MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 b9ef8dc07e74e61208650e6141a5f9a9f1d3c3fa0e925ca5b6c38aa1f4f900cd. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

SnakeKeylogger

Vendor detections: 13

Intelligence 13 IOCs YARA 2 File information Comments

SHA256 hash:	b9ef8dc07e74e61208650e6141a5f9a9f1d3c3fa0e925ca5b6c38aa1f4f900cd
SHA3-384 hash:	85e940e018b09dbb845074722f963cc71bb297fedd4b130ee9e1f502a753c8a4b8a566dbd78581812977a3e5598118b3
SHA1 hash:	b8ad3ef06ace2a86780d8f493b36e987fee28d67
MD5 hash:	5793bccd58568fa90f9cab543cb92afb
humanhash:	uncle-queen-low-north
File name:	VESSELS PARTICULARS.exe
Download:	download sample
Signature	SnakeKeylogger Create hunting rule
File size:	761'856 bytes
First seen:	2023-07-12 06:03:09 UTC
Last seen:	2023-07-12 06:43:28 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep	12288:bWT8Aq904DyW7xuXt6CCQd4Icht+JHDiRhK8USfNTpeMusGzFKdOT:B8RA+JjMcd8leMpGg
Threatray	3'146 similar samples on MalwareBazaar
TLSH	T17DF4443DA4542226CD7CDEAA42CF494CF2E2560BF35EB93F2AD61AC34612941F7C681D
TrID	63.0% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13) 11.2% (.SCR) Windows screen saver (13097/50/3) 9.0% (.EXE) Win64 Executable (generic) (10523/12/4) 5.6% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 3.8% (.EXE) Win32 Executable (generic) (4505/5/1)
Reporter	abuse_ch
Tags:	exe SnakeKeylogger

Intelligence

File Origin

# of uploads :

# of downloads :

258

Origin country :

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

VESSELS PARTICULARS.exe

Verdict:

Malicious activity

Analysis date:

2023-07-12 06:10:55 UTC

Tags:

evasion snake keylogger trojan

Link:

https://app.any.run/tasks/7b02ef08-0cc2-4651-8241-3aa4cd2ea96b

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

Snake

Link:

https://www.capesandbox.com/analysis/416239/

Detection(s):

SecuriteInfo.com.Win32.PWSX-gen.19324.24459.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

Launching a process

Creating a process with a hidden window

Restart of the analyzed sample

Verdict:

Suspicious

Threat level:

5/10

Confidence:

100%

Tags:

lolbin packed replace

Link:

https://www.filescan.io/uploads/64ae4254a15fc7eb4fd10ffc/reports/8ad19007-485a-42ec-99a6-df4062d76ff6/overview

Verdict:

Malicious

Labled as:

Win/malicious_confidence_90%

Link:

https://www.hybrid-analysis.com/sample/b9ef8dc07e74e61208650e6141a5f9a9f1d3c3fa0e925ca5b6c38aa1f4f900cd

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Verdict:

Suspicious

Link:

https://analyze.intezer.com/analyses/b088554a-bf5f-4cf6-a233-9da19bd4c4fa

Result

Threat name:

Snake Keylogger

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1271653

Signature

Found malware configuration

Injects a PE file into a foreign processes

Machine Learning detection for dropped file

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

May check the online IP address of the machine

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Sigma detected: Scheduled temp file as task from temp location

Snort IDS alert for network traffic

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Mail credentials (via file / registry access)

Uses schtasks.exe or at.exe to add and modify task schedules

Yara detected Generic Downloader

Yara detected Snake Keylogger

Yara detected Telegram RAT

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/b9ef8dc07e74e61208650e6141a5f9a9f1d3c3fa0e925ca5b6c38aa1f4f900cd/

Threat name:

ByteCode-MSIL.Worm.LovGate

Status:

Malicious

First seen:

2023-07-12 06:04:06 UTC

File Type:

PE (.Net Exe)

Extracted files:

AV detection:

19 of 24 (79.17%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=xhxy3qd6ottbecdfbzqudjpzvhy5hq72b2jfzjnwyofkd5hzadgq._file

Verdict:

malicious

SnakeKeylogger

11ac39821487f87eac7ad91f2d6d94037cd25947d6485a0e974d89fadbf2f950

SnakeKeylogger

1e6d877e28638122cf889cb074d451010ab7aaaab155348d1719c7467e697dac

SnakeKeylogger

4bd65c6278bf0a954b76e47052d212150a61be572f3f0dd2dac5345dfd875707

SnakeKeylogger

53081b8516852eee078265c82b2f9b70367d3d2a50d8886e24f2704a3b683929

SnakeKeylogger

8158e1869f8d46e43475b20b428189503dee35d2a34da9467fd58c95fc7f6057

SnakeKeylogger

9c3a93c9fb73bcb55516b64442f10442919ce9e8d6e00a751e5a86f516bd9ecf

SnakeKeylogger

b88395f4d398c54925af660992e5b72acae5e15823ea88b91b528415eb674566

SnakeKeylogger

eb6ac5c1adc4a760d3632874fd1ce4299e761023a5afedeaffdcf27009d185b8

SnakeKeylogger

+ 3'136 additional samples on MalwareBazaar

Result

Malware family:

snakekeylogger

Score:

10/10

Tags:

family:snakekeylogger collection keylogger spyware stealer

Link:

https://tria.ge/reports/230712-gsljlaca88/

Behaviour

Creates scheduled task(s)

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

outlook_office_path

outlook_win_path

Enumerates physical storage devices

Suspicious use of SetThreadContext

Accesses Microsoft Outlook profiles

Looks up external IP address via web service

Checks computer location settings

Reads user/profile data of local email clients

Reads user/profile data of web browsers

Snake Keylogger

Snake Keylogger payload

Unpacked files

SH256 hash:

34cf93a496018b90f41ec0fc9dc49e13357a00c91ab9124562090fd1581b7dc3

MD5 hash:

c95366fd32623b3bc9c57701e156051f

SHA1 hash:

edc775f1a6bb6125a6b8c91cccca25de1c33e9e1

Link:

https://www.unpac.me/results/0197a54c-4cf4-40eb-81b3-3e88ab76585f/

SH256 hash:

a7e471f7bc560488312d57e885bb4cfc423587a0d84abbb3073a820f7cd0e209

MD5 hash:

e7709a907be0cdb6ff7eb99daee97c6c

SHA1 hash:

bb3f6871c40f54070b53947bf6958d410ea8bac1

Link:

https://www.unpac.me/results/0197a54c-4cf4-40eb-81b3-3e88ab76585f/

SH256 hash:

d13c6f18c9166783d0df281b20f83c1eead33c8ad8ae3fa649f0484d46ad2e4f

MD5 hash:

2e79fb8c175018dbae8284e99a3bb56f

SHA1 hash:

00ff18727d6f2de95ccf9bfb5b3f336dfd64ee42

Detections:

snake_keylogger

Link:

https://www.unpac.me/results/0197a54c-4cf4-40eb-81b3-3e88ab76585f/

Parent samples :

e74ecf1c2f87e3182e7a6414767b62eeea8a49e1d1b08894fbb50a8cd6243961
bde75e5a73df3ef95e72fd79905f718427f70945166bbf8558f9e84b3605abaa
a854d103628be8a5a7fba616001a113407ef81f817e61961099fa6138c0690d5
4bd65c6278bf0a954b76e47052d212150a61be572f3f0dd2dac5345dfd875707
8158e1869f8d46e43475b20b428189503dee35d2a34da9467fd58c95fc7f6057
9c3a93c9fb73bcb55516b64442f10442919ce9e8d6e00a751e5a86f516bd9ecf
b9ef8dc07e74e61208650e6141a5f9a9f1d3c3fa0e925ca5b6c38aa1f4f900cd
08d13a3f8a8759c5124ced987c74889a2fdf42b491e78e30a4a546857c4eed0d
11ac39821487f87eac7ad91f2d6d94037cd25947d6485a0e974d89fadbf2f950
7753af1911ff73ecac07b26ff5ce15cf04ed197748bc2ac3984c5413faa19a97

SH256 hash:

b9ef8dc07e74e61208650e6141a5f9a9f1d3c3fa0e925ca5b6c38aa1f4f900cd

MD5 hash:

5793bccd58568fa90f9cab543cb92afb

SHA1 hash:

b8ad3ef06ace2a86780d8f493b36e987fee28d67

Link:

https://www.unpac.me/results/0197a54c-4cf4-40eb-81b3-3e88ab76585f/

Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	pe_imphash Create hunting rule

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

SnakeKeylogger

exe b9ef8dc07e74e61208650e6141a5f9a9f1d3c3fa0e925ca5b6c38aa1f4f900cd

(this sample)

Delivery method

Distributed via e-mail attachment

Cape

https://www.capesandbox.com/analysis/416239/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample