MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 9e4bd21915358667004d90ac2d979d54d1b469332d4596082954e9e8d95d5bd5. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


SnakeKeylogger


Vendor detections: 16


Intelligence 16 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 9e4bd21915358667004d90ac2d979d54d1b469332d4596082954e9e8d95d5bd5
SHA3-384 hash: 9dbd67890ed83b429440a2e15c0ff11a5f34b765986e248a3658602aef591beaaad9819add450002dd62a54017ac7db9
SHA1 hash: 2e81c8f032110720eff770dfbf03c4173268aabb
MD5 hash: 034828b725ae8224daada8e14d8f9167
humanhash: three-alanine-sixteen-lamp
File name:Signed po_000165.exe
Download: download sample
Signature SnakeKeylogger
Create hunting rule
File size:1'052'160 bytes
First seen:2023-04-05 22:19:10 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'740 x AgentTesla, 19'599 x Formbook, 12'241 x SnakeKeylogger)
ssdeep 24576:pxAqHaY3imXQ8PcHY2ZF2VkUBKknlXEHPUQAuNtGtl3tBMLj:pxAqHadpYVTVruNwtlbMLj
Threatray 288 similar samples on MalwareBazaar
TLSH T17125121433EDCA15E423A7BD44F0D2B42336CCC6A962C72B4FC9BDCBB29D716952215A
TrID 71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.2% (.EXE) Win64 Executable (generic) (10523/12/4)
6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.3% (.EXE) Win32 Executable (generic) (4505/5/1)
2.0% (.ICL) Windows Icons Library (generic) (2059/9)
File icon (PE):PE icon
dhash icon 0000000000000000 (872 x AgentTesla, 496 x Formbook, 296 x RedLineStealer)
Reporter Anonymous
Tags:exe SnakeKeylogger

Intelligence

File Origin
# of uploads :
1
# of downloads :
258
Origin country :
CH CH
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
Signed po_000165.exe
Verdict:
Malicious activity
Analysis date:
2023-04-05 22:21:46 UTC
Tags:
snake keylogger trojan evasion
Link:
https://app.any.run/tasks/eb40404e-6933-4746-bad1-5bd2d0433cb5

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Snake
Create hunting rule
Link:
https://www.capesandbox.com/analysis/380458/
Detection(s):
Sanesecurity.Malware.28872.BadIN4.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a custom TCP request
Сreating synchronization primitives
Creating a file in the %AppData% directory
Enabling the 'hidden' option for recently created files
Adding an access-denied ACE
Creating a process from a recently created file
Creating a process with a hidden window
Launching a process
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
packed snakekeylogger
Link:
https://www.filescan.io/uploads/642df4137dc0445b2389240f/reports/f874255f-52fd-47c5-8b8d-a5bbe13d687d/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_100%
Link:
https://www.hybrid-analysis.com/sample/9e4bd21915358667004d90ac2d979d54d1b469332d4596082954e9e8d95d5bd5
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Snake Keylogger
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/5d998912-21c3-4006-a03b-c53ccacbde8e
Result
Threat name:
Snake Keylogger
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1209290
Signature
Adds a directory exclusion to Windows Defender
Initial sample is a PE file and has a suspicious name
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
May check the online IP address of the machine
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Scheduled temp file as task from temp location
Snort IDS alert for network traffic
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Mail credentials (via file / registry access)
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected BrowserPasswordDump
Yara detected Generic Downloader
Yara detected Snake Keylogger
Yara detected Telegram RAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 842206 Sample: Signed_po_000165.exe Startdate: 06/04/2023 Architecture: WINDOWS Score: 100 50 Snort IDS alert for network traffic 2->50 52 Malicious sample detected (through community Yara rule) 2->52 54 Sigma detected: Scheduled temp file as task from temp location 2->54 56 7 other signatures 2->56 7 Signed_po_000165.exe 7 2->7         started        11 lhANCO.exe 5 2->11         started        process3 dnsIp4 34 C:\Users\user\AppData\Roaming\lhANCO.exe, PE32 7->34 dropped 36 C:\Users\user\...\lhANCO.exe:Zone.Identifier, ASCII 7->36 dropped 38 C:\Users\user\AppData\Local\...\tmp8C4F.tmp, XML 7->38 dropped 40 C:\Users\user\...\Signed_po_000165.exe.log, ASCII 7->40 dropped 58 May check the online IP address of the machine 7->58 60 Uses schtasks.exe or at.exe to add and modify task schedules 7->60 62 Adds a directory exclusion to Windows Defender 7->62 14 Signed_po_000165.exe 15 2 7->14         started        18 powershell.exe 21 7->18         started        20 schtasks.exe 1 7->20         started        26 2 other processes 7->26 42 192.168.2.1 unknown unknown 11->42 64 Multi AV Scanner detection for dropped file 11->64 66 Machine Learning detection for dropped file 11->66 22 lhANCO.exe 14 2 11->22         started        24 schtasks.exe 1 11->24         started        file5 signatures6 process7 dnsIp8 44 checkip.dyndns.com 132.226.8.169, 49698, 49699, 80 UTMEMUS United States 14->44 46 checkip.dyndns.org 14->46 28 conhost.exe 18->28         started        30 conhost.exe 20->30         started        48 checkip.dyndns.org 22->48 68 Tries to steal Mail credentials (via file / registry access) 22->68 70 Tries to harvest and steal ftp login credentials 22->70 72 Tries to harvest and steal browser information (history, passwords, etc) 22->72 32 conhost.exe 24->32         started        signatures9 process10
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/9e4bd21915358667004d90ac2d979d54d1b469332d4596082954e9e8d95d5bd5/
Threat name:
ByteCode-MSIL.Spyware.Snakekeylogger
Create hunting rule
Status:
Malicious
First seen:
2023-03-31 03:58:28 UTC
File Type:
PE (.Net Exe)
Extracted files:
18
AV detection:
21 of 24 (87.50%)
Threat level:
  2/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=tzf5egivgwdgoacnscwc3f45kti3i2jtfvczmcbjktu6rwk5lpkq._file
Verdict:
malicious
Similar samples:
1224acc15643267fe1c2f4585b3439037e65c819ca2cfc306b1dac95b2479b5f
SnakeKeylogger
164624329cd069611563f7bf809de8691e254759a75d667cea664d3bc305eb12
SnakeKeylogger
189d5e75f300e21f30ae87cef1c384a3e33e26b5546b8404090bffe3251d4a34
SnakeKeylogger
1bd8f3260eef97220ff4fbf88e4e4005832becf5a74742c2bd2fbf542e446972
SnakeKeylogger
3857fcbee4a5113f3be6d087d6c01d1b78383e1b5930b0549ec8bf78a8bb1fdb
SnakeKeylogger
3f380f78cc986824f49f8e5f4a93f6a4fd5355f5086ea15948fbafcb5e7ebc31
SnakeKeylogger
65cef9a73e732b359256574dd3619770177a8db2d9d8a77c52caad320e0562a5
SnakeKeylogger
936e780eba4b7c04267fd9920295dcfce6e5cc6782e75dcd56041d4ea40de60f
SnakeKeylogger
c64eedbbfb5e111089a3e0eab54f848da53dc1387b9c3a53653c534d198730fc
SnakeKeylogger
f3f560dddb5b80bbe688cc8bae8f2160f91b8bb494a9795246af42d7b2d19b2b
SnakeKeylogger
+ 278 additional samples on MalwareBazaar
Result
Malware family:
snakekeylogger
Create hunting rule
Score:
  10/10
Tags:
family:snakekeylogger collection keylogger spyware stealer
Link:
https://tria.ge/reports/230405-183btshg84/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Enumerates physical storage devices
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Looks up external IP address via web service
Checks computer location settings
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Snake Keylogger
Snake Keylogger payload
Unpacked files
SH256 hash:
e22e7f09d743e524d134f4b4bbf5f1eb5308a3edb954a40b8aa5e68c7b8cffd4
MD5 hash:
07e1f7163b7d8b6d80d83d1c819436ef
SHA1 hash:
ed7724c52e18b9810939327b803ca03837915836
Link:
https://www.unpac.me/results/9632ea38-c5b0-43f7-bd6b-a11c5317ff11/
Parent samples :
1d16237ed75b507f03609ede9722fff429f9a7386c4c4408a9f47623d7a28b50
7154910c217ddc6b6d3726e066d688288efbcd8682a4ad90556fed2ce9009c69
c5dd4dced21baff9499dac6505a77527ac91dc0b0f187c20e9b960b46b3636b9
90dd02313886725b3ad19eaa0780f7189d49e8d1a334e51e5432027e2326c14f
SH256 hash:
63d1fd2a671ca8e138392eb6dd1afba5de9ef245a1c6b77b5584c6d1c39624f5
MD5 hash:
ea7bde9d823d4cd80ecfc8bae5168fb1
SHA1 hash:
2c3ea65e8ca9c29bd8ceaf3bbf583da357461948
Link:
https://www.unpac.me/results/9632ea38-c5b0-43f7-bd6b-a11c5317ff11/
SH256 hash:
5062f99a5460cbd448d7f9c35d5c05aafa3ce36357be73268367d779dd92396e
MD5 hash:
c499b0e057f46db9f5ad9f0e9181830e
SHA1 hash:
fda2b448e6c7a411e1baed2a8bca7050b9b769ef
Link:
https://www.unpac.me/results/9632ea38-c5b0-43f7-bd6b-a11c5317ff11/
SH256 hash:
096f80249deb3dd10a2583112e60823db4d8f54ad51e0b58a2b3327b77288616
MD5 hash:
36efcd6fad83dc265ff8f7bb132c7ef3
SHA1 hash:
b67f9e15587d79d7f70d95c51d3d98817e252f3e
Link:
https://www.unpac.me/results/9632ea38-c5b0-43f7-bd6b-a11c5317ff11/
SH256 hash:
4ce6e033caef7a199f6deba24d3ae92457f77deaa6b6883cae097690491396ec
MD5 hash:
4572cee5e0d03f819d90da18ab40231f
SHA1 hash:
7926befd07104ff7969d071abc1af0535172d725
Link:
https://www.unpac.me/results/9632ea38-c5b0-43f7-bd6b-a11c5317ff11/
SH256 hash:
3c507afadbb1c31a9ebdd24baac5739d47576159e01c5e84f973c951885100aa
MD5 hash:
e79bf0e7e9d52d398e0b23b352394c68
SHA1 hash:
682325763a0ec77e0fd475ea3a4021b4651eceac
Link:
https://www.unpac.me/results/9632ea38-c5b0-43f7-bd6b-a11c5317ff11/
SH256 hash:
cae81a6e007e23158a4b209f92225c19393c1cff745f3f3376e0a0fdf93d9d2c
MD5 hash:
e3e1b8206f5602221051dbac751117ba
SHA1 hash:
5434a2e97b5fdfaf72a69ad99a57f28380124877
Detections:
snake_keylogger
Create hunting rule
Link:
https://www.unpac.me/results/9632ea38-c5b0-43f7-bd6b-a11c5317ff11/
Parent samples :
164624329cd069611563f7bf809de8691e254759a75d667cea664d3bc305eb12
3f380f78cc986824f49f8e5f4a93f6a4fd5355f5086ea15948fbafcb5e7ebc31
3b961c415aab8bafde4c9ec0a7d0ac512f4b14bb5a4128de965222d9fc96b178
f3f560dddb5b80bbe688cc8bae8f2160f91b8bb494a9795246af42d7b2d19b2b
5950b1a61395119d915e3f08dc3bd0ea19b7aa186b13523351e73579e44c9d19
1bd8f3260eef97220ff4fbf88e4e4005832becf5a74742c2bd2fbf542e446972
936e780eba4b7c04267fd9920295dcfce6e5cc6782e75dcd56041d4ea40de60f
eb7fbab560eeb18b5c34317156b7582d94bd1eae5b7559d2f6656f0d21e2e59a
9e4bd21915358667004d90ac2d979d54d1b469332d4596082954e9e8d95d5bd5
SH256 hash:
9e4bd21915358667004d90ac2d979d54d1b469332d4596082954e9e8d95d5bd5
MD5 hash:
034828b725ae8224daada8e14d8f9167
SHA1 hash:
2e81c8f032110720eff770dfbf03c4173268aabb
Link:
https://www.unpac.me/results/9632ea38-c5b0-43f7-bd6b-a11c5317ff11/
Malware family:
SnakeKeylogger
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/9e4bd2191535/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
0.90
Link:
https://yomi.yoroi.company/submissions/9e4bd21915358667004d90ac2d979d54d1b469332d4596082954e9e8d95d5bd5

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

SnakeKeylogger

Executable exe 9e4bd21915358667004d90ac2d979d54d1b469332d4596082954e9e8d95d5bd5

(this sample)

  
Dropped by
snakekeylogger
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/380458/

Comments