MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 9909b96e91066b50d286d5f5f71face88d1bbb3e1e27bac054e00edbca09321c. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


SnakeKeylogger


Vendor detections: 15


Intelligence 15 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 9909b96e91066b50d286d5f5f71face88d1bbb3e1e27bac054e00edbca09321c
SHA3-384 hash: c1f8fd3541d22e31d903d706d4975adfd9292b5da45ae53602c186b2e7c665b36161c409c81355df6e75c4a4d88e03a4
SHA1 hash: 56652e4ea6bb349e1d2aa6ae0b69fb8b7c215752
MD5 hash: 45bff7963591793ec50f2f5f2a56e6a0
humanhash: venus-table-friend-mirror
File name:PO#08347_20022020.pdf.exe
Download: download sample
Signature SnakeKeylogger
Create hunting rule
File size:1'266'688 bytes
First seen:2023-03-09 13:05:12 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'661 x AgentTesla, 19'474 x Formbook, 12'208 x SnakeKeylogger)
ssdeep 24576:ZuOZ6wGkB+e9uf8mSNA+sicxj82C2S2WrIlHPRiOM:Yz+F2SCRiOM
Threatray 138 similar samples on MalwareBazaar
TLSH T119459F92E449ADDEE51BC63A5363484911E60E35F1386CD618B8F1663AFB2831F1DCB3
TrID 71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.2% (.EXE) Win64 Executable (generic) (10523/12/4)
6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.3% (.EXE) Win32 Executable (generic) (4505/5/1)
2.0% (.ICL) Windows Icons Library (generic) (2059/9)
File icon (PE):PE icon
dhash icon b464ecd0f0e8dcd0 (7 x RemcosRAT, 6 x SnakeKeylogger, 3 x AgentTesla)
Reporter abuse_ch
Tags:exe SnakeKeylogger

Intelligence

File Origin
# of uploads :
1
# of downloads :
212
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
PO#08347_20022020.pdf.exe
Verdict:
Malicious activity
Analysis date:
2023-03-09 13:10:08 UTC
Tags:
snake keylogger trojan evasion
Link:
https://app.any.run/tasks/87d4cdc8-f6d4-4048-9fac-767706e5dc87

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Snake
Create hunting rule
Link:
https://www.capesandbox.com/analysis/372979/
Detection(s):
Win.Trojan.Autoit-7356348-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Сreating synchronization primitives
Launching a process
Creating a process with a hidden window
Creating a file in the %AppData% directory
Enabling the 'hidden' option for recently created files
Adding an access-denied ACE
Creating a process from a recently created file
Creating a file in the %temp% directory
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
packed
Link:
https://www.filescan.io/uploads/6409d9bcf0b8f72099e88c23/reports/876d26e9-08d7-4cac-a215-d997ae338a48/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_100%
Link:
https://www.hybrid-analysis.com/sample/9909b96e91066b50d286d5f5f71face88d1bbb3e1e27bac054e00edbca09321c
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Generic Malware
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/d927cf09-5de4-4090-a00d-0f532a7dfe38
Result
Threat name:
Snake Keylogger
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1190612
Signature
Adds a directory exclusion to Windows Defender
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
May check the online IP address of the machine
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Scheduled temp file as task from temp location
Snort IDS alert for network traffic
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Mail credentials (via file / registry access)
Uses an obfuscated file name to hide its real file extension (double extension)
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected Generic Downloader
Yara detected Snake Keylogger
Yara detected Telegram RAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 823486 Sample: PO#08347_20022020.pdf.exe Startdate: 09/03/2023 Architecture: WINDOWS Score: 100 53 Snort IDS alert for network traffic 2->53 55 Malicious sample detected (through community Yara rule) 2->55 57 Sigma detected: Scheduled temp file as task from temp location 2->57 59 7 other signatures 2->59 7 PO#08347_20022020.pdf.exe 7 2->7         started        11 hkrgVcq.exe 5 2->11         started        process3 file4 37 C:\Users\user\AppData\Roaming\hkrgVcq.exe, PE32 7->37 dropped 39 C:\Users\user\...\hkrgVcq.exe:Zone.Identifier, ASCII 7->39 dropped 41 C:\Users\user\AppData\Local\...\tmpC601.tmp, XML 7->41 dropped 43 C:\Users\...\PO#08347_20022020.pdf.exe.log, ASCII 7->43 dropped 61 May check the online IP address of the machine 7->61 63 Uses schtasks.exe or at.exe to add and modify task schedules 7->63 65 Adds a directory exclusion to Windows Defender 7->65 13 PO#08347_20022020.pdf.exe 15 2 7->13         started        17 powershell.exe 21 7->17         started        19 powershell.exe 19 7->19         started        21 schtasks.exe 1 7->21         started        67 Multi AV Scanner detection for dropped file 11->67 69 Machine Learning detection for dropped file 11->69 71 Injects a PE file into a foreign processes 11->71 23 hkrgVcq.exe 11->23         started        25 schtasks.exe 11->25         started        27 hkrgVcq.exe 11->27         started        signatures5 process6 dnsIp7 45 checkip.dyndns.com 193.122.6.168, 49696, 49697, 80 ORACLE-BMC-31898US United States 13->45 47 checkip.dyndns.org 13->47 29 conhost.exe 17->29         started        31 conhost.exe 19->31         started        33 conhost.exe 21->33         started        49 checkip.dyndns.org 23->49 51 192.168.2.1 unknown unknown 23->51 73 Tries to steal Mail credentials (via file / registry access) 23->73 75 Tries to harvest and steal ftp login credentials 23->75 77 Tries to harvest and steal browser information (history, passwords, etc) 23->77 35 conhost.exe 25->35         started        signatures8 process9
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/9909b96e91066b50d286d5f5f71face88d1bbb3e1e27bac054e00edbca09321c/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2023-03-09 11:02:58 UTC
File Type:
PE (.Net Exe)
Extracted files:
28
AV detection:
20 of 24 (83.33%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=tee3s3urazvvbuug2x27oh5m5cgrxoz6dyt3vqcu4ahnxsqjgioa._file
Verdict:
malicious
Similar samples:
01a61878fb688719bbd35d4788d8443d850e878e087d6b4949b31753089cad40
SnakeKeylogger
24bd41c8fc07f033063d6819f9b2ee788502332dccea8dacf1e944e5445e11b1
SnakeKeylogger
2507f0613d7ab926c08a9f07d16c5e4ff4a76b2fad7a2839c92f9d3969fe5812
SnakeKeylogger
2fbe8381a484cb4c52055f448ec0934e04230d60fe109b3982008c598714c8ae
SnakeKeylogger
6c98dc3f008e013320c88ae59b178eba59473ecfd4c6d6687eb686a83a67cf01
SnakeKeylogger
790f8d85765401dc539584fc2075b326e306982adc99010f06637a769bb9443e
SnakeKeylogger
a1b484e08d3161fa1d4f9a90c36c4e50e5c8515a3613b9d3d35bba4101e55e87
SnakeKeylogger
a74fa0d307bc42f7118fb46c786b9f9bde4aa25826d6edea9b582b9174013b1e
SnakeKeylogger
ecadf3a82456432d82fb7e6ce72761aa85253bff9e17d6ae25566132620a280c
SnakeKeylogger
fd4b7a99c9e1425af888702bce5c88c071edfd4e0d1cbae52aa4c637b7fde738
SnakeKeylogger
+ 128 additional samples on MalwareBazaar
Result
Malware family:
snakekeylogger
Create hunting rule
Score:
  10/10
Tags:
family:snakekeylogger collection keylogger spyware stealer
Link:
https://tria.ge/reports/230309-qb3wzsbd4z/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Enumerates physical storage devices
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Looks up external IP address via web service
Checks computer location settings
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Snake Keylogger
Snake Keylogger payload
Malware Config
C2 Extraction:
https://api.telegram.org/bot5568312416:AAHFcV7Sj5ZHvpqi5PHfNfJ6Z7VDXDyymUI/sendMessage?chat_id=1884866272
Unpacked files
SH256 hash:
70ec4df6d56a3dbb0470b32c00c2e2c018fdbe62576fad0f5eb5553a8355e42a
MD5 hash:
4c63b63d65e2e81b8a8e61bb97740464
SHA1 hash:
e04653d9b2a54555550fbd7f59a2ee962a5ee67e
Link:
https://www.unpac.me/results/7bfa56e7-36b6-476e-9dd4-5cc6bbd3f529/
SH256 hash:
57c9f486be687ebc08a756e5fd750fc63f3f3b8892b46508589ecfd2b69c9eca
MD5 hash:
cd7051e0594ee4d89521baffc7693b41
SHA1 hash:
9b7ee6f1bc68f29807b96c7487b12c751cff427b
Link:
https://www.unpac.me/results/7bfa56e7-36b6-476e-9dd4-5cc6bbd3f529/
SH256 hash:
8ae321991aac2611077d79366d57df8cdc954514d62f3ae82d5ecaaa8d0746c9
MD5 hash:
aae69bad43ba2e79d44075c46c974375
SHA1 hash:
5f3a430cfe704f28ec0706cdd88044ef9cccc0d0
Detections:
snake_keylogger
Create hunting rule
Link:
https://www.unpac.me/results/7bfa56e7-36b6-476e-9dd4-5cc6bbd3f529/
Parent samples :
9909b96e91066b50d286d5f5f71face88d1bbb3e1e27bac054e00edbca09321c
830f47013c72aa00109bdc7aa0a60e03fb70f7cbd3926e7f86edefccafcb3f53
8ae321991aac2611077d79366d57df8cdc954514d62f3ae82d5ecaaa8d0746c9
5bfbf751176aa59b055cae2a1b3abeba1c2c5560902faec2d6b646e7fc22b085
SH256 hash:
e386840537170219177c2bb3404f4c7bd9da1a2d53cdf2ae1e857c3b19628a29
MD5 hash:
d170ab8c03b9c37d5be449454db131d2
SHA1 hash:
2031b6754a65d21b47dd11a34fee86f048d6048d
Link:
https://www.unpac.me/results/7bfa56e7-36b6-476e-9dd4-5cc6bbd3f529/
SH256 hash:
5dd52ade485535a75651203d69f5132194c3a788c71023731782e7052ca63cd5
MD5 hash:
d9d0b4b5b246cd98d8744a55f865fc31
SHA1 hash:
02783644a1dac129cceb0a22b8a53842d9d3c69e
Link:
https://www.unpac.me/results/7bfa56e7-36b6-476e-9dd4-5cc6bbd3f529/
SH256 hash:
9909b96e91066b50d286d5f5f71face88d1bbb3e1e27bac054e00edbca09321c
MD5 hash:
45bff7963591793ec50f2f5f2a56e6a0
SHA1 hash:
56652e4ea6bb349e1d2aa6ae0b69fb8b7c215752
Link:
https://www.unpac.me/results/7bfa56e7-36b6-476e-9dd4-5cc6bbd3f529/
Malware family:
SnakeKeylogger
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/9909b96e9106/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
0.90
Link:
https://yomi.yoroi.company/submissions/9909b96e91066b50d286d5f5f71face88d1bbb3e1e27bac054e00edbca09321c

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/372979/

Comments