MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 b498a3f4967ef692a331633708f10ac8bbe57579957102bfe751cd479a4cc92f. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


SnakeKeylogger


Vendor detections: 16


Intelligence 16 IOCs YARA 4 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: b498a3f4967ef692a331633708f10ac8bbe57579957102bfe751cd479a4cc92f
SHA3-384 hash: c036abb52d0fad4b7cb6ae6b67d02b9185f3267c5bb8117dd18083671a55163f96052fcc3b2e286f00f19dc2beeb2e7b
SHA1 hash: 541d0eb275873c736eb7b80ab1b3619c8c2024dd
MD5 hash: 7805af2fe70854ae49f57b6d3a95e59e
humanhash: winter-yellow-asparagus-aspen
File name:Mellekelve a proforma szamla.exe
Download: download sample
Signature SnakeKeylogger
Create hunting rule
File size:614'912 bytes
First seen:2024-10-09 08:03:31 UTC
Last seen:2024-10-09 08:40:59 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'205 x SnakeKeylogger)
ssdeep 12288:znC0w99+n4+7zVlsIML0qv3V5X1TnluGvy7Y1/xy1q5mE+:Rwyn4YRlsZ5v/XRlutcysEE
Threatray 367 similar samples on MalwareBazaar
TLSH T1C5D4016C9245D607C8A527B80931F9B41B785EE9B502D31B6FE9BDEF7ABBB040C44183
TrID 71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.2% (.EXE) Win64 Executable (generic) (10523/12/4)
6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.3% (.EXE) Win32 Executable (generic) (4504/4/1)
2.0% (.ICL) Windows Icons Library (generic) (2059/9)
Magika pebin
File icon (PE):PE icon
dhash icon e0e4a3a6a4b8b8a8 (37 x Formbook, 9 x AZORult, 9 x Loki)
Reporter smica83
Tags:exe HUN SnakeKeylogger

Intelligence

File Origin
# of uploads :
2
# of downloads :
424
Origin country :
HU HU
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
4b1c6ffcfbec78b82623868cfe8d5a08a3aafe9430dd4562cd6ba16399647758
Verdict:
Malicious activity
Analysis date:
2024-10-08 13:23:02 UTC
Tags:
arch-exec evasion snake keylogger smtp
Link:
https://app.any.run/tasks/a5223d1c-d6b8-47ad-9b79-8140088fe91a

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection(s):
SecuriteInfo.com.Win32.MalwareX-gen.28263.9027.UNOFFICIAL
Create hunting rule

Verdict:
Malicious
Score:
99.1%
Link:
https://cyber-fortress.com/docs/result/index.php?id=67053231dcb599bb05a5080e
Tags:
Powershell Spam
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
packed
Link:
https://www.filescan.io/uploads/670638f20439dbe39ca75589/reports/52a96216-391d-4717-aff9-98caa9754705/overview
Verdict:
Malicious
Labled as:
Trojan.GenericS
Link:
https://www.hybrid-analysis.com/sample/b498a3f4967ef692a331633708f10ac8bbe57579957102bfe751cd479a4cc92f
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Snake Keylogger
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/bcb9ad90-1443-488a-82d7-d2d0bce21d7b
Result
Threat name:
Snake Keylogger
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1529694
Signature
.NET source code contains potential unpacker
Adds a directory exclusion to Windows Defender
AI detected suspicious sample
Found malware configuration
Icon mismatch, binary includes an icon from a different legit application in order to fool users
Loading BitLocker PowerShell Module
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Moves itself to temp directory
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Capture Wi-Fi password
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Sigma detected: Scheduled temp file as task from temp location
Suricata IDS alerts for network traffic
Tries to detect the country of the analysis system (by using the IP)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal WLAN passwords
Tries to steal Mail credentials (via file / registry access)
Uses netsh to modify the Windows network and firewall settings
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected AntiVM3
Yara detected Generic Downloader
Yara detected Snake Keylogger
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1529694 Sample: Mellekelve a proforma szamla.exe Startdate: 09/10/2024 Architecture: WINDOWS Score: 100 49 reallyfreegeoip.org 2->49 51 mail.pishgamsanaat.com 2->51 53 2 other IPs or domains 2->53 71 Suricata IDS alerts for network traffic 2->71 73 Found malware configuration 2->73 75 Malicious sample detected (through community Yara rule) 2->75 79 15 other signatures 2->79 9 Mellekelve a proforma szamla.exe 7 2->9         started        13 VbAPDfoDcfwBL.exe 5 2->13         started        signatures3 77 Tries to detect the country of the analysis system (by using the IP) 49->77 process4 file5 41 C:\Users\user\AppData\...\VbAPDfoDcfwBL.exe, PE32 9->41 dropped 43 C:\...\VbAPDfoDcfwBL.exe:Zone.Identifier, ASCII 9->43 dropped 45 C:\Users\user\AppData\Local\...\tmp18C8.tmp, XML 9->45 dropped 47 C:\...\Mellekelve a proforma szamla.exe.log, ASCII 9->47 dropped 81 Adds a directory exclusion to Windows Defender 9->81 15 Mellekelve a proforma szamla.exe 15 14 9->15         started        19 powershell.exe 23 9->19         started        21 schtasks.exe 1 9->21         started        83 Multi AV Scanner detection for dropped file 13->83 85 Machine Learning detection for dropped file 13->85 23 schtasks.exe 13->23         started        25 VbAPDfoDcfwBL.exe 13->25         started        signatures6 process7 dnsIp8 55 mail.pishgamsanaat.com 217.144.104.62, 49844, 49912, 49934 NETMIHANIR Iran (ISLAMIC Republic Of) 15->55 57 reallyfreegeoip.org 188.114.97.3, 443, 49719, 49720 CLOUDFLARENETUS European Union 15->57 59 checkip.dyndns.com 193.122.6.168, 49713, 49716, 49727 ORACLE-BMC-31898US United States 15->59 61 Moves itself to temp directory 15->61 63 Tries to steal Mail credentials (via file / registry access) 15->63 65 Tries to harvest and steal browser information (history, passwords, etc) 15->65 67 Tries to harvest and steal WLAN passwords 15->67 27 netsh.exe 15->27         started        69 Loading BitLocker PowerShell Module 19->69 29 conhost.exe 19->29         started        31 WmiPrvSE.exe 19->31         started        33 conhost.exe 21->33         started        35 conhost.exe 23->35         started        37 WerFault.exe 25->37         started        signatures9 process10 process11 39 conhost.exe 27->39         started       
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/b498a3f4967ef692a331633708f10ac8bbe57579957102bfe751cd479a4cc92f
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/b498a3f4967ef692a331633708f10ac8bbe57579957102bfe751cd479a4cc92f/
Threat name:
Win32.Trojan.Generic
Create hunting rule
Status:
Malicious
First seen:
2024-10-08 10:53:25 UTC
File Type:
PE (.Net Exe)
Extracted files:
21
AV detection:
19 of 24 (79.17%)
Threat level:
  2/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=wsmkh5ewp33jfizrmm3qr4ikzc56k5lzsvyqfp7hkhgupgsmzexq._file
Verdict:
malicious
Label(s):
unknown_loader_037
Create hunting rule
404keylogger
Create hunting rule
snakekeylogger
Create hunting rule
Similar samples:
8d52a6534dfc1c94d317743c22235f782f1ef7a2e3755ec8ecf04cd7068eb8c9
SnakeKeylogger
96daab3a11b4fb4f306dd3af66065c069f3c4647708e0a0ea987f1d1639b09c9
SnakeKeylogger
b498a3f4967ef692a331633708f10ac8bbe57579957102bfe751cd479a4cc92f
SnakeKeylogger
error
SnakeKeylogger
f45af8f50fd6e0ce6ccffb8aa16d0fe0b11d9db564c3d22a6789ed68ec36933f
SnakeKeylogger
+ 357 additional samples on MalwareBazaar
Result
Malware family:
snakekeylogger
Create hunting rule
Score:
  10/10
Tags:
family:snakekeylogger collection discovery execution keylogger persistence privilege_escalation spyware stealer
Link:
https://tria.ge/reports/241009-jx9hbs1bkh/
Behaviour
Scheduled Task/Job: Scheduled Task
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: RenamesItself
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Enumerates physical storage devices
Event Triggered Execution: Netsh Helper DLL
System Location Discovery: System Language Discovery
System Network Configuration Discovery: Wi-Fi Discovery
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Looks up external IP address via web service
Checks computer location settings
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Command and Scripting Interpreter: PowerShell
Snake Keylogger
Snake Keylogger payload
Verdict:
Malicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/322cf801-5425-4a4a-8cae-6f4cf79b6e86
Unpacked files
SH256 hash:
b0468935e0cb61cbf678dd0ba5cbaf4c4c593f4c2530da2270cb72cdbca8d60a
MD5 hash:
366bf856cb942ef26ee8a7f54ba332fb
SHA1 hash:
92fad9b7d1187da016e1d972545b276d972876b5
Detections:
snake_keylogger
Create hunting rule
win_404keylogger_g1
Create hunting rule
MAL_Envrial_Jan18_1
Create hunting rule
MALWARE_Win_SnakeKeylogger
Create hunting rule
INDICATOR_SUSPICIOUS_Binary_References_Browsers
Create hunting rule
INDICATOR_SUSPICIOUS_EXE_DotNetProcHook
Create hunting rule
Link:
https://www.unpac.me/results/715164cc-8432-4257-a746-78db8c86713a/
SH256 hash:
f1bb521aa5350287384f80c65c7124a9f21d552201a5d16780c30fe9dc361cdd
MD5 hash:
70032cd7fc0b04d277e3a163d4d56631
SHA1 hash:
39e866a60bb4dff883fb498a18721c1441ae58b6
Detections:
SUSP_OBF_NET_ConfuserEx_Name_Pattern_Jan24
Create hunting rule
SUSP_OBF_NET_Reactor_Indicators_Jan24
Create hunting rule
Link:
https://www.unpac.me/results/715164cc-8432-4257-a746-78db8c86713a/
SH256 hash:
682c261fcd08c676ef231f46eac1c054c8df17522846b9e4adbafb62e8482dab
MD5 hash:
5a6cead6de3340dd9e0b16d599e5d1f5
SHA1 hash:
00e25f93284ff0d2493c6df3a596891d0848399e
Link:
https://www.unpac.me/results/715164cc-8432-4257-a746-78db8c86713a/
SH256 hash:
b498a3f4967ef692a331633708f10ac8bbe57579957102bfe751cd479a4cc92f
MD5 hash:
7805af2fe70854ae49f57b6d3a95e59e
SHA1 hash:
541d0eb275873c736eb7b80ab1b3619c8c2024dd
Link:
https://www.unpac.me/results/715164cc-8432-4257-a746-78db8c86713a/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/b498a3f4967ef692a331633708f10ac8bbe57579957102bfe751cd479a4cc92f

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_DLL_CHARACTERISTICSMissing dll Security Characteristics (HIGH_ENTROPY_VA)high

Comments