MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 936e780eba4b7c04267fd9920295dcfce6e5cc6782e75dcd56041d4ea40de60f. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


SnakeKeylogger


Vendor detections: 15


Intelligence 15 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 936e780eba4b7c04267fd9920295dcfce6e5cc6782e75dcd56041d4ea40de60f
SHA3-384 hash: 74e55202384248332bcadf6e9e9a67869eb4f39c45e9a667ee9dbc89343708f5a47835855cad49bd525d2c64462d55b8
SHA1 hash: 7d2af9d9e23f056769befb43a1d03f0d12179b71
MD5 hash: 3531cf533d859003c224747afadc8f55
humanhash: alanine-orange-high-failed
File name:Signed po_000165.exe
Download: download sample
Signature SnakeKeylogger
Create hunting rule
File size:1'002'496 bytes
First seen:2023-03-30 17:20:38 UTC
Last seen:2023-04-04 23:30:09 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'740 x AgentTesla, 19'600 x Formbook, 12'241 x SnakeKeylogger)
ssdeep 24576:WmkO8EYGCBso0c4cF5oHCOYmsmRv2Hriq1o25zimX:W5OXYGCGojF5ACOYsYHXo25
Threatray 199 similar samples on MalwareBazaar
TLSH T1922512047AE8C10DC126937DA1E0D2B067B6DDC9E2A2C7675FC9BCD773CE749A520286
TrID 69.7% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.0% (.EXE) Win64 Executable (generic) (10523/12/4)
6.2% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.2% (.EXE) Win32 Executable (generic) (4505/5/1)
1.9% (.EXE) Win16/32 Executable Delphi generic (2072/23)
Reporter abuse_ch
Tags:exe SnakeKeylogger

Intelligence

File Origin
# of uploads :
2
# of downloads :
243
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
Signed po_000165.exe
Verdict:
Malicious activity
Analysis date:
2023-03-30 17:33:15 UTC
Tags:
snake keylogger trojan evasion
Link:
https://app.any.run/tasks/009f0a94-8e24-47f6-a426-a22519b7f622

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Snake
Create hunting rule
Link:
https://www.capesandbox.com/analysis/378887/
Detection(s):
Sanesecurity.Malware.28872.BadIN4.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Сreating synchronization primitives
Creating a file in the %AppData% directory
Enabling the 'hidden' option for recently created files
Adding an access-denied ACE
Creating a process from a recently created file
Creating a process with a hidden window
Creating a file in the %temp% directory
Launching a process
Unauthorized injection to a recently created process
Creating a file
DNS request
Sending an HTTP GET request
Enabling autorun by creating a file
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
formbook packed
Link:
https://www.filescan.io/uploads/6425c5074fbb909ff92e5e07/reports/b618d880-9023-48cd-aedb-a798272ec18c/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_90%
Link:
https://www.hybrid-analysis.com/sample/936e780eba4b7c04267fd9920295dcfce6e5cc6782e75dcd56041d4ea40de60f
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Snake Keylogger
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/fcd6317c-812b-4034-aa54-7d1fca14b09b
Result
Threat name:
Snake Keylogger
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1205414
Signature
.NET source code contains potential unpacker
.NET source code references suspicious native API functions
Adds a directory exclusion to Windows Defender
Initial sample is a PE file and has a suspicious name
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
May check the online IP address of the machine
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Scheduled temp file as task from temp location
Snort IDS alert for network traffic
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Mail credentials (via file / registry access)
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected BrowserPasswordDump
Yara detected Generic Downloader
Yara detected Snake Keylogger
Yara detected Telegram RAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 838336 Sample: Signed_po_000165.exe Startdate: 30/03/2023 Architecture: WINDOWS Score: 100 51 Snort IDS alert for network traffic 2->51 53 Malicious sample detected (through community Yara rule) 2->53 55 Sigma detected: Scheduled temp file as task from temp location 2->55 57 9 other signatures 2->57 7 Signed_po_000165.exe 7 2->7         started        11 TevrSyiwyl.exe 5 2->11         started        process3 file4 33 C:\Users\user\AppData\...\TevrSyiwyl.exe, PE32 7->33 dropped 35 C:\Users\...\TevrSyiwyl.exe:Zone.Identifier, ASCII 7->35 dropped 37 C:\Users\user\AppData\Local\...\tmpE555.tmp, XML 7->37 dropped 39 C:\Users\user\...\Signed_po_000165.exe.log, ASCII 7->39 dropped 65 May check the online IP address of the machine 7->65 67 Uses schtasks.exe or at.exe to add and modify task schedules 7->67 69 Adds a directory exclusion to Windows Defender 7->69 13 Signed_po_000165.exe 15 2 7->13         started        16 powershell.exe 20 7->16         started        18 schtasks.exe 1 7->18         started        71 Multi AV Scanner detection for dropped file 11->71 73 Machine Learning detection for dropped file 11->73 20 TevrSyiwyl.exe 14 2 11->20         started        23 schtasks.exe 1 11->23         started        signatures5 process6 dnsIp7 41 checkip.dyndns.com 132.226.247.73, 49697, 80 UTMEMUS United States 13->41 43 checkip.dyndns.org 13->43 45 192.168.2.1 unknown unknown 13->45 25 WerFault.exe 13->25         started        27 conhost.exe 16->27         started        29 conhost.exe 18->29         started        47 158.101.44.242, 49708, 80 ORACLE-BMC-31898US United States 20->47 49 checkip.dyndns.org 20->49 59 Tries to steal Mail credentials (via file / registry access) 20->59 61 Tries to harvest and steal ftp login credentials 20->61 63 Tries to harvest and steal browser information (history, passwords, etc) 20->63 31 conhost.exe 23->31         started        signatures8 process9
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/936e780eba4b7c04267fd9920295dcfce6e5cc6782e75dcd56041d4ea40de60f/
Threat name:
ByteCode-MSIL.Spyware.Noon
Create hunting rule
Status:
Malicious
First seen:
2023-03-30 17:21:12 UTC
File Type:
PE (.Net Exe)
Extracted files:
8
AV detection:
17 of 24 (70.83%)
Threat level:
  2/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=snxhqdv2jn6aijt73gjaffo47ttoltdhqltv3tkwaqou5jan4yhq._file
Verdict:
malicious
Similar samples:
14bbd07c46327a8c4aeb412454bca9b2b46f254f63f562012d2d45f02b812766
SnakeKeylogger
191529d733524665838e0d27b44844ca0a3c914d8577d4f2d8c8b93ea4a7729a
SnakeKeylogger
3ca1a9ee70e56cd13b3472f4263f9c480d5fa9d70a18335e28ea41b5bb048461
SnakeKeylogger
3fae62e5822434bb1d7ec5583521a3f08e43a2521e0df922dde8ad18e666bac7
SnakeKeylogger
559b97a856fca272b7f5891100f1317d5f4846d12e86d113c8334c9861e4b026
SnakeKeylogger
7c69c8b13870df342b88a74c4593de7cdafd313516a613e6d2c358654989b197
SnakeKeylogger
80b6e703e67ace7480854fa2e005495b86c53b0f2afd72018d0c77bf9fd43605
SnakeKeylogger
9518bbb8733188879069262811a90b041d800479edbb1b0be4a7526deb47bbed
SnakeKeylogger
aad777a2d2f4c889859ca2fbdc9d2bc782cf989c31d95be12abda966f4cbaf19
SnakeKeylogger
+ 189 additional samples on MalwareBazaar
Result
Malware family:
snakekeylogger
Create hunting rule
Score:
  10/10
Tags:
family:snakekeylogger collection keylogger spyware stealer
Link:
https://tria.ge/reports/230330-vw1pksfa3y/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Enumerates physical storage devices
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Looks up external IP address via web service
Checks computer location settings
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Snake Keylogger
Snake Keylogger payload
Unpacked files
SH256 hash:
e22e7f09d743e524d134f4b4bbf5f1eb5308a3edb954a40b8aa5e68c7b8cffd4
MD5 hash:
07e1f7163b7d8b6d80d83d1c819436ef
SHA1 hash:
ed7724c52e18b9810939327b803ca03837915836
Link:
https://www.unpac.me/results/174687e5-e0bc-474d-abe8-51239460b81e/
Parent samples :
1d16237ed75b507f03609ede9722fff429f9a7386c4c4408a9f47623d7a28b50
7154910c217ddc6b6d3726e066d688288efbcd8682a4ad90556fed2ce9009c69
c5dd4dced21baff9499dac6505a77527ac91dc0b0f187c20e9b960b46b3636b9
90dd02313886725b3ad19eaa0780f7189d49e8d1a334e51e5432027e2326c14f
SH256 hash:
541279fe8509ce7c477f6aa505f054c20b8084a58d2a87f331694a4815e500fd
MD5 hash:
fc872b15160efee9ad7519982b83ea9f
SHA1 hash:
be5ee32862344ff80b8944805a80fe750f0a9531
Link:
https://www.unpac.me/results/174687e5-e0bc-474d-abe8-51239460b81e/
SH256 hash:
5062f99a5460cbd448d7f9c35d5c05aafa3ce36357be73268367d779dd92396e
MD5 hash:
c499b0e057f46db9f5ad9f0e9181830e
SHA1 hash:
fda2b448e6c7a411e1baed2a8bca7050b9b769ef
Link:
https://www.unpac.me/results/174687e5-e0bc-474d-abe8-51239460b81e/
SH256 hash:
e72af8bd85b1c7c422071d02df699f88a0c9fb0c896941a75a58f52e83fcdf41
MD5 hash:
173687cfff37837d6ebb60873ceacd73
SHA1 hash:
a7360c1ab58b86c9893bb5bf966f3e7551ae41e9
Link:
https://www.unpac.me/results/174687e5-e0bc-474d-abe8-51239460b81e/
SH256 hash:
3c507afadbb1c31a9ebdd24baac5739d47576159e01c5e84f973c951885100aa
MD5 hash:
e79bf0e7e9d52d398e0b23b352394c68
SHA1 hash:
682325763a0ec77e0fd475ea3a4021b4651eceac
Link:
https://www.unpac.me/results/174687e5-e0bc-474d-abe8-51239460b81e/
SH256 hash:
cae81a6e007e23158a4b209f92225c19393c1cff745f3f3376e0a0fdf93d9d2c
MD5 hash:
e3e1b8206f5602221051dbac751117ba
SHA1 hash:
5434a2e97b5fdfaf72a69ad99a57f28380124877
Detections:
snake_keylogger
Create hunting rule
Link:
https://www.unpac.me/results/174687e5-e0bc-474d-abe8-51239460b81e/
Parent samples :
164624329cd069611563f7bf809de8691e254759a75d667cea664d3bc305eb12
3f380f78cc986824f49f8e5f4a93f6a4fd5355f5086ea15948fbafcb5e7ebc31
3b961c415aab8bafde4c9ec0a7d0ac512f4b14bb5a4128de965222d9fc96b178
f3f560dddb5b80bbe688cc8bae8f2160f91b8bb494a9795246af42d7b2d19b2b
5950b1a61395119d915e3f08dc3bd0ea19b7aa186b13523351e73579e44c9d19
1bd8f3260eef97220ff4fbf88e4e4005832becf5a74742c2bd2fbf542e446972
936e780eba4b7c04267fd9920295dcfce6e5cc6782e75dcd56041d4ea40de60f
eb7fbab560eeb18b5c34317156b7582d94bd1eae5b7559d2f6656f0d21e2e59a
9e4bd21915358667004d90ac2d979d54d1b469332d4596082954e9e8d95d5bd5
SH256 hash:
436ac80006877badd4c37e59e14611060fbc6ba40eb9cf1f1c7b86d0cfe62b2c
MD5 hash:
45b307ee6c486a9744c054574add6c04
SHA1 hash:
4df57509a1f5230be636645b446f9ea9387f6b75
Link:
https://www.unpac.me/results/174687e5-e0bc-474d-abe8-51239460b81e/
SH256 hash:
936e780eba4b7c04267fd9920295dcfce6e5cc6782e75dcd56041d4ea40de60f
MD5 hash:
3531cf533d859003c224747afadc8f55
SHA1 hash:
7d2af9d9e23f056769befb43a1d03f0d12179b71
Link:
https://www.unpac.me/results/174687e5-e0bc-474d-abe8-51239460b81e/
Malware family:
SnakeKeylogger
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/936e780eba4b/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/936e780eba4b7c04267fd9920295dcfce6e5cc6782e75dcd56041d4ea40de60f

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

SnakeKeylogger

Executable exe 936e780eba4b7c04267fd9920295dcfce6e5cc6782e75dcd56041d4ea40de60f

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/378887/

Comments