MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 9bb8fd9030c705931e0546842d98111dcd0a441366631eddb70d7d41122ca8bf. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


SnakeKeylogger


Vendor detections: 11


Intelligence 11 IOCs YARA 11 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 9bb8fd9030c705931e0546842d98111dcd0a441366631eddb70d7d41122ca8bf
SHA3-384 hash: 771583f8f01cda829ebd8ae90e7dae72078ccf1a1d308951c1a7e6e1407b37335d3cf773aa5fbb2e637784087f1bf89e
SHA1 hash: 711111084fb1d92aab4444499c449064843e2346
MD5 hash: 528145723771a75601c9261ae1864632
humanhash: dakota-hydrogen-green-pip
File name:Invoice.exe
Download: download sample
Signature SnakeKeylogger
Create hunting rule
File size:650'752 bytes
First seen:2023-09-12 09:47:15 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'743 x AgentTesla, 19'608 x Formbook, 12'242 x SnakeKeylogger)
ssdeep 12288:eSyEYyVFrksEAyjB9PIBk9OH4n/VTvCdieHfeVWsU3TRnyy:aV+FIsrqBhF9xdCdie/eVWsU3NnL
Threatray 72 similar samples on MalwareBazaar
TLSH T147D4124D53ADD794DA7D2BB164A4A250A371F1036822C2ED1DCC61E5AFB7EE49202BC3
TrID 71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.2% (.EXE) Win64 Executable (generic) (10523/12/4)
6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.3% (.EXE) Win32 Executable (generic) (4505/5/1)
2.0% (.ICL) Windows Icons Library (generic) (2059/9)
File icon (PE):PE icon
dhash icon 0000000000000000 (872 x AgentTesla, 496 x Formbook, 296 x RedLineStealer)
Reporter abuse_ch
Tags:exe SnakeKeylogger

Intelligence

File Origin
# of uploads :
1
# of downloads :
305
Origin country :
NL NL
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
Invoice.exe
Verdict:
Malicious activity
Analysis date:
2023-09-12 09:47:28 UTC
Tags:
evasion snake keylogger
Link:
https://app.any.run/tasks/107bf4f9-9cb7-4bf3-ad1a-c3323fdd0334

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/448130/
Detection(s):
Porcupine.Malware.58887.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Creating a window
Unauthorized injection to a recently created process
Restart of the analyzed sample
Creating a file
Сreating synchronization primitives
DNS request
Sending an HTTP GET request
Reading critical registry keys
Moving of the original file
Forced shutdown of a browser
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
masquerade packed
Link:
https://www.filescan.io/uploads/650033d369c1cf3b6ab3fb81/reports/c59423d8-a7d9-41d0-8861-a5ae209efadd/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_100%
Link:
https://www.hybrid-analysis.com/sample/9bb8fd9030c705931e0546842d98111dcd0a441366631eddb70d7d41122ca8bf
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/c7cd5543-9637-45db-8559-70ab40588cb2
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/9bb8fd9030c705931e0546842d98111dcd0a441366631eddb70d7d41122ca8bf/
Threat name:
ByteCode-MSIL.Backdoor.Androm
Create hunting rule
Status:
Malicious
First seen:
2023-09-12 03:33:18 UTC
File Type:
PE (.Net Exe)
Extracted files:
6
AV detection:
16 of 22 (72.73%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=to4p3ebqy4czghqfi2cc3gardxgquratmzrr5xnxbv6ucermvc7q._file
Verdict:
malicious
Similar samples:
085c615e80911a5a93b3f1262ca71b88f81be327d2d3b594376a5b4e5533e68f
SnakeKeylogger
29dbebeec58981c106716f9c9db0137f7ff0e808f60577a9e1a29050d036861d
SnakeKeylogger
5d84e6087b9d0844b022f013a75721001ae5c8dc2ba86a2172b6d5919cd45762
SnakeKeylogger
9c999d23bb8110f85cc977e9a697c7eb3387dbe27ae0dba92c141986893946d3
SnakeKeylogger
9e59b864f851b2101f28ed67a8f5e52fbac208c1b4fda85b7b378dd28e182941
SnakeKeylogger
b3f8e456aeaba0afc976104eeec20357a09e59da003df7061c954cb434f877ef
SnakeKeylogger
bcf9118f67e1da42a9a14e9c8ec34eecc140b2f72d48f49df48ee6712afae01a
SnakeKeylogger
bf3656cb6efbbc781ba5c11b9772fbf0fb0245ee08149ea66f880bdf5693907d
SnakeKeylogger
c1f0bac90d9bf80413dc40ca555b44e13f9dd297780d7f6aab549143e3fa880c
SnakeKeylogger
cbcef39f086d442ff02882b05b92a3f0a00b1fa6b827e5727170dd6427b28591
SnakeKeylogger
+ 62 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  7/10
Tags:
collection spyware stealer
Link:
https://tria.ge/reports/230912-lsrstsbe3s/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: RenamesItself
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Looks up external IP address via web service
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Unpacked files
SH256 hash:
9a63b62a1296933300f9cda87fefbdfc9f55ee908575a2130c641c9fd0c4f830
MD5 hash:
651ffbf7723d66c959851ec6c450fba2
SHA1 hash:
f7cf3587def824a298ae36da8ce82c62e2245f48
Link:
https://www.unpac.me/results/b054b901-026a-42c1-9352-c9a7007dcbbc/
SH256 hash:
b04889c4ae727218705e223a5ed2e8a561ee050ebbc474c45eea8c984069f4b2
MD5 hash:
9c833c2e705614136061cb11054e2ffb
SHA1 hash:
d0e544ed5226bf00254d4e38905c121b83bd1a53
Link:
https://www.unpac.me/results/b054b901-026a-42c1-9352-c9a7007dcbbc/
SH256 hash:
20977e0f883ca06510814419205ac9db8c704b1c3f325e3937280c68723a453f
MD5 hash:
2d6cfdeab410fec54f577ca9b4aa2c9b
SHA1 hash:
a3a80b0e5913e72961a76289d37cdc8e93a51458
Link:
https://www.unpac.me/results/b054b901-026a-42c1-9352-c9a7007dcbbc/
SH256 hash:
784d4e0af30bcca58d54f86b6966e1c147bcc194a99126ebe79538e9084f6d80
MD5 hash:
5caf74e6818e40e82651781613a42425
SHA1 hash:
2a182b1552373e0907bfd03db31120596df994d0
Link:
https://www.unpac.me/results/b054b901-026a-42c1-9352-c9a7007dcbbc/
SH256 hash:
9bb8fd9030c705931e0546842d98111dcd0a441366631eddb70d7d41122ca8bf
MD5 hash:
528145723771a75601c9261ae1864632
SHA1 hash:
711111084fb1d92aab4444499c449064843e2346
Link:
https://www.unpac.me/results/b054b901-026a-42c1-9352-c9a7007dcbbc/
Malware family:
AgentTesla.v3
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/9bb8fd9030c7/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Password Stealer
Score:
0.90
Link:
https://yomi.yoroi.company/submissions/9bb8fd9030c705931e0546842d98111dcd0a441366631eddb70d7d41122ca8bf

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:crime_snake_keylogger
Create hunting rule
Author:Rony (r0ny_123)
Description:Detects Snake keylogger payload
Rule name:INDICATOR_EXE_Packed_Babel
Create hunting rule
Author:ditekSHen
Description:Detects executables packed with Babel
Rule name:INDICATOR_EXE_Packed_ConfuserExMod_BedsProtector
Create hunting rule
Author:ditekSHen
Description:Detects executables packed with ConfuserEx Mod Beds Protector
Rule name:INDICATOR_EXE_Packed_Goliath
Create hunting rule
Author:ditekSHen
Description:Detects executables packed with Goliath
Rule name:INDICATOR_SUSPICIOUS_EXE_DotNetProcHook
Create hunting rule
Author:ditekSHen
Description:Detects executables with potential process hoocking
Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:NETexecutableMicrosoft
Create hunting rule
Author:malware-lu
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash
Rule name:Windows_Trojan_SnakeKeylogger_af3faa65
Create hunting rule
Author:Elastic Security

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

SnakeKeylogger

Executable exe 9bb8fd9030c705931e0546842d98111dcd0a441366631eddb70d7d41122ca8bf

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/448130/

Comments