MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 b971a16851e90b9ba431ec5c3c739204f16d361b57ac22ab43a05feee0f39ed1. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


SnakeKeylogger


Vendor detections: 14


Intelligence 14 IOCs YARA 13 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: b971a16851e90b9ba431ec5c3c739204f16d361b57ac22ab43a05feee0f39ed1
SHA3-384 hash: 8eb5f3876ac27d4f00171e02bc1fc5ef7ecc487487c5cd7a2c6442b27059926aa7ca1b14939a747760053ffa2097b31e
SHA1 hash: 01fb2ec9093c0f7abdfc6c07e3868782f3048af2
MD5 hash: d47e02ea5f155d3ede305a45c9f0b2a2
humanhash: cold-yankee-seventeen-autumn
File name:RFQ PT089110.exe
Download: download sample
Signature SnakeKeylogger
Create hunting rule
File size:347'376 bytes
First seen:2022-12-19 13:12:24 UTC
Last seen:2022-12-19 14:48:06 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 97318da386948415d08cef4a9006d669 (71 x Formbook, 35 x SnakeKeylogger, 26 x AgentTesla)
ssdeep 6144:UkwlSRcw5fqcV1WYQEXvSksppDlg1yN5lIMbWjd:s6h5j1UAvSJlL5Od5
Threatray 5'567 similar samples on MalwareBazaar
TLSH T12B74CF19135AA864E28D3571B8709B1097A84F345EB3C58AFF70BEBFB4743D728264C6
TrID 92.7% (.EXE) NSIS - Nullsoft Scriptable Install System (846567/2/133)
3.4% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
1.1% (.EXE) Win64 Executable (generic) (10523/12/4)
0.7% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
0.5% (.EXE) Win16 NE executable (generic) (5038/12/1)
File icon (PE):PE icon
dhash icon 00ac923073c88c50 (3 x SnakeKeylogger)
Reporter abuse_ch
Tags:exe SnakeKeylogger

Intelligence

File Origin
# of uploads :
2
# of downloads :
165
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
RFQ PT089110.exe
Verdict:
Malicious activity
Analysis date:
2022-12-19 13:15:34 UTC
Tags:
installer evasion trojan snake keylogger
Link:
https://app.any.run/tasks/61cf3ab6-da29-488f-b3fa-00d89d6ee9b9

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Snake
Create hunting rule
Link:
https://www.capesandbox.com/analysis/347969/
Detection(s):
SecuriteInfo.com.Variant.Jaik.77520.12992.12070.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file in the %temp% directory
Creating a window
Creating a process from a recently created file
Сreating synchronization primitives
DNS request
Sending an HTTP GET request
Reading critical registry keys
Sending a custom TCP request
Unauthorized injection to a recently created process
Unauthorized injection to a recently created process by context flags manipulation
Gathering data
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Snake Keylogger
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/56d0c098-0d1a-422b-a387-1a43f9c72edd
Result
Threat name:
Snake Keylogger
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1137163
Signature
.NET source code references suspicious native API functions
Detected unpacking (creates a PE file in dynamic memory)
Found evasive API chain (may stop execution after reading information in the PEB, e.g. number of processors)
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
May check the online IP address of the machine
Multi AV Scanner detection for dropped file
Snort IDS alert for network traffic
Yara detected Generic Downloader
Yara detected Snake Keylogger
Yara detected Telegram RAT
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/b971a16851e90b9ba431ec5c3c739204f16d361b57ac22ab43a05feee0f39ed1/
Threat name:
Win32.Trojan.Snakekeylogger
Create hunting rule
Status:
Malicious
First seen:
2022-12-19 13:13:07 UTC
File Type:
PE (Exe)
Extracted files:
3
AV detection:
19 of 26 (73.08%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=xfy2c2cr5efzxjbr5rody44satyw2nq3k6wcfk2dubp65yhtt3iq._file
Verdict:
malicious
Similar samples:
0dd996545ef3178719d3a8253b674b1fedfcf0ea1d9bb6af1409f6a47000dc1d
SnakeKeylogger
2a9cd913906e0f913fbf49f3eb0539baa49e83a46e578750b1da290e1662a21c
SnakeKeylogger
7d302f9d3565d5968f1500d01a8e6ea2b8440a318858a24a6abbe24fbf5c2214
SnakeKeylogger
a0bafce415317d58c1a59d6a176b23a07213e080dedd628611fdd423bf825096
SnakeKeylogger
b3271cac975a34320b8dd67850d535e5ef96651e3371356cf3ec7cfca34a3caf
SnakeKeylogger
c375bf8a18680d0924c42bb9186586c7a283e7fe5d694843a76ac28b7d7b68f2
SnakeKeylogger
c8e5da5d94006e08ab1bb069102abaac24bba18c458ad2253527a29380cfdf51
SnakeKeylogger
ce7267faa71bcac017522d43d0d80ad25088c83c65f01688cf26a27b7d264925
SnakeKeylogger
+ 5'557 additional samples on MalwareBazaar
Result
Malware family:
snakekeylogger
Create hunting rule
Score:
  10/10
Tags:
family:snakekeylogger collection keylogger spyware stealer
Link:
https://tria.ge/reports/221219-qf3rsafa75/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Enumerates physical storage devices
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Looks up external IP address via web service
Loads dropped DLL
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Executes dropped EXE
Snake Keylogger
Snake Keylogger payload
Unpacked files
SH256 hash:
a4dea87c44153bb33ce223c0193582b6ef2e73f17d632ecb4392fcb2830fa7ec
MD5 hash:
d19ef48d7f6d470b405e3577b65131b4
SHA1 hash:
f53b620e189662da1daf92a874c5510e64a5f0f3
Detections:
snake_keylogger
Create hunting rule
Link:
https://www.unpac.me/results/3c32a69b-6e0e-4759-bd30-498d8c3f7d89/
Parent samples :
a7f5873d043294de859736362df3aa0fb6c50ece6b9325c9b48cde35d9cddf8a
86b69e37fb4f94c2b24904bbb004474b8f57abecc6332ff595c1eacc7ab59bf6
460924c55f59314a09c710e31d9c215fdb471eafbb5d6bd348972fee078a316e
2e873b3c9f0817c1d492ee2b05319fdd277a4535c1623592c2c097f811ac45fc
cce8ba621c797e9782cc2c56058cbb25555b367673a5f70aff660dd0bd509390
15e607b94fb0b5d7cd1b5380d2f7f91634d5772218fdbadefb41e5b20ccead5d
bb6240ace6a64b0d45a7180d0b0f482597f69e270de56f7cfb47049d096b720d
15e5350ed0a3c724d2d904f87e87adadb2f658a71584b486409302c8a5b99c85
622c2192e22e7e407ee6f870dcd26689a2998571c725ac4d7f2682ec72de0fdd
30204f8d475b5d9da3ab0f5282468414fb3680aea9e171f2be3677c3531c34e7
9f8bd35c99417ab86d20781c7f4737a247ab64354e73ffbc52d5c5e35f8cdc14
2b3bc8ae8908f619944ca14696ecec764b92d6ff891838d1a7fe951580b8edea
d742297ca5cc509b66ce7090284d5a996b4bf3fb284797442402fff10ae47e74
62807c3f8896bab3bad4537ffc327dc1775e250c0f0d8822f2df585e843e3f47
454529ef92f2ff17bdfb7f8ec8df852fd1f7c7919a021adf1b6b1d41b4519ef6
a888f1a58c8c2ab3a2ae32743d0362fe01f145e76b4196c21b9c2bafc978e7fb
76cec159d26635e1caf4cd67b798904fac19e37ec5f85ca63f7a0b3d66de91e0
04a99d8b230a027d26f94dbb34a80129744482e7bf4ef5d4c94de770da6f4d84
42b6acf48bac461e6e74d778b14ff37c892369020eda38a64ff1e33ed9453206
689bab60fc1b21763f58b0b716ec90c9e28dc56988ff1b3520c5dad7a979606c
8f5a23cb25c7cb7ec6ea3a53261ed6c7983751eabaccae62dd964b8dee5259ee
0ca6f42f7efb21a5b4a93bbe6c2c4f69e9f9381f2a858872dd82df7e01332f7a
b13ea396ab71dd043b9df28dd8c484d432382228c03c8bcf57c01040d5a39ca6
33f56d6b8fadc1fb40a9485acd63a7cf42d81c5a494799513f4adddb523f84c9
b971a16851e90b9ba431ec5c3c739204f16d361b57ac22ab43a05feee0f39ed1
2b290eb25ebac77c8286c8bee0ca6b59898f1aac63c7aed531ce031864c29a73
SH256 hash:
ce541c435bb37ed19b84b9dfd04eb1aab3b9373cde591e78e1dc95f9cd767228
MD5 hash:
297b8571779244d9a2053c2f520c4378
SHA1 hash:
7fc3cf62a1a667d6496d04f37def0a1eedc5dfd0
Detections:
snake_keylogger
Create hunting rule
Link:
https://www.unpac.me/results/3c32a69b-6e0e-4759-bd30-498d8c3f7d89/
SH256 hash:
55085cf84af3439aa6e6f4301a415bdf78f4ee8b897799944d3527c4a64e4da0
MD5 hash:
95c3e6cdb0d14232b824bdb81dfb7ca1
SHA1 hash:
3e0e7a7fb3c519b6f56c0e58df34beb37507bc53
Link:
https://www.unpac.me/results/3c32a69b-6e0e-4759-bd30-498d8c3f7d89/
SH256 hash:
b971a16851e90b9ba431ec5c3c739204f16d361b57ac22ab43a05feee0f39ed1
MD5 hash:
d47e02ea5f155d3ede305a45c9f0b2a2
SHA1 hash:
01fb2ec9093c0f7abdfc6c07e3868782f3048af2
Link:
https://www.unpac.me/results/3c32a69b-6e0e-4759-bd30-498d8c3f7d89/
Malware family:
SnakeKeylogger
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/b971a16851e9/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.68
Link:
https://yomi.yoroi.company/submissions/b971a16851e90b9ba431ec5c3c739204f16d361b57ac22ab43a05feee0f39ed1

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:AsyncRat_Detection_Dec_2022
Create hunting rule
Author:Potatech
Description:AsyncRat
Rule name:cobalt_strike_tmp01925d3f
Create hunting rule
Author:The DFIR Report
Description:files - file ~tmp01925d3f.exe
Reference:https://thedfirreport.com
Rule name:INDICATOR_SUSPICIOUS_Binary_References_Browsers
Create hunting rule
Author:ditekSHen
Description:Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers.
Rule name:INDICATOR_SUSPICIOUS_EXE_DotNetProcHook
Create hunting rule
Author:ditekSHen
Description:Detects executables with potential process hoocking
Rule name:INDICATOR_SUSPICIOUS_EXE_References_Messaging_Clients
Create hunting rule
Author:ditekSHen
Description:Detects executables referencing many email and collaboration clients. Observed in information stealers
Rule name:INDICATOR_SUSPICIOUS_EXE_TelegramChatBot
Create hunting rule
Author:ditekSHen
Description:Detects executables using Telegram Chat Bot
Rule name:MALWARE_Win_SnakeKeylogger
Create hunting rule
Author:ditekSHen
Description:Detects Snake Keylogger
Rule name:MAL_Envrial_Jan18_1
Create hunting rule
Author:Florian Roth
Description:Detects Encrial credential stealer malware
Reference:https://twitter.com/malwrhunterteam/status/953313514629853184
Rule name:MAL_Envrial_Jan18_1_RID2D8C
Create hunting rule
Author:Florian Roth
Description:Detects Encrial credential stealer malware
Reference:https://twitter.com/malwrhunterteam/status/953313514629853184
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash
Rule name:Telegram_APIs
Create hunting rule
Rule name:Windows_Trojan_SnakeKeylogger_af3faa65
Create hunting rule
Author:Elastic Security

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

SnakeKeylogger

Executable exe b971a16851e90b9ba431ec5c3c739204f16d361b57ac22ab43a05feee0f39ed1

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/347969/

Comments