MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 3d3b6b64ac6d617d239daf44b19160a88844802014f7e7ec993df79c673d992a. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

SnakeKeylogger
Vendor detections: 14

SHA256 hash: 3d3b6b64ac6d617d239daf44b19160a88844802014f7e7ec993df79c673d992a
SHA3-384 hash: 2fbb70d5642658ff0aad866f49e854741deca87c48127bec522d9ac1eb543e6041a7e1326cc6d19b708a56af4389fa01
SHA1 hash: df38463cdf86a0d5ff66dc7cd80f89b1a90cbeeb
MD5 hash: bb754e5b00a8b8d3be795219c680b665
humanhash: steak-rugby-mars-chicken
File name: ScanDocbob.exe
Signature: SnakeKeylogger
File size: 592'845 bytes
First seen: 2022-04-19 06:35:58 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: 56a78d55f3f7af51443e58e0ce2fb5f6 (728 x GuLoader, 451 x Formbook, 295 x Loki)
ssdeep: 12288:HNl+6Y3Q9wyGkHUE8BgM0BNco+Uailpct7aiGOBvs/HZ:HNl9R93V0lgMONcpdpNZxvaHZ
Threatray: 2'818 similar samples on MalwareBazaar
TLSH: T177C423143BD8C82BC89376B20D660D9EF2E5BD3C542403DFAB582A5DA824BC59D4FB74
TrID: 48.8% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
      16.4% (.EXE) Win64 Executable (generic) (10523/12/4)
      10.2% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
      7.8% (.EXE) Win16 NE executable (generic) (5038/12/1)
      7.0% (.EXE) Win32 Executable (generic) (4505/5/1)
dhash icon: b2a89c96a2cada72 (2'283 x Formbook, 981 x Loki, 803 x AgentTesla)
Reporter: abuse_ch
Tags: exe SnakeKeylogger

Intelligence

File Origin
# of uploads: 1
# of downloads: 264
Origin country: n/a

Vendor Threat Intelligence

Result
Verdict: Malware

Behaviour:
  Creating a window
  Creating a file in the %temp% directory
  Creating a process from a recently created file
  Searching for the window
Verdict: Likely Malicious
Threat level: 7.5/10
Confidence: 100%
Tags: control.exe overlay packed shell32.dll
Result
Verdict: MALICIOUS
Details: Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family: Snake Keylogger
Verdict: Malicious
Result
Threat name: Snake Keylogger
Detection: malicious
Classification: troj.spyw.evad
Score: 100 / 100
Signature:
  .NET source code references suspicious native API functions
  Found malware configuration
  Machine Learning detection for sample
  Malicious sample detected (through community Yara rule)
  May check the online IP address of the machine
  Multi AV Scanner detection for submitted file
  Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
  Tries to harvest and steal browser information (history, passwords, etc)
  Tries to harvest and steal ftp login credentials
  Tries to steal Mail credentials (via file / registry access)
  Yara detected Snake Keylogger
  Yara detected Telegram RAT

Threat name: Win32.Trojan.FormBook
Status: Malicious
First seen: 2022-04-19 06:36:09 UTC
File Type: PE (Exe)
Extracted files: 3
AV detection: 23 of 26 (88.46%)
Threat level: 5/5
Result
Malware family: snakekeylogger
Score: 10/10
Tags: family:snakekeylogger keylogger stealer
Behaviour:
  Suspicious behavior: EnumeratesProcesses
  Suspicious use of AdjustPrivilegeToken
  Suspicious use of WriteProcessMemory
  Enumerates physical storage devices
  Suspicious use of SetThreadContext
  Looks up external IP address via web service
  Loads dropped DLL
  Executes dropped EXE
  Snake Keylogger
  Snake Keylogger Payload
Unpacked files:
  SHA256: c1eba397aec7cb95fff8a7097df89ee132cea4224af63ad7a0e489ba02a785e0
  MD5: 93d724388ae47fe778deae67aec39721
  SHA1: efd51144f8a7f5e8d633db9d3dc95a788739ad59

  SHA256: cda116657ad2b5f5c967e4d2fe7ccba486f722b470bf0105aabbcafeeb3c158e
  MD5: 07026794588038be8d54eb48e8a9dd15
  SHA1: 153f5ea17d1356e68211eafaf4456c2a2b4a1b29

  SHA256: 5a112a769b87c5b913de4f9ad491495be32af058a1815c1c2b00838eea7aa0d4
  MD5: ab8ce218cde707aa3f22bc543adc8ed3
  SHA1: c43ff39acf81eb630036340c39ecc04557d06c1e

  SHA256: 3d3b6b64ac6d617d239daf44b19160a88844802014f7e7ec993df79c673d992a
  MD5: bb754e5b00a8b8d3be795219c680b665
  SHA1: df38463cdf86a0d5ff66dc7cd80f89b1a90cbeeb

Malware family: SnakeKeylogger
Verdict: Malicious

Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: INDICATOR_SUSPICIOUS_Binary_References_Browsers
Author: ditekSHen
Description: Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers.

Rule name: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook
Author: ditekSHen
Description: Detects executables with potential process hooking

Rule name: INDICATOR_SUSPICIOUS_EXE_References_Messaging_Clients
Author: ditekSHen
Description: Detects executables referencing many email and collaboration clients. Observed in information stealers.

Rule name: INDICATOR_SUSPICIOUS_EXE_TelegramChatBot
Author: ditekSHen
Description: Detects executables using Telegram Chat Bot

Rule name: MALWARE_Win_SnakeKeylogger
Author: ditekSHen
Description: Detects Snake Keylogger

Rule name: MAL_Envrial_Jan18_1
Author: Florian Roth
Description: Detects Encrial credential stealer malware
Reference: https://twitter.com/malwrhunterteam/status/953313514629853184

Rule name: MAL_Envrial_Jan18_1_RID2D8C
Author: Florian Roth
Description: Detects Encrial credential stealer malware
Reference: https://twitter.com/malwrhunterteam/status/953313514629853184

Rule name: MAL_Lokibot_Stealer
Description: Detects Lokibot Stealer Variants

Rule name: pe_imphash

Rule name: Skystars_Malware_Imphash
Author: Skystars LightDefender
Description: imphash

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Comments