MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 bb1938427ba37a7c09953897649628d7cd5267e29cbb76e11c9274fe913d2d0b. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

SnakeKeylogger

Vendor detections: 16

Intelligence 16 IOCs YARA 4 File information Comments

SHA256 hash:	bb1938427ba37a7c09953897649628d7cd5267e29cbb76e11c9274fe913d2d0b
SHA3-384 hash:	262d109c22e629021a0fbb098ec4e072c85aac9e95fc02f65d9b9a737df95282c80e836c82237426dc2134d1d7cb3684
SHA1 hash:	6260c7585b053f38e24bbb8b2af97dc7f641cecf
MD5 hash:	f151ad25f40a872a7240469724f9d5e5
humanhash:	apart-emma-oxygen-missouri
File name:	Curriculum Vitae Estrella Torres.exe
Download:	download sample
Signature	SnakeKeylogger Create hunting rule
File size:	687'104 bytes
First seen:	2024-11-11 14:26:40 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep	12288:Y4X2sUVFkaj9PaOAXvrBm3mbOUQSMD+QJfcGtLFnw5zBM:Y4m5VPj9yOAXvrw2Kx7D+QJ3nnwo
Threatray	5'672 similar samples on MalwareBazaar
TLSH	T154E49BC03A367B29CEB857F19A29DDB103B51968B415FAE25EDE77C73498B015A08F03
TrID	71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13) 10.2% (.EXE) Win64 Executable (generic) (10522/11/4) 6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 4.3% (.EXE) Win32 Executable (generic) (4504/4/1) 2.0% (.ICL) Windows Icons Library (generic) (2059/9)
Magika	pebin
Reporter	malwarelabnet
Tags:	exe SnakeKeylogger

Intelligence

File Origin

# of uploads :

# of downloads :

370

Origin country :

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

Mensajes en cuarentena(5).zip

Verdict:

Malicious activity

Analysis date:

2024-11-05 12:24:06 UTC

Tags:

attachments attc-arch arch-exec evasion snake keylogger

Link:

https://app.any.run/tasks/f70fe5e7-16b1-4f19-a6d2-cc7bf8fe87b4

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection(s):

SecuriteInfo.com.Win32.MalwareX-gen.29206.19040.UNOFFICIAL

Verdict:

Malicious

Score:

99.1%

Link:

https://cyber-fortress.com/docs/result/index.php?id=6732146d0d3694d4fc4e815f

Tags:

snake virus gates msil

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

Сreating synchronization primitives

Unauthorized injection to a recently created process

Restart of the analyzed sample

Creating a file

DNS request

Connection attempt

Sending an HTTP GET request

Sending a custom TCP request

Reading critical registry keys

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

formbook packed packed packer_detected snakekeylogger vbnet

Link:

https://www.filescan.io/uploads/6732143b058cd3deb69e743e/reports/5c489ae7-a00a-4e91-a386-6f7c8e5e2742/overview

Verdict:

Malicious

Labled as:

Trojan.Generic

Link:

https://www.hybrid-analysis.com/sample/bb1938427ba37a7c09953897649628d7cd5267e29cbb76e11c9274fe913d2d0b

Malware family:

Snake Keylogger

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/79de294d-0fb0-4a40-9a57-a91d9da317af

Result

Threat name:

Snake Keylogger

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1553667

Signature

.NET source code contains potential unpacker

AI detected suspicious sample

Found malware configuration

Injects a PE file into a foreign processes

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Tries to detect the country of the analysis system (by using the IP)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Mail credentials (via file / registry access)

Yara detected AntiVM3

Yara detected Generic Downloader

Yara detected Snake Keylogger

Behaviour

Behavior Graph:

Download SVG

Score:

100%

Verdict:

Malware

File Type:

Link:

https://malprob.io/report/bb1938427ba37a7c09953897649628d7cd5267e29cbb76e11c9274fe913d2d0b

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/bb1938427ba37a7c09953897649628d7cd5267e29cbb76e11c9274fe913d2d0b/

Threat name:

ByteCode-MSIL.Spyware.Snakekeylogger

Status:

Malicious

First seen:

2024-11-05 09:05:33 UTC

File Type:

PE (.Net Exe)

Extracted files:

AV detection:

20 of 24 (83.33%)

Threat level:

2/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=xmmtqqt3un5hycmvhclwjfri27gvez7cts5xnyi4sj2p5ej5fufq._file

Verdict:

malicious

Label(s):

unknown_loader_037

404keylogger

snakekeylogger

SnakeKeylogger

2c2278d30f145b813ad9eafe8fcc77ed6cb35679b136221974f708e943a2afaf

SnakeKeylogger

48769d9bf9c85f5285abc8e656352c4956c42e29f86102ff7a57be0a250938b3

SnakeKeylogger

71eba39e12395d9976498f3e4a3149a91ef60781a028165c1e4411b5d9101f38

SnakeKeylogger

80a98cf22ecb8a4904bd619d065c52ec7f4e44c14419a66dfe705c13395520eb

SnakeKeylogger

9c0df6bb5a583077732c10adb7c12ade664b637f4f2fcd9f05c90a5c3577d010

SnakeKeylogger

error

SnakeKeylogger

+ 5'662 additional samples on MalwareBazaar

Result

Malware family:

snakekeylogger

Score:

10/10

Tags:

family:snakekeylogger collection discovery keylogger spyware stealer

Link:

https://tria.ge/reports/241111-rseq6azgll/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

outlook_office_path

outlook_win_path

System Location Discovery: System Language Discovery

Suspicious use of SetThreadContext

Accesses Microsoft Outlook profiles

Looks up external IP address via web service

Reads user/profile data of local email clients

Reads user/profile data of web browsers

Snake Keylogger

Snake Keylogger payload

Snakekeylogger family

Malware Config

C2 Extraction:

https://api.telegram.org/bot7719054034:AAHonYJDOpWskt5QdgdvYe662dLuhtscDqw/sendMessage?chat_id=6370711846

Verdict:

Suspicious

Tags:

n/a

YARA:

n/a

Link:

https://app.threat.zone/submission/a11c3c85-3be8-4eed-a1f2-6bdfe5f195f5

Unpacked files

SH256 hash:

664529a5e0ff4c62ecc653f16fdc9676814c0f44e984fab3330550dc482738c7

MD5 hash:

0956f41ad2104cce1227e059ab0cce0a

SHA1 hash:

bca3e9a10f0105b71a78e39e93dc4c088909baca

Detections:

snake_keylogger

win_404keylogger_g1

MAL_Envrial_Jan18_1

MALWARE_Win_SnakeKeylogger

INDICATOR_SUSPICIOUS_Binary_References_Browsers

INDICATOR_SUSPICIOUS_EXE_DotNetProcHook

INDICATOR_SUSPICIOUS_EXE_References_Messaging_Clients

Link:

https://www.unpac.me/results/a38087e5-a032-40a6-b760-518890b39fd9/

Parent samples :

493218a40cbf407847bbec867d10d27b58af8c60b75c1ff157a17c0feddb375d
d1b74631302b5c504591567f870ce97e2b449e9172da6bf07a24d12923b9366c
bb1938427ba37a7c09953897649628d7cd5267e29cbb76e11c9274fe913d2d0b
60c02fe06b1245384055747b14c0c5af879c0973ff23c7701a45fd92372bf631
04a71f87d4223328a0dbef5085168ff3710b488b68bca528de391d706e01cd5a

SH256 hash:

0450d327a53b8433cf1b991cfb6ee1bb197706f6f297949cfc81f1bde7954a07

MD5 hash:

0ae826a1d3266dd5d7241e5b6490e73d

SHA1 hash:

5af126f6dc98e2d0db5d1dfc63735edfcc35ee36

Detections:

SUSP_OBF_NET_ConfuserEx_Name_Pattern_Jan24

SUSP_OBF_NET_Reactor_Indicators_Jan24

Link:

https://www.unpac.me/results/a38087e5-a032-40a6-b760-518890b39fd9/

SH256 hash:

d252a21832ae0d6b142c04e7e24aa0f9ab5040e0d3c7ace11f41411b43c6c7b2

MD5 hash:

e58c0881649203a5d9abcb69bf3e4c42

SHA1 hash:

349c8071c7d4cb34e42a36ba4b12aa8aeb79a343

Detections:

SUSP_OBF_NET_ConfuserEx_Name_Pattern_Jan24

Link:

https://www.unpac.me/results/a38087e5-a032-40a6-b760-518890b39fd9/

SH256 hash:

bb1938427ba37a7c09953897649628d7cd5267e29cbb76e11c9274fe913d2d0b

MD5 hash:

f151ad25f40a872a7240469724f9d5e5

SHA1 hash:

6260c7585b053f38e24bbb8b2af97dc7f641cecf

Link:

https://www.unpac.me/results/a38087e5-a032-40a6-b760-518890b39fd9/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/bb1938427ba37a7c09953897649628d7cd5267e29cbb76e11c9274fe913d2d0b

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	NET Create hunting rule
Author:	malware-lu

Rule name:	pe_imphash Create hunting rule

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

No further information available

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings

ID	Title	Severity
CHECK_AUTHENTICODE	Missing Authenticode	high
CHECK_DLL_CHARACTERISTICS	Missing dll Security Characteristics (HIGH_ENTROPY_VA)	high

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample