MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 9432b4cd9f8a31640bf60b6cf8bece39ee0b0f110d2d43e429d9d203e1feaf41. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

SnakeKeylogger

Vendor detections: 15

Intelligence 15 IOCs YARA File information Comments

SHA256 hash:	9432b4cd9f8a31640bf60b6cf8bece39ee0b0f110d2d43e429d9d203e1feaf41
SHA3-384 hash:	d0ece18516d105bdad72823204430507b00f49dbe18fedeaf6ed0470c381154bcde62197e2549c0584699b87f9a707af
SHA1 hash:	5b52770b9b7be420217965e086f85eddd98cf6f4
MD5 hash:	59efaf9abc653a6cb1cf81cbf94a25c7
humanhash:	november-comet-london-spaghetti
File name:	Waybill Number 7807431483.exe
Download:	download sample
Signature	SnakeKeylogger Create hunting rule
File size:	1'500'191 bytes
First seen:	2023-02-22 12:58:20 UTC
Last seen:	2023-02-22 13:54:51 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	98f67c550a7da65513e63ffd998f6b2e (21 x SnakeKeylogger, 13 x MassLogger, 11 x CryptOne)
ssdeep	24576:K5xolYQY6x84NZCLIPGJTczBBZwTaaR/kWl03rClALn6PSDAUKNaAZCCtcuJ:dYudZnP6c9H+aaR/j0bd66hK9Z
Threatray	432 similar samples on MalwareBazaar
TLSH	T1CF65BE0BB6B0A037F8AE40BC053522CF6E317A533A8CE5171F667A445D66DF7B1E8216
TrID	38.2% (.EXE) Win32 Executable Microsoft Visual Basic 6 (82067/2/8) 34.0% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13) 14.5% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13) 4.9% (.EXE) Win64 Executable (generic) (10523/12/4) 2.3% (.EXE) Win16 NE executable (generic) (5038/12/1)
File icon (PE):
dhash icon	65626363c383e221 (3 x SnakeKeylogger, 1 x zgRAT)
Reporter	abuse_ch
Tags:	exe SnakeKeylogger

Intelligence

File Origin

# of uploads :

# of downloads :

221

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

Waybill Number 7807431483.exe

Verdict:

Malicious activity

Analysis date:

2023-02-22 12:59:40 UTC

Tags:

evasion trojan snake keylogger

Link:

https://app.any.run/tasks/845fa31a-28d2-4d23-8f7a-c89c12fa8ae9

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/369039/

Detection(s):

PUA.Win.Packer.ProtectSharewar-2

PUA.Win.Packer.ProtectSharewar-3

Sanesecurity.Malware.28872.BadIN4.UNOFFICIAL

Win.Malware.Swisyn-7610494-0

Win.Virus.Sality-6335700-2

Win.Malware.Swisyn-9942393-0

Win.Trojan.VBGeneric-6735885-0

Win.Virus.Sality-6747602-0

Win.Trojan.Kazy-304

Result

Verdict:

Malware

Maliciousness:

Behaviour

Сreating synchronization primitives

Creating a window

Creating a file

Creating a process from a recently created file

Creating a process with a hidden window

Creating a file in the Windows subdirectories

Enabling the 'hidden' option for recently created files

Sending a custom TCP request

Setting a keyboard event handler

Setting a global event handler

Creating a file in the %AppData% directory

Unauthorized injection to a recently created process

Setting a single autorun event

Launching the process to create tasks for the scheduler

Enabling autorun

Enabling a "Do not show hidden files" option

Verdict:

Likely Malicious

Threat level:

7.5/10

Confidence:

83%

Tags:

greyware keylogger overlay packed packed shell32.dll

Link:

https://www.filescan.io/uploads/63f6119801b99ad33e802c90/reports/4e3d57b3-07a7-4eb9-87ce-3f28101732e1/overview

Verdict:

Malicious

Labled as:

Trojan.Swisyn

Link:

https://www.hybrid-analysis.com/sample/9432b4cd9f8a31640bf60b6cf8bece39ee0b0f110d2d43e429d9d203e1feaf41

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Generic Malware

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/f3215071-7c1f-42be-874c-12cb9ddea0c9

Result

Threat name:

CryptOne, Snake Keylogger

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1180701

Signature

Antivirus / Scanner detection for submitted sample

Antivirus detection for dropped file

Creates an undocumented autostart registry key

Detected CryptOne packer

Drops executables to the windows directory (C:\Windows) and starts them

Drops PE files with benign system names

Initial sample is a PE file and has a suspicious name

Injects a PE file into a foreign processes

Installs a global keyboard hook

Machine Learning detection for dropped file

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

May check the online IP address of the machine

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

PE file has a writeable .text section

Snort IDS alert for network traffic

System process connects to network (likely due to code injection or exploit)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to steal Mail credentials (via file / registry access)

Uses schtasks.exe or at.exe to add and modify task schedules

Yara detected Generic Downloader

Yara detected Snake Keylogger

Yara detected Telegram RAT

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/9432b4cd9f8a31640bf60b6cf8bece39ee0b0f110d2d43e429d9d203e1feaf41/

Threat name:

Win32.Trojan.Swisyn

Status:

Malicious

First seen:

2023-02-22 12:59:09 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

25 of 25 (100.00%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=sqzljtm7riywic7wbnwprpwohhxawdyrbuwuhzbj3hjahyp6v5aq._file

Verdict:

malicious

Label(s):

avemaria

SnakeKeylogger

18271dbc8d477228a12d9c20ed6d7be7c423f0ee3de9a0118b4bae74072816bf

SnakeKeylogger

1b4322eaa16e3d5e78993498dce2b9e3823bf553055039d328155e1b4f6df00a

SnakeKeylogger

279e5377adb28951afa282d008b2612c2c88b2355f94e66ca5a9844c8f534329

SnakeKeylogger

27f98c163a61c64b9d02b780ecb06f45c7bb47d07c7b830491c7f6eea39b2e07

SnakeKeylogger

61ba3d71e0cf86858c6d93d14c331d844d78238d27a90449c69f1f26d030eae0

SnakeKeylogger

ae3280531b573e9950f18d0a9b42d413c02ad56bb0ce24787be51ed45671d2ad

SnakeKeylogger

bea81785cb10732b0885f27edf800c491a051fde3a62e6ba21aab2c64d96a37f

SnakeKeylogger

c3bbe889607ea65e9e9310509d927ba4f08630b5738d35c76937ba978bd5ecea

SnakeKeylogger

d1ef2dd93176ae8dca22ea9b653c70b9e6777db7517a019d8bcad7ac85b260f9

SnakeKeylogger

+ 422 additional samples on MalwareBazaar

Result

Malware family:

snakekeylogger

Score:

10/10

Tags:

family:snakekeylogger collection evasion keylogger persistence spyware stealer

Link:

https://tria.ge/reports/230222-p73qesbf56/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: GetForegroundWindowSpam

Suspicious use of AdjustPrivilegeToken

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

outlook_office_path

outlook_win_path

Enumerates physical storage devices

Program crash

Drops file in Windows directory

Suspicious use of SetThreadContext

Accesses Microsoft Outlook profiles

Adds Run key to start application

Looks up external IP address via web service

Executes dropped EXE

Loads dropped DLL

Reads data files stored by FTP clients

Reads user/profile data of local email clients

Reads user/profile data of web browsers

Modifies Installed Components in the registry

Modifies WinLogon for persistence

Modifies visiblity of hidden/system files in Explorer

Snake Keylogger

Snake Keylogger payload

Malware Config

C2 Extraction:

https://api.telegram.org/bot5300146648:AAHnGWyIYhkCfGzD7b3SfmLZj94Y8lXxD90/sendMessage?chat_id=5116181161

Unpacked files

SH256 hash:

d253e991b0afb6b3e9cfaf8dce2e56c93e6ac838ce8f4a6c1c0b4752527009c6

MD5 hash:

915aa3d78cab8eb6920c2cf8ab39e6a1

SHA1 hash:

f4dc2ac541b600883e4648aafbc92f5e0b1811f0

Detections:

snake_keylogger

Link:

https://www.unpac.me/results/27d46302-cbbf-41f9-9224-6efe38b24179/

Parent samples :

9432b4cd9f8a31640bf60b6cf8bece39ee0b0f110d2d43e429d9d203e1feaf41
8d31760b4b183db7fbb1cce9c5dab77e264c27484eb49193c6ebd0cc1deeaccf
808af00d1b4ec59a042cfa6d2a46549fca9d2d588847287bab70321622e008cd
05bec361a7f7ce8bb453225e15f0911068f103c51eee5e553f783955f65ed54c
54bae76ab64ae74ef5b97cef8aaffa2ec1254df6fea46d54c1387b6f5d5fb025
b43c354874e511906b2a3abef9db96af2a2d0aec46c8d04fe7357bcebdf03a4f
7e039e4d466d67e2e7fe4cf46aa141db13f2454161ebc86ec1dd02c33113d154
34ae82b3da999e17e5b62fae65be1827e3f6a54c599c68f1a02666772b70eb09
d4086b64b176925017dd2db176cb3754e172bcec944037e1f3ea53ce48c1303f
e6c7bf9f389f560ec25ba1808468c5d334cf75d2142face3704aac05af8c024b
c9234000f8f576a39a7d2a957826094c1c0e37b141ef26ee2e8e36a62e09805a
92f0a55426e5040dc80133f908906acddaa338792783507fb0bb62d5b786c3ce
0f629b4e11087c4e000457daa326269c1ed26198d5a5e8f963d10e0be9dd77a7
4df7854ec37d3d2d2f8b87ef3811ac4b4ea2f16c0d37329a91a4ebeca78337fb
d253e991b0afb6b3e9cfaf8dce2e56c93e6ac838ce8f4a6c1c0b4752527009c6

SH256 hash:

41519ae1277ab77f762f7144f97eff6b038a113d2ff0784711b5aee261006e7c

MD5 hash:

5495577f2a2353cbc4a5c67f01666da4

SHA1 hash:

aa46c09d08ec4f54dd581bf99216ec3b18b68706

Detections:

snake_keylogger

Link:

https://www.unpac.me/results/27d46302-cbbf-41f9-9224-6efe38b24179/

SH256 hash:

d06df7395d561e198f9b7c5481567116ff2e4c2e84437c018d2a2c8ea6c4ca37

MD5 hash:

0fb6061f7d37424fb9e6d0e76b019c19

SHA1 hash:

98a64bf7b459f032d6ec5793003bf61b5ae1dd74

Link:

https://www.unpac.me/results/27d46302-cbbf-41f9-9224-6efe38b24179/

Parent samples :

495607b1aef01bf7dfb64b5cb16a8fc0f161c2923627d71c69de97328f8eca3f
2434aa78b46a3afc98fa6e888c3eb56278ba52b0ff800e7e875af9c2e7f9011a

SH256 hash:

b2dd5bcf9138720f9ffeca3b8aefa001e40b2dd879c1db3bb8e47281c3575f8e

MD5 hash:

301d49f143b4559eebb04d6604c9c806

SHA1 hash:

8e1065918d606bf77bf8d0fd3375de5c1e4ec0b3

Link:

https://www.unpac.me/results/27d46302-cbbf-41f9-9224-6efe38b24179/

SH256 hash:

7105954633e409328e72c52cae434f5359268ead48e50f88b6c8495adf2ba07e

MD5 hash:

9f5fe437ead800975e96d8070988660f

SHA1 hash:

2e199ca34d1606dc02d77bd048fa8a0782b3bfe7

Link:

https://www.unpac.me/results/27d46302-cbbf-41f9-9224-6efe38b24179/

SH256 hash:

9432b4cd9f8a31640bf60b6cf8bece39ee0b0f110d2d43e429d9d203e1feaf41

MD5 hash:

59efaf9abc653a6cb1cf81cbf94a25c7

SHA1 hash:

5b52770b9b7be420217965e086f85eddd98cf6f4

Link:

https://www.unpac.me/results/27d46302-cbbf-41f9-9224-6efe38b24179/

Malware family:

SnakeKeylogger

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/9432b4cd9f8a/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/9432b4cd9f8a31640bf60b6cf8bece39ee0b0f110d2d43e429d9d203e1feaf41

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/369039/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample