MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 9af845b97c1682091cfafe6b2186821883bd912cc3113e4dfafb0ca0f72206cc. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

SnakeKeylogger

Vendor detections: 18

Intelligence 18 IOCs YARA 6 File information Comments

SHA256 hash:	9af845b97c1682091cfafe6b2186821883bd912cc3113e4dfafb0ca0f72206cc
SHA3-384 hash:	5e341fb0de1f8d40c13c25d195733893e887314156c73dda306f8b8890288474bc561c47694c5e99c170a50d39010bfa
SHA1 hash:	f784fd1a3a31f92091927fac47f2835475ad8002
MD5 hash:	950c269ffc596bb167ba627631af0f50
humanhash:	magazine-foxtrot-carpet-potato
File name:	9af845b97c1682091cfafe6b2186821883bd912cc3113e4dfafb0ca0f72206cc
Download:	download sample
Signature	SnakeKeylogger Create hunting rule
File size:	709'632 bytes
First seen:	2024-12-09 13:51:20 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'740 x AgentTesla, 19'599 x Formbook, 12'241 x SnakeKeylogger)
ssdeep	12288:v63HI6tYy3xQkAJDIAMVFkVsnnT13XsZ18iN8IQauhfgERtyz/bwkF9Sk+fmzWbd:v0HI4YyakAo+sJX0RNbGFiz/bN/Sk+fR
Threatray	1'995 similar samples on MalwareBazaar
TLSH	T16CE41294BA6AE867E9C607BC4271C7B952355E4CEA24D3079BFAECDB3C0570C7818291
TrID	71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13) 10.2% (.EXE) Win64 Executable (generic) (10522/11/4) 6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 4.3% (.EXE) Win32 Executable (generic) (4504/4/1) 2.0% (.ICL) Windows Icons Library (generic) (2059/9)
Magika	pebin
File icon (PE):
dhash icon	0884cc3860ccd420 (2 x Formbook, 2 x RemcosRAT, 1 x MassLogger)
Reporter	adrian__luca
Tags:	exe SnakeKeylogger

Intelligence

File Origin

# of uploads :

# of downloads :

390

Origin country :

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

9af845b97c1682091cfafe6b2186821883bd912cc3113e4dfafb0ca0f72206cc

Verdict:

Malicious activity

Analysis date:

2024-12-09 13:50:42 UTC

Tags:

evasion snake keylogger telegram stealer

Link:

https://app.any.run/tasks/92b2874a-84ff-4a7b-a863-4f2492c20cc2

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection(s):

SecuriteInfo.com.Trojan.PackedNET.3114.12722.13306.UNOFFICIAL

Verdict:

Malicious

Score:

99.1%

Link:

https://cyber-fortress.com/docs/result/index.php?id=6756f60548182d1685570f3f

Tags:

kryptik virus msil

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

Unauthorized injection to a recently created process

Restart of the analyzed sample

Creating a file

Сreating synchronization primitives

DNS request

Connection attempt

Sending an HTTP GET request

Sending a custom TCP request

Reading critical registry keys

Searching for synchronization primitives

Launching the default Windows debugger (dwwin.exe)

Searching for the window

Stealing user critical data

Forced shutdown of a browser

Verdict:

Suspicious

Threat level:

5/10

Confidence:

100%

Tags:

packed packed packer_detected vbnet

Link:

https://www.filescan.io/uploads/6756f6051a7df30be12c0f0c/reports/a40a5582-4f81-418c-a8be-3455f62f2c74/overview

Verdict:

Malicious

Labled as:

Jalapeno.Generic

Link:

https://www.hybrid-analysis.com/sample/9af845b97c1682091cfafe6b2186821883bd912cc3113e4dfafb0ca0f72206cc

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Snake Keylogger

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/2c7e0d7f-2e64-412c-9e26-4e40a4face81

Result

Threat name:

Snake Keylogger, VIP Keylogger

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1571565

Signature

.NET source code contains potential unpacker

AI detected suspicious sample

Found malware configuration

Injects a PE file into a foreign processes

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Tries to detect the country of the analysis system (by using the IP)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Mail credentials (via file / registry access)

Uses the Telegram API (likely for C&C communication)

Yara detected AntiVM3

Yara detected Generic Downloader

Yara detected Snake Keylogger

Yara detected Telegram RAT

Yara detected VIP Keylogger

Behaviour

Behavior Graph:

Download SVG

Score:

100%

Verdict:

Malware

File Type:

Link:

https://malprob.io/report/9af845b97c1682091cfafe6b2186821883bd912cc3113e4dfafb0ca0f72206cc

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/9af845b97c1682091cfafe6b2186821883bd912cc3113e4dfafb0ca0f72206cc/

Threat name:

ByteCode-MSIL.Backdoor.FormBook

Status:

Malicious

First seen:

2024-12-09 13:52:05 UTC

File Type:

PE (.Net Exe)

Extracted files:

AV detection:

26 of 38 (68.42%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=tl4elol4c2bashh27zvsdbucdcb33ejmymit4tp27mgkb5zca3ga._file

Verdict:

malicious

Label(s):

vipkeylogger

unknown_loader_037

SnakeKeylogger

5e8880438f921f4bd81f137cc9b4c44f1ba12b321a178d4d50a0601d75aef049

SnakeKeylogger

7bd9596f753e58ba917ba418c191af8fcb9b537e73ee6a86989960099585394f

SnakeKeylogger

bba1825bd893328442cb891a35420a5da41a5431d1ade643f085c5992e763d3a

SnakeKeylogger

error

SnakeKeylogger

+ 1'985 additional samples on MalwareBazaar

Result

Malware family:

vipkeylogger

Score:

10/10

Tags:

family:vipkeylogger collection discovery keylogger spyware stealer

Link:

https://tria.ge/reports/241209-q6dkkszldz/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

outlook_office_path

outlook_win_path

Browser Information Discovery

Program crash

System Location Discovery: System Language Discovery

Suspicious use of SetThreadContext

Accesses Microsoft Outlook profiles

Looks up external IP address via web service

Reads user/profile data of local email clients

Reads user/profile data of web browsers

VIPKeylogger

Vipkeylogger family

Verdict:

Suspicious

Tags:

n/a

YARA:

n/a

Link:

https://app.threat.zone/submission/f567d830-fc12-4d14-952a-3178af72daad

Unpacked files

SH256 hash:

0327c618a4faf85876d0f1f27505ba858e55f7b2781adb2ad210bb468177e28e

MD5 hash:

f2812be2011eddb066399fe25edac2dc

SHA1 hash:

4cbf7307b2128f27c31f4559b399ae8c4769cfa6

Detections:

win_404keylogger_g1

INDICATOR_SUSPICIOUS_EXE_TelegramChatBot

MAL_Envrial_Jan18_1

INDICATOR_SUSPICIOUS_Binary_References_Browsers

INDICATOR_SUSPICIOUS_EXE_DotNetProcHook

INDICATOR_SUSPICIOUS_EXE_References_Messaging_Clients

Link:

https://www.unpac.me/results/e912cb90-8642-416e-b1d6-310a60ea9e24/

SH256 hash:

e4b95200bc450c5a6e9fea660fc82acc20d2a419342a9639676bfb424bc62ac7

MD5 hash:

210ccf4c768ffb8ec09e34f5fa884ad4

SHA1 hash:

2e1b5988616688608212c9dba0b90727d7ff121c

Detections:

SUSP_OBF_NET_ConfuserEx_Name_Pattern_Jan24

SUSP_OBF_NET_Reactor_Indicators_Jan24

Link:

https://www.unpac.me/results/e912cb90-8642-416e-b1d6-310a60ea9e24/

SH256 hash:

b8c9b8c40a03d24de3d273d348414937136205511612c3049aa840a9e759a712

MD5 hash:

a79c03375b8ee8ea8610f25d0725ade7

SHA1 hash:

0ab34334165e1d4882b700ae3d97cdac22437008

Detections:

INDICATOR_EXE_Packed_SmartAssembly

Link:

https://www.unpac.me/results/e912cb90-8642-416e-b1d6-310a60ea9e24/

Parent samples :

0ea911380906a2d6077caf8d64ec129473490fa105e4026ced3a45ea6d3dc3c1
f45d8b8c06d91cd7fd6145b4f696852c751d16ea332fd7359f2fb9b395faf9cd
9af845b97c1682091cfafe6b2186821883bd912cc3113e4dfafb0ca0f72206cc
29739350ffba4e0dc877ce4e6ef22549aa859a7dbd046c3282bcb5dbd621f3ab

SH256 hash:

9af845b97c1682091cfafe6b2186821883bd912cc3113e4dfafb0ca0f72206cc

MD5 hash:

950c269ffc596bb167ba627631af0f50

SHA1 hash:

f784fd1a3a31f92091927fac47f2835475ad8002

Link:

https://www.unpac.me/results/e912cb90-8642-416e-b1d6-310a60ea9e24/

Malware family:

VIPKeylogger

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/9af845b97c16/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/9af845b97c1682091cfafe6b2186821883bd912cc3113e4dfafb0ca0f72206cc

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	NET Create hunting rule
Author:	malware-lu

Rule name:	pe_imphash Create hunting rule

Rule name:	RansomPyShield_Antiransomware Create hunting rule
Author:	XiAnzheng
Description:	Check for Suspicious String and Import combination that Ransomware mostly abuse(can create FP)

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

Rule name:	Sus_Obf_Enc_Spoof_Hide_PE Create hunting rule
Author:	XiAnzheng
Description:	Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique(can create FP)

File information

The table below shows additional information about this malware sample such as delivery method and external references.

No further information available

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings

ID	Title	Severity
CHECK_AUTHENTICODE	Missing Authenticode	high
CHECK_DLL_CHARACTERISTICS	Missing dll Security Characteristics (GUARD_CF)	high

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample