MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 84a7b931079a581a4e3334a3be74e9c16876b1f00c51270f7eee81df6738340a. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


SnakeKeylogger


Vendor detections: 14


Intelligence 14 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 84a7b931079a581a4e3334a3be74e9c16876b1f00c51270f7eee81df6738340a
SHA3-384 hash: 833de83ae6ec71b5a9fc5c39f75b339cb1c241f1de1e42066687c22f7cd3331ab7b75cc21b8f21aa1b56d71739b59688
SHA1 hash: 3c3a20e4ed9b7fee6eecbf4d38366c4c2602df2b
MD5 hash: f6016fe7dcc0d49cc0fc10f18736fa5c
humanhash: lactose-arizona-colorado-pip
File name:Vessel Particulars.exe
Download: download sample
Signature SnakeKeylogger
Create hunting rule
File size:823'296 bytes
First seen:2023-03-17 13:30:26 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'740 x AgentTesla, 19'600 x Formbook, 12'241 x SnakeKeylogger)
ssdeep 12288:qzCnhNpjkjXyuaqrw4WuzwgMGpn9RgPp9IPLk+vq8f16x2pllOAt0YjAqEMM:3fjkj+UfWuzNpgPzIo4XtLOAnEMM
Threatray 4'673 similar samples on MalwareBazaar
TLSH T118050148B725EB22CB7E9BFEB471206193F3890E5225D38C5CCF64EA2A63F954501D4B
TrID 71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.2% (.EXE) Win64 Executable (generic) (10523/12/4)
6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.3% (.EXE) Win32 Executable (generic) (4505/5/1)
2.0% (.ICL) Windows Icons Library (generic) (2059/9)
File icon (PE):PE icon
dhash icon f0c4f4c4dcdcdcf8 (8 x AgentTesla, 6 x SnakeKeylogger, 2 x Formbook)
Reporter James_inthe_box
Tags:exe SnakeKeylogger

Intelligence

File Origin
# of uploads :
1
# of downloads :
202
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
Vessel Particulars.exe
Verdict:
Malicious activity
Analysis date:
2023-03-17 13:32:23 UTC
Tags:
evasion snake keylogger trojan
Link:
https://app.any.run/tasks/a1ca6fa8-e74b-49ab-badd-bee0700ffac8

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Snake
Create hunting rule
Link:
https://www.capesandbox.com/analysis/375108/
Detection(s):
Sanesecurity.Malware.28872.BadIN4.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Creating a window
Sending a custom TCP request
Launching a process
Creating a process with a hidden window
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
packed
Link:
https://www.filescan.io/uploads/64146b9828f6cfd59136ac48/reports/686b5eb9-846a-4b43-b1df-2524edd26c50/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_90%
Link:
https://www.hybrid-analysis.com/sample/84a7b931079a581a4e3334a3be74e9c16876b1f00c51270f7eee81df6738340a
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Generic Malware
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/2afa2bdd-b4b0-42d5-a201-d6545384d66a
Result
Threat name:
Snake Keylogger
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1195859
Signature
Adds a directory exclusion to Windows Defender
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
May check the online IP address of the machine
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Scheduled temp file as task from temp location
Snort IDS alert for network traffic
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Mail credentials (via file / registry access)
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected Generic Downloader
Yara detected Snake Keylogger
Yara detected Telegram RAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 828756 Sample: Vessel_Particulars.exe Startdate: 17/03/2023 Architecture: WINDOWS Score: 100 42 checkip.dyndns.org 2->42 44 checkip.dyndns.com 2->44 52 Snort IDS alert for network traffic 2->52 54 Malicious sample detected (through community Yara rule) 2->54 56 Sigma detected: Scheduled temp file as task from temp location 2->56 58 6 other signatures 2->58 8 Vessel_Particulars.exe 7 2->8         started        12 hQUSrk.exe 5 2->12         started        signatures3 process4 file5 34 C:\Users\user\AppData\Roaming\hQUSrk.exe, PE32 8->34 dropped 36 C:\Users\user\...\hQUSrk.exe:Zone.Identifier, ASCII 8->36 dropped 38 C:\Users\user\AppData\Local\...\tmp2FA9.tmp, XML 8->38 dropped 40 C:\Users\user\...\Vessel_Particulars.exe.log, ASCII 8->40 dropped 60 May check the online IP address of the machine 8->60 62 Uses schtasks.exe or at.exe to add and modify task schedules 8->62 64 Adds a directory exclusion to Windows Defender 8->64 66 Injects a PE file into a foreign processes 8->66 14 Vessel_Particulars.exe 15 2 8->14         started        18 powershell.exe 21 8->18         started        20 schtasks.exe 1 8->20         started        68 Multi AV Scanner detection for dropped file 12->68 70 Machine Learning detection for dropped file 12->70 22 hQUSrk.exe 14 2 12->22         started        24 schtasks.exe 1 12->24         started        signatures6 process7 dnsIp8 46 checkip.dyndns.com 158.101.44.242, 49700, 49701, 80 ORACLE-BMC-31898US United States 14->46 48 checkip.dyndns.org 14->48 72 Tries to steal Mail credentials (via file / registry access) 14->72 74 Tries to harvest and steal ftp login credentials 14->74 76 Tries to harvest and steal browser information (history, passwords, etc) 14->76 26 conhost.exe 18->26         started        28 conhost.exe 20->28         started        50 checkip.dyndns.org 22->50 30 WerFault.exe 22->30         started        32 conhost.exe 24->32         started        signatures9 process10
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/84a7b931079a581a4e3334a3be74e9c16876b1f00c51270f7eee81df6738340a/
Threat name:
Win32.Trojan.Pwsx
Create hunting rule
Status:
Malicious
First seen:
2023-03-17 13:29:24 UTC
File Type:
PE (.Net Exe)
Extracted files:
25
AV detection:
14 of 24 (58.33%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=qst3smihtjmbutrtgsr345hjyfuhnmpqbrisod3652a56zzygqfa._file
Verdict:
malicious
Similar samples:
2a16f2ee7eee4dc583d3d36d3b119d4b10000dc7cbf7d76650558bf6c9448dcd
SnakeKeylogger
59849ade722e0ac68e1105fb13ad623c8cf5b5e44fe325e5239f470195bfe7f9
SnakeKeylogger
86f818237bb4ed674b8d269912dd5063cf141ac7a2f5eba21a186032c471105e
SnakeKeylogger
b8208e83d1b83690605ad2dea2dc633597775b94e1ddab9a7bffbc2e4cc055c2
SnakeKeylogger
bd3704c36cc99d990c773ae12328f7938e7a5bf230e18501f2f8b869532b28d5
SnakeKeylogger
d156d6626e85584270b990b2b53c325a53be473e21c6fd32e1ac4e50301ee165
SnakeKeylogger
ddf534695055117a966d111e1102446be62148e55eadfcc5a01dd2b444ffc0e8
SnakeKeylogger
f2c53057334b62ee92c3c21f8b8f1f5dbacda5d79db75734abcd879c08a7c805
SnakeKeylogger
fd6c69d8a9592b239028cbe1f7180a1513f0efdc6745f6fa41dadcc6b438cc7b
SnakeKeylogger
+ 4'663 additional samples on MalwareBazaar
Result
Malware family:
snakekeylogger
Create hunting rule
Score:
  10/10
Tags:
family:snakekeylogger collection keylogger spyware stealer
Link:
https://tria.ge/reports/230317-qsdnesgd77/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Enumerates physical storage devices
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Looks up external IP address via web service
Checks computer location settings
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Snake Keylogger
Snake Keylogger payload
Unpacked files
SH256 hash:
d06df7395d561e198f9b7c5481567116ff2e4c2e84437c018d2a2c8ea6c4ca37
MD5 hash:
0fb6061f7d37424fb9e6d0e76b019c19
SHA1 hash:
98a64bf7b459f032d6ec5793003bf61b5ae1dd74
Link:
https://www.unpac.me/results/f009c6fa-6ec4-4ed6-b662-8b0e276748c1/
Parent samples :
495607b1aef01bf7dfb64b5cb16a8fc0f161c2923627d71c69de97328f8eca3f
2434aa78b46a3afc98fa6e888c3eb56278ba52b0ff800e7e875af9c2e7f9011a
SH256 hash:
0a2973c847bc7c00d1d88b595473e436aebb16420118cb8c90bddb9a614b2558
MD5 hash:
347b6eee198d74d878bd7f2122d83be9
SHA1 hash:
7796b2ea7d9558e9e6d549bdbf0cdafa2e3de1db
Link:
https://www.unpac.me/results/f009c6fa-6ec4-4ed6-b662-8b0e276748c1/
SH256 hash:
4a578463552effa2da7b8f9334450376450bbf12c68415b48622d3886a314065
MD5 hash:
e0497b09c8e0ac52cfb8ad8fd026a362
SHA1 hash:
573dcc7a65b5d100f661486d856fde2a7d722d11
Detections:
snake_keylogger
Create hunting rule
Link:
https://www.unpac.me/results/f009c6fa-6ec4-4ed6-b662-8b0e276748c1/
Parent samples :
04f767d0d1a67f91822eb85f38fd960faff4c4c2f13d3c019e0d7b3961fbad2c
ddf534695055117a966d111e1102446be62148e55eadfcc5a01dd2b444ffc0e8
84a7b931079a581a4e3334a3be74e9c16876b1f00c51270f7eee81df6738340a
7b19720913425839002145fec9db388330e2b6dd411a8673a277b3ef5c6b42a8
c890238fdb361d15295c7753d750b5a19bdc1012250963d7f37c2b35ae367f05
a5daa13bcab440154c01d336ff4a9dbf4ff40ece572ce781557a47641fe01de4
SH256 hash:
509f252d2393501f97dcfe7d3a93c4539e763c07f6c35929cba336710bfa95fc
MD5 hash:
2c4122d8874c5235f03fb05dfb1f422a
SHA1 hash:
0c56d3fb2fea17b9ddbf2f88af89f5399ed32cd8
Link:
https://www.unpac.me/results/f009c6fa-6ec4-4ed6-b662-8b0e276748c1/
SH256 hash:
9e5fcea2d9f00b7dd2e6c8c46f09e86d1e5bbbdd8096f57dc374b9b14ec9a7cf
MD5 hash:
ec1ad2ead9a77e4a0f3655671d319805
SHA1 hash:
065fc764be15568704d1e07d1b477ba4671a8f14
Link:
https://www.unpac.me/results/f009c6fa-6ec4-4ed6-b662-8b0e276748c1/
SH256 hash:
84a7b931079a581a4e3334a3be74e9c16876b1f00c51270f7eee81df6738340a
MD5 hash:
f6016fe7dcc0d49cc0fc10f18736fa5c
SHA1 hash:
3c3a20e4ed9b7fee6eecbf4d38366c4c2602df2b
Link:
https://www.unpac.me/results/f009c6fa-6ec4-4ed6-b662-8b0e276748c1/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/84a7b931079a581a4e3334a3be74e9c16876b1f00c51270f7eee81df6738340a

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

  
Delivery method
Other
Cape
Cape
https://www.capesandbox.com/analysis/375108/

Comments