MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 90a1d9ed818948ecf53b88389a0a5ae7f96b9c530a4df4ad831238b752935515. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


SnakeKeylogger


Vendor detections: 15


Intelligence 15 IOCs YARA 14 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 90a1d9ed818948ecf53b88389a0a5ae7f96b9c530a4df4ad831238b752935515
SHA3-384 hash: aec6347b7658bdbe3397e29cc3204469a698204408a183e4abfd03e8bbcc3ccbd98a37b4d42244ac9cb05d19c356fab5
SHA1 hash: b085be051b2bd39f160317a224bfe3ed832c9ea3
MD5 hash: 3e7817369dd5d96f8ea1d9f373787336
humanhash: oven-georgia-fifteen-november
File name:033MSOG232441305.exe
Download: download sample
Signature SnakeKeylogger
Create hunting rule
File size:584'192 bytes
First seen:2023-09-07 06:24:57 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'744 x AgentTesla, 19'608 x Formbook, 12'242 x SnakeKeylogger)
ssdeep 12288:r3c2iNHkDwMD83IYWclwe+3w/o+mV4ZgzoDID8LXe0sQQAu:r3c1RkDV83IYBlHA+mVcgzfDoXPdX
Threatray 226 similar samples on MalwareBazaar
TLSH T1A1C4021AB3FC1B6BC576A7F018601094077AA926A5F2DB494DC270E725B3BF10B42F97
TrID 71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.2% (.EXE) Win64 Executable (generic) (10523/12/4)
6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.3% (.EXE) Win32 Executable (generic) (4505/5/1)
2.0% (.ICL) Windows Icons Library (generic) (2059/9)
Reporter abuse_ch
Tags:exe SnakeKeylogger

Intelligence

File Origin
# of uploads :
1
# of downloads :
283
Origin country :
NL NL
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
033MSOG232441305.exe
Verdict:
Malicious activity
Analysis date:
2023-09-07 06:26:57 UTC
Tags:
evasion snake
Link:
https://app.any.run/tasks/dd804918-feb7-4479-8b6f-e515bc8bbb80

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/446849/
Detection(s):
SecuriteInfo.com.MSIL.Kryptik.WZA.UNOFFICIAL
Create hunting rule

Porcupine.Malware.58887.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a custom TCP request
Creating a process with a hidden window
Launching a process
Restart of the analyzed sample
Adding an exclusion to Microsoft Defender
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
packed
Link:
https://www.filescan.io/uploads/64f96cc6c95366b9ef014db8/reports/fa56e49f-aeca-4b64-989f-973c7cc804aa/overview
Verdict:
Malicious
Labled as:
Ser.Lazy.Generic
Link:
https://www.hybrid-analysis.com/sample/90a1d9ed818948ecf53b88389a0a5ae7f96b9c530a4df4ad831238b752935515
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Snake Keylogger
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/2aae53db-bd6d-4afb-9ee3-e2232932d802
Result
Threat name:
Snake Keylogger
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1304939
Signature
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains potential unpacker
Adds a directory exclusion to Windows Defender
Found malware configuration
Injects a PE file into a foreign processes
Malicious sample detected (through community Yara rule)
May check the online IP address of the machine
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Scheduled temp file as task from temp location
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected AntiVM3
Yara detected Generic Downloader
Yara detected Snake Keylogger
Yara detected Telegram RAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 1304939 Sample: 033MSOG232441305.exe Startdate: 07/09/2023 Architecture: WINDOWS Score: 100 45 Found malware configuration 2->45 47 Malicious sample detected (through community Yara rule) 2->47 49 Sigma detected: Scheduled temp file as task from temp location 2->49 51 7 other signatures 2->51 7 033MSOG232441305.exe 7 2->7         started        11 xKojhJZs.exe 5 2->11         started        process3 file4 31 C:\Users\user\AppData\Roaming\xKojhJZs.exe, PE32 7->31 dropped 33 C:\Users\user\AppData\Local\...\tmp8949.tmp, XML 7->33 dropped 53 May check the online IP address of the machine 7->53 55 Uses schtasks.exe or at.exe to add and modify task schedules 7->55 57 Adds a directory exclusion to Windows Defender 7->57 13 033MSOG232441305.exe 15 2 7->13         started        17 powershell.exe 20 7->17         started        19 schtasks.exe 1 7->19         started        59 Multi AV Scanner detection for dropped file 11->59 61 Injects a PE file into a foreign processes 11->61 21 xKojhJZs.exe 2 11->21         started        23 schtasks.exe 1 11->23         started        signatures5 process6 dnsIp7 35 132.226.247.73, 49715, 80 UTMEMUS United States 13->35 37 checkip.dyndns.com 158.101.44.242, 80 ORACLE-BMC-31898US United States 13->37 39 checkip.dyndns.org 13->39 25 conhost.exe 17->25         started        27 conhost.exe 19->27         started        41 193.122.6.168, 49716, 80 ORACLE-BMC-31898US United States 21->41 43 checkip.dyndns.org 21->43 63 Tries to steal Mail credentials (via file / registry access) 21->63 65 Tries to harvest and steal browser information (history, passwords, etc) 21->65 29 conhost.exe 23->29         started        signatures8 process9
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/90a1d9ed818948ecf53b88389a0a5ae7f96b9c530a4df4ad831238b752935515/
Threat name:
Win32.Trojan.Leonem
Create hunting rule
Status:
Malicious
First seen:
2023-09-06 12:59:04 UTC
File Type:
PE (.Net Exe)
Extracted files:
13
AV detection:
22 of 38 (57.89%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=scq5t3mbrfeoz5j3ra4jucs2474wxhctbjg7jlmdci4louutkukq._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
4853da12f682cf7232c3a41b5de1c28e838cf72c8c118fec7f66dabd451598b0
SnakeKeylogger
4e6fda468f16cee9f106def8f3217930ba442d79daa41cde7dd5b6f817bd5127
SnakeKeylogger
6eddba1588ba6d7183a7940a9974cc188c5473a5087f6853dc40c48df726d598
SnakeKeylogger
7ad8b74ac85044fdec2b62194c0e22ce7d31b353a97bce4ea09e80151bff60fb
SnakeKeylogger
7d4f7981db8db1cd2ace8fb209ff9c5e73315bd1ded3157f3ad9bc085052d2e8
SnakeKeylogger
bee949c5192f46467c2fb76490dd2407f4206639c2e5e824c74e879c02fcc342
SnakeKeylogger
ce14e600e9fabbe76c755ebf23c96be8cda1054c4cd00ef0c0d8b3b8e04769ee
SnakeKeylogger
d9819797562fc37901466523b731e2114efd43d2395887cf44116e7b208e7d71
SnakeKeylogger
df8944cca7e607a5fe6765794fbd8c009de24cc170a99cd0cb7055b177b6a217
SnakeKeylogger
ea4c93c7108d234fa463739575ee27035d327f026c813b39ba2b93a634cdc7e8
SnakeKeylogger
+ 216 additional samples on MalwareBazaar
Result
Malware family:
snakekeylogger
Create hunting rule
Score:
  10/10
Tags:
family:snakekeylogger collection keylogger spyware stealer
Link:
https://tria.ge/reports/230907-g6mzksfa3z/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Enumerates physical storage devices
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Looks up external IP address via web service
Checks computer location settings
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Snake Keylogger
Snake Keylogger payload
Unpacked files
SH256 hash:
55ea20faf9b0c8c00f3d3ea16ff5bfd836fa99f1941946885d45240d2f681f4c
MD5 hash:
eec54763c3b2e33ba860048ffe88f910
SHA1 hash:
8034038ca99a91c8fdf69b1bc745e9dcdaac02e4
Link:
https://www.unpac.me/results/c4c8ef85-5eae-44e5-bc09-039431e61a24/
SH256 hash:
264caf7746ca039fbea45cc9a691f7124285b29cdcca0c5b8d7049f2c24fda9d
MD5 hash:
c9f306fecb17214b8ac9a9daf5030846
SHA1 hash:
4ef925e7deab1ae32e4926f6d7cc65318c0a1f0e
Detections:
snake_keylogger
Create hunting rule
Link:
https://www.unpac.me/results/c4c8ef85-5eae-44e5-bc09-039431e61a24/
Parent samples :
90a1d9ed818948ecf53b88389a0a5ae7f96b9c530a4df4ad831238b752935515
347a49b7e5d032c2585811ec299182ec24139fd12d967aea4749e44cf0c6dc9a
SH256 hash:
0bdac11b6b7a8789b83bde120fc7b00dbd51bae110b6cb719497110686591715
MD5 hash:
83c87982b402e46e8b9bf47952096385
SHA1 hash:
225fe88c5f77334dd77f4b97f63d3139c145d777
Link:
https://www.unpac.me/results/c4c8ef85-5eae-44e5-bc09-039431e61a24/
SH256 hash:
0630b864e828fff2d66f33ab7d00fad231df4c00fc0bbad313ee0d12ca503198
MD5 hash:
f559a9abbd849eb977d262d597d6e4fd
SHA1 hash:
0a8769b40b026852690c89b913c2812817ef43c8
Link:
https://www.unpac.me/results/c4c8ef85-5eae-44e5-bc09-039431e61a24/
Parent samples :
cef72412a1dd9486bae5f7e606d4330660fba98575ba1c939559ccc83536f41a
81ccf158093718305b3499d0f16d8a82bcad69f2740066daca8d5b5ca9979688
SH256 hash:
90a1d9ed818948ecf53b88389a0a5ae7f96b9c530a4df4ad831238b752935515
MD5 hash:
3e7817369dd5d96f8ea1d9f373787336
SHA1 hash:
b085be051b2bd39f160317a224bfe3ed832c9ea3
Link:
https://www.unpac.me/results/c4c8ef85-5eae-44e5-bc09-039431e61a24/
Malware family:
SnakeKeylogger
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/90a1d9ed8189/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
0.87
Link:
https://yomi.yoroi.company/submissions/90a1d9ed818948ecf53b88389a0a5ae7f96b9c530a4df4ad831238b752935515

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:crime_snake_keylogger
Create hunting rule
Author:Rony (r0ny_123)
Description:Detects Snake keylogger payload
Rule name:INDICATOR_SUSPICIOUS_Binary_References_Browsers
Create hunting rule
Author:ditekSHen
Description:Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers.
Rule name:INDICATOR_SUSPICIOUS_EXE_DotNetProcHook
Create hunting rule
Author:ditekSHen
Description:Detects executables with potential process hoocking
Rule name:INDICATOR_SUSPICIOUS_EXE_References_Messaging_Clients
Create hunting rule
Author:ditekSHen
Description:Detects executables referencing many email and collaboration clients. Observed in information stealers
Rule name:INDICATOR_SUSPICIOUS_EXE_TelegramChatBot
Create hunting rule
Author:ditekSHen
Description:Detects executables using Telegram Chat Bot
Rule name:MALWARE_Win_SnakeKeylogger
Create hunting rule
Author:ditekSHen
Description:Detects Snake Keylogger
Rule name:MAL_Envrial_Jan18_1
Create hunting rule
Author:Florian Roth (Nextron Systems)
Description:Detects Encrial credential stealer malware
Reference:https://twitter.com/malwrhunterteam/status/953313514629853184
Rule name:MAL_Envrial_Jan18_1_RID2D8C
Create hunting rule
Author:Florian Roth
Description:Detects Encrial credential stealer malware
Reference:https://twitter.com/malwrhunterteam/status/953313514629853184
Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:NETexecutableMicrosoft
Create hunting rule
Author:malware-lu
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash
Rule name:Windows_Trojan_SnakeKeylogger_af3faa65
Create hunting rule
Author:Elastic Security

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

SnakeKeylogger

Executable exe 90a1d9ed818948ecf53b88389a0a5ae7f96b9c530a4df4ad831238b752935515

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/446849/

Comments