MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 3e7876ca0922fbf2aba45def5d4025223c91e868b107f2b4b4870b2292a341a1. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


SnakeKeylogger


Vendor detections: 14


Intelligence 14 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 3e7876ca0922fbf2aba45def5d4025223c91e868b107f2b4b4870b2292a341a1
SHA3-384 hash: 94ec0d6baa3aeeed81f4b157625e2549ebf9a766700905b00eb53cd83ba4b069a280bbe85bfcd7325a86187f71a33420
SHA1 hash: 1d2061bebdce3a1052ba3e213b9e8425a82abc21
MD5 hash: fb84d5a612a1f0cc5c7370568f48a29b
humanhash: table-oregon-texas-snake
File name:FACTURA.exe
Download: download sample
Signature SnakeKeylogger
Create hunting rule
File size:911'360 bytes
First seen:2023-03-12 17:32:33 UTC
Last seen:2023-03-12 19:42:07 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'738 x AgentTesla, 19'597 x Formbook, 12'241 x SnakeKeylogger)
ssdeep 24576:9YKmIigmlbtJ6oNXzwp92kGD9jzxikqKUHum:9LmIElpwp9zi7DUH
Threatray 94 similar samples on MalwareBazaar
TLSH T140159D046361AA39CB76A7BFF5612D241378785DEEBCD6485D4930CB08ADFB04881BDB
TrID 71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.2% (.EXE) Win64 Executable (generic) (10523/12/4)
6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.3% (.EXE) Win32 Executable (generic) (4505/5/1)
2.0% (.ICL) Windows Icons Library (generic) (2059/9)
Reporter abuse_ch
Tags:exe SnakeKeylogger

Intelligence

File Origin
# of uploads :
2
# of downloads :
204
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
FACTURA.exe
Verdict:
Malicious activity
Analysis date:
2023-03-12 17:38:19 UTC
Tags:
snake keylogger trojan evasion
Link:
https://app.any.run/tasks/d76fc135-964d-4232-a418-bb3426cb689c

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Snake
Create hunting rule
Link:
https://www.capesandbox.com/analysis/373736/
Detection(s):
SecuriteInfo.com.IL.Trojan.MSILZilla.26031.13671.22047.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Launching a process
Creating a process with a hidden window
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
cerberus packed
Link:
https://www.filescan.io/uploads/640e0cd169819068058c4e29/reports/cc13ebda-f337-43ab-9b23-f92e5a847127/overview
Verdict:
Malicious
Labled as:
IL:Trojan.MSILZilla
Link:
https://www.hybrid-analysis.com/sample/3e7876ca0922fbf2aba45def5d4025223c91e868b107f2b4b4870b2292a341a1
Malware family:
Generic Malware
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/a583ada9-5852-49c4-a7e7-d06c67e4d1e3
Result
Threat name:
Snake Keylogger
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1192033
Signature
Adds a directory exclusion to Windows Defender
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
May check the online IP address of the machine
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Scheduled temp file as task from temp location
Snort IDS alert for network traffic
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Mail credentials (via file / registry access)
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected Generic Downloader
Yara detected Snake Keylogger
Yara detected Telegram RAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 824909 Sample: FACTURA.exe Startdate: 12/03/2023 Architecture: WINDOWS Score: 100 55 Snort IDS alert for network traffic 2->55 57 Malicious sample detected (through community Yara rule) 2->57 59 Sigma detected: Scheduled temp file as task from temp location 2->59 61 5 other signatures 2->61 7 FACTURA.exe 7 2->7         started        11 tvibeUxx.exe 5 2->11         started        process3 file4 39 C:\Users\user\AppData\Roaming\tvibeUxx.exe, PE32 7->39 dropped 41 C:\Users\...\tvibeUxx.exe:Zone.Identifier, ASCII 7->41 dropped 43 C:\Users\user\AppData\Local\Temp\tmp7A.tmp, XML 7->43 dropped 45 C:\Users\user\AppData\...\FACTURA.exe.log, ASCII 7->45 dropped 63 May check the online IP address of the machine 7->63 65 Uses schtasks.exe or at.exe to add and modify task schedules 7->65 67 Adds a directory exclusion to Windows Defender 7->67 13 FACTURA.exe 15 2 7->13         started        17 powershell.exe 21 7->17         started        19 powershell.exe 21 7->19         started        21 schtasks.exe 1 7->21         started        69 Multi AV Scanner detection for dropped file 11->69 71 Machine Learning detection for dropped file 11->71 73 Injects a PE file into a foreign processes 11->73 23 tvibeUxx.exe 11->23         started        25 schtasks.exe 11->25         started        27 tvibeUxx.exe 11->27         started        signatures5 process6 dnsIp7 47 checkip.dyndns.com 132.226.247.73, 49709, 80 UTMEMUS United States 13->47 49 checkip.dyndns.org 13->49 75 Tries to steal Mail credentials (via file / registry access) 13->75 77 Tries to harvest and steal ftp login credentials 13->77 79 Tries to harvest and steal browser information (history, passwords, etc) 13->79 29 conhost.exe 17->29         started        31 conhost.exe 19->31         started        33 conhost.exe 21->33         started        51 158.101.44.242, 49710, 80 ORACLE-BMC-31898US United States 23->51 53 checkip.dyndns.org 23->53 35 WerFault.exe 23->35         started        37 conhost.exe 25->37         started        signatures8 process9
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/3e7876ca0922fbf2aba45def5d4025223c91e868b107f2b4b4870b2292a341a1/
Threat name:
ByteCode-MSIL.Trojan.RemLoader
Create hunting rule
Status:
Malicious
First seen:
2023-03-10 13:20:52 UTC
File Type:
PE (.Net Exe)
Extracted files:
8
AV detection:
21 of 38 (55.26%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=hz4hnsqjel57fk5elxxv2qbfei6jd2diwed7fnfuq4fsfevdigqq._file
Verdict:
malicious
Similar samples:
225c1d3377cff7773455e55202057e9e95c537c33016d26bb832333797277e49
SnakeKeylogger
777e815415d8a5c55a3ddf78e28d4a50a5517f3938219c197c6e7c60a2f256a1
SnakeKeylogger
7a54fe8f5173eda2803c41961b8b8a8e10e419501ba77077a67cd35ccada4463
SnakeKeylogger
8ab1910d7f3de293954247ef8f06fc69669c9049735fef3e324935c925ec19ca
SnakeKeylogger
a1b484e08d3161fa1d4f9a90c36c4e50e5c8515a3613b9d3d35bba4101e55e87
SnakeKeylogger
b783ea2bcc733b1d1219d3b77941884a61c11c5cf5e3e6b0540c99996336ce0a
SnakeKeylogger
bd3704c36cc99d990c773ae12328f7938e7a5bf230e18501f2f8b869532b28d5
SnakeKeylogger
c80241ea11e21a083fc390af690cc0e6b2ee1ef91df4aaed6c44b10a753a1230
SnakeKeylogger
+ 84 additional samples on MalwareBazaar
Result
Malware family:
snakekeylogger
Create hunting rule
Score:
  10/10
Tags:
family:snakekeylogger collection keylogger spyware stealer
Link:
https://tria.ge/reports/230312-v4xynagg2y/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Enumerates physical storage devices
Program crash
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Looks up external IP address via web service
Checks computer location settings
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Snake Keylogger
Snake Keylogger payload
Malware Config
C2 Extraction:
https://api.telegram.org/bot5932548741:AAFytn5z9IUn93hcbUn3eb19fE08x1AWGz0/sendMessage?chat_id=5034680713
Unpacked files
SH256 hash:
098a882e474c7905de273df195c98fa23f3ceff1f1a8de496fa0571e5701cfe4
MD5 hash:
20bbeef21457df8eb0bd9015a73ead8a
SHA1 hash:
fb5e15d2181e82b3a518943d63a7f5d426fbbb5a
Link:
https://www.unpac.me/results/f6ef7856-faec-437e-b017-2e0cc75e5d9d/
SH256 hash:
dc3c9db21144b8fbd30b3912ced29eea7253b9b885603a2f7b67a4bc72ea7e8c
MD5 hash:
df9886dd65760e1f408300c170ca9bcc
SHA1 hash:
d0ec4c13b2aa8d521be81d90590f98ad2ad6dd68
Link:
https://www.unpac.me/results/f6ef7856-faec-437e-b017-2e0cc75e5d9d/
SH256 hash:
c234684a33231d86ca3a0c6459d4fc982bfd2516807b0022d9094868d2111719
MD5 hash:
33846e3d38c36db71b091f1d26d97491
SHA1 hash:
a92e54e4016e792bd11828e92c66684f69309ea2
Link:
https://www.unpac.me/results/f6ef7856-faec-437e-b017-2e0cc75e5d9d/
SH256 hash:
869a6ca799aa80d29a75967674a49a60421a45fcc8b60d10d54bd6024344a1e7
MD5 hash:
17403dd2e0eb346c18b7cb26d2f65217
SHA1 hash:
5bf8b228efd77f744549d94321f8b55f05046c03
Detections:
snake_keylogger
Create hunting rule
Link:
https://www.unpac.me/results/f6ef7856-faec-437e-b017-2e0cc75e5d9d/
Parent samples :
c26e6e96f70d4e90215671fbd6943a8660ed3933cd78666fb6514f7666d1498e
ad4693c807e8af00bff002c9723b8cd6551996eaae936bcdbaa7ece6527313b8
fc3669875257ee267e479e6c1646c3fbb7427070fbb973453a771aa60069caed
7aec24add55bcd98a2653bbc7814f8e7cc51f3180b20f45e4c22293802e1c648
b932e7ec61f1cc9b3c858a55eb883accf378580572077c2676adcf2a0aa8dde1
12a5cceeda3e51444875cac53290564dcb180dc2c4b6608580a3b2777c4213da
8ab1910d7f3de293954247ef8f06fc69669c9049735fef3e324935c925ec19ca
d07db65b01e0b86a8e74ecd7cd9b2193d6cb5ecfc39efc28db59b681e2171205
ed5e7918456cfccd873fe19861241d97abf4b157f88e9da9a9119651480eae15
983c666a648fb57817c60b86c18a3ad671e246d7c6daabb16afffc36df5bee31
3e7876ca0922fbf2aba45def5d4025223c91e868b107f2b4b4870b2292a341a1
11448a58a01b27a0f74213c3c46c751abf0847cdc6bd22e8c59ac880605eb057
7e8283583026a288a16c98682ce3cf18308f78cb08cebf3dd6b3376aa7089733
63df8eae2ebe31f97c4dcaf0587ffe4100d34892d03247fcba1201253c81423f
80d41016c2bf67df26677e38cbb13ab1ea552e4bad0e8ecb5e6e462297a7694f
SH256 hash:
8f0c7e3047346b8d6477ff6d4639fd6157602c7ebc840f3432b99263f1cb415c
MD5 hash:
e5b073b30db1b058298f5df032164e4d
SHA1 hash:
15d3ada4e7ac01b766615b9b66785e7e2ae9b0ca
Link:
https://www.unpac.me/results/f6ef7856-faec-437e-b017-2e0cc75e5d9d/
SH256 hash:
3e7876ca0922fbf2aba45def5d4025223c91e868b107f2b4b4870b2292a341a1
MD5 hash:
fb84d5a612a1f0cc5c7370568f48a29b
SHA1 hash:
1d2061bebdce3a1052ba3e213b9e8425a82abc21
Link:
https://www.unpac.me/results/f6ef7856-faec-437e-b017-2e0cc75e5d9d/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
0.90
Link:
https://yomi.yoroi.company/submissions/3e7876ca0922fbf2aba45def5d4025223c91e868b107f2b4b4870b2292a341a1

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/373736/

Comments