MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 9858672b7c7fa3f8b4ef2ed4b8ab8686f1edfdc46a382ae6296051ac3b2742c3. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


SnakeKeylogger


Vendor detections: 11


Intelligence 11 IOCs YARA 4 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 9858672b7c7fa3f8b4ef2ed4b8ab8686f1edfdc46a382ae6296051ac3b2742c3
SHA3-384 hash: 482542881d6270f0a17358ce158861480f4e5f0d89a8cada326dff5f702da39c1346eba8c99a25491e498d3ee0afb97a
SHA1 hash: 39c5164b57efa461a0ddfe1d262344a183a2287c
MD5 hash: 6be8e9398d30635fbca93732150a7840
humanhash: steak-potato-robin-cold
File name:VSL Q88.exe
Download: download sample
Signature SnakeKeylogger
Create hunting rule
File size:322'560 bytes
First seen:2023-10-03 08:58:33 UTC
Last seen:2023-10-03 09:36:42 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'661 x AgentTesla, 19'474 x Formbook, 12'208 x SnakeKeylogger)
ssdeep 6144:pl8AdaxZli+Ua0z4my8PJ4+YcNM2IqEHTd51KSK:4AdahfUlz4mBPJ4gI1zd5kS
Threatray 1'027 similar samples on MalwareBazaar
TLSH T17364F71F5B587A15C36F5238E0516109DEF1CA27A38ADF8AA800B7F9DC537C1B6434AB
TrID 71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.2% (.EXE) Win64 Executable (generic) (10523/12/4)
6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.3% (.EXE) Win32 Executable (generic) (4505/5/1)
2.0% (.ICL) Windows Icons Library (generic) (2059/9)
Reporter cocaman
Tags:exe SnakeKeylogger

Intelligence

File Origin
# of uploads :
2
# of downloads :
300
Origin country :
CH CH
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
VSL Q88.exe
Verdict:
Malicious activity
Analysis date:
2023-10-03 09:24:53 UTC
Tags:
snake evasion keylogger
Link:
https://app.any.run/tasks/15002ecc-61d2-4915-8c47-46ab63cc8ab1

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection(s):
SecuriteInfo.com.Win32.DropperX-gen.3381.5035.UNOFFICIAL
Create hunting rule

Result
Verdict:
Clean
Maliciousness:

Behaviour
Searching for the window
Сreating synchronization primitives
DNS request
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
lolbin packed replace
Link:
https://www.filescan.io/uploads/651bd7d8426c8727d6e93c06/reports/9a306491-6d00-4c15-9459-294f00b877cd/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_90%
Link:
https://www.hybrid-analysis.com/sample/9858672b7c7fa3f8b4ef2ed4b8ab8686f1edfdc46a382ae6296051ac3b2742c3
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Snake Keylogger
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/22548e24-898d-422d-a2da-83d297f548c7
Result
Threat name:
Snake Keylogger
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1318559
Signature
.NET source code contains potential unpacker
.NET source code contains very large array initializations
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Found malware configuration
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
May check the online IP address of the machine
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Yara detected Costura Assembly Loader
Yara detected Generic Downloader
Yara detected Snake Keylogger
Yara detected Telegram RAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 1318559 Sample: VSL_Q88.exe Startdate: 03/10/2023 Architecture: WINDOWS Score: 100 43 Found malware configuration 2->43 45 Malicious sample detected (through community Yara rule) 2->45 47 Antivirus / Scanner detection for submitted sample 2->47 49 8 other signatures 2->49 6 Pruim.exe 14 5 2->6         started        10 VSL_Q88.exe 16 5 2->10         started        13 Pruim.exe 4 2->13         started        process3 dnsIp4 51 Antivirus detection for dropped file 6->51 53 Multi AV Scanner detection for dropped file 6->53 55 May check the online IP address of the machine 6->55 57 Machine Learning detection for dropped file 6->57 15 Pruim.exe 2 6->15         started        19 Pruim.exe 6->19         started        27 cclafrica.co.ke 5.9.248.150, 49783, 49788, 49797 HETZNER-ASDE Germany 10->27 25 C:\Users\user\AppData\Roaming\Pruim.exe, PE32 10->25 dropped 59 Tries to detect sandboxes and other dynamic analysis tools (process name or module or function) 10->59 61 Injects a PE file into a foreign processes 10->61 21 VSL_Q88.exe 2 10->21         started        23 Pruim.exe 13->23         started        file5 signatures6 process7 dnsIp8 29 checkip.dyndns.org 15->29 31 132.226.8.169, 49794, 49795, 49798 UTMEMUS United States 15->31 33 checkip.dyndns.org 21->33 35 checkip.dyndns.com 193.122.6.168, 49784, 80 ORACLE-BMC-31898US United States 21->35 37 checkip.dyndns.org 23->37 39 Tries to steal Mail credentials (via file / registry access) 23->39 41 Tries to harvest and steal browser information (history, passwords, etc) 23->41 signatures9
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/9858672b7c7fa3f8b4ef2ed4b8ab8686f1edfdc46a382ae6296051ac3b2742c3/
Threat name:
ByteCode-MSIL.Trojan.Seraph
Create hunting rule
Status:
Suspicious
First seen:
2023-10-03 05:12:39 UTC
File Type:
PE (.Net Exe)
Extracted files:
1
AV detection:
18 of 37 (48.65%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=tbmgok34p6r7rnhpf3klrk4gq3y637oeni4cvzrjmbi2yozhilbq._file
Verdict:
malicious
Similar samples:
18efcc58d9ea4a8de71c9007578c896b544bab8186145df495ee4126f2d08268
SnakeKeylogger
771ec2a2b691842fdb6ae7d67ec69d22911f2538120b522a0082038f2ce77aa9
SnakeKeylogger
91ad210dae91d724c701330e1ce8fd5047b8ee7a475d1dcc1474a812cab351ca
SnakeKeylogger
99c5c57ec66db2b568df0891d6e8d4c6420e1bcd629ef55f7148659c9759e3eb
SnakeKeylogger
a2e5356ff3d8617b129a23d76d85c2db3f6d803dccc160bdb95200db441229c5
SnakeKeylogger
b0dd78db36781e0070e3f613749814c5167a07afc28a7225d72ec3615c351efd
SnakeKeylogger
bf38efab74ed608cfa4bb7106eded02c20a6e7ba808b7871dd65982bbbbf896a
SnakeKeylogger
da316c99baf4e8e8e2df0d6d52a77774edb23a7375393a7b0b9414e8cb7b04a7
SnakeKeylogger
e74eac907deb295455e5856a2f4030c175a134dd3f2d681cec2d59ebb387c275
SnakeKeylogger
ebd0f12995682c7dce98a9de8e7105f7762bfc30a297d46634c67f0c1e420f92
SnakeKeylogger
+ 1'017 additional samples on MalwareBazaar
Result
Malware family:
snakekeylogger
Create hunting rule
Score:
  10/10
Tags:
family:snakekeylogger collection keylogger persistence spyware stealer
Link:
https://tria.ge/reports/231003-kxqkwsbd57/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Adds Run key to start application
Looks up external IP address via web service
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Snake Keylogger
Snake Keylogger payload
Unpacked files
SH256 hash:
9858672b7c7fa3f8b4ef2ed4b8ab8686f1edfdc46a382ae6296051ac3b2742c3
MD5 hash:
6be8e9398d30635fbca93732150a7840
SHA1 hash:
39c5164b57efa461a0ddfe1d262344a183a2287c
Link:
https://www.unpac.me/results/8c5f7a45-998f-4b05-8076-b769c385d270/
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:NETexecutableMicrosoft
Create hunting rule
Author:malware-lu
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

SnakeKeylogger

rar 5fa9f7e6d31ba4ba152a524a9834b4eaeb32a88e1bb48ed0e86b5d65b903ed14

SnakeKeylogger

Executable exe 9858672b7c7fa3f8b4ef2ed4b8ab8686f1edfdc46a382ae6296051ac3b2742c3

(this sample)

  
Delivery method
Other
  
Dropped by
SHA256 5fa9f7e6d31ba4ba152a524a9834b4eaeb32a88e1bb48ed0e86b5d65b903ed14
  
Dropped by
MD5 bbe4ed27d95620b9cc5ccd8ff22c23ee

Comments