MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 7f9763a377fe92b64b80a08b747d33fef333880554b254bf645f04bd8eac1ed8. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

SnakeKeylogger

Vendor detections: 13

Intelligence 13 IOCs YARA 13 File information Comments

SHA256 hash:	7f9763a377fe92b64b80a08b747d33fef333880554b254bf645f04bd8eac1ed8
SHA3-384 hash:	bedbb6fb872b6525a1ed9216d64f89db91efa5a3c333798214ad55f722aa6fb287c8434b561a420f4bc36e2846d53cd8
SHA1 hash:	46e81798c3f806f0bba28aaecb73dc25d0f8c7b2
MD5 hash:	3cd0d1f1684237162ca8f725a0817d93
humanhash:	maryland-ceiling-equal-iowa
File name:	akin333.exe
Download:	download sample
Signature	SnakeKeylogger Create hunting rule
File size:	343'829 bytes
First seen:	2022-12-21 17:41:17 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	97318da386948415d08cef4a9006d669 (71 x Formbook, 35 x SnakeKeylogger, 26 x AgentTesla)
ssdeep	6144:EkwVSRhuirIT0tu0t2wjxS2Kjy/yN0iBr7EYZDXh:c6rS05wexxeCanNg8zh
Threatray	5'115 similar samples on MalwareBazaar
TLSH	T17C74CF29139A9865E28D3536BC709B1497584E70AEB3C186FF71BEBFB4343D729224C1
TrID	92.7% (.EXE) NSIS - Nullsoft Scriptable Install System (846567/2/133) 3.4% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13) 1.1% (.EXE) Win64 Executable (generic) (10523/12/4) 0.7% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 0.5% (.EXE) Win16 NE executable (generic) (5038/12/1)
File icon (PE):
dhash icon	00ac923073c88c50 (3 x SnakeKeylogger)
Reporter	abuse_ch
Tags:	exe SnakeKeylogger

Intelligence

File Origin

# of uploads :

# of downloads :

174

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

akin333.exe

Verdict:

Malicious activity

Analysis date:

2022-12-21 17:45:59 UTC

Tags:

installer

Link:

https://app.any.run/tasks/73b5f20f-66bf-4939-814b-7a2d4ec047bd

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Gathering data

Detection(s):

SecuriteInfo.com.Win32.PWSX-gen.97.4152.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a file in the %temp% directory

Creating a window

Creating a process from a recently created file

Creating a file in the %AppData% subdirectories

Searching for the window

Сreating synchronization primitives

DNS request

Sending an HTTP GET request

Reading critical registry keys

Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch

Unauthorized injection to a recently created process

Unauthorized injection to a recently created process by context flags manipulation

Forced shutdown of a browser

Verdict:

No Threat

Threat level:

2/10

Confidence:

100%

Tags:

overlay packed shell32.dll

Link:

https://www.filescan.io/uploads/63a3456f818a052f5d8dd424/reports/90812f59-9761-473c-8439-c5dee9b152b3/overview

Malware family:

Snake Keylogger

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/3fd3e785-4cfa-4820-a10f-c43a893d0b11

Result

Threat name:

Snake Keylogger

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1138950

Signature

.NET source code references suspicious native API functions

Found evasive API chain (may stop execution after reading information in the PEB, e.g. number of processors)

Malicious sample detected (through community Yara rule)

Maps a DLL or memory area into another process

May check the online IP address of the machine

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Snort IDS alert for network traffic

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to steal Mail credentials (via file / registry access)

Yara detected Generic Downloader

Yara detected Snake Keylogger

Yara detected Telegram RAT

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/7f9763a377fe92b64b80a08b747d33fef333880554b254bf645f04bd8eac1ed8/

Threat name:

Win32.Trojan.FormBook

Status:

Malicious

First seen:

2022-12-21 10:04:09 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

23 of 39 (58.97%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=p6lwhi3x72jlms4aucfxi7jt73zthcafkszfjp3el4cl3dvmd3ma._file

Verdict:

malicious

SnakeKeylogger

11be9de3f678eaaca2d49fddd0fd21647f75ed6bc683b9216638204e9a0ac1b4

SnakeKeylogger

43b25aef4da392665de83158b04b5f705a913c9dd03bf777ea66540f8bd21600

SnakeKeylogger

b1d5ae49da3d9ff696452c791d1a45e3a6ef7715762b338707c4e8deeccde26e

SnakeKeylogger

b4d384c4beb28700a5ca488567c34bcec8331baf771f16549383bb06e057d4a3

SnakeKeylogger

c375bf8a18680d0924c42bb9186586c7a283e7fe5d694843a76ac28b7d7b68f2

SnakeKeylogger

c8e5da5d94006e08ab1bb069102abaac24bba18c458ad2253527a29380cfdf51

SnakeKeylogger

f0464f5e9669b4112215874eb7df62b915fe83a00e5365da6d8ecf7be9981388

SnakeKeylogger

f56dcde7d06b05096835f277eb1e597526745b7f7607627855a56fd6f1fc3f50

SnakeKeylogger

fb27645c5ba18a9e7e61876df54e4220c89cfdea419892dc08c32a9a7fe9b443

SnakeKeylogger

+ 5'105 additional samples on MalwareBazaar

Result

Malware family:

snakekeylogger

Score:

10/10

Tags:

family:snakekeylogger collection keylogger persistence spyware stealer

Link:

https://tria.ge/reports/221221-v91lqscg36/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: MapViewOfSection

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

outlook_office_path

outlook_win_path

Enumerates physical storage devices

Suspicious use of SetThreadContext

Accesses Microsoft Outlook profiles

Adds Run key to start application

Looks up external IP address via web service

Loads dropped DLL

Reads data files stored by FTP clients

Reads user/profile data of local email clients

Reads user/profile data of web browsers

Executes dropped EXE

Snake Keylogger

Snake Keylogger payload

Malware Config

C2 Extraction:

https://api.telegram.org/bot5527276937:AAFXPayV6BQ7JPPGsD5rUkKZ4cn3m-d_W-0/sendMessage?chat_id=5582419717

Unpacked files

SH256 hash:

84fca762dfb36ac1369dd19018028308cd2fe76877683bc41d9e12dd278d463e

MD5 hash:

27952eaafff549f6f044ea4556490a14

SHA1 hash:

a77251459ea6b33a59120db124401c2fc35af04f

Detections:

snake_keylogger

Link:

https://www.unpac.me/results/f11472f8-13b6-4558-9441-e452e3d3fb3d/

SH256 hash:

c30294f97fd317905407c7f0c37908d5e7094ef8a067a6d1abb33ef83e4e2bc3

MD5 hash:

6ca9f3093d1147bdd58aaaec0bf35d17

SHA1 hash:

5fb3c64d57889dcbe8d1f8a4c6be39a0c3a0759a

Detections:

snake_keylogger

Link:

https://www.unpac.me/results/f11472f8-13b6-4558-9441-e452e3d3fb3d/

Parent samples :

ac6b2faf121905b8980455fab8e39a7cc3bf4fd5b2bff91068b5a6b348d23ee3
cd004920d1ca92cbfa11e014394a37dac188f65a0c6baf476601d462999126fa
29865b75c412f1ac28c7d971b011806080c583640b0130bfe9603d35c5665fce
a877d4ad09c9afc5bb5880913fd98fcf6989f390685bbd50b7f6acca864d0f44
4f5ea72df2ff98979013fbfe0781a01d8d487d886ebc5012e037f553527996d2
b88d6e2b1c5a0fbccf8af747e7bab2326b5bbf84ebceaec5d615a42a414c516c
0f8f70dd445fd84967a71a4d4f40e9f630b2a814e7d9107b1066ba1f8fb3bfa4
7f9763a377fe92b64b80a08b747d33fef333880554b254bf645f04bd8eac1ed8

SH256 hash:

c36731aa489d2f8bf8b924c17ce265a405dc47c5daab97f867139cb751b4114b

MD5 hash:

d2d58cd2c349e40a25673aa9e947505a

SHA1 hash:

73d8168b09f2e97358eb9b16e2f61ba1cd04222f

Link:

https://www.unpac.me/results/f11472f8-13b6-4558-9441-e452e3d3fb3d/

SH256 hash:

7f9763a377fe92b64b80a08b747d33fef333880554b254bf645f04bd8eac1ed8

MD5 hash:

3cd0d1f1684237162ca8f725a0817d93

SHA1 hash:

46e81798c3f806f0bba28aaecb73dc25d0f8c7b2

Link:

https://www.unpac.me/results/f11472f8-13b6-4558-9441-e452e3d3fb3d/

Malware family:

SnakeKeylogger

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/7f9763a377fe/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

0.98

Link:

https://yomi.yoroi.company/submissions/7f9763a377fe92b64b80a08b747d33fef333880554b254bf645f04bd8eac1ed8

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	AsyncRat_Detection_Dec_2022 Create hunting rule
Author:	Potatech
Description:	AsyncRat

Rule name:	cobalt_strike_tmp01925d3f Create hunting rule
Author:	The DFIR Report
Description:	files - file ~tmp01925d3f.exe
Reference:	https://thedfirreport.com

Rule name:	INDICATOR_SUSPICIOUS_Binary_References_Browsers Create hunting rule
Author:	ditekSHen
Description:	Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers.

Rule name:	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook Create hunting rule
Author:	ditekSHen
Description:	Detects executables with potential process hoocking

Rule name:	INDICATOR_SUSPICIOUS_EXE_References_Messaging_Clients Create hunting rule
Author:	ditekSHen
Description:	Detects executables referencing many email and collaboration clients. Observed in information stealers

Rule name:	INDICATOR_SUSPICIOUS_EXE_TelegramChatBot Create hunting rule
Author:	ditekSHen
Description:	Detects executables using Telegram Chat Bot

Rule name:	MALWARE_Win_SnakeKeylogger Create hunting rule
Author:	ditekSHen
Description:	Detects Snake Keylogger

Rule name:	MAL_Envrial_Jan18_1 Create hunting rule
Author:	Florian Roth
Description:	Detects Encrial credential stealer malware
Reference:	https://twitter.com/malwrhunterteam/status/953313514629853184

Rule name:	MAL_Envrial_Jan18_1_RID2D8C Create hunting rule
Author:	Florian Roth
Description:	Detects Encrial credential stealer malware
Reference:	https://twitter.com/malwrhunterteam/status/953313514629853184

Rule name:	pe_imphash Create hunting rule

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

Rule name:	Telegram_APIs Create hunting rule

Rule name:	Windows_Trojan_SnakeKeylogger_af3faa65 Create hunting rule
Author:	Elastic Security

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/348786/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample