MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 a33b1b561bfd2384b12b03920929e3523aa0003ffa0ff95cc404bb031b21f595. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


SnakeKeylogger


Vendor detections: 13


Intelligence 13 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: a33b1b561bfd2384b12b03920929e3523aa0003ffa0ff95cc404bb031b21f595
SHA3-384 hash: b485a14c65b6c002e0753d57bd2c3b6a48be61b436ec025b3e555dab21468576052c791109c81a6a26861e072c436692
SHA1 hash: 1502c65ca59bfa2a74b4720869f973e3c9e68767
MD5 hash: 688f969a6a68d441c0c6f0466cf6835a
humanhash: mountain-nevada-william-carpet
File name:POqQQRRYit7HAd30.exe
Download: download sample
Signature SnakeKeylogger
Create hunting rule
File size:814'080 bytes
First seen:2022-10-17 17:31:55 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'741 x AgentTesla, 19'606 x Formbook, 12'242 x SnakeKeylogger)
ssdeep 12288:p9em4sJ2ajmGjnHWLGab3y+lfoBdyFaUwOX7W+5dsGcs/g:p9GsEajNDHyGabi0foB0FDfXb5d
Threatray 3'532 similar samples on MalwareBazaar
TLSH T1F305387A12964617E8293275C8C3D2F32AFB9D607061D1C79AD76F6FBC440BF9212386
TrID 72.5% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.4% (.EXE) Win64 Executable (generic) (10523/12/4)
6.5% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.4% (.EXE) Win32 Executable (generic) (4505/5/1)
2.0% (.EXE) OS/2 Executable (generic) (2029/13)
Reporter abuse_ch
Tags:exe SnakeKeylogger

Intelligence

File Origin
# of uploads :
1
# of downloads :
273
Origin country :
n/a
Vendor Threat Intelligence
Detection:
Snake
Create hunting rule
Link:
https://www.capesandbox.com/analysis/321079/
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Launching a process
Creating a process with a hidden window
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
packed
Link:
https://www.filescan.io/uploads/634d919bb5f60e72b8c7121e/reports/424227e4-7de0-4f34-af54-ca368ad02792/overview
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Snake Keylogger
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/6b91e0f8-156c-4099-8395-39451d9f0154
Result
Threat name:
Snake Keylogger
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1092138
Signature
.NET source code contains potential unpacker
.NET source code references suspicious native API functions
Adds a directory exclusion to Windows Defender
Injects a PE file into a foreign processes
Malicious sample detected (through community Yara rule)
May check the online IP address of the machine
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Scheduled temp file as task from temp location
Snort IDS alert for network traffic
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Mail credentials (via file / registry access)
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected AntiVM3
Yara detected Generic Downloader
Yara detected Snake Keylogger
Yara detected Telegram RAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 724758 Sample: POqQQRRYit7HAd30.exe Startdate: 17/10/2022 Architecture: WINDOWS Score: 100 49 Snort IDS alert for network traffic 2->49 51 Malicious sample detected (through community Yara rule) 2->51 53 Sigma detected: Scheduled temp file as task from temp location 2->53 55 8 other signatures 2->55 7 POqQQRRYit7HAd30.exe 7 2->7         started        11 jyPCrXHAoYfDa.exe 5 2->11         started        process3 file4 31 C:\Users\user\AppData\...\jyPCrXHAoYfDa.exe, PE32 7->31 dropped 33 C:\...\jyPCrXHAoYfDa.exe:Zone.Identifier, ASCII 7->33 dropped 35 C:\Users\user\AppData\Local\...\tmp125F.tmp, XML 7->35 dropped 37 C:\Users\user\...\POqQQRRYit7HAd30.exe.log, ASCII 7->37 dropped 57 May check the online IP address of the machine 7->57 59 Uses schtasks.exe or at.exe to add and modify task schedules 7->59 61 Adds a directory exclusion to Windows Defender 7->61 13 POqQQRRYit7HAd30.exe 15 2 7->13         started        17 powershell.exe 21 7->17         started        19 schtasks.exe 1 7->19         started        63 Multi AV Scanner detection for dropped file 11->63 65 Injects a PE file into a foreign processes 11->65 21 jyPCrXHAoYfDa.exe 14 2 11->21         started        23 schtasks.exe 1 11->23         started        signatures5 process6 dnsIp7 39 checkip.dyndns.com 132.226.247.73, 49711, 80 UTMEMUS United States 13->39 41 checkip.dyndns.org 13->41 43 192.168.2.1 unknown unknown 13->43 25 conhost.exe 17->25         started        27 conhost.exe 19->27         started        45 132.226.8.169, 49714, 80 UTMEMUS United States 21->45 47 checkip.dyndns.org 21->47 67 Tries to steal Mail credentials (via file / registry access) 21->67 69 Tries to harvest and steal ftp login credentials 21->69 71 Tries to harvest and steal browser information (history, passwords, etc) 21->71 29 conhost.exe 23->29         started        signatures8 process9
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/a33b1b561bfd2384b12b03920929e3523aa0003ffa0ff95cc404bb031b21f595/
Threat name:
ByteCode-MSIL.Trojan.SnakeKeylogger
Create hunting rule
Status:
Malicious
First seen:
2022-10-17 14:11:13 UTC
File Type:
PE (.Net Exe)
Extracted files:
13
AV detection:
22 of 26 (84.62%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=um5rwvq37uryjmjlaojaskpdki5kaab77ih7sxgeas5qggzb6wkq._file
Verdict:
malicious
Similar samples:
3322f0adecd7f6e55f7d22ff1b6601eb7818285e21f96e0102a24a87c92d347a
SnakeKeylogger
397664877d247f7eafbf36c917d6a619e4032e1f04da16c6211e3f8f0a6f2b0f
SnakeKeylogger
70730de8e215d6d1ddebe78090badefd43ae78d50a646c317579b49265e76832
SnakeKeylogger
7ef57837d1427b3146d85b511aff1f671a9d89462e62e76589e15ef8e5fb1761
SnakeKeylogger
98f57a58e8c04c7905cd96329487ea551f61ec1265d991f502fe7413254def12
SnakeKeylogger
be60fe1356a96d21cb257e80f85cd5b48ab376b827809f1fe63b23a7eddabca7
SnakeKeylogger
d40f32f81438c0c6bad28f8b8b08ebb452871640a691cb879ea1a4220b452017
SnakeKeylogger
e15b4c36878dd4b68d7875fd502d4259a53ab0e0d7b800df5fcbcdee3d9e9db4
SnakeKeylogger
+ 3'522 additional samples on MalwareBazaar
Result
Malware family:
snakekeylogger
Create hunting rule
Score:
  10/10
Tags:
family:snakekeylogger collection keylogger spyware stealer
Link:
https://tria.ge/reports/221017-v39wtscfeq/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Enumerates physical storage devices
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Looks up external IP address via web service
Checks computer location settings
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Snake Keylogger
Snake Keylogger payload
Malware Config
C2 Extraction:
https://api.telegram.org/bot5730126224:AAG8ho12ohAuTwDslxp72eUrJPYucSLMPS8/sendMessage?chat_id=1841961979
Unpacked files
SH256 hash:
6ad9a93fbc7a8d7ccc890478c7c96ece23484f0e8a6f0a23137cb8b5bcb9183a
MD5 hash:
84c39daf16361e60d5e8b76bc26bd1e5
SHA1 hash:
c045f1e212870df67291aec9f0a23688b8122459
Detections:
snake_keylogger
Create hunting rule
Link:
https://www.unpac.me/results/ccbd9b93-abe9-47bb-b0a8-f78f3eacb359/
Parent samples :
baaa48d4e27a4398dba1e8be81b4e092a6fbc0bac2ac3609831265c7a28a1eec
a33b1b561bfd2384b12b03920929e3523aa0003ffa0ff95cc404bb031b21f595
SH256 hash:
d692f09c0d89400be6d4f11004c3b36afa7c3a2af050aa6b8c8e96de30ff422a
MD5 hash:
69a52cfb4d92133824e47ddf10fdf69f
SHA1 hash:
a43c281b5349ea32ef66da4fa9ff9135922d8194
Link:
https://www.unpac.me/results/ccbd9b93-abe9-47bb-b0a8-f78f3eacb359/
SH256 hash:
34b4f4531d3d31bec2019922f0e3b88b79ac01b2b0bc93217916759fca2501e0
MD5 hash:
8c8dd58f54be77679cb750c3e8d55d16
SHA1 hash:
7722a6b313b282ea6114fc519eac8a628b79454a
Link:
https://www.unpac.me/results/ccbd9b93-abe9-47bb-b0a8-f78f3eacb359/
SH256 hash:
45573325c05007a1d23eed3b6333822fa55757fd5adf1fd3c5782f335b1f2d02
MD5 hash:
87183bb9232bb1ab12614022d12086f8
SHA1 hash:
13f30c3db11061dda537b07f7d8fb3e43b4479e2
Link:
https://www.unpac.me/results/ccbd9b93-abe9-47bb-b0a8-f78f3eacb359/
SH256 hash:
e20ec8f3c957bcb6a194ef688bae8af2015cfffb20e7baf8b2114d7b70ade4ee
MD5 hash:
35cb29046968faca7f3f3b4463449b6c
SHA1 hash:
088c8c30ec1bece0a4b5bbfe3982b073f8b95598
Link:
https://www.unpac.me/results/ccbd9b93-abe9-47bb-b0a8-f78f3eacb359/
SH256 hash:
a33b1b561bfd2384b12b03920929e3523aa0003ffa0ff95cc404bb031b21f595
MD5 hash:
688f969a6a68d441c0c6f0466cf6835a
SHA1 hash:
1502c65ca59bfa2a74b4720869f973e3c9e68767
Link:
https://www.unpac.me/results/ccbd9b93-abe9-47bb-b0a8-f78f3eacb359/
Malware family:
SnakeKeylogger
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/a33b1b561bfd/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/a33b1b561bfd2384b12b03920929e3523aa0003ffa0ff95cc404bb031b21f595

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

SnakeKeylogger

Executable exe a33b1b561bfd2384b12b03920929e3523aa0003ffa0ff95cc404bb031b21f595

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/321079/

Comments