MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 90dd02313886725b3ad19eaa0780f7189d49e8d1a334e51e5432027e2326c14f. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


SnakeKeylogger


Vendor detections: 14


Intelligence 14 IOCs YARA 10 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 90dd02313886725b3ad19eaa0780f7189d49e8d1a334e51e5432027e2326c14f
SHA3-384 hash: 665b7145dc089f49559c389040ba0538e0e8970a91b0b0d5fed47392d5894ae1799b34b831480c513e56a654061a0f19
SHA1 hash: 97c47123d2c5e2312672b9e06e9502bc68ce7686
MD5 hash: 38995914b9924395a93a8fa7231af63b
humanhash: utah-quiet-maine-monkey
File name:ürünleri listele siparişi JPG.exe
Download: download sample
Signature SnakeKeylogger
Create hunting rule
File size:1'408'512 bytes
First seen:2024-05-10 08:30:05 UTC
Last seen:2024-05-10 09:22:09 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'740 x AgentTesla, 19'597 x Formbook, 12'241 x SnakeKeylogger)
ssdeep 24576:0xlH0Rs/5AT8v+/pOwZOPdM5A/F+XQU664vPu4imnT8grEzQthOjLNui8FOPSKFz:MlH0Rs/GTgwZOPaOFH5thOjLNui8FOPv
Threatray 416 similar samples on MalwareBazaar
TLSH T19555AF517B8C9204D5FFCB37A472E00B5A347D492AA2DB5D7ED0348D5CA3303AB266A7
TrID 30.6% (.SCR) Windows screen saver (13097/50/3)
24.5% (.EXE) Win64 Executable (generic) (10523/12/4)
15.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
10.5% (.EXE) Win32 Executable (generic) (4504/4/1)
4.8% (.ICL) Windows Icons Library (generic) (2059/9)
File icon (PE):PE icon
dhash icon 0999908fc78787fb (14 x Formbook, 3 x AgentTesla, 2 x SnakeKeylogger)
Reporter abuse_ch
Tags:exe geo SnakeKeylogger TUR

Intelligence

File Origin
# of uploads :
2
# of downloads :
311
Origin country :
NL NL
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
90dd02313886725b3ad19eaa0780f7189d49e8d1a334e51e5432027e2326c14f.exe
Verdict:
Malicious activity
Analysis date:
2024-05-10 09:56:04 UTC
Tags:
evasion snake keylogger
Link:
https://app.any.run/tasks/3e6a46d5-2795-468c-a13f-f751141617b8

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection(s):
Win.Malware.Banload-6981577-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Launching a process
Enabling the 'hidden' option for recently created files
Creating a process from a recently created file
Creating a file
Сreating synchronization primitives
DNS request
Connection attempt
Sending an HTTP GET request
Reading critical registry keys
Unauthorized injection to a recently created process
Unauthorized injection to a recently created process by context flags manipulation
Enabling autorun by creating a file
Verdict:
Malicious
Labled as:
Trojan.Mardom.IN.Generic
Link:
https://www.hybrid-analysis.com/sample/90dd02313886725b3ad19eaa0780f7189d49e8d1a334e51e5432027e2326c14f
Malware family:
Snake Keylogger
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/e2dcabab-75e6-4ae1-b7fa-9e32de6ca511
Result
Threat name:
Snake Keylogger
Create hunting rule
Detection:
malicious
Classification:
spre.troj.adwa.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1439548
Signature
.NET source code contains potential unpacker
.NET source code references suspicious native API functions
Antivirus detection for URL or domain
Bypasses PowerShell execution policy
Drops PE files to the startup folder
Found malware configuration
Injects a PE file into a foreign processes
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Powershell drops PE file
Sigma detected: Copy file to startup via Powershell
Yara detected Generic Downloader
Yara detected Snake Keylogger
Yara detected Telegram RAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1439548 Sample: #U00fcr#U00fcnleri listele ... Startdate: 10/05/2024 Architecture: WINDOWS Score: 100 37 checkip.dyndns.org 2->37 39 checkip.dyndns.com 2->39 49 Found malware configuration 2->49 51 Malicious sample detected (through community Yara rule) 2->51 53 Antivirus detection for URL or domain 2->53 55 9 other signatures 2->55 8 #U00fcr#U00fcnleri listele sipari#U015fi JPG.exe 3 2->8         started        11 skype.exe 3 2->11         started        13 svchost.exe 1 1 2->13         started        signatures3 process4 dnsIp5 57 Injects a PE file into a foreign processes 8->57 16 powershell.exe 13 8->16         started        20 #U00fcr#U00fcnleri listele sipari#U015fi JPG.exe 15 2 8->20         started        23 skype.exe 14 2 11->23         started        25 powershell.exe 11 11->25         started        43 127.0.0.1 unknown unknown 13->43 signatures6 process7 dnsIp8 35 C:\Users\user\AppData\Roaming\...\skype.exe, PE32 16->35 dropped 45 Drops PE files to the startup folder 16->45 47 Powershell drops PE file 16->47 27 conhost.exe 16->27         started        41 checkip.dyndns.com 158.101.44.242, 49706, 49716, 80 ORACLE-BMC-31898US United States 20->41 29 WerFault.exe 19 16 20->29         started        31 WerFault.exe 23->31         started        33 conhost.exe 25->33         started        file9 signatures10 process11
Score:
92%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/90dd02313886725b3ad19eaa0780f7189d49e8d1a334e51e5432027e2326c14f
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/90dd02313886725b3ad19eaa0780f7189d49e8d1a334e51e5432027e2326c14f/
Threat name:
Win32.Trojan.SnakeStealer
Create hunting rule
Status:
Malicious
First seen:
2024-05-10 08:31:06 UTC
File Type:
PE (.Net Exe)
Extracted files:
68
AV detection:
17 of 24 (70.83%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=sdoqemjyqzzfwowrt2vapahxdcout2grum2okhsugibh4izgyfhq._file
Verdict:
malicious
Similar samples:
1d16237ed75b507f03609ede9722fff429f9a7386c4c4408a9f47623d7a28b50
SnakeKeylogger
7154910c217ddc6b6d3726e066d688288efbcd8682a4ad90556fed2ce9009c69
SnakeKeylogger
90dd02313886725b3ad19eaa0780f7189d49e8d1a334e51e5432027e2326c14f
SnakeKeylogger
a5395961ee5eeddf2c81583e2eb11dafe8f8ebcc350204e0c8344e4d3e1614e6
SnakeKeylogger
c5dd4dced21baff9499dac6505a77527ac91dc0b0f187c20e9b960b46b3636b9
SnakeKeylogger
+ 406 additional samples on MalwareBazaar
Result
Malware family:
snakekeylogger
Create hunting rule
Score:
  10/10
Tags:
family:snakekeylogger collection execution keylogger spyware stealer
Link:
https://tria.ge/reports/240510-keq4psch3y/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Command and Scripting Interpreter: PowerShell
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Looks up external IP address via web service
Drops startup file
Executes dropped EXE
Loads dropped DLL
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Snake Keylogger
Snake Keylogger payload
Unpacked files
SH256 hash:
e22e7f09d743e524d134f4b4bbf5f1eb5308a3edb954a40b8aa5e68c7b8cffd4
MD5 hash:
07e1f7163b7d8b6d80d83d1c819436ef
SHA1 hash:
ed7724c52e18b9810939327b803ca03837915836
Detections:
HKTL_NET_GUID_BrowserPass
Create hunting rule
Link:
https://www.unpac.me/results/fa78cd81-ac4f-4cc2-b75c-4fd2e6dca134/
Parent samples :
1d16237ed75b507f03609ede9722fff429f9a7386c4c4408a9f47623d7a28b50
7154910c217ddc6b6d3726e066d688288efbcd8682a4ad90556fed2ce9009c69
c5dd4dced21baff9499dac6505a77527ac91dc0b0f187c20e9b960b46b3636b9
90dd02313886725b3ad19eaa0780f7189d49e8d1a334e51e5432027e2326c14f
SH256 hash:
48c58481d9ffddd3527c8ef3ad414a6ca5f547009c4daaf9c4fb4dc8d91d0e29
MD5 hash:
e03dc8e535c86d8bab6ba33ab875e587
SHA1 hash:
3ab146e413ee814a84724cf2bc5194d08745b0e8
Link:
https://www.unpac.me/results/fa78cd81-ac4f-4cc2-b75c-4fd2e6dca134/
SH256 hash:
ca54db6ee68aa620745e05c2aadace9cc1c89ad4bbe0d568024f88e864e05fb7
MD5 hash:
9e15e7bee7b9c9654513b0e570e87015
SHA1 hash:
e10ac74ca5b451c77ca8f9b211b6bd2d63f15ef6
Detections:
snake_keylogger
Create hunting rule
INDICATOR_SUSPICIOUS_EXE_TelegramChatBot
Create hunting rule
MAL_Envrial_Jan18_1
Create hunting rule
MALWARE_Win_SnakeKeylogger
Create hunting rule
INDICATOR_SUSPICIOUS_Binary_References_Browsers
Create hunting rule
INDICATOR_SUSPICIOUS_EXE_DotNetProcHook
Create hunting rule
Link:
https://www.unpac.me/results/fa78cd81-ac4f-4cc2-b75c-4fd2e6dca134/
SH256 hash:
45c7b64a55dca23ee1239649e03a7c361813dbcfc2a0817b0d8e94c907d6ed4b
MD5 hash:
fb1bc19121c4e190d83672bc71b493f0
SHA1 hash:
c3488b969ba578e28ee360be24b6416425a224a0
Link:
https://www.unpac.me/results/fa78cd81-ac4f-4cc2-b75c-4fd2e6dca134/
SH256 hash:
0e7e3b63b0d963c7b238949c74a621e2089127daaad889453ffead06242fd973
MD5 hash:
11cce2203a8496e49ad7b66331a533f4
SHA1 hash:
74d6fd0cb43d79657c2f5cb505b4f949578ae6f0
Link:
https://www.unpac.me/results/fa78cd81-ac4f-4cc2-b75c-4fd2e6dca134/
SH256 hash:
90dd02313886725b3ad19eaa0780f7189d49e8d1a334e51e5432027e2326c14f
MD5 hash:
38995914b9924395a93a8fa7231af63b
SHA1 hash:
97c47123d2c5e2312672b9e06e9502bc68ce7686
Link:
https://www.unpac.me/results/fa78cd81-ac4f-4cc2-b75c-4fd2e6dca134/
Malware family:
SnakeKeylogger
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/90dd02313886/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
iSpy Keylogger
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/90dd02313886725b3ad19eaa0780f7189d49e8d1a334e51e5432027e2326c14f

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_SUSPICIOUS_Binary_References_Browsers
Create hunting rule
Author:ditekSHen
Description:Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers.
Rule name:INDICATOR_SUSPICIOUS_EXE_DotNetProcHook
Create hunting rule
Author:ditekSHen
Description:Detects executables with potential process hoocking
Rule name:INDICATOR_SUSPICIOUS_EXE_TelegramChatBot
Create hunting rule
Author:ditekSHen
Description:Detects executables using Telegram Chat Bot
Rule name:MALWARE_Win_SnakeKeylogger
Create hunting rule
Author:ditekSHen
Description:Detects Snake Keylogger
Rule name:MAL_Envrial_Jan18_1
Create hunting rule
Author:Florian Roth (Nextron Systems)
Description:Detects Encrial credential stealer malware
Reference:https://twitter.com/malwrhunterteam/status/953313514629853184
Rule name:MAL_Envrial_Jan18_1_RID2D8C
Create hunting rule
Author:Florian Roth
Description:Detects Encrial credential stealer malware
Reference:https://twitter.com/malwrhunterteam/status/953313514629853184
Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:NETexecutableMicrosoft
Create hunting rule
Author:malware-lu
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_DLL_CHARACTERISTICSMissing dll Security Characteristics (HIGH_ENTROPY_VA)high

Comments