MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 9713d3008a592ab1b06cb6488df0fbb451ba25dac4bb8fda5260fe38f624fdd5. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


SnakeKeylogger


Vendor detections: 12


Intelligence 12 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 9713d3008a592ab1b06cb6488df0fbb451ba25dac4bb8fda5260fe38f624fdd5
SHA3-384 hash: 846493ddc149996835321e1178b38f69f3f440e2c2a711112546da683b44a9b00186ec90d88501b6852a07024a3e4dd6
SHA1 hash: d87169e708260fe0ad90cc695c1d7643ec40aa4b
MD5 hash: 4cf39cae5eece0a9687304c6a24740b1
humanhash: carbon-bacon-emma-autumn
File name:4cf39cae5eece0a9687304c6a24740b1.exe
Download: download sample
Signature SnakeKeylogger
Create hunting rule
File size:552'448 bytes
First seen:2022-05-06 15:46:20 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'661 x AgentTesla, 19'474 x Formbook, 12'208 x SnakeKeylogger)
ssdeep 12288:oybx4wyBNM+l+2xiOWQYJwL2ID2xE2YXC:tx4wujl+WjWXJezDjS
Threatray 3'728 similar samples on MalwareBazaar
TLSH T1C2C4AD437E9CB6C6FA6D47B90822E2717BB8DE956D20DE5A19F03E9BF130740C500A76
TrID 72.5% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.4% (.EXE) Win64 Executable (generic) (10523/12/4)
6.5% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.4% (.EXE) Win32 Executable (generic) (4505/5/1)
2.0% (.EXE) OS/2 Executable (generic) (2029/13)
Reporter abuse_ch
Tags:exe SnakeKeylogger

Intelligence

File Origin
# of uploads :
1
# of downloads :
249
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
4cf39cae5eece0a9687304c6a24740b1.exe
Verdict:
Malicious activity
Analysis date:
2022-05-06 15:51:44 UTC
Tags:
evasion trojan snake
Link:
https://app.any.run/tasks/94ee45bb-a390-42ff-8cce-2bd641c7311d

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/269107/
Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Creating a window
Сreating synchronization primitives
Creating a file in the %AppData% directory
Enabling the 'hidden' option for recently created files
Adding an access-denied ACE
Creating a process from a recently created file
Creating a process with a hidden window
Launching a process
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
obfuscated packed update.exe
Link:
https://www.filescan.io/uploads/627542e94b517e213c1ff7a5/reports/cbc0b8e4-9ace-4d86-87b4-509a0c2c8e30/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Snake Keylogger
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/60bbf0f9-7fb5-4422-b56c-da749ba4aa4d
Result
Threat name:
Snake Keylogger
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/989160
Signature
.NET source code contains potential unpacker
.NET source code references suspicious native API functions
Adds a directory exclusion to Windows Defender
Found malware configuration
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
May check the online IP address of the machine
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected AntiVM3
Yara detected Snake Keylogger
Yara detected Telegram RAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 621656 Sample: pmvBvMqG2j.exe Startdate: 06/05/2022 Architecture: WINDOWS Score: 100 41 Snort IDS alert for network traffic 2->41 43 Found malware configuration 2->43 45 Malicious sample detected (through community Yara rule) 2->45 47 10 other signatures 2->47 7 pmvBvMqG2j.exe 7 2->7         started        process3 file4 27 C:\Users\user\AppData\Roaming\dYrkglizt.exe, PE32 7->27 dropped 29 C:\Users\...\dYrkglizt.exe:Zone.Identifier, ASCII 7->29 dropped 31 C:\Users\user\AppData\Local\...\tmp571C.tmp, XML 7->31 dropped 33 C:\Users\user\AppData\...\pmvBvMqG2j.exe.log, ASCII 7->33 dropped 49 May check the online IP address of the machine 7->49 51 Uses schtasks.exe or at.exe to add and modify task schedules 7->51 53 Adds a directory exclusion to Windows Defender 7->53 55 Injects a PE file into a foreign processes 7->55 11 pmvBvMqG2j.exe 15 2 7->11         started        14 powershell.exe 24 7->14         started        16 schtasks.exe 1 7->16         started        signatures5 process6 dnsIp7 35 checkip.dyndns.com 193.122.130.0, 49765, 80 ORACLE-BMC-31898US United States 11->35 37 checkip.dyndns.org 11->37 39 192.168.2.1 unknown unknown 11->39 18 WerFault.exe 23 9 11->18         started        21 conhost.exe 14->21         started        23 conhost.exe 16->23         started        process8 file9 25 C:\ProgramData\Microsoft\...\Report.wer, Little-endian 18->25 dropped
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/9713d3008a592ab1b06cb6488df0fbb451ba25dac4bb8fda5260fe38f624fdd5/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2022-05-04 14:43:23 UTC
File Type:
PE (.Net Exe)
Extracted files:
15
AV detection:
20 of 26 (76.92%)
Threat level:
  5/5
Verdict:
malicious
Similar samples:
442c75d295ffbe050d255d30ffdf429ffcbfb1e4a1eac63b4e1e0f9570e29b2e
SnakeKeylogger
4cc791dd5b219a5248935704833d10f22c14db6f3998d100b5c55c7dba1e6df9
SnakeKeylogger
4f13b3bb65c3c0b9a52cce7f5ad403907f39d6540623d8f0259ca05ebe240454
SnakeKeylogger
89126ab29977ea93c47b855e29d58d35034972c896b8717cec0c03fdc08ee4b3
SnakeKeylogger
ae181fd0388d1ff821e016bf93a19cf7d0b19b56888e273df396ac2aca55e1a6
SnakeKeylogger
b589f04785fac0dfce5097c419fb21254218106795bd3076d86d62edf792b996
SnakeKeylogger
f627b65975a0cee2a96ff46bf73c5cf70bbba31d3641285ed0fabd63908a30b5
SnakeKeylogger
fbaf75b59e30584c535cc0ad3464d8dd0f07b56fd94995d3c71b4adfee27e96c
SnakeKeylogger
fe84e1a62e57213249801372834a30d3d218f122889258bdd83e5f016ed4f209
SnakeKeylogger
+ 3'718 additional samples on MalwareBazaar
Result
Malware family:
snakekeylogger
Create hunting rule
Score:
  10/10
Tags:
family:snakekeylogger collection keylogger spyware stealer
Link:
https://tria.ge/reports/220506-s77adsaag8/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Enumerates physical storage devices
Program crash
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Looks up external IP address via web service
Checks computer location settings
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
CustAttr .NET packer
Snake Keylogger
Snake Keylogger Payload
Unpacked files
SH256 hash:
0746d7804f1b51d50c8bb708e300360f8b27d5bf29a3f5d377f6f942d9d2254c
MD5 hash:
7301e4848a251dd6bbd2850a690ca5f8
SHA1 hash:
767aa835769eac657536dfac7e24a29326cb88a5
Link:
https://www.unpac.me/results/346f8726-567f-4336-b7a7-1a0df96ace11/
SH256 hash:
a4fcc81afe6fb39c652e37a59a358eaa7b3522db8275d5f57220f756a06acb0b
MD5 hash:
9b02b82da0ff69f1ef18bf4090ba496a
SHA1 hash:
6cbb8a35e96faa6679e32ddeec204e957ef89ed3
Link:
https://www.unpac.me/results/346f8726-567f-4336-b7a7-1a0df96ace11/
SH256 hash:
f0f97385e30343ffe20bc4a4472264f96339d7fed4feafc7e611b7e2f5be5129
MD5 hash:
58c1e433ce33ecdeb0a1a7a8f2ab2940
SHA1 hash:
159c28a73471dc859825f5409acccca1dd1ba061
Link:
https://www.unpac.me/results/346f8726-567f-4336-b7a7-1a0df96ace11/
SH256 hash:
b0aaf5131cd40c7e2595f9ba94dd68d51f22981a88edfcfcf862f71bb78ae783
MD5 hash:
5170d50c67b83f0f35981e824a1c9778
SHA1 hash:
bc0b85ff475af189b51bb9d074f201634caae75a
Link:
https://www.unpac.me/results/346f8726-567f-4336-b7a7-1a0df96ace11/
SH256 hash:
9713d3008a592ab1b06cb6488df0fbb451ba25dac4bb8fda5260fe38f624fdd5
MD5 hash:
4cf39cae5eece0a9687304c6a24740b1
SHA1 hash:
d87169e708260fe0ad90cc695c1d7643ec40aa4b
Link:
https://www.unpac.me/results/346f8726-567f-4336-b7a7-1a0df96ace11/
Malware family:
SnakeKeylogger
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/9713d3008a59/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/9713d3008a592ab1b06cb6488df0fbb451ba25dac4bb8fda5260fe38f624fdd5

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/269107/

Comments