MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 b33a98ce498846037fd68b2055d835464a1350c9c067e250689a2be1f17dc987. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


SnakeKeylogger


Vendor detections: 14


Intelligence 14 IOCs YARA 2 File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: b33a98ce498846037fd68b2055d835464a1350c9c067e250689a2be1f17dc987
SHA3-384 hash: 2dce1ef1a0d8be2eba9a8a0197705d7eb982695266e880ce22dee89f8775112b4be202f86f71635fd9f14883dbc1a922
SHA1 hash: 2e593eb6217db01a316fe0e3b896162184ba7bfd
MD5 hash: fea070006007750c1c69082e0563f7af
humanhash: hawaii-yankee-stream-wyoming
File name:fea070006007750c1c69082e0563f7af
Download: download sample
Signature SnakeKeylogger
Create hunting rule
File size:986'624 bytes
First seen:2023-03-07 11:56:38 UTC
Last seen:2023-03-07 13:46:11 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'740 x AgentTesla, 19'597 x Formbook, 12'241 x SnakeKeylogger)
ssdeep 12288:WJX3OBVmNUfqBe4nvSopG4q91hl+7fCGiPPvG3kz6c03tSO08ZjYhP6M:KIYNUfqBpvHGcDCp/Zm9SH8G8
Threatray 4'648 similar samples on MalwareBazaar
TLSH T133259DA56F19A257E7C1A1B31804A7B7EBAC7D4D2427C0883ED13D8FB1B9D2C1111EAD
TrID 71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.2% (.EXE) Win64 Executable (generic) (10523/12/4)
6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.3% (.EXE) Win32 Executable (generic) (4505/5/1)
2.0% (.ICL) Windows Icons Library (generic) (2059/9)
Reporter zbetcheckin
Tags:32 exe SnakeKeylogger

Intelligence

File Origin
# of uploads :
2
# of downloads :
201
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
fea070006007750c1c69082e0563f7af
Verdict:
Malicious activity
Analysis date:
2023-03-07 11:57:13 UTC
Tags:
snake keylogger trojan evasion
Link:
https://app.any.run/tasks/e2bfae41-711b-4735-b80d-0ea6423d2493

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Snake
Create hunting rule
Link:
https://www.capesandbox.com/analysis/372192/
Detection(s):
Sanesecurity.Malware.28872.BadIN4.UNOFFICIAL
Create hunting rule

SecuriteInfo.com.Win32.PWSX-gen.14370.22747.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Launching a process
Searching for the window
Creating a process with a hidden window
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
packed
Link:
https://www.filescan.io/uploads/6407268f692e8896660bf68e/reports/6a5c351e-a691-45bb-b9f5-94479a8da8eb/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_100%
Link:
https://www.hybrid-analysis.com/sample/b33a98ce498846037fd68b2055d835464a1350c9c067e250689a2be1f17dc987
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Generic Malware
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/7d825396-b3f6-4754-8f9f-595c33c068ad
Result
Threat name:
Snake Keylogger
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
96 / 100
Link:
https://www.joesandbox.com/analysis/1188500
Signature
Adds a directory exclusion to Windows Defender
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
May check the online IP address of the machine
Multi AV Scanner detection for submitted file
Sigma detected: Scheduled temp file as task from temp location
Snort IDS alert for network traffic
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Mail credentials (via file / registry access)
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected Generic Downloader
Yara detected Snake Keylogger
Yara detected Telegram RAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 821376 Sample: Y0Z7HHHBFC.exe Startdate: 07/03/2023 Architecture: WINDOWS Score: 96 53 Snort IDS alert for network traffic 2->53 55 Malicious sample detected (through community Yara rule) 2->55 57 Sigma detected: Scheduled temp file as task from temp location 2->57 59 5 other signatures 2->59 7 Y0Z7HHHBFC.exe 7 2->7         started        11 pwhPOKi.exe 5 2->11         started        process3 file4 35 C:\Users\user\AppData\Roaming\pwhPOKi.exe, PE32 7->35 dropped 37 C:\Users\user\...\pwhPOKi.exe:Zone.Identifier, ASCII 7->37 dropped 39 C:\Users\user\AppData\Local\Temp\tmp9CC.tmp, XML 7->39 dropped 41 C:\Users\user\AppData\...\Y0Z7HHHBFC.exe.log, ASCII 7->41 dropped 61 May check the online IP address of the machine 7->61 63 Uses schtasks.exe or at.exe to add and modify task schedules 7->63 65 Adds a directory exclusion to Windows Defender 7->65 13 Y0Z7HHHBFC.exe 15 2 7->13         started        17 powershell.exe 21 7->17         started        19 powershell.exe 21 7->19         started        21 schtasks.exe 1 7->21         started        67 Machine Learning detection for dropped file 11->67 69 Injects a PE file into a foreign processes 11->69 23 pwhPOKi.exe 11->23         started        25 schtasks.exe 11->25         started        signatures5 process6 dnsIp7 43 checkip.dyndns.com 193.122.6.168, 49702, 80 ORACLE-BMC-31898US United States 13->43 45 checkip.dyndns.org 13->45 27 conhost.exe 17->27         started        29 conhost.exe 19->29         started        31 conhost.exe 21->31         started        47 132.226.8.169, 49707, 80 UTMEMUS United States 23->47 49 checkip.dyndns.org 23->49 51 192.168.2.1 unknown unknown 23->51 71 Tries to steal Mail credentials (via file / registry access) 23->71 73 Tries to harvest and steal ftp login credentials 23->73 75 Tries to harvest and steal browser information (history, passwords, etc) 23->75 33 conhost.exe 25->33         started        signatures8 process9
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/b33a98ce498846037fd68b2055d835464a1350c9c067e250689a2be1f17dc987/
Threat name:
ByteCode-MSIL.Spyware.SnakeLogger
Create hunting rule
Status:
Malicious
First seen:
2023-03-07 12:18:39 UTC
File Type:
PE (.Net Exe)
Extracted files:
13
AV detection:
18 of 25 (72.00%)
Threat level:
  2/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=wm5jrtsjrbdag76wrmqflwbvizfbgugjybt6euditiv6d4l5zgdq._file
Verdict:
malicious
Similar samples:
1fd1e0ff7b9e6bc7b9014cbdfa12b15459011086a2398185e5b51ca92bf8a8e5
SnakeKeylogger
4a63d124fccf3d47730bf3b1b9d1befadb2b225b3b38fdacaa135f0800548c6c
SnakeKeylogger
4f8dc84952cc5e606fb05b608f35a150e5fa629c380db2cb2cb7a5aee1f322b6
SnakeKeylogger
77864a5c81d11e61e24fa26853404d5e75a8780cd476cd6a0c7e525128a589ad
SnakeKeylogger
8572c3b461f643bf5baaeb032cf81f83af78dcc60e34d98c669d12f748bb38f3
SnakeKeylogger
8d31760b4b183db7fbb1cce9c5dab77e264c27484eb49193c6ebd0cc1deeaccf
SnakeKeylogger
8d77e4bcebfa77845ac1775d6ea0dbb44c8e874bffac615c334ef984b9b71ace
SnakeKeylogger
b6ccf763bb38649f95ffb2bc6311ecf8d6cca7b6488d76a545b3c584192918ea
SnakeKeylogger
d592465fda14fe34f19703d3222ce71ac81592f87911b908e5c12cf68cf258ac
SnakeKeylogger
e8e100895fa60d667eb81cc2fb660ac12dd998f8f20aa6d7e0ea942854dc831f
SnakeKeylogger
+ 4'638 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  7/10
Tags:
n/a
Link:
https://tria.ge/reports/230307-n4kvrshg94/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Checks computer location settings
Unpacked files
SH256 hash:
a24fbedd124cfd526ca36638273c36be572fc987268050e8b6943fad10e7a172
MD5 hash:
96d5493a82daf27407972e57180a33ce
SHA1 hash:
fa2bbd87002bf927772d0a7b72f26c3bf93da675
Link:
https://www.unpac.me/results/4660cadc-98fc-4395-8f5c-a8b1012fbaf4/
SH256 hash:
498c0460da26cfc2c4ec95b9b394bbd3db719ba08ccbd5964a533bc9006dcf8f
MD5 hash:
f4e7e91d4fdda2d3feb401b5b1d53abf
SHA1 hash:
cf9e76e6418850ac853bd9c6ce82a0be7920fc1d
Link:
https://www.unpac.me/results/4660cadc-98fc-4395-8f5c-a8b1012fbaf4/
SH256 hash:
3f27f00b220f5374e839f6d4dd6cae231eb32efa669219ae193919b4f9384c75
MD5 hash:
63dcd8430f2d1be0715b16ac70c68018
SHA1 hash:
a39caa36b4e9ff68c6b4d9d4c3bf34c637ed4038
Detections:
snake_keylogger
Create hunting rule
Link:
https://www.unpac.me/results/4660cadc-98fc-4395-8f5c-a8b1012fbaf4/
Parent samples :
ffe2eeba3c307df2994455331d6c7f19cffdcda1feeceb9ac50d519685f53c48
180a541d61bfa4fda318457b0f16f159671b14305b5993e13b4d63c649eed2cb
96b8969e22bf1183fcc6ba3778115801dd2e6ab5d05c46d7e9b03fc95558aa43
777e815415d8a5c55a3ddf78e28d4a50a5517f3938219c197c6e7c60a2f256a1
b33a98ce498846037fd68b2055d835464a1350c9c067e250689a2be1f17dc987
e83c5b4a9fbfb2294eeb8be89c3d871ad2f20b776bf9594bd0b0ecd288ad47f8
313ad26ae426d1f3293c2d78ed3fde9093661e90dc876246e8703f0a20522a21
27379979a480e5ebfe00f58eb1f2fd09836eb8a13a7dde9ac1451e4ef09c73f1
SH256 hash:
d06df7395d561e198f9b7c5481567116ff2e4c2e84437c018d2a2c8ea6c4ca37
MD5 hash:
0fb6061f7d37424fb9e6d0e76b019c19
SHA1 hash:
98a64bf7b459f032d6ec5793003bf61b5ae1dd74
Link:
https://www.unpac.me/results/4660cadc-98fc-4395-8f5c-a8b1012fbaf4/
Parent samples :
495607b1aef01bf7dfb64b5cb16a8fc0f161c2923627d71c69de97328f8eca3f
2434aa78b46a3afc98fa6e888c3eb56278ba52b0ff800e7e875af9c2e7f9011a
SH256 hash:
b27b78cfffa681eee1532a5b927901700e4728bf8f57eedb6f6a18b3d764740f
MD5 hash:
3935a785e51ab6ba860403d912e9fa00
SHA1 hash:
40953bd209a0d98366e6a7c3fadb8f394b9a07d8
Link:
https://www.unpac.me/results/4660cadc-98fc-4395-8f5c-a8b1012fbaf4/
SH256 hash:
b33a98ce498846037fd68b2055d835464a1350c9c067e250689a2be1f17dc987
MD5 hash:
fea070006007750c1c69082e0563f7af
SHA1 hash:
2e593eb6217db01a316fe0e3b896162184ba7bfd
Link:
https://www.unpac.me/results/4660cadc-98fc-4395-8f5c-a8b1012fbaf4/
Malware family:
SnakeKeylogger
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/b33a98ce4988/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/b33a98ce498846037fd68b2055d835464a1350c9c067e250689a2be1f17dc987

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

SnakeKeylogger

Executable exe b33a98ce498846037fd68b2055d835464a1350c9c067e250689a2be1f17dc987

(this sample)

  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/2561548/
Cape
Cape
https://www.capesandbox.com/analysis/372192/

Comments


Avatar
zbet commented on 2023-03-07 11:56:41 UTC

url : hxxp://198.46.174.164/118/vbc.exe