MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 3a64393091b5986993f20990f8709a8e0e06375d692b5721c216eda9782c6f5d. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


SnakeKeylogger


Vendor detections: 8


Intelligence 8 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 3a64393091b5986993f20990f8709a8e0e06375d692b5721c216eda9782c6f5d
SHA3-384 hash: c519dcf3998779c64877f6931a0ddf88b7d9e9a92dca38e2f4ae167fe758c2f566508e4923b2c3ba8dbe4d6e98652949
SHA1 hash: b82b824f2b4217b5fcbd217390ee6d83680d14e1
MD5 hash: 3ddde8f860008d24663a59141ffdb86a
humanhash: mango-indigo-green-winner
File name:SecuriteInfo.com.ML.PE-A.15580.26670
Download: download sample
Signature SnakeKeylogger
Create hunting rule
File size:428'544 bytes
First seen:2022-10-18 02:28:22 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
ssdeep 6144:nFypeNgl2LkZ0DcaD2F+gBZRh2K/lGKtixM0yFDnOa0Me2Vn0TuMHUzV:weNg09caD2F+gB0K7RCaTeW/5
Threatray 489 similar samples on MalwareBazaar
TLSH T15594CFA856699712D7958B31C932C216C7F6F0BF7221DE4C4A04F08D0A9BB62D865FF3
TrID 44.4% (.EXE) Win64 Executable (generic) (10523/12/4)
21.2% (.EXE) Win16 NE executable (generic) (5038/12/1)
8.7% (.EXE) Win16/32 Executable Delphi generic (2072/23)
8.5% (.EXE) OS/2 Executable (generic) (2029/13)
8.4% (.EXE) Generic Win/DOS Executable (2002/3)
Reporter SecuriteInfoCom
Tags:exe SnakeKeylogger

Intelligence

File Origin
# of uploads :
1
# of downloads :
236
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/321176/
Detection(s):
SecuriteInfo.com.ML.PE-A.15580.26670.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file in the %temp% directory
Creating a service
Loading a system driver
Sending a custom TCP request
Launching a process
Сreating synchronization primitives
DNS request
Sending an HTTP GET request
Reading critical registry keys
Creating a window
Creating a file
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Enabling autorun for a service
Unauthorized injection to a system process
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
packed
Link:
https://www.filescan.io/uploads/634e0f6f66721ebd9b2eebc9/reports/2473dbda-7ec5-4e27-b1d5-306eb45a8f4f/overview
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Suspicious
Link:
https://analyze.intezer.com/analyses/ffc1963f-8aa7-45af-baf0-3a688f1c5d06
Result
Threat name:
Snake Keylogger
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1092380
Signature
.NET source code contains very large array initializations
.NET source code references suspicious native API functions
Creates autostart registry keys with suspicious names
Injects a PE file into a foreign processes
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
May check the online IP address of the machine
Multi AV Scanner detection for submitted file
Sample is not signed and drops a device driver
Snort IDS alert for network traffic
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Mail credentials (via file / registry access)
Writes to foreign memory regions
Yara detected Generic Downloader
Yara detected Snake Keylogger
Yara detected Telegram RAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 725000 Sample: SecuriteInfo.com.ML.PE-A.15... Startdate: 18/10/2022 Architecture: WINDOWS Score: 100 34 Snort IDS alert for network traffic 2->34 36 Malicious sample detected (through community Yara rule) 2->36 38 Multi AV Scanner detection for submitted file 2->38 40 6 other signatures 2->40 6 SecuriteInfo.com.ML.PE-A.15580.26670.exe 5 1 2->6         started        10 SecuriteInfo.com.ML.PE-A.15580.26670.exe 2 2 2->10         started        12 SecuriteInfo.com.ML.PE-A.15580.26670.exe 1 2->12         started        process3 file4 26 C:\Users\user\AppData\Local\Temp\?????.sys, PE32+ 6->26 dropped 42 Creates autostart registry keys with suspicious names 6->42 44 Writes to foreign memory regions 6->44 46 Sample is not signed and drops a device driver 6->46 48 Injects a PE file into a foreign processes 6->48 14 InstallUtil.exe 15 2 6->14         started        28 SecuriteInfo.com.M...15580.26670.exe.log, CSV 10->28 dropped 18 fodhelper.exe 12 10->18         started        20 fodhelper.exe 10->20         started        22 fodhelper.exe 12 12->22         started        24 fodhelper.exe 12->24         started        signatures5 process6 dnsIp7 30 checkip.dyndns.com 158.101.44.242, 49699, 80 ORACLE-BMC-31898US United States 14->30 32 checkip.dyndns.org 14->32 50 May check the online IP address of the machine 14->50 52 Tries to steal Mail credentials (via file / registry access) 14->52 54 Tries to harvest and steal ftp login credentials 14->54 56 Tries to harvest and steal browser information (history, passwords, etc) 14->56 signatures8
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/3a64393091b5986993f20990f8709a8e0e06375d692b5721c216eda9782c6f5d/
Threat name:
ByteCode-MSIL.Trojan.Injuke
Create hunting rule
Status:
Malicious
First seen:
2022-10-18 00:20:10 UTC
AV detection:
12 of 26 (46.15%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=hjsdsmerwwmgte7sbgipq4e2ryhamn25nevvoiocc3w2s6bmn5oq._file
Verdict:
unknown
Similar samples:
46e9b7c528053162356d210a5f8d45d32bce5cea24732e54639f44966bc47cdf
SnakeKeylogger
4b60e08f3f6a2b05acdd198f871a933f9bf4e572018adc42ff8313853100f8f9
SnakeKeylogger
5c50b7e005524ede0a2c636b92a0933bc631c783bb8201e98dbdc52c390cd566
SnakeKeylogger
a19bf5cb640a44b035af484c4cacc0ab7f6caf2f77e640ef234e3e23d23353ca
SnakeKeylogger
ba0b2c1870c0c70fde4554856828673d5b78d5b7f2692ca054f78a1d963badd8
SnakeKeylogger
cb05606b742226130a4e421b47b04bee21b4da79bb883c15a3c6a9002d8dfa7d
SnakeKeylogger
dbbbd0005d11a416cff52556e90001bac5549697937d69b906a51220e44c6e6e
SnakeKeylogger
ef0c34580084f9855c1e5c3fa9d902688d400baabc7366c8da9ba3d4b708da49
SnakeKeylogger
+ 479 additional samples on MalwareBazaar
Result
Malware family:
snakekeylogger
Create hunting rule
Score:
  10/10
Tags:
family:snakekeylogger keylogger persistence stealer
Link:
https://tria.ge/reports/221018-cyj6haechl/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: LoadsDriver
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Program crash
Suspicious use of SetThreadContext
Adds Run key to start application
Looks up external IP address via web service
Sets service image path in registry
Snake Keylogger
Snake Keylogger payload
Gathering data
Unpacked files
SH256 hash:
3a64393091b5986993f20990f8709a8e0e06375d692b5721c216eda9782c6f5d
MD5 hash:
3ddde8f860008d24663a59141ffdb86a
SHA1 hash:
b82b824f2b4217b5fcbd217390ee6d83680d14e1
Link:
https://www.unpac.me/results/09c49d97-b14e-47b5-9142-b22f919aa2b8/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.65
Link:
https://yomi.yoroi.company/submissions/3a64393091b5986993f20990f8709a8e0e06375d692b5721c216eda9782c6f5d

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/321176/

Comments