MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 84dbd6ec8da76543febdcadfd7021992b1b1f95ac11327517795b621a6b183d4. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



SnakeKeylogger


Vendor detections: 7



SHA256 hash: 84dbd6ec8da76543febdcadfd7021992b1b1f95ac11327517795b621a6b183d4
SHA3-384 hash: f2211472f85145974a0fc359aad4c48f9cbd086b9831210d727788f8e9f2e944e5785669cf01d0fff1316ab5f65ca7e4
SHA1 hash: 10e224c1ba68bf9b3921e0db5661d75769484a71
MD5 hash: bd7cfee0e2096bdf269e64ab92a5f609
humanhash: jersey-arizona-april-double
File name: don-serv.txt.ps1
Signature: SnakeKeylogger
File size: 1'809'769 bytes
First seen: 2022-10-14 07:21:33 UTC
Last seen: Never
File type: PowerShell (PS) ps1
MIME type: text/plain
ssdeep: 12288:wXMaJWGpSShqySDPN6un39cIxVyrr2+h6h0epvk/gTQh7WW55ntsn/3Fbyv5cHfD:wXHu
Threatray: 2'792 similar samples on MalwareBazaar
TLSH: T17885551A59667EBDD7C4427E1600152689FC2C36A447F0ACD283F0FB1EA3E728D785AD
Reporter: 0xToxin
Tags: Bitbucket pro2pro ps1 SnakeKeylogger

Intelligence

File Origin
# of uploads: 1
# of downloads: 248
Origin country: n/a

Vendor Threat Intelligence

Result
Verdict: UNKNOWN

Result
Threat name: Snake Keylogger
Detection: malicious
Classification: troj.spyw.evad
Score: 100 / 100
Signature
.NET source code references suspicious native API functions
Bypasses PowerShell execution policy
Creates processes via WMI
Injects a PE file into foreign processes
Malicious sample detected (through community Yara rule)
May check the online IP address of the machine
Multi AV Scanner detection for submitted file
PowerShell case anomaly found
Snort IDS alert for network traffic
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Mail credentials (via file / registry access)
Uses an obfuscated file name to hide its real file extension (double extension)
Uses cmd line tools excessively to alter registry or file data
Writes to foreign memory regions
Wscript starts Powershell (via cmd or directly)
Yara detected Bypass AMSI
Yara detected Generic Downloader
Yara detected Snake Keylogger
Yara detected Telegram RAT
Behaviour

Behavior Graph ID: 723158
Sample: don-serv.txt.ps1
Start date: 14/10/2022
Architecture: WINDOWS
Score: 100

Sample-level signatures: Snort IDS alert for network traffic; Malicious sample detected (through community Yara rule); Multi AV Scanner detection for submitted file; 7 other signatures.

Process tree (reconstructed from the behavior graph; indentation shows parent/child, signatures in brackets, dropped files and network contacts listed under the process that produced them):

don-serv.txt.ps1 (sample)
  powershell.exe
    cmd.exe
      [Wscript starts Powershell (via cmd or directly); Uses cmd line tools excessively to alter registry or file data; Creates processes via WMI]
      cmd.exe
        powershell.exe
          aspnet_compiler.exe
            [May check the online IP address of the machine]
            DNS: checkip.dyndns.com -> 193.122.130.0, TCP 49695 -> 80 (ORACLE-BMC-31898US, United States)
            DNS: checkip.dyndns.org
      reg.exe
      reg.exe
    conhost.exe
  powershell.exe
    cmd.exe
      [PowerShell case anomaly found]
      cmd.exe
        [Wscript starts Powershell (via cmd or directly); PowerShell case anomaly found]
        powershell.exe
          [Writes to foreign memory regions; Injects a PE file into foreign processes]
          aspnet_compiler.exe
            [Tries to steal Mail credentials (via file / registry access); Tries to harvest and steal ftp login credentials; Tries to harvest and steal browser information (history, passwords, etc)]
            158.101.44.242, TCP 49696 -> 80 (ORACLE-BMC-31898US, United States)
            DNS: checkip.dyndns.org
      reg.exe
      reg.exe
    conhost.exe
  powershell.exe
    [Bypasses PowerShell execution policy]
    Dropped: C:\ProgramData\...\XSJYEGLBUOZEHBTNLNLSOU.ps1 (ASCII)
    Dropped: C:\ProgramData\...TZYVDQNGLKWWAYUCNKYHE.ps1 (ASCII; leading part of the name lost in extraction)
    Dropped: C:\ProgramData\...TZYVDQNGLKWWAYUCNKYHE.bat (DOS; leading part of the name lost in extraction)
    powershell.exe
      wscript.exe
        [Uses cmd line tools excessively to alter registry or file data; Creates processes via WMI]
    conhost.exe
  wscript.exe
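The process chain above (a script host relaunching PowerShell through cmd.exe, bursts of reg.exe, PowerShell spawning aspnet_compiler.exe as an injection target, an execution-policy bypass, odd casing of "powershell", and the .txt.ps1 double extension) is what a detection engineer turns into rules. The Python below is an added example, not code from MalwareBazaar or from any vendor whose results appear on this page: it replays constructed process-creation events shaped like that chain and flags the parent/child and command-line patterns the signatures describe. All events, PIDs, paths, script names and the registry key are constructed placeholders; treating a parent of WmiPrvSE.exe as "created via WMI" and aspnet_compiler.exe as the injection target are the only environment-specific assumptions.

```python
import re
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    """One process-creation event (the fields a Sysmon Event ID 1 record carries)."""
    pid: int
    ppid: int
    image: str      # executable base name as logged
    cmdline: str


# Constructed events modelled on the process tree reported for this sample.
# PIDs, paths, script names and the registry key are illustrative placeholders,
# not values from the sandbox run; the shape of the chain is what matters.
SAMPLE_EVENTS = [
    ProcEvent(100, 1, "explorer.exe", "explorer.exe"),
    # the user opens the double-extension script
    ProcEvent(300, 100, "powershell.exe",
              r"powershell.exe -ExecutionPolicy Bypass -File C:\Users\u\Downloads\don-serv.txt.ps1"),
    # a script host relaunches PowerShell through cmd.exe with odd casing
    ProcEvent(200, 100, "wscript.exe", r"wscript.exe C:\ProgramData\stage.vbs"),
    ProcEvent(201, 200, "cmd.exe",
              r"cmd.exe /c pOwErShElL -nop -w hidden -ep bypass -File C:\ProgramData\stage.ps1"),
    ProcEvent(202, 201, "powershell.exe",
              r"pOwErShElL -nop -w hidden -ep bypass -File C:\ProgramData\stage.ps1"),
    ProcEvent(203, 201, "reg.exe", r"reg.exe add HKCU\Software\Example /v a /d 1 /f"),
    ProcEvent(204, 201, "reg.exe", r"reg.exe add HKCU\Software\Example /v b /d 2 /f"),
    # the payload is injected into a .NET Framework binary
    ProcEvent(205, 202, "aspnet_compiler.exe",
              r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"),
    # a process created through WMI shows WmiPrvSE.exe as its parent (assumption)
    ProcEvent(77, 1, "WmiPrvSE.exe", "WmiPrvSE.exe"),
    ProcEvent(400, 77, "powershell.exe", r"powershell.exe -File C:\ProgramData\stage2.ps1"),
    # benign control: an ordinary admin script must not be flagged
    ProcEvent(500, 100, "powershell.exe", r"powershell.exe -File C:\Scripts\backup.ps1"),
]

DOUBLE_EXT = re.compile(r"\.(?:txt|pdf|doc|docx|jpg|png)\.(?:ps1|vbs|js|bat|cmd|exe|scr)\b", re.I)
EP_BYPASS = re.compile(r"-(?:ep|ex|exec|executionpolicy)\s+bypass", re.I)
PS_TOKEN = re.compile(r"powershell", re.I)
NORMAL_PS_CASINGS = {"powershell", "PowerShell", "Powershell", "POWERSHELL"}
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
# injection target seen in this sample's graph; extend for your environment
INJECTION_TARGETS = {"aspnet_compiler.exe"}


def case_anomaly(cmdline: str) -> bool:
    """True when 'powershell' appears with a casing no normal invocation produces."""
    return any(m.group(0) not in NORMAL_PS_CASINGS for m in PS_TOKEN.finditer(cmdline))


def analyze(events):
    """Return (rule, pid) findings for the parent/child and command-line patterns."""
    by_pid = {e.pid: e for e in events}
    reg_children = Counter(e.ppid for e in events if e.image.lower() == "reg.exe")
    findings = []
    for e in events:
        img = e.image.lower()
        parent = by_pid.get(e.ppid)
        pimg = parent.image.lower() if parent else ""
        grand = by_pid.get(parent.ppid) if parent else None
        gimg = grand.image.lower() if grand else ""

        if DOUBLE_EXT.search(e.cmdline):
            findings.append(("double_extension", e.pid))
        if EP_BYPASS.search(e.cmdline):
            findings.append(("execution_policy_bypass", e.pid))
        if case_anomaly(e.cmdline):
            findings.append(("powershell_case_anomaly", e.pid))
        if img == "powershell.exe":
            # direct script-host parent, or script host -> cmd.exe -> powershell.exe
            if pimg in SCRIPT_HOSTS or (pimg == "cmd.exe" and gimg in SCRIPT_HOSTS):
                findings.append(("wscript_starts_powershell", e.pid))
            if pimg == "wmiprvse.exe":
                findings.append(("process_created_via_wmi", e.pid))
        if img in INJECTION_TARGETS and pimg == "powershell.exe":
            findings.append(("powershell_spawns_injection_target", e.pid))
        if reg_children[e.pid] >= 2:
            findings.append(("reg_exe_burst", e.pid))
    return findings


if __name__ == "__main__":
    for rule, pid in analyze(SAMPLE_EVENTS):
        print(f"{pid:>5}  {rule}")
```

Running it prints one line per finding. In practice the events come from Sysmon Event ID 1 or an EDR feed; the benign control (PID 500) shows that a plain -File invocation with a normal parent, casing and policy produces nothing, which is the false-positive check worth keeping when the rules are tuned.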
Threat name: Script-PowerShell.Trojan.Runner
Status: Suspicious
First seen: 2022-10-13 23:07:11 UTC
File Type: Text (PowerShell)
AV detection: 10 of 26 (38.46%)
Threat level: 5/5

Result
Malware family: snakekeylogger
Score: 10/10
Tags: family:snakekeylogger keylogger persistence stealer
Behaviour:
Modifies registry class
Modifies registry key
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Drops file in System32 directory
Suspicious use of SetThreadContext
Looks up external IP address via web service
Registers COM server for autorun
Process spawned unexpected child process
Snake Keylogger
Snake Keylogger payload
Please note that we are no longer able to provide a coverage score for Virus Total.

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Comments