MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 b335599221fe1c56a3783a220c80766f93085f62d6d73ff7757d0908ca4efd35. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


SnakeKeylogger


Vendor detections: 15


Intelligence 15 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: b335599221fe1c56a3783a220c80766f93085f62d6d73ff7757d0908ca4efd35
SHA3-384 hash: 14c561531cb2bd4561c68e0327b3c362dd1694c6907a9ba2f8e0187b09e668043f271ac384d61a2081cc73d4b362f690
SHA1 hash: f97ee52f82204eb024a2a6e54838b4b2dfcc3ab8
MD5 hash: dea9c101997e68ef70498f0b54ff8edf
humanhash: table-green-kansas-finch
File name:dea9c101997e68ef70498f0b54ff8edf.exe
Download: download sample
Signature SnakeKeylogger
Create hunting rule
File size:1'033'728 bytes
First seen:2023-01-27 14:02:07 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 24576:o8kyGyO4QzlGI6AAgZxP8PffCLEOV7J6f8RBo:o8kypO4jI6AlGffPqEco
Threatray 9'865 similar samples on MalwareBazaar
TLSH T1BF258A107A78DB01EE254FF610319D6427A22D1EEB2CE3581E8172EB1AFE79D3D40997
TrID 71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.2% (.EXE) Win64 Executable (generic) (10523/12/4)
6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.3% (.EXE) Win32 Executable (generic) (4505/5/1)
2.0% (.ICL) Windows Icons Library (generic) (2059/9)
File icon (PE):PE icon
dhash icon b270f0f0f8f07092 (19 x SnakeKeylogger, 4 x AgentTesla)
Reporter abuse_ch
Tags:exe SnakeKeylogger

Intelligence

File Origin
# of uploads :
1
# of downloads :
184
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
dea9c101997e68ef70498f0b54ff8edf.exe
Verdict:
Malicious activity
Analysis date:
2023-01-27 14:09:54 UTC
Tags:
evasion trojan snake keylogger
Link:
https://app.any.run/tasks/2d7605fd-766b-4cf9-8dee-2d8038b9df61

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Snake
Create hunting rule
Link:
https://www.capesandbox.com/analysis/357413/
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a custom TCP request
Сreating synchronization primitives
Creating a file in the %AppData% directory
Enabling the 'hidden' option for recently created files
Adding an access-denied ACE
Creating a process from a recently created file
Creating a process with a hidden window
Creating a file in the %temp% directory
Launching a process
Unauthorized injection to a recently created process
Creating a file
DNS request
Sending an HTTP GET request
Using the Windows Management Instrumentation requests
Reading critical registry keys
Enabling autorun by creating a file
Verdict:
No Threat
Threat level:
  2/10
Confidence:
75%
Tags:
packed
Link:
https://www.filescan.io/uploads/63d3d99989bd67c10fdac1ad/reports/988ebf37-0501-4414-9982-e44755a3b14f/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Generic Malware
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/71c592e9-32a5-4783-bcf1-1c7bbeb0d6ca
Result
Threat name:
Snake Keylogger
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1160508
Signature
.NET source code contains potential unpacker
.NET source code references suspicious native API functions
Adds a directory exclusion to Windows Defender
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
May check the online IP address of the machine
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Scheduled temp file as task from temp location
Snort IDS alert for network traffic
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Mail credentials (via file / registry access)
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected AntiVM3
Yara detected Generic Downloader
Yara detected Snake Keylogger
Yara detected Telegram RAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 793244 Sample: OsYDdXzfTf.exe Startdate: 27/01/2023 Architecture: WINDOWS Score: 100 47 Snort IDS alert for network traffic 2->47 49 Malicious sample detected (through community Yara rule) 2->49 51 Antivirus / Scanner detection for submitted sample 2->51 53 10 other signatures 2->53 7 VKcfnevUaCsCOI.exe 5 2->7         started        10 OsYDdXzfTf.exe 7 2->10         started        process3 file4 55 Antivirus detection for dropped file 7->55 57 Multi AV Scanner detection for dropped file 7->57 59 May check the online IP address of the machine 7->59 65 2 other signatures 7->65 13 VKcfnevUaCsCOI.exe 14 2 7->13         started        17 schtasks.exe 1 7->17         started        31 C:\Users\user\AppData\...\VKcfnevUaCsCOI.exe, PE32 10->31 dropped 33 C:\...\VKcfnevUaCsCOI.exe:Zone.Identifier, ASCII 10->33 dropped 35 C:\Users\user\AppData\Local\...\tmp640D.tmp, XML 10->35 dropped 37 C:\Users\user\AppData\...\OsYDdXzfTf.exe.log, ASCII 10->37 dropped 61 Uses schtasks.exe or at.exe to add and modify task schedules 10->61 63 Adds a directory exclusion to Windows Defender 10->63 19 OsYDdXzfTf.exe 15 2 10->19         started        21 powershell.exe 20 10->21         started        23 schtasks.exe 1 10->23         started        signatures5 process6 dnsIp7 39 158.101.44.242, 49699, 80 ORACLE-BMC-31898US United States 13->39 41 checkip.dyndns.org 13->41 67 Tries to steal Mail credentials (via file / registry access) 13->67 69 Tries to harvest and steal ftp login credentials 13->69 71 Tries to harvest and steal browser information (history, passwords, etc) 13->71 25 conhost.exe 17->25         started        43 checkip.dyndns.com 193.122.130.0, 49697, 80 ORACLE-BMC-31898US United States 19->43 45 checkip.dyndns.org 19->45 27 conhost.exe 21->27         started        29 conhost.exe 23->29         started        signatures8 process9
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/b335599221fe1c56a3783a220c80766f93085f62d6d73ff7757d0908ca4efd35/
Threat name:
ByteCode-MSIL.Trojan.SnakeKeylogger
Create hunting rule
Status:
Malicious
First seen:
2023-01-25 19:02:00 UTC
File Type:
PE (.Net Exe)
Extracted files:
35
AV detection:
22 of 39 (56.41%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=wm2vterb7yofni3yhirazadwn6jqqx3c23lt753vpueqrsso7u2q._file
Verdict:
malicious
Similar samples:
2b00e652ffa3e4930797d32ac541d7b14563de78aed4d47c6e3eb4126a3159b0
SnakeKeylogger
2f77a0882a1faa6b040bb17d2bc63a5a154835d46adedd98339eba6599974655
SnakeKeylogger
7d1c91342282f5a34d6035a539fa1b3f0ae9e62182cb749c1269807b2deea2be
SnakeKeylogger
9a7a657e728c731ff69db20bfb86f32dea639d2020ed4415821161aced29f7b9
SnakeKeylogger
9b5ec4049e14aa89f83aa1e7268533d5560664710c1de74c4f866d07381880d1
SnakeKeylogger
a5c5fff9f5fb5557c0be28962dd29a09b3691eeab05cb2970718d877b2559b97
SnakeKeylogger
b6ba9b1f0724dee6813ee67780cc5a130e5565d616b6acf53a7ef417ab580dfc
SnakeKeylogger
f523562a67bc90b2cde0013d43272d25b18c179dabd6ac64c281147bce7d93d1
SnakeKeylogger
+ 9'855 additional samples on MalwareBazaar
Result
Malware family:
snakekeylogger
Create hunting rule
Score:
  10/10
Tags:
family:snakekeylogger collection keylogger spyware stealer
Link:
https://tria.ge/reports/230127-rcnzwsch8v/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Enumerates physical storage devices
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Looks up external IP address via web service
Checks computer location settings
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Snake Keylogger
Snake Keylogger payload
Unpacked files
SH256 hash:
bf01887b91f08f990ad8dc70fe9b9773f2156c2fba66e06e33a18011ac98b160
MD5 hash:
1fc7db1571e0f2e0bb79e685d5ad17f0
SHA1 hash:
c6494817c78d762a10db4b5769f7a82fa91d4a63
Link:
https://www.unpac.me/results/e0e4696b-3856-4769-8f65-4b63cee2fab7/
SH256 hash:
411569f9f0b865c651adc1234d23f86cd98fe5cd641704702276e9882be113b6
MD5 hash:
7648892096f37af50468509c5b051180
SHA1 hash:
a56a074c2770152761f6c4975db0e9f7d57f8cda
Link:
https://www.unpac.me/results/e0e4696b-3856-4769-8f65-4b63cee2fab7/
SH256 hash:
f33a6612b9a76d8100b3a80fad5d4e437d1202b895233f6f1db9519c4adb0192
MD5 hash:
a32d0256f4ffaadf46b59f5e85829857
SHA1 hash:
59609c21f6f5a69e0ebe3b47a22e5cd5c36348c5
Link:
https://www.unpac.me/results/e0e4696b-3856-4769-8f65-4b63cee2fab7/
SH256 hash:
ff1b42ea7d56a37eae801adbddb7116f52a4664c0b41302736f522852edc2747
MD5 hash:
89ac57478044c57c7195943116a521e0
SHA1 hash:
1ff2bafeed795423e3538d810bda8e1e3fcdcfa5
Link:
https://www.unpac.me/results/e0e4696b-3856-4769-8f65-4b63cee2fab7/
SH256 hash:
be7e692adb6ddc9a95f4c7e98c4cfd1fa5a7638b91d8fa93b39db027f0f4e60b
MD5 hash:
93457c22f23698ae2541ee2162aca0e6
SHA1 hash:
13bfcd1c4ed7ad871b8fa1bd3a3082eaf8b5556f
Detections:
snake_keylogger
Create hunting rule
Link:
https://www.unpac.me/results/e0e4696b-3856-4769-8f65-4b63cee2fab7/
Parent samples :
1c1205143aa726f39d6efeea85dcc4273f02936241432112d00b2c7c67ff1d9c
cfdb70e6469751ee66793a4c32efa8bcf3de901c0dfe422cba0679b65d13622f
9ad926f89e44d67df18c880a39ccc198f13b9bb53f6e71bf8d0caa82b56bf84b
7901e6da6fafe2cb3a44e0aa7fdd00b589faea5a8a512eb93fcdd6d5c6794a4d
be7e692adb6ddc9a95f4c7e98c4cfd1fa5a7638b91d8fa93b39db027f0f4e60b
b335599221fe1c56a3783a220c80766f93085f62d6d73ff7757d0908ca4efd35
0f629bc76705145918a6c04774ade9c99b4ed06c6d96424a0bf9207c442807d7
e9bd723975e0a440e52c11f8df79d37e0607bd20cac3daff0661c4bb0ab7f129
cd8be35dfd9e75a60f5f1aa9b9504823b887533f220617e65244eb9d8a0f8acf
SH256 hash:
b335599221fe1c56a3783a220c80766f93085f62d6d73ff7757d0908ca4efd35
MD5 hash:
dea9c101997e68ef70498f0b54ff8edf
SHA1 hash:
f97ee52f82204eb024a2a6e54838b4b2dfcc3ab8
Link:
https://www.unpac.me/results/e0e4696b-3856-4769-8f65-4b63cee2fab7/
Malware family:
SnakeKeylogger
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/b335599221fe/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/b335599221fe1c56a3783a220c80766f93085f62d6d73ff7757d0908ca4efd35

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/357413/

Comments