MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 8f90611a7d29f7e832d55fe1587107d30c53c2f580c45ea09c4f0cf45fe7cc7d. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


SnakeKeylogger


Vendor detections: 14


Intelligence 14 IOCs YARA 13 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 8f90611a7d29f7e832d55fe1587107d30c53c2f580c45ea09c4f0cf45fe7cc7d
SHA3-384 hash: 8fb6dc26a5c3f04755c10b55a5f54bf5d7136f42e29a8a5235d06f8127a53c7a6983472e96db9313bc6cc81dc26a0d65
SHA1 hash: abe566718fa1126828d29260f37b6ad408c954ec
MD5 hash: 7396f86cb0779358bb89ab2c7419a7df
humanhash: dakota-one-spring-carpet
File name:MV Nicos Tomasos Vessel Parts.exe
Download: download sample
Signature SnakeKeylogger
Create hunting rule
File size:623'616 bytes
First seen:2023-04-22 10:46:58 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'657 x AgentTesla, 19'467 x Formbook, 12'206 x SnakeKeylogger)
ssdeep 12288:qEsjs8mStDsWzN/TA+QyXv8EgMiSnbbWT0ilqIfZIoOrsSW:vOhsWRrAW/unxT0qqIRUrs
Threatray 356 similar samples on MalwareBazaar
TLSH T1EFD4F1B9B267EFA3D7AEC8F0124867961BE233B37A7D705CAF0E44D01687394485D492
TrID 71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.2% (.EXE) Win64 Executable (generic) (10523/12/4)
6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.3% (.EXE) Win32 Executable (generic) (4505/5/1)
2.0% (.ICL) Windows Icons Library (generic) (2059/9)
Reporter abuse_ch
Tags:exe SnakeKeylogger

Intelligence

File Origin
# of uploads :
1
# of downloads :
265
Origin country :
NL NL
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
MV Nicos Tomasos Vessel Parts.exe
Verdict:
Malicious activity
Analysis date:
2023-04-22 10:48:23 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/b46bb432-8ee9-4750-a804-4f71ed7bfc71

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/384254/
Detection(s):
Sanesecurity.Malware.28872.BadIN4.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Сreating synchronization primitives
Creating a file in the %AppData% directory
Enabling the 'hidden' option for recently created files
Adding an access-denied ACE
Creating a process from a recently created file
Creating a process with a hidden window
Launching a process
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
packed
Link:
https://www.filescan.io/uploads/6443bb2951816ede1d211bac/reports/abecd75a-eebe-4af5-a4d2-fe32b3f0f410/overview
Verdict:
Malicious
Labled as:
Lazy.Generic
Link:
https://www.hybrid-analysis.com/sample/8f90611a7d29f7e832d55fe1587107d30c53c2f580c45ea09c4f0cf45fe7cc7d
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Snake Keylogger
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/a1c125a8-37ff-437c-9903-5b8d716cc5ea
Result
Threat name:
Snake Keylogger
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1219169
Signature
.NET source code contains potential unpacker
Adds a directory exclusion to Windows Defender
Found malware configuration
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
May check the online IP address of the machine
Multi AV Scanner detection for submitted file
Sigma detected: Scheduled temp file as task from temp location
Snort IDS alert for network traffic
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Mail credentials (via file / registry access)
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected Generic Downloader
Yara detected Snake Keylogger
Yara detected Telegram RAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 852115 Sample: MV_Nicos_Tomasos_Vessel_Parts.exe Startdate: 22/04/2023 Architecture: WINDOWS Score: 100 45 Snort IDS alert for network traffic 2->45 47 Found malware configuration 2->47 49 Malicious sample detected (through community Yara rule) 2->49 51 7 other signatures 2->51 7 MV_Nicos_Tomasos_Vessel_Parts.exe 7 2->7         started        11 UNzdnppPuPNScT.exe 5 2->11         started        process3 file4 31 C:\Users\user\AppData\...\UNzdnppPuPNScT.exe, PE32 7->31 dropped 33 C:\...\UNzdnppPuPNScT.exe:Zone.Identifier, ASCII 7->33 dropped 35 C:\Users\user\AppData\Local\...\tmpDB29.tmp, XML 7->35 dropped 37 C:\...\MV_Nicos_Tomasos_Vessel_Parts.exe.log, ASCII 7->37 dropped 53 May check the online IP address of the machine 7->53 55 Uses schtasks.exe or at.exe to add and modify task schedules 7->55 57 Adds a directory exclusion to Windows Defender 7->57 13 MV_Nicos_Tomasos_Vessel_Parts.exe 15 2 7->13         started        17 powershell.exe 21 7->17         started        19 schtasks.exe 1 7->19         started        59 Machine Learning detection for dropped file 11->59 61 Injects a PE file into a foreign processes 11->61 21 UNzdnppPuPNScT.exe 14 2 11->21         started        23 schtasks.exe 1 11->23         started        signatures5 process6 dnsIp7 39 checkip.dyndns.com 193.122.6.168, 49683, 49684, 80 ORACLE-BMC-31898US United States 13->39 41 checkip.dyndns.org 13->41 25 conhost.exe 17->25         started        27 conhost.exe 19->27         started        43 checkip.dyndns.org 21->43 63 Tries to steal Mail credentials (via file / registry access) 21->63 65 Tries to harvest and steal ftp login credentials 21->65 67 Tries to harvest and steal browser information (history, passwords, etc) 21->67 29 conhost.exe 23->29         started        signatures8 process9
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/8f90611a7d29f7e832d55fe1587107d30c53c2f580c45ea09c4f0cf45fe7cc7d/
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=r6igcgt5fh36qmwvl7qvq4ih2mgfhqxvqdcf5ie4j4gpix7hzr6q._file
Verdict:
malicious
Similar samples:
0072635a2bda42343af1afb62d86f500d931498337411f7fbbb0a850a3e386db
SnakeKeylogger
09d16715756085ded7748ecdaea1e54e91304db6471ad9b79deeafe64e390224
SnakeKeylogger
2afc5c73079a55ba80fa508ff696f61367752ea8276def31b99df51cc3b8c085
SnakeKeylogger
5097c9d404fd3041340813c5a55acb0f8e6bcc1ff888bb2ed6989c2d0f40b7c9
SnakeKeylogger
8fcc45ad91c946c56a807d763576062e0a427539b9cb7fe2deb239b1da98e775
SnakeKeylogger
95a4f31cf9b3c1876798edc24aa9323d84e35a3c6d0fccbdde059e4062e50f78
SnakeKeylogger
a64f5b5615ebe7e09f5238788ab1e6dfc6e00acc1741ecceba0fbf3930389273
SnakeKeylogger
c5a9153aff97fd3982cba299d3b1fc114aee999ba0b0e39fd69b3abdeb846130
SnakeKeylogger
c7afa76d4d1a5546ea2c384d69b1d167306bd1f71dbcc848cfb77cd964c5e71a
SnakeKeylogger
dd61f1cf7d31d1c68a08e22c4959c42e37a950926f1dc5a12d26baeda41c3300
SnakeKeylogger
+ 346 additional samples on MalwareBazaar
Result
Malware family:
snakekeylogger
Create hunting rule
Score:
  10/10
Tags:
family:snakekeylogger collection keylogger spyware stealer
Link:
https://tria.ge/reports/230422-mvjexaed68/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Enumerates physical storage devices
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Looks up external IP address via web service
Checks computer location settings
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Snake Keylogger
Snake Keylogger payload
Unpacked files
SH256 hash:
42a1b13fcfeac3b9171c33a5f5d5cd202e022653fd40a3d77ec0ecffbdb25805
MD5 hash:
aca804d5d77bd73228eaa44a95402330
SHA1 hash:
fab4900d6af18796b65e1ab8f5ca4da5c933185b
Detections:
snake_keylogger
Create hunting rule
Link:
https://www.unpac.me/results/37699956-2a67-4245-bd18-b7b870976bde/
Parent samples :
854b59aa584237418101867e86018d0e0c3e8a588010d8cc8f8850e66b5221b9
003c6607c3deee0f0c458c18220403e1eb2ae5469814756e551faf5bf3fc9f5a
e6c74fa34990259423123de4dca4a6b1924929ac74b4e0078c702ca2ec05782b
e7549401654dedc2a2064ccaaf8301c753c76b0f71f208c0d819f2a56ab8949f
ca598fdf9fb15e2c04dbb11f4c4ba49c397029ed14fe2eedbc5c320eea4a00a6
145b8aff160e3a50b8b5b9e6fd3b68106c1f3c0766bf76fa88faea0787d07bf5
8f90611a7d29f7e832d55fe1587107d30c53c2f580c45ea09c4f0cf45fe7cc7d
42a1b13fcfeac3b9171c33a5f5d5cd202e022653fd40a3d77ec0ecffbdb25805
3ace1af5dc3cf09c40ae8d4c0c4f499fbe1996c7c041ee07e30fb24283b4343f
SH256 hash:
e5673f53fe3b3e73df4b8910d1f8cc1f14d35884e41912e4ffd2a5f658eef0cc
MD5 hash:
5e9658dc75c0f672fded66c8fb914ecb
SHA1 hash:
cd518eaa44ed176f9792e274f0b67c924c066200
Link:
https://www.unpac.me/results/37699956-2a67-4245-bd18-b7b870976bde/
SH256 hash:
0cd749abce90091da28523aa94f5b73e8424fe4c73f0026c161dfb4a0b514772
MD5 hash:
4a292558c6403736c032d0bcfe5d6677
SHA1 hash:
9706e1ea62bd135e5a054be0287558f6412e68f9
Link:
https://www.unpac.me/results/37699956-2a67-4245-bd18-b7b870976bde/
SH256 hash:
5e5c8fe4e53980a98b48fe6b19155edf0f0d285ed899c61dbf4f880583ddf1d2
MD5 hash:
b3bbc5461d12f07ea893bf415dfe7c89
SHA1 hash:
40c3156c471d2afe3fd88c7d20cf93e5782e1bd6
Link:
https://www.unpac.me/results/37699956-2a67-4245-bd18-b7b870976bde/
SH256 hash:
e5518e76f14e87bcc58a705c6f8f3a686cbffefc0e55985d17a067adfddf3688
MD5 hash:
920a2854e9c183ad2ef7d5543c296d38
SHA1 hash:
2c20da753bdf6f1a46261e2c132dd42f75c94229
Link:
https://www.unpac.me/results/37699956-2a67-4245-bd18-b7b870976bde/
SH256 hash:
8f90611a7d29f7e832d55fe1587107d30c53c2f580c45ea09c4f0cf45fe7cc7d
MD5 hash:
7396f86cb0779358bb89ab2c7419a7df
SHA1 hash:
abe566718fa1126828d29260f37b6ad408c954ec
Link:
https://www.unpac.me/results/37699956-2a67-4245-bd18-b7b870976bde/
Malware family:
SnakeKeylogger
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/8f90611a7d29/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
0.87
Link:
https://yomi.yoroi.company/submissions/8f90611a7d29f7e832d55fe1587107d30c53c2f580c45ea09c4f0cf45fe7cc7d

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:BitcoinAddress
Create hunting rule
Author:Didier Stevens (@DidierStevens)
Description:Contains a valid Bitcoin address
Rule name:INDICATOR_SUSPICIOUS_Binary_References_Browsers
Create hunting rule
Author:ditekSHen
Description:Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers.
Rule name:INDICATOR_SUSPICIOUS_EXE_DotNetProcHook
Create hunting rule
Author:ditekSHen
Description:Detects executables with potential process hoocking
Rule name:INDICATOR_SUSPICIOUS_EXE_References_Messaging_Clients
Create hunting rule
Author:ditekSHen
Description:Detects executables referencing many email and collaboration clients. Observed in information stealers
Rule name:INDICATOR_SUSPICIOUS_EXE_TelegramChatBot
Create hunting rule
Author:ditekSHen
Description:Detects executables using Telegram Chat Bot
Rule name:MALWARE_Win_SnakeKeylogger
Create hunting rule
Author:ditekSHen
Description:Detects Snake Keylogger
Rule name:MAL_Envrial_Jan18_1
Create hunting rule
Author:Florian Roth (Nextron Systems)
Description:Detects Encrial credential stealer malware
Reference:https://twitter.com/malwrhunterteam/status/953313514629853184
Rule name:MAL_Envrial_Jan18_1_RID2D8C
Create hunting rule
Author:Florian Roth
Description:Detects Encrial credential stealer malware
Reference:https://twitter.com/malwrhunterteam/status/953313514629853184
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash
Rule name:Windows_Trojan_SnakeKeylogger_af3faa65
Create hunting rule
Author:Elastic Security
Rule name:XWorm_Hunter
Create hunting rule
Author:Potato

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

SnakeKeylogger

Executable exe 8f90611a7d29f7e832d55fe1587107d30c53c2f580c45ea09c4f0cf45fe7cc7d

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/384254/

Comments