MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 3b961c415aab8bafde4c9ec0a7d0ac512f4b14bb5a4128de965222d9fc96b178. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


SnakeKeylogger


Vendor detections: 16


Intelligence 16 IOCs YARA 11 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 3b961c415aab8bafde4c9ec0a7d0ac512f4b14bb5a4128de965222d9fc96b178
SHA3-384 hash: 257c4a592fe29efc78a5bfc37978951e7ec8dc1ecc52b65f7618b9bde519d4d2c50d723329cd68d161ec69c2fa42bb62
SHA1 hash: 125e5fe5e713193552cb79866908a1db67ce9e55
MD5 hash: 2812ace16f2157623659d296332a812f
humanhash: charlie-fish-chicken-nineteen
File name:New order from Delo Techniki.exe
Download: download sample
Signature SnakeKeylogger
Create hunting rule
File size:702'541 bytes
First seen:2023-03-23 14:49:08 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 61259b55b8912888e90f516ca08dc514 (1'059 x Formbook, 741 x AgentTesla, 427 x GuLoader)
ssdeep 12288:vYmGpqpRHXVgyhYOMTZ5B05p08tbeF9LzSsue33iVySaBKBfmEalD3F7x89Pg5:vYmGOJyyhYvTLCpRbuz5FCVGBKBfmEUl
Threatray 134 similar samples on MalwareBazaar
TLSH T10DE4236063A1C4F5EC504735AE2F6E236C96681F68A1DB2F17B83B4838B31D2561F72D
TrID 47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
15.9% (.EXE) Win64 Executable (generic) (10523/12/4)
9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
7.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
6.8% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):PE icon
dhash icon b2a89c96a2cada72 (2'283 x Formbook, 981 x Loki, 803 x AgentTesla)
Reporter abuse_ch
Tags:exe SnakeKeylogger

Intelligence

File Origin
# of uploads :
1
# of downloads :
227
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
New order from Delo Techniki.exe
Verdict:
Malicious activity
Analysis date:
2023-03-23 14:59:02 UTC
Tags:
snake keylogger trojan evasion
Link:
https://app.any.run/tasks/5ae0b1a9-fb61-4b1b-a583-7e8e3fd64876

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Snake
Create hunting rule
Link:
https://www.capesandbox.com/analysis/376874/
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file in the %temp% directory
Creating a window
Creating a process from a recently created file
Creating a file in the %AppData% subdirectories
Сreating synchronization primitives
Searching for synchronization primitives
DNS request
Sending an HTTP GET request
Reading critical registry keys
Sending a custom TCP request
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Unauthorized injection to a recently created process
Unauthorized injection to a recently created process by context flags manipulation
Result
Malware family:
n/a
Score:
  5/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/74439/overview
Behaviour
MalwareBazaar
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
comodo nemesis overlay packed remcos shell32.dll
Link:
https://www.filescan.io/uploads/641c671c9c109cf74b2edcea/reports/df81502a-546f-49a7-af2d-6dac5db91341/overview
Verdict:
Malicious
Labled as:
Babar.Generic
Link:
https://www.hybrid-analysis.com/sample/3b961c415aab8bafde4c9ec0a7d0ac512f4b14bb5a4128de965222d9fc96b178
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Snake Keylogger
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/9e9395af-266b-4cd8-928a-381e81c3077e
Result
Threat name:
Snake Keylogger
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1200639
Signature
.NET source code references suspicious native API functions
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Initial sample is a PE file and has a suspicious name
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
May check the online IP address of the machine
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Mail credentials (via file / registry access)
Yara detected BrowserPasswordDump
Yara detected Generic Downloader
Yara detected Snake Keylogger
Yara detected Telegram RAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 833541 Sample: New_order_from_Delo_Techniki.exe Startdate: 23/03/2023 Architecture: WINDOWS Score: 100 40 Snort IDS alert for network traffic 2->40 42 Malicious sample detected (through community Yara rule) 2->42 44 Multi AV Scanner detection for submitted file 2->44 46 7 other signatures 2->46 7 New_order_from_Delo_Techniki.exe 19 2->7         started        10 lueajfoxt.exe 1 2->10         started        12 lueajfoxt.exe 1 2->12         started        process3 file4 32 C:\Users\user\AppData\Local\Temp\zlpqnv.exe, PE32 7->32 dropped 14 zlpqnv.exe 1 3 7->14         started        18 WerFault.exe 3 10 10->18         started        20 conhost.exe 10->20         started        22 WerFault.exe 10 12->22         started        24 conhost.exe 12->24         started        process5 file6 34 C:\Users\user\AppData\...\lueajfoxt.exe, PE32 14->34 dropped 54 Multi AV Scanner detection for dropped file 14->54 56 Detected unpacking (changes PE section rights) 14->56 58 Detected unpacking (overwrites its own PE header) 14->58 60 2 other signatures 14->60 26 zlpqnv.exe 15 6 14->26         started        30 conhost.exe 14->30         started        signatures7 process8 dnsIp9 36 checkip.dyndns.com 193.122.6.168, 49698, 80 ORACLE-BMC-31898US United States 26->36 38 checkip.dyndns.org 26->38 48 Tries to steal Mail credentials (via file / registry access) 26->48 50 Tries to harvest and steal ftp login credentials 26->50 52 Tries to harvest and steal browser information (history, passwords, etc) 26->52 signatures10
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/3b961c415aab8bafde4c9ec0a7d0ac512f4b14bb5a4128de965222d9fc96b178/
Threat name:
Win32.Trojan.SnakeKeylogger
Create hunting rule
Status:
Malicious
First seen:
2023-03-23 14:50:07 UTC
File Type:
PE (Exe)
Extracted files:
3
AV detection:
20 of 24 (83.33%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=holbyqk2vof27xsmt3akpufmkexuwff3ljasrxuwkirnt7ewwf4a._file
Verdict:
malicious
Similar samples:
8f2561369ef2cb842b5de723de6ecd7db391f32391406ced8b10b184076c8ee9
SnakeKeylogger
99cf88c829d3c072a3ed4cdd282d9876f4bc32fa3ccfa12180910caa15ba351e
SnakeKeylogger
9d4bb6ad1ecf6354fa3839fc9ae30f458bfb8a4dc0c1b99ad024108113afa833
SnakeKeylogger
ba93dd9900252c127a49b902ded6c53e6ec43d6e6607dae9103d767c241a8023
SnakeKeylogger
bb0aaf1837ae3d0e173b002d9e9611ec924e35d993b02b5e70c50ebd9c0b6332
SnakeKeylogger
c64eedbbfb5e111089a3e0eab54f848da53dc1387b9c3a53653c534d198730fc
SnakeKeylogger
+ 124 additional samples on MalwareBazaar
Result
Malware family:
snakekeylogger
Create hunting rule
Score:
  10/10
Tags:
family:snakekeylogger collection keylogger persistence spyware stealer
Link:
https://tria.ge/reports/230323-r7ls1sac5x/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Enumerates physical storage devices
Drops file in Windows directory
Suspicious use of SetThreadContext
Adds Run key to start application
Drops desktop.ini file(s)
Looks up external IP address via web service
Accesses Microsoft Outlook profiles
Executes dropped EXE
Loads dropped DLL
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Snake Keylogger
Snake Keylogger payload
Unpacked files
SH256 hash:
e22e7f09d743e524d134f4b4bbf5f1eb5308a3edb954a40b8aa5e68c7b8cffd4
MD5 hash:
07e1f7163b7d8b6d80d83d1c819436ef
SHA1 hash:
ed7724c52e18b9810939327b803ca03837915836
Link:
https://www.unpac.me/results/de6dd323-00b9-4662-8cb6-fe38785c1a3c/
Parent samples :
1d16237ed75b507f03609ede9722fff429f9a7386c4c4408a9f47623d7a28b50
7154910c217ddc6b6d3726e066d688288efbcd8682a4ad90556fed2ce9009c69
c5dd4dced21baff9499dac6505a77527ac91dc0b0f187c20e9b960b46b3636b9
90dd02313886725b3ad19eaa0780f7189d49e8d1a334e51e5432027e2326c14f
SH256 hash:
d11d111cd38441a41a7e19848682db0cdb8d08cb14ba1d08428ea51a06ec3597
MD5 hash:
3d45aedfeee9a168122302ab0be187b2
SHA1 hash:
bffb4cac603ed88c5f68b1ab2040d30fa8e710bf
Link:
https://www.unpac.me/results/de6dd323-00b9-4662-8cb6-fe38785c1a3c/
SH256 hash:
a8bdc3052abf1f71616ea760cbd6b5a547e5916e3078c2c3879b21888bb2142e
MD5 hash:
575baef7852e9ad16a449cf59e0cb9f4
SHA1 hash:
723c6e32b8dd610675a4f0d20ad880a9dc5b833b
Detections:
snake_keylogger
Create hunting rule
Link:
https://www.unpac.me/results/de6dd323-00b9-4662-8cb6-fe38785c1a3c/
SH256 hash:
cae81a6e007e23158a4b209f92225c19393c1cff745f3f3376e0a0fdf93d9d2c
MD5 hash:
e3e1b8206f5602221051dbac751117ba
SHA1 hash:
5434a2e97b5fdfaf72a69ad99a57f28380124877
Detections:
snake_keylogger
Create hunting rule
Link:
https://www.unpac.me/results/de6dd323-00b9-4662-8cb6-fe38785c1a3c/
Parent samples :
164624329cd069611563f7bf809de8691e254759a75d667cea664d3bc305eb12
3f380f78cc986824f49f8e5f4a93f6a4fd5355f5086ea15948fbafcb5e7ebc31
3b961c415aab8bafde4c9ec0a7d0ac512f4b14bb5a4128de965222d9fc96b178
f3f560dddb5b80bbe688cc8bae8f2160f91b8bb494a9795246af42d7b2d19b2b
5950b1a61395119d915e3f08dc3bd0ea19b7aa186b13523351e73579e44c9d19
1bd8f3260eef97220ff4fbf88e4e4005832becf5a74742c2bd2fbf542e446972
936e780eba4b7c04267fd9920295dcfce6e5cc6782e75dcd56041d4ea40de60f
eb7fbab560eeb18b5c34317156b7582d94bd1eae5b7559d2f6656f0d21e2e59a
9e4bd21915358667004d90ac2d979d54d1b469332d4596082954e9e8d95d5bd5
SH256 hash:
7ff9e14e7ef110d122c67512765e8db745a2d6e7eaf6f3cb91e6cad89e7ce7af
MD5 hash:
84354f6863174958fa852e6da2ec5ba1
SHA1 hash:
cf42092cdc96a50e9f598ceda5fea4dcfcbdc7e7
Link:
https://www.unpac.me/results/de6dd323-00b9-4662-8cb6-fe38785c1a3c/
SH256 hash:
3b961c415aab8bafde4c9ec0a7d0ac512f4b14bb5a4128de965222d9fc96b178
MD5 hash:
2812ace16f2157623659d296332a812f
SHA1 hash:
125e5fe5e713193552cb79866908a1db67ce9e55
Link:
https://www.unpac.me/results/de6dd323-00b9-4662-8cb6-fe38785c1a3c/
Malware family:
SnakeKeylogger
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/3b961c415aab/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:cobalt_strike_tmp01925d3f
Create hunting rule
Author:The DFIR Report
Description:files - file ~tmp01925d3f.exe
Reference:https://thedfirreport.com
Rule name:INDICATOR_SUSPICIOUS_Binary_References_Browsers
Create hunting rule
Author:ditekSHen
Description:Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers.
Rule name:INDICATOR_SUSPICIOUS_EXE_DotNetProcHook
Create hunting rule
Author:ditekSHen
Description:Detects executables with potential process hoocking
Rule name:INDICATOR_SUSPICIOUS_EXE_References_Messaging_Clients
Create hunting rule
Author:ditekSHen
Description:Detects executables referencing many email and collaboration clients. Observed in information stealers
Rule name:INDICATOR_SUSPICIOUS_EXE_TelegramChatBot
Create hunting rule
Author:ditekSHen
Description:Detects executables using Telegram Chat Bot
Rule name:MALWARE_Win_SnakeKeylogger
Create hunting rule
Author:ditekSHen
Description:Detects Snake Keylogger
Rule name:MAL_Envrial_Jan18_1
Create hunting rule
Author:Florian Roth (Nextron Systems)
Description:Detects Encrial credential stealer malware
Reference:https://twitter.com/malwrhunterteam/status/953313514629853184
Rule name:MAL_Envrial_Jan18_1_RID2D8C
Create hunting rule
Author:Florian Roth
Description:Detects Encrial credential stealer malware
Reference:https://twitter.com/malwrhunterteam/status/953313514629853184
Rule name:pe_imphash
Create hunting rule
Rule name:shellcode
Create hunting rule
Author:nex
Description:Matched shellcode byte patterns
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/376874/

Comments