MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 3914a1dd5bbef9edeceffa718d5006dce7347b1a3019b452ce754605c0e32e2e. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


SnakeKeylogger


Vendor detections: 8


Intelligence 8 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 3914a1dd5bbef9edeceffa718d5006dce7347b1a3019b452ce754605c0e32e2e
SHA3-384 hash: e7a927ce1ac7aeb1cd28bc8fab3b081b1e22c002e258caf147f61b0fcbcc6a70f7603696a0414b74f5ee43320f90b523
SHA1 hash: e69e691975d326f2a8dcad262c3c89e896884fa0
MD5 hash: 5884c08f7eb5490047e223bdaaa8a4a4
humanhash: nuts-mobile-louisiana-tennessee
File name:INVOICE_070621_PDF.exe
Download: download sample
Signature SnakeKeylogger
Create hunting rule
File size:1'121'792 bytes
First seen:2021-07-06 16:10:17 UTC
Last seen:2021-07-06 17:17:55 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'740 x AgentTesla, 19'600 x Formbook, 12'241 x SnakeKeylogger)
ssdeep 12288:vEmBaIMVjLz7TOKCiOces3gVZsZZZsZb9bqnV5UDSDihcjBkpjCWRJsP0NmeeK7t:PiORxgUrcjBkpjCUaPzeeat
Threatray 113 similar samples on MalwareBazaar
TLSH 77358C7672728F91DD7FC73C8331561C4FAABF7AD352E2786C94709A05B1B850A12A23
Reporter abuse_ch
Tags:exe SnakeKeylogger

Intelligence

File Origin
# of uploads :
2
# of downloads :
177
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
INVOICE_070621_PDF.rar
Verdict:
Malicious activity
Analysis date:
2021-07-06 11:13:14 UTC
Tags:
evasion trojan snakekeylogger keylogger
Link:
https://app.any.run/tasks/217d3d7d-df56-4297-9cc4-831f6c3e9bbd

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/170032/
Detection(s):
SecuriteInfo.com.Trojan.Siggen14.27013.23749.7983.UNOFFICIAL
Create hunting rule

Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/8e349d9b-a84d-45dd-a261-a392529b45a3
Result
Threat name:
Snake Keylogger
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/812462
Signature
Found malware configuration
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
May check the online IP address of the machine
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Mail credentials (via file access)
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected Snake Keylogger
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 444873 Sample: INVOICE_070621_PDF.exe Startdate: 06/07/2021 Architecture: WINDOWS Score: 100 28 mail.greentrading.com.pk 2->28 36 Found malware configuration 2->36 38 Multi AV Scanner detection for dropped file 2->38 40 Multi AV Scanner detection for submitted file 2->40 42 4 other signatures 2->42 8 INVOICE_070621_PDF.exe 7 2->8         started        signatures3 process4 file5 20 C:\Users\user\AppData\Roaming\cmwxuc.exe, PE32 8->20 dropped 22 C:\Users\user\...\cmwxuc.exe:Zone.Identifier, ASCII 8->22 dropped 24 C:\Users\user\AppData\Local\...\tmpA34D.tmp, XML 8->24 dropped 26 C:\Users\user\...\INVOICE_070621_PDF.exe.log, ASCII 8->26 dropped 44 May check the online IP address of the machine 8->44 46 Uses schtasks.exe or at.exe to add and modify task schedules 8->46 48 Injects a PE file into a foreign processes 8->48 12 INVOICE_070621_PDF.exe 15 5 8->12         started        16 schtasks.exe 1 8->16         started        signatures6 process7 dnsIp8 30 mail.greentrading.com.pk 192.185.164.148, 26, 49745, 49746 UNIFIEDLAYER-AS-1US United States 12->30 32 checkip.dyndns.org 12->32 34 3 other IPs or domains 12->34 50 Tries to steal Mail credentials (via file access) 12->50 52 Tries to harvest and steal ftp login credentials 12->52 54 Tries to harvest and steal browser information (history, passwords, etc) 12->54 18 conhost.exe 16->18         started        signatures9 process10
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/3914a1dd5bbef9edeceffa718d5006dce7347b1a3019b452ce754605c0e32e2e/
Threat name:
Win32.Trojan.Wacatac
Create hunting rule
Status:
Malicious
First seen:
2021-07-06 10:25:59 UTC
AV detection:
6 of 46 (13.04%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=hekkdxk3x34633hp7jyy2uag3ttti6y2gam3iuwoovdalqhdfyxa._file
Verdict:
malicious
Similar samples:
18143a1b4315ecaad0f887b3ae467aaffcb85e5eafa8502a8c179151746af7cc
SnakeKeylogger
43b482ed9c25983fb5b1681d25315e57e12c4268f003ee57145f33059541cf8b
SnakeKeylogger
49793c0e162eb58b6d48edd89bad3964bee44f9669442c26671da2ad35dd6406
SnakeKeylogger
54312ea9106139b43ff7ab38cdee369e00aa1b5d6433971e167716e9a55ee4b8
SnakeKeylogger
790f0af1ab6f93fa126688c3fde6655be666994b4dc5db719d31ac8a2648019e
SnakeKeylogger
bfa0c6d6a166011476ffd4f4fa1c2c1669c273fa945f729267fa537ce7689b44
SnakeKeylogger
c2d1f5494d37cd229d820b263c934eba39bab86570c54e207730d1c84de98393
SnakeKeylogger
cb9797415542f1f8decb64021d470b5debb10f17c5e37b3b5a3ed6b1bb2d4024
SnakeKeylogger
eabc684c6ec2632dec308766f3a11dec1bc238a96cb65fd07733aea1d6052c3a
SnakeKeylogger
f354ab2b18c8fcabbc94123f41ce225fb9ec4adaceafda7c5fefd61dee656f70
SnakeKeylogger
+ 103 additional samples on MalwareBazaar
Result
Malware family:
snakekeylogger
Create hunting rule
Score:
  10/10
Tags:
family:snakekeylogger keylogger spyware stealer
Link:
https://tria.ge/reports/210706-kzn38kstk6/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Looks up external IP address via web service
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Snake Keylogger
Unpacked files
SH256 hash:
5209992fd1f96cd1959efb5e1afa71f5c9ae2ab4430e258fe9d0ec915098d110
MD5 hash:
257ca10e5cbb2f8bdf0ae6f3e900e11e
SHA1 hash:
9d25ee80dbe3bbce5ab4479912c5e21b19b6aeec
Link:
https://www.unpac.me/results/bfdf8392-f62e-4080-ba3d-acf69ef7e7ce/
SH256 hash:
489fdc0d6ded13afedcfdad31b84a6db35b04d7af6791157f81894c59a6b34e4
MD5 hash:
cda9c76477773d1ee56cd79acf6c20eb
SHA1 hash:
8f4eb8571bac32ae11f64625dd69f05291cfabdf
Link:
https://www.unpac.me/results/bfdf8392-f62e-4080-ba3d-acf69ef7e7ce/
SH256 hash:
0238a8ea75619d7560ce19839145fa5d199ff97e7fb0d1e36baede5e29758ca7
MD5 hash:
58158df59909844b8339136368ca289d
SHA1 hash:
7c291eef324d658925ce3f670dc2778f783f61a3
Link:
https://www.unpac.me/results/bfdf8392-f62e-4080-ba3d-acf69ef7e7ce/
SH256 hash:
3914a1dd5bbef9edeceffa718d5006dce7347b1a3019b452ce754605c0e32e2e
MD5 hash:
5884c08f7eb5490047e223bdaaa8a4a4
SHA1 hash:
e69e691975d326f2a8dcad262c3c89e896884fa0
Link:
https://www.unpac.me/results/bfdf8392-f62e-4080-ba3d-acf69ef7e7ce/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.51
Link:
https://yomi.yoroi.company/submissions/3914a1dd5bbef9edeceffa718d5006dce7347b1a3019b452ce754605c0e32e2e

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

SnakeKeylogger

Executable exe 3914a1dd5bbef9edeceffa718d5006dce7347b1a3019b452ce754605c0e32e2e

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/170032/

Comments