MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 7b9b1c3da12184ec5b5d3f190e1705dfad08789b1202a8c8ece394f870d8e133. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



SnakeKeylogger


Vendor detections: 16



SHA256 hash: 7b9b1c3da12184ec5b5d3f190e1705dfad08789b1202a8c8ece394f870d8e133
SHA3-384 hash: 9456fe9eaa427235b8deae7143e7e58a59b01692b5b60d44a749161454ae3d0033b1b3a8f02284f82a6bd0864d9199d3
SHA1 hash: 5e355628d6b34ca37101a6b74b26f3f806354bc4
MD5 hash: c7c63a90c42a93f7cb4480dc2415218a
humanhash: cold-twenty-early-bluebird
File name: Ordine d'acquisto 9100033466 dal 14022024.iso.exe
Signature: SnakeKeylogger
File size: 604'160 bytes
First seen: 2024-02-14 13:02:24 UTC
Last seen: 2024-02-14 14:30:59 UTC
File type: Executable exe
MIME type: application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'661 x AgentTesla, 19'474 x Formbook, 12'208 x SnakeKeylogger)
ssdeep 12288:AiD2xkluEKejEVfz1iwiSg+5xsI3deGJpLKWCD8pMMcI8:eg7KekRoS1PZ3pfLKWa8pMf
TLSH T154D423213D6C4B57D9A883FE99204CD56BF867186560EF9CAD91F0E71973FA01A3038B
TrID 63.0% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
11.2% (.SCR) Windows screen saver (13097/50/3)
9.0% (.EXE) Win64 Executable (generic) (10523/12/4)
5.6% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
3.8% (.EXE) Win32 Executable (generic) (4504/4/1)
dhash icon: 3492d06974b47c0c (7 x Formbook, 4 x AgentTesla, 1 x SnakeKeylogger)
Reporter: abuse_ch
Tags: exe SnakeKeylogger

Intelligence


File Origin
# of uploads: 2
# of downloads: 308
Origin country: NL

Vendor Threat Intelligence
Malware family: n/a
ID: 1
File name: 7b9b1c3da12184ec5b5d3f190e1705dfad08789b1202a8c8ece394f870d8e133.exe
Verdict: Malicious activity
Analysis date: 2024-02-14 13:28:40 UTC
Tags: evasion snake keylogger

Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Result
Verdict: Malware
Maliciousness:

Behaviour
Searching for the window
Creating a window
Creating synchronization primitives
Verdict: Malicious
Threat level: 10/10
Confidence: 100%
Tags: packed

Verdict: Malicious
Labeled as: MSIL/Kryptik_AGeneric.BXG trojan

Result
Verdict: MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family: Snake Keylogger
Verdict: Malicious

Result
Threat name: PureLog Stealer, Snake Keylogger
Detection: malicious
Classification: troj.spyw.evad
Score: 100 / 100
Signature
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains potential unpacker
.NET source code contains very large array initializations
Adds a directory exclusion to Windows Defender
Found malware configuration
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sample uses string decryption to hide its real strings
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Sigma detected: Scheduled temp file as task from temp location
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Uses dynamic DNS services
Uses known network protocols on non-standard ports
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected AntiVM3
Yara detected Generic Downloader
Yara detected PureLog Stealer
Yara detected Snake Keylogger
Behaviour
Behavior Graph ID: 1392142 (Sample: Ordine d'acquisto 910003346...; Startdate: 14/02/2024; Architecture: WINDOWS; Score: 100). The graph's node text, laid out as a process tree:

Sample (root)
  Network: aborters.duckdns.org; checkip.dyndns.org; 3 other IPs or domains
  Signatures: Multi AV Scanner detection for domain / URL; Found malware configuration; Malicious sample detected (through community Yara rule); 15 other signatures; Uses dynamic DNS services (aborters.duckdns.org)
  started: Ordine d'acquisto 9100033466 dal 14022024.iso.exe
    dropped: C:\Users\user\AppData\...\HfwjGVixYgyzhk.exe (PE32); C:\Users\user\AppData\Local\...\tmpC36C.tmp (XML)
    Signatures: Adds a directory exclusion to Windows Defender; Injects a PE file into a foreign processes
    started: Ordine d'acquisto 9100033466 dal 14022024.iso.exe
      Network: aborters.duckdns.org 94.156.68.12 (ports 49749, 49750, 8081; TERASYST-ASBG, Bulgaria); checkip.dyndns.com 132.226.8.169 (ports 49710, 49713, 49715; UTMEMUS, United States); 2 other IPs or domains
      Signatures: Tries to steal Mail credentials (via file / registry access); Tries to harvest and steal browser information (history, passwords, etc)
    started: powershell.exe
      started: WmiPrvSE.exe; conhost.exe
    started: powershell.exe
      started: conhost.exe
    started: schtasks.exe
      started: conhost.exe
  started: HfwjGVixYgyzhk.exe
    Signatures: Multi AV Scanner detection for dropped file; Machine Learning detection for dropped file
    started: schtasks.exe
      started: conhost.exe
    started: HfwjGVixYgyzhk.exe
      started: WerFault.exe
Threat name: ByteCode-MSIL.Trojan.Taskun
Status: Malicious
First seen: 2024-02-14 13:03:09 UTC
File Type: PE (.Net Exe)
Extracted files: 8
AV detection: 17 of 24 (70.83%)
Threat level: 5/5

Verdict: malicious
Result
Malware family: snakekeylogger
Score: 10/10
Tags: family:snakekeylogger collection keylogger spyware stealer
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Enumerates physical storage devices
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Looks up external IP address via web service
Checks computer location settings
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Snake Keylogger
Snake Keylogger payload
Unpacked files
SHA256 hash: 42fba117f035f6f6a0927b95d36ab329475c322fde05c0184219fc7c368d507b
MD5 hash: e46adb087b1d933a7654c78a5c3ddb39
SHA1 hash: ffe9ce50240d8f32dbca0ca1c65f452f598a50b1
Detections: snake_keylogger win_404keylogger_g1 MAL_Envrial_Jan18_1 MALWARE_Win_SnakeKeylogger INDICATOR_SUSPICIOUS_EXE_RegKeyComb_DisableWinDefender INDICATOR_SUSPICIOUS_Binary_References_Browsers INDICATOR_SUSPICIOUS_EXE_DotNetProcHook INDICATOR_SUSPICIOUS_EXE_References_Messaging_Clients

SHA256 hash: d5e54ac29044ea48c678a522e6d642294c7dfb119d9bc256f007348f08ea6eff
MD5 hash: 495e6660bcbbe2d96a0119d02a22b416
SHA1 hash: 7dccb189d7f1533a11b95da8908fb1a45cfc9dab

SHA256 hash: 655f721b1b5f91805deb8ac51621edd7a8dfe42bd4e21bc5d9da607376145583
MD5 hash: 6722aa400529144fa3c61f19bdeed9d9
SHA1 hash: 1d9fddc05ed51a9b225a5ac7d5f55eba6d5028ba

SHA256 hash: 8ea4ed25ea9c725b9facc5dda5c7efcd2398ed18c17010075fb631f2048cdad2
MD5 hash: 0b553e5147a449365b7ec9b1819e5b42
SHA1 hash: 1504b8e0316844a0af8411adc152d78f048f8de1

SHA256 hash: 7b9b1c3da12184ec5b5d3f190e1705dfad08789b1202a8c8ece394f870d8e133
MD5 hash: c7c63a90c42a93f7cb4480dc2415218a
SHA1 hash: 5e355628d6b34ca37101a6b74b26f3f806354bc4

Malware family: SnakeKeylogger
Verdict: Malicious
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: NET
Author: malware-lu
Rule name: NETexecutableMicrosoft
Author: malware-lu
Rule name: pe_imphash
Rule name: Skystars_Malware_Imphash
Author: Skystars LightDefender
Description: imphash

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Malspam
SnakeKeylogger: Executable exe 7b9b1c3da12184ec5b5d3f190e1705dfad08789b1202a8c8ece394f870d8e133 (this sample)
Delivery method: Distributed via e-mail attachment

Comments