MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 3ce21097dd06b2c3aa3d813c1663d3975be963f8bdca625bb11beee0bd4076bb. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


SnakeKeylogger


Vendor detections: 14


Intelligence 14 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 3ce21097dd06b2c3aa3d813c1663d3975be963f8bdca625bb11beee0bd4076bb
SHA3-384 hash: 6d0bbc08f2a27fc3dfb64506c49d2b5cd1e0aec3786c6b3cf0c3d908f381904c0b8681ae9653479b34ada2b8e549f96b
SHA1 hash: 81f8058f4100b48d480f6532da5cf5e2eb9f4300
MD5 hash: 7de27c39cde5845fd7174f3c4a985e88
humanhash: whiskey-bulldog-island-mountain
File name:VergiOdemesi.exe
Download: download sample
Signature SnakeKeylogger
Create hunting rule
File size:1'083'904 bytes
First seen:2024-02-05 14:42:40 UTC
Last seen:2024-02-05 16:40:10 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'661 x AgentTesla, 19'474 x Formbook, 12'208 x SnakeKeylogger)
ssdeep 12288:BnXriqWh868yq0Gg4rOanzlgQV/pLBsEClDTMJcd0OxG2BKkD9c3hDpWWtKvUzAv:BX+qV68yq0N4h/pNIRTMg82R9cx
TLSH T1E435AEC4B150A8DFDC6B49F2AC2A6C3020937EAD4569C10D559B7B1A7ABB343604FE1F
TrID 67.7% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
9.7% (.EXE) Win64 Executable (generic) (10523/12/4)
6.0% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
4.1% (.EXE) Win32 Executable (generic) (4504/4/1)
File icon (PE):PE icon
dhash icon eeacac8cb6e2ba86 (561 x SnakeKeylogger, 142 x AgentTesla, 40 x Formbook)
Reporter abuse_ch
Tags:exe geo SnakeKeylogger TUR

Intelligence

File Origin
# of uploads :
2
# of downloads :
297
Origin country :
NL NL
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/474739/
Detection(s):
Porcupine.Malware.58887.UNOFFICIAL
Create hunting rule

Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
packed
Link:
https://www.filescan.io/uploads/65c0f40519fc380914225369/reports/bae87bb8-2ab0-4a7f-a09a-1aaa84da66c1/overview
Verdict:
Malicious
Labled as:
Ransom.Loki.Generic
Link:
https://www.hybrid-analysis.com/sample/3ce21097dd06b2c3aa3d813c1663d3975be963f8bdca625bb11beee0bd4076bb
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Snake Keylogger
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/9d2328b6-8d08-484c-babe-fe2e4b043770
Result
Threat name:
Snake Keylogger
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1386859
Signature
.NET source code contains potential unpacker
.NET source code contains very large array initializations
Adds a directory exclusion to Windows Defender
Allocates memory in foreign processes
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Found malware configuration
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Bad Opsec Defaults Sacrificial Processes With Improper Arguments
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Sigma detected: Scheduled temp file as task from temp location
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Uses dynamic DNS services
Uses known network protocols on non-standard ports
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Yara detected AntiVM3
Yara detected Generic Downloader
Yara detected Snake Keylogger
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1386859 Sample: VergiOdemesi.exe Startdate: 05/02/2024 Architecture: WINDOWS Score: 100 42 aborters.duckdns.org 2->42 44 varders.kozow.com 2->44 46 3 other IPs or domains 2->46 54 Found malware configuration 2->54 56 Malicious sample detected (through community Yara rule) 2->56 58 Antivirus / Scanner detection for submitted sample 2->58 62 11 other signatures 2->62 8 VergiOdemesi.exe 7 2->8         started        12 QDjZVGxvNd.exe 5 2->12         started        signatures3 60 Uses dynamic DNS services 42->60 process4 file5 38 C:\Users\user\AppData\...\QDjZVGxvNd.exe, PE32 8->38 dropped 40 C:\Users\user\AppData\Local\...\tmpF40F.tmp, XML 8->40 dropped 64 Detected unpacking (changes PE section rights) 8->64 66 Detected unpacking (overwrites its own PE header) 8->66 68 Uses schtasks.exe or at.exe to add and modify task schedules 8->68 76 4 other signatures 8->76 14 RegSvcs.exe 15 2 8->14         started        18 powershell.exe 21 8->18         started        20 powershell.exe 23 8->20         started        22 schtasks.exe 1 8->22         started        70 Antivirus detection for dropped file 12->70 72 Multi AV Scanner detection for dropped file 12->72 74 Machine Learning detection for dropped file 12->74 24 RegSvcs.exe 12->24         started        26 schtasks.exe 12->26         started        signatures6 process7 dnsIp8 48 aborters.duckdns.org 91.92.255.235, 49745, 49746, 8081 THEZONEBG Bulgaria 14->48 50 varders.kozow.com 51.38.247.67, 8081 OVHFR France 14->50 52 2 other IPs or domains 14->52 28 conhost.exe 18->28         started        30 WmiPrvSE.exe 18->30         started        32 conhost.exe 20->32         started        34 conhost.exe 22->34         started        78 Tries to steal Mail credentials (via file / registry access) 24->78 80 Tries to harvest and steal browser information (history, passwords, etc) 24->80 36 conhost.exe 26->36         started        signatures9 process10
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/3ce21097dd06b2c3aa3d813c1663d3975be963f8bdca625bb11beee0bd4076bb
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/3ce21097dd06b2c3aa3d813c1663d3975be963f8bdca625bb11beee0bd4076bb/
Threat name:
ByteCode-MSIL.Trojan.SnakeKeylogger
Create hunting rule
Status:
Malicious
First seen:
2024-02-05 06:47:56 UTC
AV detection:
22 of 37 (59.46%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=htrbbf65a2zmhkr5qe6bmy6ts5n6sy7yxxfgew5rdpxobpkao25q._file
Verdict:
malicious
Result
Malware family:
snakekeylogger
Create hunting rule
Score:
  10/10
Tags:
family:snakekeylogger collection keylogger stealer
Link:
https://tria.ge/reports/240205-r3lmfsacc8/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Enumerates physical storage devices
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Looks up external IP address via web service
Checks computer location settings
Snake Keylogger
Snake Keylogger payload
Unpacked files
SH256 hash:
971c821aa19832e04f1dd44b19cdb909d36d27be2f9e62edd10bf7887a43d15a
MD5 hash:
6d7a285502323918820b8513b5f33d75
SHA1 hash:
9633177bbb29c2563fec4a7dd381f4a278588437
Link:
https://www.unpac.me/results/822c7789-641f-4500-b8f1-3cefcf35907c/
SH256 hash:
75c64c989b913c5fcbc70a557cf25236a08f17ab6c4c71231394e98d214975b4
MD5 hash:
572863056016185f5daa4c76fa44778a
SHA1 hash:
25a0660fd71ba86b0127411d7485a6ea614e0238
Link:
https://www.unpac.me/results/822c7789-641f-4500-b8f1-3cefcf35907c/
SH256 hash:
7c8c43b5f95d9aff1c28b54206b91522bd4682d1014b7befdeb9429b09a5912b
MD5 hash:
6367831fb4bcff4d9896527f0cd2f720
SHA1 hash:
1d3af8ba7a60a97ce67c053cc50a30c48f380c5f
Link:
https://www.unpac.me/results/822c7789-641f-4500-b8f1-3cefcf35907c/
SH256 hash:
633a7e36048ae77a50f401d46f9c2180f629afb01d6c7ee113fdce66a60a9efc
MD5 hash:
fd48e43e841057f97fc33c66f27725ce
SHA1 hash:
131a2439e6110e8423363a204083c1263a64b5d1
Detections:
snake_keylogger
Create hunting rule
win_404keylogger_g1
Create hunting rule
MAL_Envrial_Jan18_1
Create hunting rule
MALWARE_Win_SnakeKeylogger
Create hunting rule
INDICATOR_SUSPICIOUS_Binary_References_Browsers
Create hunting rule
INDICATOR_SUSPICIOUS_EXE_DotNetProcHook
Create hunting rule
INDICATOR_SUSPICIOUS_EXE_References_Messaging_Clients
Create hunting rule
Link:
https://www.unpac.me/results/822c7789-641f-4500-b8f1-3cefcf35907c/
SH256 hash:
3ce21097dd06b2c3aa3d813c1663d3975be963f8bdca625bb11beee0bd4076bb
MD5 hash:
7de27c39cde5845fd7174f3c4a985e88
SHA1 hash:
81f8058f4100b48d480f6532da5cf5e2eb9f4300
Link:
https://www.unpac.me/results/822c7789-641f-4500-b8f1-3cefcf35907c/
Malware family:
SnakeKeylogger
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/3ce21097dd06/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Password Stealer
Score:
0.90
Link:
https://yomi.yoroi.company/submissions/3ce21097dd06b2c3aa3d813c1663d3975be963f8bdca625bb11beee0bd4076bb

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

SnakeKeylogger

Executable exe 3ce21097dd06b2c3aa3d813c1663d3975be963f8bdca625bb11beee0bd4076bb

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/474739/

Comments