-4371-ae09-e0b491b4918d/
SH256 hash:
385b0dc759da9aa986880e3652447db19686c359b11b27efac77200c2e48544f
MD5 hash:
b8eb18c7a33fec016ff3c1777f3819c2
SHA1 hash:
51a2211b6abf5638bd805df1fce3259b68b9bc6a
Link:
https://www.unpac.me/results/613365c3-8056-4371-ae09-e0b491b4918d/
Malware family:
SnakeKeylogger
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/385b0dc759da/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/385b0dc759da9aa986880e3652447db19686c359b11b27efac77200c2e48544f

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/373327/

Comments