MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 3adef7268e1bed2ac601b251a07c454d2c24997bfad1a45895b1b0676cd93294. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


SnakeKeylogger


Vendor detections: 15


Intelligence 15 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 3adef7268e1bed2ac601b251a07c454d2c24997bfad1a45895b1b0676cd93294
SHA3-384 hash: 00b7f9537b238c02554ba1cf829a5b84d6f3090754ed8576d86b6c2faaffa4871285a680546bf0191930c95ed9fe5b73
SHA1 hash: d49a634b3b5fd252382f29ae5ebd021c1f3a74fb
MD5 hash: 95ce3051b7d02e5df8d9dd771dba52e7
humanhash: island-virginia-eleven-timing
File name:Purchasr Order 2023-04-11.exe
Download: download sample
Signature SnakeKeylogger
Create hunting rule
File size:528'896 bytes
First seen:2023-04-13 05:41:15 UTC
Last seen:2023-04-13 06:33:18 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'740 x AgentTesla, 19'599 x Formbook, 12'241 x SnakeKeylogger)
ssdeep 12288:RRfLcgpyUhRtk6Hfi82adjWdOLWWEJDBtaGLn:Xj/hzHb24jW8LWWctaGLn
Threatray 56 similar samples on MalwareBazaar
TLSH T1A7B4F0B852C0D34EDC012BBE2A14289837F68DF5C0C5DE5DCA7AE8CB1EBC7658145E69
TrID 71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.2% (.EXE) Win64 Executable (generic) (10523/12/4)
6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.3% (.EXE) Win32 Executable (generic) (4505/5/1)
2.0% (.ICL) Windows Icons Library (generic) (2059/9)
Reporter abuse_ch
Tags:exe SnakeKeylogger

Intelligence

File Origin
# of uploads :
2
# of downloads :
272
Origin country :
NL NL
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
Purchasr Order 2023-04-11.exe
Verdict:
Malicious activity
Analysis date:
2023-04-13 05:43:50 UTC
Tags:
snake keylogger trojan evasion
Link:
https://app.any.run/tasks/c1311a2b-ce32-40a3-874c-0cacd3769ed6

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Snake
Create hunting rule
Link:
https://www.capesandbox.com/analysis/381948/
Detection(s):
Sanesecurity.Malware.28872.BadIN4.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Сreating synchronization primitives
Creating a file in the %AppData% directory
Enabling the 'hidden' option for recently created files
Adding an access-denied ACE
Creating a process from a recently created file
Creating a process with a hidden window
Creating a file in the %temp% directory
Launching a process
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
packed
Link:
https://www.filescan.io/uploads/6437962cb4ec50bace5fe69e/reports/5bb15998-03c8-4187-9e68-de3d227bfdf7/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_100%
Link:
https://www.hybrid-analysis.com/sample/3adef7268e1bed2ac601b251a07c454d2c24997bfad1a45895b1b0676cd93294
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Snake Keylogger
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/02a6f221-aa1a-4ebc-98dc-623128e7158b
Result
Threat name:
Snake Keylogger
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1213035
Signature
.NET source code contains potential unpacker
Adds a directory exclusion to Windows Defender
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
May check the online IP address of the machine
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Scheduled temp file as task from temp location
Snort IDS alert for network traffic
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Mail credentials (via file / registry access)
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected Generic Downloader
Yara detected Snake Keylogger
Yara detected Telegram RAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 845951 Sample: Purchasr_Order_2023-04-11.exe Startdate: 13/04/2023 Architecture: WINDOWS Score: 100 51 Snort IDS alert for network traffic 2->51 53 Malicious sample detected (through community Yara rule) 2->53 55 Sigma detected: Scheduled temp file as task from temp location 2->55 57 7 other signatures 2->57 7 Purchasr_Order_2023-04-11.exe 7 2->7         started        11 fZBwoVm.exe 5 2->11         started        process3 file4 33 C:\Users\user\AppData\Roaming\fZBwoVm.exe, PE32 7->33 dropped 35 C:\Users\user\...\fZBwoVm.exe:Zone.Identifier, ASCII 7->35 dropped 37 C:\Users\user\AppData\Local\...\tmp56FF.tmp, XML 7->37 dropped 39 C:\...\Purchasr_Order_2023-04-11.exe.log, ASCII 7->39 dropped 59 May check the online IP address of the machine 7->59 61 Uses schtasks.exe or at.exe to add and modify task schedules 7->61 63 Adds a directory exclusion to Windows Defender 7->63 13 Purchasr_Order_2023-04-11.exe 15 2 7->13         started        17 powershell.exe 19 7->17         started        19 schtasks.exe 1 7->19         started        65 Multi AV Scanner detection for dropped file 11->65 67 Machine Learning detection for dropped file 11->67 69 Injects a PE file into a foreign processes 11->69 21 fZBwoVm.exe 12 2 11->21         started        23 schtasks.exe 1 11->23         started        25 fZBwoVm.exe 11->25         started        signatures5 process6 dnsIp7 41 checkip.dyndns.com 132.226.247.73, 49686, 80 UTMEMUS United States 13->41 43 checkip.dyndns.org 13->43 45 192.168.2.1 unknown unknown 13->45 27 conhost.exe 17->27         started        29 conhost.exe 19->29         started        47 132.226.8.169, 49687, 80 UTMEMUS United States 21->47 49 checkip.dyndns.org 21->49 71 Tries to steal Mail credentials (via file / registry access) 21->71 73 Tries to harvest and steal ftp login credentials 21->73 75 Tries to harvest and steal browser information (history, passwords, etc) 21->75 31 conhost.exe 23->31         started        signatures8 process9
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/3adef7268e1bed2ac601b251a07c454d2c24997bfad1a45895b1b0676cd93294/
Threat name:
ByteCode-MSIL.Trojan.RemLoader
Create hunting rule
Status:
Malicious
First seen:
2023-04-13 05:42:07 UTC
File Type:
PE (.Net Exe)
Extracted files:
6
AV detection:
17 of 24 (70.83%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=hlppojuodpwsvrqbwji2a7cfjuwcjgl37li2iwevwgygo3gzgkka._file
Verdict:
malicious
Similar samples:
04aa55e1600b801ddda368268eaf6f2ab9858f402b526468d727a943eadfb122
SnakeKeylogger
2425598129b104c77948e02bdbfab451e7696de693d90f875d0cb0e3ffdb300c
SnakeKeylogger
44287432a3d063068dd3119d3a89398a44c14ec36411636595d5b1e01dd7d1cc
SnakeKeylogger
578873c16060e04fcfe43f9c9c04d2779a09a7566b3b4e97c1b18d87ac381057
SnakeKeylogger
63df8eae2ebe31f97c4dcaf0587ffe4100d34892d03247fcba1201253c81423f
SnakeKeylogger
79a10af0de5ed3a53f84e7a5f8aa3a53e09dfc43f9113bb893758338147fc3ce
SnakeKeylogger
7e8283583026a288a16c98682ce3cf18308f78cb08cebf3dd6b3376aa7089733
SnakeKeylogger
80d41016c2bf67df26677e38cbb13ab1ea552e4bad0e8ecb5e6e462297a7694f
SnakeKeylogger
bffea4bf5d2cda8c23b02e73e1a5cc9a43da3816c7193f23db798e4982916c66
SnakeKeylogger
ce3c9c47d811745d5534bf268331382438b274a112d2327396cdc8623e82f98b
SnakeKeylogger
+ 46 additional samples on MalwareBazaar
Result
Malware family:
snakekeylogger
Create hunting rule
Score:
  10/10
Tags:
family:snakekeylogger collection keylogger spyware stealer
Link:
https://tria.ge/reports/230413-gdz4faba8w/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Enumerates physical storage devices
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Looks up external IP address via web service
Checks computer location settings
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Snake Keylogger
Snake Keylogger payload
Malware Config
C2 Extraction:
https://api.telegram.org/bot6027997964:AAEH07He_SiagYDvKptfS_p8vvXuVU7AHBs/sendMessage?chat_id=5864292056
Unpacked files
SH256 hash:
885b9a25df14ebd782da09feebd48e6faa1f7261bde7ac28fdeb348459b8a707
MD5 hash:
1875deb56c3f1afded823992f1582d59
SHA1 hash:
d47c099b2269cf60975c00dee42f37671e5cbbda
Detections:
snake_keylogger
Create hunting rule
Link:
https://www.unpac.me/results/6cb87539-eab5-444d-9f8e-637b13984b2e/
Parent samples :
c3b8b8535f2d3661988efa63998dd1c15202ad9ba358b12de77825d581a1f230
aeaad26f7cefaefbc5bb668ac5891281bf21c63c7aa82e727c0a4ee39250b33c
3adef7268e1bed2ac601b251a07c454d2c24997bfad1a45895b1b0676cd93294
SH256 hash:
931c12298df7893465a6a5f4c006db08b615ac34bd87582f128592ec67e9dd25
MD5 hash:
e5f6261205286a3914bce7a21a222dd3
SHA1 hash:
d4558c12ad981e9807f14f0bbc574a19b74c7c29
Link:
https://www.unpac.me/results/6cb87539-eab5-444d-9f8e-637b13984b2e/
SH256 hash:
40c050c20d957d26b932faf690f9c2933a194aa6607220103ec798f46ac03403
MD5 hash:
c768bac25fc6f0551a11310e7caba8d5
SHA1 hash:
95f9195e959fb48277c95d1dd1c97a4edff7cb3a
Link:
https://www.unpac.me/results/6cb87539-eab5-444d-9f8e-637b13984b2e/
SH256 hash:
4963ae94095cfa5b90def9396722559531991105a445638cddd5700eb3e0f89f
MD5 hash:
f40acc2caefbf86b93049c727d974a33
SHA1 hash:
7d658f8697aa9b18ab6cbd03400a670c54b07905
Link:
https://www.unpac.me/results/6cb87539-eab5-444d-9f8e-637b13984b2e/
SH256 hash:
f074b2c09142fa55caae482b5ec6ba350fda0ac62329bb825d61f21e2e7059a1
MD5 hash:
567bbf43aac601560b1def4a872d4089
SHA1 hash:
21dfc6e6ecf39c9c23927c114ca911559ca4593e
Link:
https://www.unpac.me/results/6cb87539-eab5-444d-9f8e-637b13984b2e/
SH256 hash:
3adef7268e1bed2ac601b251a07c454d2c24997bfad1a45895b1b0676cd93294
MD5 hash:
95ce3051b7d02e5df8d9dd771dba52e7
SHA1 hash:
d49a634b3b5fd252382f29ae5ebd021c1f3a74fb
Link:
https://www.unpac.me/results/6cb87539-eab5-444d-9f8e-637b13984b2e/
Malware family:
SnakeKeylogger
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/3adef7268e1b/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/3adef7268e1bed2ac601b251a07c454d2c24997bfad1a45895b1b0676cd93294

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

SnakeKeylogger

Executable exe 3adef7268e1bed2ac601b251a07c454d2c24997bfad1a45895b1b0676cd93294

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/381948/

Comments