MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 b7d2b37cc28a00f2b70eab0d8d20fd07b5f8d4a908b5de1f5ad828fe80edcdfb. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


SnakeKeylogger


Vendor detections: 15


Intelligence 15 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: b7d2b37cc28a00f2b70eab0d8d20fd07b5f8d4a908b5de1f5ad828fe80edcdfb
SHA3-384 hash: 2f50aa89b0a597466a25a294dc20492459c3133e65d5d2a8e06c74cbbcd4fb3b75530bb9c5d1a2096a6c7f6be52b4d21
SHA1 hash: 98f45995e4891fd10a7229d89ac966be044cf8ae
MD5 hash: c059b627b34942fdb9963290d3bf54d9
humanhash: bacon-fix-four-avocado
File name:AWB 5331810761.exe
Download: download sample
Signature SnakeKeylogger
Create hunting rule
File size:623'104 bytes
First seen:2023-09-29 07:02:40 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'666 x AgentTesla, 19'479 x Formbook, 12'208 x SnakeKeylogger)
ssdeep 12288:2sXs/PP5KypE/pjWsuaTvWotigoTaqb06yyOi6J:2sc/XEypE/pjvuaTOotLoTJbbOi8
Threatray 5'527 similar samples on MalwareBazaar
TLSH T1ADD4A23C21E92A8CF36596BCF3744EFF57D5796F91ABB8B7AC4CA18306A57C05502220
TrID 63.0% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
11.2% (.SCR) Windows screen saver (13097/50/3)
9.0% (.EXE) Win64 Executable (generic) (10523/12/4)
5.6% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
3.8% (.EXE) Win32 Executable (generic) (4505/5/1)
Reporter lowmal3
Tags:exe SnakeKeylogger

Intelligence

File Origin
# of uploads :
1
# of downloads :
272
Origin country :
DE DE
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
AWB 5331810761.exe
Verdict:
Malicious activity
Analysis date:
2023-09-29 07:32:51 UTC
Tags:
evasion snake
Link:
https://app.any.run/tasks/8376617a-3d6c-4d35-aad4-9221e4fd836e

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Snake
Create hunting rule
Link:
https://www.capesandbox.com/analysis/451871/
Detection(s):
Win.Dropper.Malaz-9939293-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
DNS request
Creating a file in the %AppData% directory
Creating a file in the %temp% directory
Сreating synchronization primitives
Launching a process
Creating a process with a hidden window
Unauthorized injection to a recently created process
Restart of the analyzed sample
Creating a file
Enabling autorun by creating a file
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
packed
Link:
https://www.filescan.io/uploads/651676a786207ed628208851/reports/ad9c6191-381f-4a8a-97a6-b0fe3567d948/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_100%
Link:
https://www.hybrid-analysis.com/sample/b7d2b37cc28a00f2b70eab0d8d20fd07b5f8d4a908b5de1f5ad828fe80edcdfb
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Suspicious
Link:
https://analyze.intezer.com/analyses/6624c583-dc10-4b0c-b922-6b952f9d6708
Result
Threat name:
Snake Keylogger
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1316211
Signature
.NET source code contains potential unpacker
.NET source code contains very large strings
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Found malware configuration
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
May check the online IP address of the machine
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Scheduled temp file as task from temp location
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Uses schtasks.exe or at.exe to add and modify task schedules
Uses the Telegram API (likely for C&C communication)
Yara detected AntiVM3
Yara detected Generic Downloader
Yara detected Snake Keylogger
Yara detected Telegram RAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 1316211 Sample: AWB_5331810761.exe Startdate: 29/09/2023 Architecture: WINDOWS Score: 100 43 Found malware configuration 2->43 45 Malicious sample detected (through community Yara rule) 2->45 47 Antivirus / Scanner detection for submitted sample 2->47 49 10 other signatures 2->49 7 uxkwHpZ.exe 5 2->7         started        10 AWB_5331810761.exe 6 2->10         started        process3 file4 51 Antivirus detection for dropped file 7->51 53 Multi AV Scanner detection for dropped file 7->53 55 May check the online IP address of the machine 7->55 57 Machine Learning detection for dropped file 7->57 13 uxkwHpZ.exe 14 2 7->13         started        17 schtasks.exe 1 7->17         started        27 C:\Users\user\AppData\Roaming\uxkwHpZ.exe, PE32 10->27 dropped 29 C:\Users\user\AppData\Local\...\tmp60D2.tmp, XML 10->29 dropped 59 Tries to detect sandboxes and other dynamic analysis tools (process name or module or function) 10->59 61 Uses schtasks.exe or at.exe to add and modify task schedules 10->61 63 Injects a PE file into a foreign processes 10->63 19 AWB_5331810761.exe 15 2 10->19         started        21 schtasks.exe 1 10->21         started        signatures5 process6 dnsIp7 31 api.telegram.org 13->31 33 checkip.dyndns.org 13->33 35 132.226.247.73, 49723, 80 UTMEMUS United States 13->35 65 Tries to steal Mail credentials (via file / registry access) 13->65 67 Tries to harvest and steal browser information (history, passwords, etc) 13->67 23 conhost.exe 17->23         started        37 checkip.dyndns.org 19->37 39 checkip.dyndns.com 132.226.8.169, 49722, 80 UTMEMUS United States 19->39 41 api.telegram.org 149.154.167.220, 443, 49724, 49725 TELEGRAMRU United Kingdom 19->41 25 conhost.exe 21->25         started        signatures8 69 Uses the Telegram API (likely for C&C communication) 31->69 process9
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/b7d2b37cc28a00f2b70eab0d8d20fd07b5f8d4a908b5de1f5ad828fe80edcdfb/
Threat name:
Win32.Trojan.Znyonm
Create hunting rule
Status:
Malicious
First seen:
2023-09-29 01:55:49 UTC
File Type:
PE (.Net Exe)
Extracted files:
15
AV detection:
21 of 36 (58.33%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=w7jlg7gcriapfnyovmgy2ih5a627rvfjbc254h223aup5ahnzx5q._file
Verdict:
malicious
Similar samples:
003569fddd9c4c72cfd68b3188ffc2700138a90212a85aedbf040e1f68f9acdd
SnakeKeylogger
2a4f2bb0198262260af505eb3198a4a38dcee62a483f9fa42d55568b9acc53f2
SnakeKeylogger
37126cf9380ef51cfd3edd6718f68995776eb13df819ebae3d1ac974148ec3cb
SnakeKeylogger
92252e96c7db737e221fbe7b947a2755b504006c4542aee48e77b418e1dc1056
SnakeKeylogger
96ea4265a04a7c823bc0a2d69bd32f60e2444560514e432300f54188170de56c
SnakeKeylogger
9cf6d5cd29fb18af1b61c0a16afbb98bc5ee95cca75539a6a84749ee18f76b4d
SnakeKeylogger
b3e791bbad95783e8a22c6358d4fed3a65e78be8f39664bf2df669258869f5ef
SnakeKeylogger
e47b7ff50e6e7dd47087235ad782bdc84255e2642e80744d34ae027a2db13aec
SnakeKeylogger
ed5d871ea2afdbdd66a20e04f156f2ecb0fa56e929aaeaa65779e37a13852e20
SnakeKeylogger
+ 5'517 additional samples on MalwareBazaar
Result
Malware family:
snakekeylogger
Create hunting rule
Score:
  10/10
Tags:
family:snakekeylogger collection keylogger spyware stealer
Link:
https://tria.ge/reports/230929-hvcvxagc8z/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Enumerates physical storage devices
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Looks up external IP address via web service
Checks computer location settings
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Snake Keylogger
Snake Keylogger payload
Malware Config
C2 Extraction:
https://api.telegram.org/bot6493157304:AAGHAAmVG_ud-GzRlE5SfjpNm92V1vbaysI/sendMessage?chat_id=6518133154
Unpacked files
SH256 hash:
d4a9e7a7dd1c43be866ef39837fad53efcd063acf45d522d323318a0ae9bedb7
MD5 hash:
a9193b3b186bcaf041dcb489a40edad0
SHA1 hash:
ac21be1fd5e469d40f315a6e072e3c741bf269f1
Detections:
snake_keylogger
Create hunting rule
Link:
https://www.unpac.me/results/1492a8e8-4cb7-470f-868e-31f3b0e6a84d/
Parent samples :
37126cf9380ef51cfd3edd6718f68995776eb13df819ebae3d1ac974148ec3cb
b7d2b37cc28a00f2b70eab0d8d20fd07b5f8d4a908b5de1f5ad828fe80edcdfb
SH256 hash:
7dff192e9ffa97da667d06ca06ca3b7f462d772adc9d3f7fee3caf749ea97eeb
MD5 hash:
111ae521ccec1c1fccd477a621b5cd68
SHA1 hash:
4da0b092352281313436414c3d4c1d8411fae477
Link:
https://www.unpac.me/results/1492a8e8-4cb7-470f-868e-31f3b0e6a84d/
SH256 hash:
f3f7b59a1b5782c6df5e129ac62d27473b638a10820929cf6c6b07b84594bae8
MD5 hash:
9824cc1c32974d27e818c969b139d1f6
SHA1 hash:
4158f644fbea9c4791a3258be782f2c39ade72f3
Link:
https://www.unpac.me/results/1492a8e8-4cb7-470f-868e-31f3b0e6a84d/
SH256 hash:
b7d2b37cc28a00f2b70eab0d8d20fd07b5f8d4a908b5de1f5ad828fe80edcdfb
MD5 hash:
c059b627b34942fdb9963290d3bf54d9
SHA1 hash:
98f45995e4891fd10a7229d89ac966be044cf8ae
Link:
https://www.unpac.me/results/1492a8e8-4cb7-470f-868e-31f3b0e6a84d/
Malware family:
SnakeKeylogger
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/b7d2b37cc28a/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/b7d2b37cc28a00f2b70eab0d8d20fd07b5f8d4a908b5de1f5ad828fe80edcdfb

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

SnakeKeylogger

Executable exe b7d2b37cc28a00f2b70eab0d8d20fd07b5f8d4a908b5de1f5ad828fe80edcdfb

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/451871/

Comments