MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 a3313af3a13e7801576cbcd9399e9b73d1a8e8f4940c1d44f0014513e2ce17b1. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

SnakeKeylogger

Vendor detections: 13

Intelligence 13 IOCs YARA 3 File information Comments

SHA256 hash:	a3313af3a13e7801576cbcd9399e9b73d1a8e8f4940c1d44f0014513e2ce17b1
SHA3-384 hash:	5b8785af38e20b90e35e3d8f2513cb4c5adad1077e2869afc688ec70310727b0450873d716f77e0f238824bd59edc55c
SHA1 hash:	8cea2052547bdb3cf23cceb3671a7e28a8b2da3b
MD5 hash:	ca72531e5be781f589e9a3a6790f21bf
humanhash:	rugby-bakerloo-one-crazy
File name:	Payment Information.exe
Download:	download sample
Signature	SnakeKeylogger Create hunting rule
File size:	809'984 bytes
First seen:	2024-08-21 12:14:28 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
ssdeep	24576:N5xLg+D+BlYfXYgZEKBKF4p5WV4EYONV:DxLxD4lbgZEFF4KV4EYO
Threatray	1'973 similar samples on MalwareBazaar
TLSH	T1710512B8A768EF12C6A20BF80650F37517F86E9EF412D3574FEA2DDB7924B056940603
TrID	56.5% (.EXE) Win64 Executable (generic) (10523/12/4) 11.0% (.ICL) Windows Icons Library (generic) (2059/9) 10.9% (.EXE) OS/2 Executable (generic) (2029/13) 10.7% (.EXE) Generic Win/DOS Executable (2002/3) 10.7% (.EXE) DOS Executable Generic (2000/1)
Reporter	threatcat_ch
Tags:	exe SnakeKeylogger

Intelligence

File Origin

# of uploads :

# of downloads :

382

Origin country :

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

Payment Information.exe

Verdict:

Malicious activity

Analysis date:

2024-08-21 12:17:15 UTC

Tags:

evasion snake keylogger telegram stealer

Link:

https://app.any.run/tasks/ee3dbbdb-c590-4b2b-b195-03b84a72f5d6

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection(s):

SecuriteInfo.com.Win64.MalwareX-gen.25653.3408.UNOFFICIAL

Verdict:

Malicious

Score:

94.9%

Link:

https://cyber-fortress.com/docs/result/index.php?id=66c5da49e7ff3f5a063bb2ea

Tags:

Discovery Generic Network Static Stealth

Verdict:

Suspicious

Threat level:

5/10

Confidence:

100%

Tags:

masquerade packed vbnet

Link:

https://www.filescan.io/uploads/66c5da4e98e036ebc63672e5/reports/f3160d03-3334-4918-aa72-6d28008f5ed7/overview

Verdict:

Unknown

Link:

https://www.hybrid-analysis.com/sample/a3313af3a13e7801576cbcd9399e9b73d1a8e8f4940c1d44f0014513e2ce17b1

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Snake Keylogger

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/2f1eff9b-26ca-4b82-a0dd-dd0aef21f549

Result

Threat name:

Snake Keylogger, VIP Keylogger

Detection:

malicious

Classification:

troj.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1496574

Signature

AI detected suspicious sample

Antivirus detection for URL or domain

Found malware configuration

Initial sample is a PE file and has a suspicious name

Injects a PE file into a foreign processes

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Modifies the context of a thread in another process (thread injection)

Yara detected Snake Keylogger

Yara detected Telegram RAT

Yara detected VIP Keylogger

Behaviour

Behavior Graph:

Download SVG

Score:

100%

Verdict:

Malware

File Type:

Link:

https://malprob.io/report/a3313af3a13e7801576cbcd9399e9b73d1a8e8f4940c1d44f0014513e2ce17b1

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/a3313af3a13e7801576cbcd9399e9b73d1a8e8f4940c1d44f0014513e2ce17b1/

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=umytv45bhz4acv3mxtmtthu3opi2r2husqgb2rhqafcrhywoc6yq._file

Verdict:

malicious

SnakeKeylogger

a3313af3a13e7801576cbcd9399e9b73d1a8e8f4940c1d44f0014513e2ce17b1

SnakeKeylogger

c2c4eb306f16f75c7cc6a4afc6b5161b8f84eb242604b739d172ac1ae1f01d15

SnakeKeylogger

d3bcf5854e83b2c9367039bfb1b22f430318b400c5117f5e1c1feacbc1fdeae6

SnakeKeylogger

f35f4d73501f046d2319a9d6284235bad63461584faced48db23d9fdd032a045

SnakeKeylogger

+ 1'963 additional samples on MalwareBazaar

Result

Malware family:

vipkeylogger

Score:

10/10

Tags:

family:vipkeylogger collection credential_access discovery keylogger spyware stealer

Link:

https://tria.ge/reports/240821-pewrea1enr/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

outlook_office_path

outlook_win_path

Browser Information Discovery

Suspicious use of SetThreadContext

Accesses Microsoft Outlook profiles

Looks up external IP address via web service

Reads user/profile data of local email clients

Reads user/profile data of web browsers

Credentials from Password Stores: Credentials from Web Browsers

VIPKeylogger

Malware Config

C2 Extraction:

https://api.telegram.org/bot7470097193:AAH7g9zj8FQx12YOFkn9mZO_1-BTN4b6gKo/sendMessage?chat_id=6155920142

Verdict:

Malicious

Tags:

n/a

YARA:

n/a

Link:

https://app.threat.zone/submission/040d6d24-e41b-431f-b3a4-6efeb19e3384

Unpacked files

SH256 hash:

a3313af3a13e7801576cbcd9399e9b73d1a8e8f4940c1d44f0014513e2ce17b1

MD5 hash:

ca72531e5be781f589e9a3a6790f21bf

SHA1 hash:

8cea2052547bdb3cf23cceb3671a7e28a8b2da3b

Link:

https://www.unpac.me/results/037aca4d-1a66-4b0a-93c7-b3ad925712f8/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/a3313af3a13e7801576cbcd9399e9b73d1a8e8f4940c1d44f0014513e2ce17b1

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	NET Create hunting rule
Author:	malware-lu

Rule name:	pe_no_import_table Create hunting rule
Description:	Detect pe file that no import table

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

SnakeKeylogger

exe a3313af3a13e7801576cbcd9399e9b73d1a8e8f4940c1d44f0014513e2ce17b1

(this sample)

Delivery method

Distributed via e-mail attachment

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings

ID	Title	Severity
CHECK_AUTHENTICODE	Missing Authenticode	high
CHECK_DLL_CHARACTERISTICS	Missing dll Security Characteristics (HIGH_ENTROPY_VA)	high

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample