MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 39eb8788c0b7e09435f77feeb01392f97d7178c0ca95db1e5d78f6739861da95. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

SnakeKeylogger

Vendor detections: 9

Intelligence 9 IOCs YARA 7 File information Comments

SHA256 hash:	39eb8788c0b7e09435f77feeb01392f97d7178c0ca95db1e5d78f6739861da95
SHA3-384 hash:	2dc38d8ed6d38f9c6e8d9a8d3f56278d8da20798b64678e4c9bf669a92b3ce8d72d7c5fa42fc87ed195ecd5eea3bb035
SHA1 hash:	7279a649f988d9aaf831f0e20f2dadc11f2b0f46
MD5 hash:	fa68c840bbdc276a3e45d58648c9fc71
humanhash:	thirteen-nine-cup-black
File name:	INV. 736392 Scan pdf.exe
Download:	download sample
Signature	SnakeKeylogger Create hunting rule
File size:	808'785 bytes
First seen:	2021-08-03 06:16:45 UTC
Last seen:	2021-08-07 07:59:31 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	49be0836dac021f86af2cb207b4613c8 (6 x Loki, 4 x Formbook, 2 x SnakeKeylogger)
ssdeep	12288:l1Wl8Tp1MxskWv6wfk6WyxmMguzd7c1vEfKCeh8e+Yw:lAGs0yN6WyweaUy8e+/
Threatray	489 similar samples on MalwareBazaar
TLSH	T16F050800B7EDA12AF4327BF45FFEC578C656BEF85A27825F1185380716B6D801B226B1
dhash icon	d4c4c4d8ccd4f0c4 (63 x Formbook, 23 x AgentTesla, 8 x RemcosRAT)
Reporter	cocaman
Tags:	exe SnakeKeylogger

Intelligence

File Origin

# of uploads :

# of downloads :

119

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

INV. 736392 Scan pdf.exe

Verdict:

Malicious activity

Analysis date:

2021-08-03 06:20:09 UTC

Tags:

evasion trojan

Link:

https://app.any.run/tasks/7b1a208a-a001-4380-84bf-bda5d08a1e00

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/175929/

Detection(s):

SecuriteInfo.com.Trojan.Siggen14.52481.10805.6291.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Launching a process

DNS request

Connection attempt

Sending an HTTP GET request

Sending a custom TCP request

Creating a window

Reading critical registry keys

Sending a UDP request

Setting a global event handler for the keyboard

Unauthorized injection to a system process

Result

Verdict:

UNKNOWN

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Snake Keylogger

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/5a1db766-03e7-4878-b1a6-e2034b18ea69

Result

Threat name:

Snake Keylogger

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/825885

Signature

.NET source code references suspicious native API functions

Found malware configuration

Icon mismatch, binary includes an icon from a different legit application in order to fool users

Machine Learning detection for sample

Maps a DLL or memory area into another process

May check the online IP address of the machine

Multi AV Scanner detection for submitted file

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to steal Mail credentials (via file access)

Yara detected Snake Keylogger

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/39eb8788c0b7e09435f77feeb01392f97d7178c0ca95db1e5d78f6739861da95/

Threat name:

Win32.Trojan.Pwsx

Status:

Malicious

First seen:

2021-08-03 02:55:59 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

14 of 46 (30.43%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=hhvypcgaw7qjinpxp7xlae4s7f6xc6gazkk5whs5pd3hhgdb3kkq._file

Verdict:

malicious

SnakeKeylogger

0497fc206987e992f615638411ea9da0470e2dcbcd05546d4240ef09a82f925f

SnakeKeylogger

2b2b2d652f0df53f1bdf4eead3ef92831132eacfef595043033d375dfe91c8ef

SnakeKeylogger

2ee555b4d69513eed39976e0fb0e6a6165d20c30e8a4dcc1e55ea7e001dc1127

SnakeKeylogger

7115e54104d01f83c9561389268c68082f3b20d93bfe1469a5e8de614f3dd74e

SnakeKeylogger

8cafbdf8e6cad776ad993ca3bdd470f5fc7d7fa1e2853df483f951204022943e

SnakeKeylogger

ad34fe380bb9d7aca419a4da6729eb22cfc64f3003bda67acc3267cdc4ccdb21

SnakeKeylogger

+ 479 additional samples on MalwareBazaar

Result

Malware family:

n/a

Score:

6/10

Tags:

n/a

Link:

https://tria.ge/reports/210803-grbd1h9ybs/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: GetForegroundWindowSpam

Suspicious behavior: MapViewOfSection

Suspicious use of AdjustPrivilegeToken

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

Suspicious use of SetThreadContext

Looks up external IP address via web service

Unpacked files

SH256 hash:

a1aeb3cb8384055324ae2461df2f2101d32ae7e39615ed6143d2e1f4e29ab50f

MD5 hash:

ca8a1a346b10716c703b186bf9a5fffa

SHA1 hash:

8095e500c79ab7c90e7795d47585743a67563202

Link:

https://www.unpac.me/results/ab49e1e0-167b-4ad5-8fac-b011060b7817/

SH256 hash:

39eb8788c0b7e09435f77feeb01392f97d7178c0ca95db1e5d78f6739861da95

MD5 hash:

fa68c840bbdc276a3e45d58648c9fc71

SHA1 hash:

7279a649f988d9aaf831f0e20f2dadc11f2b0f46

Link:

https://www.unpac.me/results/ab49e1e0-167b-4ad5-8fac-b011060b7817/

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/39eb8788c0b7/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/39eb8788c0b7e09435f77feeb01392f97d7178c0ca95db1e5d78f6739861da95

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	INDICATOR_SUSPICIOUS_Binary_References_Browsers Create hunting rule
Author:	ditekSHen
Description:	Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers.

Rule name:	INDICATOR_SUSPICIOUS_EXE_Referenfces_Messaging_Clients Create hunting rule
Author:	ditekSHen
Description:	Detects executables referencing many email and collaboration clients. Observed in information stealers

Rule name:	INDICATOR_SUSPICOIUS_EXE_DotNetProcHook Create hunting rule
Author:	ditekSHen
Description:	Detects executables with potential process hoocking

Rule name:	MALWARE_Win_SnakeKeylogger Create hunting rule
Author:	ditekSHen
Description:	Detects Snake Keylogger

Rule name:	pe_imphash Create hunting rule

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

Rule name:	Telegram_Exfiltration_Via_Api Create hunting rule
Author:	lsepaolo

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

SnakeKeylogger

zip 2a4814093b37fb55c02e229f94f3840ad5fde911026a0bfd7d7f64f64e23ae30

SnakeKeylogger

exe 39eb8788c0b7e09435f77feeb01392f97d7178c0ca95db1e5d78f6739861da95

(this sample)

Delivery method

Other

Dropped by

SHA256 2a4814093b37fb55c02e229f94f3840ad5fde911026a0bfd7d7f64f64e23ae30

Cape

https://www.capesandbox.com/analysis/175929/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample