MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 848317c9674dd7842859c63d0689a165d88ff8682a755db5bd7c69bf4ca080f0. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

SnakeKeylogger

Vendor detections: 10

Intelligence 10 IOCs YARA 3 File information Comments

SHA256 hash:	848317c9674dd7842859c63d0689a165d88ff8682a755db5bd7c69bf4ca080f0
SHA3-384 hash:	38e777d2afb730316f25706db3f2850ab73d0e4ae14d385476477390b2755cfb624102d6ba8164dc43bbe7fa5d400dfd
SHA1 hash:	3267ac83cfcff9ace2db1db7170466f2453b66ce
MD5 hash:	35ac92f87a8d257c86776fc8e52bff62
humanhash:	nuts-september-kentucky-minnesota
File name:	New_Requests_56331.exe
Download:	download sample
Signature	SnakeKeylogger Create hunting rule
File size:	182'272 bytes
First seen:	2022-02-03 13:44:39 UTC
Last seen:	2022-02-03 15:46:39 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'744 x AgentTesla, 19'609 x Formbook, 12'242 x SnakeKeylogger)
ssdeep	1536:UY3Cb0jm5SPlHMNJHvuNPmPSxwzb5rGOUk3eke/uedXxV2VAX3YxYbImPm7Mha/k:5CbSOg0MuFad
Threatray	2'460 similar samples on MalwareBazaar
TLSH	T12704CA38FDBF5D54C2308A39669D714AC6D09F498E8B8336BFE062946E6CCC8364651E
File icon (PE):
dhash icon	18808c9c8c869830 (9 x SnakeKeylogger, 2 x Formbook, 1 x AgentTesla)
Reporter	abuse_ch
Tags:	exe SnakeKeylogger

abuse_ch

Payload URL:
http://3.65.197.215/wp/New_Requests_56331.log

Intelligence

File Origin

# of uploads :

# of downloads :

200

Origin country :

n/a

Vendor Threat Intelligence

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/232206/

Detection(s):

SecuriteInfo.com.Artemis35AC92F87A8D.26405.24385.UNOFFICIAL

Result

Verdict:

Suspicious

Maliciousness:

Behaviour

Searching for the window

Сreating synchronization primitives

Running batch commands

Creating a process with a hidden window

Launching a process

DNS request

Sending an HTTP GET request

Creating a window

Result

Verdict:

UNKNOWN

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Verdict:

Unknown

Link:

https://analyze.intezer.com/analyses/17661328-7daa-49e9-9b12-2b2de5d2bd47

Result

Threat name:

Snake Keylogger

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/933376

Behaviour

Behavior Graph:

n/a

Detection:

snakekeylogger

Link:

https://mwdb.cert.pl/sample/848317c9674dd7842859c63d0689a165d88ff8682a755db5bd7c69bf4ca080f0/

Threat name:

ByteCode-MSIL.Trojan.Snakekeylogger

Status:

Malicious

First seen:

2022-02-03 13:45:10 UTC

File Type:

PE (.Net Exe)

Extracted files:

AV detection:

19 of 28 (67.86%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=qsbrpslhjxlyikczyy6qncnbmxmi76difj2v3nn5pru36tfaqdya._file

Verdict:

malicious

SnakeKeylogger

2ce55f36ec8460c1273af1411d76c3af53a3861974d66b6a168218e6af7431e4

SnakeKeylogger

30857f5b12915a6e6e21114e1176ae694d7463cb0477d7c68071a63e477284f0

SnakeKeylogger

4723f6050ea2f6739fd08f6111162abdee81e2e3ba8f5b2efad90158b54b8d87

SnakeKeylogger

60cf45262b59092f3dff9c5fa83a6a3e7d8008ad0e19c3469099e0978426d329

SnakeKeylogger

662acd5406b7e5f3f107aad8b7a06a10eaf14747b82db5a04a1958f64284cf44

SnakeKeylogger

ead300a07127a8d18e23a62fa409488c7c3b7133b2e022cc9eb3be204b52cba8

SnakeKeylogger

ecb446bcf4b7c55ebefe6dd61f7c01300df2df1257001c8440957ff9f211b086

SnakeKeylogger

f0499807bd42438f56254b0af8d2e7672d36d58b97c1480852df6b6f8f527233

SnakeKeylogger

f0f9213cad90bc44e22ce602a1fe2c2c76975d5f6617be7091692f4af10637b4

SnakeKeylogger

+ 2'450 additional samples on MalwareBazaar

Result

Malware family:

snakekeylogger

Score:

10/10

Tags:

family:snakekeylogger collection keylogger persistence stealer

Link:

https://tria.ge/reports/220203-q2d1jshhd7/

Behaviour

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

outlook_office_path

outlook_win_path

Delays execution with timeout.exe

Modifies data under HKEY_USERS

Suspicious behavior: EnumeratesProcesses

Enumerates physical storage devices

Drops file in Windows directory

Suspicious use of SetThreadContext

Accesses Microsoft Outlook profiles

Adds Run key to start application

Looks up external IP address via web service

Checks computer location settings

Sets service image path in registry

Snake Keylogger

Snake Keylogger Payload

Unpacked files

SH256 hash:

848317c9674dd7842859c63d0689a165d88ff8682a755db5bd7c69bf4ca080f0

MD5 hash:

35ac92f87a8d257c86776fc8e52bff62

SHA1 hash:

3267ac83cfcff9ace2db1db7170466f2453b66ce

Link:

https://www.unpac.me/results/6bd3f64e-8e95-4608-b37b-319d3aeaa370/

Malware family:

Phoenix

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/848317c9674d/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Password Stealer

Score:

0.90

Link:

https://yomi.yoroi.company/submissions/848317c9674dd7842859c63d0689a165d88ff8682a755db5bd7c69bf4ca080f0

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	INDICATOR_EXE_Packed_SmartAssembly Create hunting rule
Author:	ditekSHen
Description:	Detects executables packed with SmartAssembly

Rule name:	pe_imphash Create hunting rule

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

URLhaus

https://urlhaus.abuse.ch/url/2026444/

Cape

https://www.capesandbox.com/analysis/232206/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample