MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 3ace1af5dc3cf09c40ae8d4c0c4f499fbe1996c7c041ee07e30fb24283b4343f. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


SnakeKeylogger


Vendor detections: 14


Intelligence 14 IOCs YARA 11 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 3ace1af5dc3cf09c40ae8d4c0c4f499fbe1996c7c041ee07e30fb24283b4343f
SHA3-384 hash: 3e51dce385ac24b8f1ff71a7cc1ac81bda733ef294298ca07d6c40bc893b7342da54ac9a9922af133e9cb3ec0af81ff2
SHA1 hash: 81278be3db80184f01e0053d9f9b6502d5ace0ee
MD5 hash: cd33454c943fdc36b83884ac634882f7
humanhash: nebraska-robert-north-cardinal
File name:i0SMYKEMSyOapoV.exe
Download: download sample
Signature SnakeKeylogger
Create hunting rule
File size:593'920 bytes
First seen:2023-05-09 06:34:43 UTC
Last seen:2023-05-13 22:52:08 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'660 x AgentTesla, 19'469 x Formbook, 12'208 x SnakeKeylogger)
ssdeep 12288:b+Oc5/MwrdwrfUspQ/7ewAW70FDWZz9nRt0wU:b+f/P6Q/7e+QMZF0wU
Threatray 912 similar samples on MalwareBazaar
TLSH T1E9C4F111B2DABF81E53E4BF42858724007F2712BA5E0F26D5DA291D97AE6F401B40E7F
TrID 71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.2% (.EXE) Win64 Executable (generic) (10523/12/4)
6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.3% (.EXE) Win32 Executable (generic) (4505/5/1)
2.0% (.ICL) Windows Icons Library (generic) (2059/9)
Reporter abuse_ch
Tags:exe SnakeKeylogger

Intelligence

File Origin
# of uploads :
2
# of downloads :
260
Origin country :
NL NL
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
i0SMYKEMSyOapoV.exe
Verdict:
Malicious activity
Analysis date:
2023-05-09 06:37:18 UTC
Tags:
snake keylogger trojan evasion
Link:
https://app.any.run/tasks/acb450bd-dab2-495b-ab55-c0fa19d5c6d8

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Snake
Create hunting rule
Link:
https://www.capesandbox.com/analysis/387676/
Detection(s):
Sanesecurity.Malware.28872.BadIN4.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Launching a process
Creating a process with a hidden window
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
comodo jigsaw packed
Link:
https://www.filescan.io/uploads/6459e99dd054a0b0ef842b40/reports/be88b263-7036-49e8-a7d7-2788558a2748/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_90%
Link:
https://www.hybrid-analysis.com/sample/3ace1af5dc3cf09c40ae8d4c0c4f499fbe1996c7c041ee07e30fb24283b4343f
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Snake Keylogger
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/c0bb89fa-ea37-44c0-a025-ba82b59a86a5
Result
Threat name:
Snake Keylogger
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1228884
Signature
.NET source code contains potential unpacker
Adds a directory exclusion to Windows Defender
Found malware configuration
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
May check the online IP address of the machine
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Scheduled temp file as task from temp location
Snort IDS alert for network traffic
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Mail credentials (via file / registry access)
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected Generic Downloader
Yara detected Snake Keylogger
Yara detected Telegram RAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 861848 Sample: i0SMYKEMSyOapoV.exe Startdate: 09/05/2023 Architecture: WINDOWS Score: 100 49 Snort IDS alert for network traffic 2->49 51 Found malware configuration 2->51 53 Malicious sample detected (through community Yara rule) 2->53 55 7 other signatures 2->55 7 i0SMYKEMSyOapoV.exe 7 2->7         started        11 kjsgNqEQtirke.exe 5 2->11         started        process3 file4 31 C:\Users\user\AppData\...\kjsgNqEQtirke.exe, PE32 7->31 dropped 33 C:\...\kjsgNqEQtirke.exe:Zone.Identifier, ASCII 7->33 dropped 35 C:\Users\user\AppData\Local\...\tmpE5BE.tmp, XML 7->35 dropped 37 C:\Users\user\...\i0SMYKEMSyOapoV.exe.log, ASCII 7->37 dropped 57 May check the online IP address of the machine 7->57 59 Uses schtasks.exe or at.exe to add and modify task schedules 7->59 61 Adds a directory exclusion to Windows Defender 7->61 63 Injects a PE file into a foreign processes 7->63 13 i0SMYKEMSyOapoV.exe 15 2 7->13         started        17 powershell.exe 19 7->17         started        19 schtasks.exe 1 7->19         started        65 Multi AV Scanner detection for dropped file 11->65 67 Machine Learning detection for dropped file 11->67 21 kjsgNqEQtirke.exe 14 2 11->21         started        23 schtasks.exe 1 11->23         started        signatures5 process6 dnsIp7 39 checkip.dyndns.com 132.226.247.73, 49684, 80 UTMEMUS United States 13->39 41 checkip.dyndns.org 13->41 43 192.168.2.1 unknown unknown 13->43 25 conhost.exe 17->25         started        27 conhost.exe 19->27         started        45 193.122.130.0, 49685, 80 ORACLE-BMC-31898US United States 21->45 47 checkip.dyndns.org 21->47 69 Tries to steal Mail credentials (via file / registry access) 21->69 71 Tries to harvest and steal ftp login credentials 21->71 73 Tries to harvest and steal browser information (history, passwords, etc) 21->73 29 conhost.exe 23->29         started        signatures8 process9
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/3ace1af5dc3cf09c40ae8d4c0c4f499fbe1996c7c041ee07e30fb24283b4343f/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2023-05-09 06:35:12 UTC
File Type:
PE (.Net Exe)
Extracted files:
51
AV detection:
17 of 24 (70.83%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=hlhbv5o4htyjyqforvgayt2jt67btfwhyba64b7db6zefa5ugq7q._file
Verdict:
malicious
Similar samples:
20fb89955cb329bf5597f90a7510f92a33ab31d05c21e1374a52e89dde377a91
SnakeKeylogger
494979f4e2eca84b240d774c80ad703ada9db1f3314d6431bdb6228045c7e2b5
SnakeKeylogger
82acd801b01b749f54598cea752c642b2b47f45dd63fafe53050ed4b06b342a5
SnakeKeylogger
92f0a55426e5040dc80133f908906acddaa338792783507fb0bb62d5b786c3ce
SnakeKeylogger
a5fb447c2992f48abd863452bcd6934032cf29bef1f0907bd9344a31a41e0edb
SnakeKeylogger
cea471b18f25770dc19304e536ca3926c0fbf161c6f64aa018cd077a8a150a1b
SnakeKeylogger
cfe9062e6bd88ae993c3e8b295386c2e5e9aa7d8b9ceb168f56ccd3e0e5cbe36
SnakeKeylogger
d4601263f30743332a7f29149b89adb1b59f3b12c38ef70b9c5fe6c7c8a18faf
SnakeKeylogger
ec5a5103e89195cb445c89737a73996d34374ea0a99ddbfb0165b70b645dc414
SnakeKeylogger
f68d6a0977abf5978dbcc20cfff9fbf9b308ff08c7066e94d0a4a50abc545fc6
SnakeKeylogger
+ 902 additional samples on MalwareBazaar
Result
Malware family:
snakekeylogger
Create hunting rule
Score:
  10/10
Tags:
family:snakekeylogger collection keylogger spyware stealer
Link:
https://tria.ge/reports/230509-hccgesee84/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Enumerates physical storage devices
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Looks up external IP address via web service
Checks computer location settings
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Snake Keylogger
Snake Keylogger payload
Unpacked files
SH256 hash:
42a1b13fcfeac3b9171c33a5f5d5cd202e022653fd40a3d77ec0ecffbdb25805
MD5 hash:
aca804d5d77bd73228eaa44a95402330
SHA1 hash:
fab4900d6af18796b65e1ab8f5ca4da5c933185b
Detections:
snake_keylogger
Create hunting rule
Link:
https://www.unpac.me/results/e46ca297-eb10-4293-b575-adc70ab449c6/
Parent samples :
854b59aa584237418101867e86018d0e0c3e8a588010d8cc8f8850e66b5221b9
003c6607c3deee0f0c458c18220403e1eb2ae5469814756e551faf5bf3fc9f5a
e6c74fa34990259423123de4dca4a6b1924929ac74b4e0078c702ca2ec05782b
e7549401654dedc2a2064ccaaf8301c753c76b0f71f208c0d819f2a56ab8949f
ca598fdf9fb15e2c04dbb11f4c4ba49c397029ed14fe2eedbc5c320eea4a00a6
145b8aff160e3a50b8b5b9e6fd3b68106c1f3c0766bf76fa88faea0787d07bf5
8f90611a7d29f7e832d55fe1587107d30c53c2f580c45ea09c4f0cf45fe7cc7d
42a1b13fcfeac3b9171c33a5f5d5cd202e022653fd40a3d77ec0ecffbdb25805
3ace1af5dc3cf09c40ae8d4c0c4f499fbe1996c7c041ee07e30fb24283b4343f
SH256 hash:
9504112b06252e8f14cfe574ecb51c43ca98e28fa75003f1295e3a284d293328
MD5 hash:
5a568892ffd80afaa8b6a685d7c32ea7
SHA1 hash:
9e0fd19e8af50ab37dd84b5eb3d64f226219117d
Link:
https://www.unpac.me/results/e46ca297-eb10-4293-b575-adc70ab449c6/
SH256 hash:
5b8dbe36cb069b3ae818771c8697c3717674b081bf10d4880efbc4eb069d0f54
MD5 hash:
6978576aeda25674e24b21c02657d208
SHA1 hash:
4c207da2834122c6be2e89d0e657c7d45cad98d9
Link:
https://www.unpac.me/results/e46ca297-eb10-4293-b575-adc70ab449c6/
SH256 hash:
eca63d566d73981e8d24e60879d815f700f7232b2ab5c443c8aa29e54573c7a9
MD5 hash:
c12ae3b789463d3b70bff2761a6e4938
SHA1 hash:
41cecf0e658913df40102272ef6560238f9d3301
Link:
https://www.unpac.me/results/e46ca297-eb10-4293-b575-adc70ab449c6/
SH256 hash:
7d4d2727af16bd43a8b84684fcf9471ffac7adb5a99bab3476951c16dcdfa4c3
MD5 hash:
48f25f70764858909ab7fa96721f9d01
SHA1 hash:
1a8628d1c7ea6cf1d06dbfc58cbca14d32139fbd
Link:
https://www.unpac.me/results/e46ca297-eb10-4293-b575-adc70ab449c6/
SH256 hash:
3ace1af5dc3cf09c40ae8d4c0c4f499fbe1996c7c041ee07e30fb24283b4343f
MD5 hash:
cd33454c943fdc36b83884ac634882f7
SHA1 hash:
81278be3db80184f01e0053d9f9b6502d5ace0ee
Link:
https://www.unpac.me/results/e46ca297-eb10-4293-b575-adc70ab449c6/
Malware family:
SnakeKeylogger
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/3ace1af5dc3c/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_SUSPICIOUS_Binary_References_Browsers
Create hunting rule
Author:ditekSHen
Description:Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers.
Rule name:INDICATOR_SUSPICIOUS_EXE_DotNetProcHook
Create hunting rule
Author:ditekSHen
Description:Detects executables with potential process hoocking
Rule name:INDICATOR_SUSPICIOUS_EXE_References_Messaging_Clients
Create hunting rule
Author:ditekSHen
Description:Detects executables referencing many email and collaboration clients. Observed in information stealers
Rule name:INDICATOR_SUSPICIOUS_EXE_TelegramChatBot
Create hunting rule
Author:ditekSHen
Description:Detects executables using Telegram Chat Bot
Rule name:MALWARE_Win_SnakeKeylogger
Create hunting rule
Author:ditekSHen
Description:Detects Snake Keylogger
Rule name:MAL_Envrial_Jan18_1
Create hunting rule
Author:Florian Roth (Nextron Systems)
Description:Detects Encrial credential stealer malware
Reference:https://twitter.com/malwrhunterteam/status/953313514629853184
Rule name:MAL_Envrial_Jan18_1_RID2D8C
Create hunting rule
Author:Florian Roth
Description:Detects Encrial credential stealer malware
Reference:https://twitter.com/malwrhunterteam/status/953313514629853184
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash
Rule name:Windows_Trojan_SnakeKeylogger_af3faa65
Create hunting rule
Author:Elastic Security

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

SnakeKeylogger

Executable exe 3ace1af5dc3cf09c40ae8d4c0c4f499fbe1996c7c041ee07e30fb24283b4343f

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/387676/

Comments