MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 9e3bcb513af35cefa69e5194f7c1a7ded5e53ea1a26c0fb81ccac9d7998fe2b2. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


SnakeKeylogger


Vendor detections: 10


Intelligence 10 IOCs YARA 10 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 9e3bcb513af35cefa69e5194f7c1a7ded5e53ea1a26c0fb81ccac9d7998fe2b2
SHA3-384 hash: 9f4e84b77e542d2903856c57ab6cc8bf449819b72292122a455fc5b796fc858760d7b5f901244b71dc368bdc16306314
SHA1 hash: e4a1d9ade705803442a3de969d355f9545f0f6b9
MD5 hash: 127cee27db896b4c275915fa14811bd6
humanhash: finch-potato-summer-missouri
File name:127cee27db896b4c275915fa14811bd6.exe
Download: download sample
Signature SnakeKeylogger
Create hunting rule
File size:973'312 bytes
First seen:2021-09-06 06:32:40 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'813 x AgentTesla, 19'735 x Formbook, 12'282 x SnakeKeylogger)
ssdeep 12288:YJmWMzH+hB/pzxJi3X3+b6umJBDARbeqTJgnJVBREnDebtYVsnsOZKT:ILpXk+b6umJBDAJeqtgbrYKOOsOcT
Threatray 976 similar samples on MalwareBazaar
TLSH T10125F41326BCCAE5F59E3E74A074170096B9AC065675E64BD80FBCEAD8B3743C9113E2
dhash icon 31b09c969698b033 (55 x AgentTesla, 27 x AveMariaRAT, 15 x Formbook)
Reporter abuse_ch
Tags:exe SnakeKeylogger

Intelligence

File Origin
# of uploads :
1
# of downloads :
113
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
127cee27db896b4c275915fa14811bd6.exe
Verdict:
Malicious activity
Analysis date:
2021-09-06 06:36:12 UTC
Tags:
evasion trojan snakekeylogger keylogger
Link:
https://app.any.run/tasks/7357f86f-06b1-4990-98e1-c61a51121071

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/185533/
Detection(s):
SecuriteInfo.com.Trojan.MSIL.Seraph.ac.13346.14149.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Launching a process
Creating a process with a hidden window
Using the Windows Management Instrumentation requests
DNS request
Creating a file in the %temp% directory
Creating a process from a recently created file
Creating a file
Connection attempt
Sending an HTTP GET request
Sending a UDP request
Sending a custom TCP request
Unauthorized injection to a recently created process
Unauthorized injection to a recently created process by context flags manipulation
Malware family:
Snake Keylogger
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/9ca19e88-d112-4129-ae6e-af9aa48afc19
Result
Threat name:
Snake Keylogger
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/845739
Signature
.NET source code contains potential unpacker
Found malware configuration
Injects a PE file into a foreign processes
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Mail credentials (via file access)
Uses powershell Test-Connection to delay payload execution;
Writes to foreign memory regions
Yara detected Snake Keylogger
Yara detected Telegram RAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 478166 Sample: v12J9Am9Y8.exe Startdate: 06/09/2021 Architecture: WINDOWS Score: 100 49 Found malware configuration 2->49 51 Malicious sample detected (through community Yara rule) 2->51 53 Multi AV Scanner detection for submitted file 2->53 55 3 other signatures 2->55 7 v12J9Am9Y8.exe 6 2->7         started        process3 file4 33 C:\Users\user\AppData\...\v12J9Am9Y8.exe, PE32 7->33 dropped 35 C:\Users\...\v12J9Am9Y8.exe:Zone.Identifier, ASCII 7->35 dropped 37 C:\Users\user\AppData\...\v12J9Am9Y8.exe.log, ASCII 7->37 dropped 57 Writes to foreign memory regions 7->57 59 Uses powershell Test-Connection to delay payload execution; 7->59 61 Injects a PE file into a foreign processes 7->61 11 v12J9Am9Y8.exe 7->11         started        15 powershell.exe 19 7->15         started        17 powershell.exe 16 7->17         started        19 4 other processes 7->19 signatures5 process6 dnsIp7 39 149.154.167.220 TELEGRAMRU United Kingdom 11->39 41 216.146.43.70 DYNDNSUS United States 11->41 43 104.21.19.200 CLOUDFLARENETUS United States 11->43 63 Multi AV Scanner detection for dropped file 11->63 65 Tries to steal Mail credentials (via file access) 11->65 67 Tries to harvest and steal ftp login credentials 11->67 69 Tries to harvest and steal browser information (history, passwords, etc) 11->69 45 8.8.8.8 GOOGLEUS United States 15->45 21 conhost.exe 15->21         started        47 192.168.2.1 unknown unknown 17->47 23 conhost.exe 17->23         started        25 conhost.exe 19->25         started        27 conhost.exe 19->27         started        29 conhost.exe 19->29         started        31 conhost.exe 19->31         started        signatures8 process9
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/9e3bcb513af35cefa69e5194f7c1a7ded5e53ea1a26c0fb81ccac9d7998fe2b2/
Threat name:
Win32.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2021-09-06 05:32:41 UTC
AV detection:
12 of 43 (27.91%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=ty54wuj26noo7ju6kgkppqnh33k6kpvbujwa7oa4zle5pgmp4kza._file
Verdict:
malicious
Similar samples:
3ed830ef9609f573a4a9ce7f0abc234f6cd226ba7a55bb8319cb1b47a0f2be7d
SnakeKeylogger
8c366ee263db756db2648d00eb615b16fc8b92262f8bdf7d3269267eb1382cb0
SnakeKeylogger
94fd8c7b7935c64a7ed46794b3b5597800ae02715d5d0d95df19b208dc0d98fb
SnakeKeylogger
96007bdda9d12cf59fd2844843f62d3a86b85cb732ee76004e2f93ac38d8c8af
SnakeKeylogger
a1588613803bbed9e0f4ae3f526aaacbbd2b6cba0d1b5c7f585403c0770e0788
SnakeKeylogger
a1ef7c34fac1d166d47f99112a77e8f00f229c78f3a248da9ef005387997001a
SnakeKeylogger
bae6aa63d36a0a714752cbd48d486e7b585db8b8517f9afc98d55397cbafec8b
SnakeKeylogger
c45096343494d886b5af190001a970929eb711d8a80515cf2ac1effc6d35a948
SnakeKeylogger
d935261d62e1721db7f65671dc26c56c532b98d8b3335fce23455b2404a39ed2
SnakeKeylogger
+ 966 additional samples on MalwareBazaar
Result
Malware family:
snakekeylogger
Create hunting rule
Score:
  10/10
Tags:
family:snakekeylogger keylogger spyware stealer
Link:
https://tria.ge/reports/210906-ha9zxaaee6/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Looks up external IP address via web service
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Snake Keylogger
Malware Config
C2 Extraction:
https://api.telegram.org/bot1846829589:AAHSsEDTKvDOQ17YrNRY5_FXv5z4mpfGRIc/sendMessage?chat_id=1407381447
Unpacked files
SH256 hash:
591090d00f8a32a01c99697a8022e249802a1c3076a416f9ea32cf6d693938c3
MD5 hash:
cf8d32cd78b72c50313897d1cc5d9bec
SHA1 hash:
ef701191e0b036844ea43ec8b4dd12f4a2f54314
Link:
https://www.unpac.me/results/9db62222-63f0-47bd-86ba-57cbee02d8db/
SH256 hash:
18d4c277a896986766ac699166481c81929686780ecf1382290a6fc27aaa1dea
MD5 hash:
19d3d7055c6443fa325abb82b6cc12aa
SHA1 hash:
be3ec34f1ca37b892cb56ee19ffdcf44118d1172
Link:
https://www.unpac.me/results/9db62222-63f0-47bd-86ba-57cbee02d8db/
SH256 hash:
8eb34c3c6540686493d2a8ad428006cd27a1dc938121b5066184e908df5cacc0
MD5 hash:
5edb0b6c73f7b7ea840c7317449a3c35
SHA1 hash:
7373ae5330220b0652b8fdacc33852b2a5b4d384
Link:
https://www.unpac.me/results/9db62222-63f0-47bd-86ba-57cbee02d8db/
SH256 hash:
9e3bcb513af35cefa69e5194f7c1a7ded5e53ea1a26c0fb81ccac9d7998fe2b2
MD5 hash:
127cee27db896b4c275915fa14811bd6
SHA1 hash:
e4a1d9ade705803442a3de969d355f9545f0f6b9
Link:
https://www.unpac.me/results/9db62222-63f0-47bd-86ba-57cbee02d8db/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/9e3bcb513af35cefa69e5194f7c1a7ded5e53ea1a26c0fb81ccac9d7998fe2b2

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_SUSPICIOUS_Binary_References_Browsers
Create hunting rule
Author:ditekSHen
Description:Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers.
Rule name:INDICATOR_SUSPICIOUS_EXE_DotNetProcHook
Create hunting rule
Author:ditekSHen
Description:Detects executables with potential process hoocking
Rule name:INDICATOR_SUSPICIOUS_EXE_Referenfces_Messaging_Clients
Create hunting rule
Author:ditekSHen
Description:Detects executables referencing many email and collaboration clients. Observed in information stealers
Rule name:INDICATOR_SUSPICIOUS_EXE_TelegramChatBot
Create hunting rule
Author:ditekSHen
Description:Detects executables using Telegram Chat Bot
Rule name:MALWARE_Win_SnakeKeylogger
Create hunting rule
Author:ditekSHen
Description:Detects Snake Keylogger
Rule name:MAL_Envrial_Jan18_1
Create hunting rule
Author:Florian Roth
Description:Detects Encrial credential stealer malware
Reference:https://twitter.com/malwrhunterteam/status/953313514629853184
Rule name:pe_imphash
Create hunting rule
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash
Rule name:Telegram_Exfiltration_Via_Api
Create hunting rule
Author:lsepaolo

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

SnakeKeylogger

Executable exe 9e3bcb513af35cefa69e5194f7c1a7ded5e53ea1a26c0fb81ccac9d7998fe2b2

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/1435626/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/185533/

Comments