MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 dc0b683847ddf19ba1255c14d2c4b9f61453a021ec37f4ae0425958e5c910340. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


SnakeKeylogger


Vendor detections: 12


Intelligence 12 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: dc0b683847ddf19ba1255c14d2c4b9f61453a021ec37f4ae0425958e5c910340
SHA3-384 hash: c320188cbbad5de670301bb10e1ea42b85f90b120991ab8af71bfc075ae0ac9ed7ed8088df6b864a32ac9c54a136ba3b
SHA1 hash: a5c3dd689600ae86731babff602f54c16d8b51f7
MD5 hash: 396b45afc8dc70a3f916302a3b83224d
humanhash: lemon-muppet-five-purple
File name:MV YAMAHARU- VSL PARTICULARS.exe
Download: download sample
Signature SnakeKeylogger
Create hunting rule
File size:498'176 bytes
First seen:2022-06-29 16:02:49 UTC
Last seen:2022-06-29 17:30:29 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'744 x AgentTesla, 19'614 x Formbook, 12'242 x SnakeKeylogger)
ssdeep 12288:l7YMOsDcQfhlQFbXrjauu2iNHvPy6DqE1yN/UBv6yx3UDavEM:Duu11PyqeMJ6ukD2
Threatray 8'177 similar samples on MalwareBazaar
TLSH T15BB46C983A2C31EEC957D4728E985CB4EA6224BF671B5113D063299DDE0CB87DF604F2
TrID 30.2% (.EXE) Win64 Executable (generic) (10523/12/4)
18.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
14.4% (.EXE) Win16 NE executable (generic) (5038/12/1)
12.9% (.EXE) Win32 Executable (generic) (4505/5/1)
5.9% (.EXE) Win16/32 Executable Delphi generic (2072/23)
Reporter abuse_ch
Tags:exe SnakeKeylogger

Intelligence

File Origin
# of uploads :
2
# of downloads :
213
Origin country :
n/a
Vendor Threat Intelligence
Detection:
Snake
Create hunting rule
Link:
https://www.capesandbox.com/analysis/284294/
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a custom TCP request
Сreating synchronization primitives
Creating a file in the %AppData% directory
Creating a file in the %temp% directory
Launching a process
Creating a process with a hidden window
Unauthorized injection to a recently created process
Creating a file
DNS request
Sending an HTTP GET request
Enabling autorun by creating a file
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
packed
Link:
https://www.filescan.io/uploads/62bc77f9a80f69eaf34a7da4/reports/ef595b1d-cb71-4df5-a30f-efafab3895c1/overview
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Snake Keylogger
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/2e7c9e6d-7a39-44a7-965a-4e99cdf464f8
Result
Threat name:
Snake Keylogger
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1022121
Signature
.NET source code references suspicious native API functions
Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
May check the online IP address of the machine
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
PE file contains section with special chars
PE file has nameless sections
Snort IDS alert for network traffic
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Mail credentials (via file / registry access)
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected AntiVM3
Yara detected Generic Downloader
Yara detected Snake Keylogger
Yara detected Telegram RAT
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/dc0b683847ddf19ba1255c14d2c4b9f61453a021ec37f4ae0425958e5c910340/
Threat name:
ByteCode-MSIL.Trojan.Taskun
Create hunting rule
Status:
Malicious
First seen:
2022-06-29 14:39:10 UTC
File Type:
PE (.Net Exe)
Extracted files:
10
AV detection:
15 of 26 (57.69%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=3qfwqoch3xyzxijflqknfrfz6ykfhibb5q37jlqeewky4xeranaa._file
Verdict:
malicious
Similar samples:
16c9ef9684c42255f47a495b2984e99f3227d5a13f899c9eabe89ed831a67204
SnakeKeylogger
279b911a8deff7f7887920f7580adfd320630808c39e481beb0d3c619242a718
SnakeKeylogger
2e0bcd0644f82dbd6f7bc920b54bf6b4a621ac938a18d35695776f44ae6bccd0
SnakeKeylogger
b16bc49773e1653815010381ec864517966d8566eb1249b53c217758f89318e9
SnakeKeylogger
bf3e7b08e131f9ff5b860058ae7afc405d95a718f6c65cbc239dd35ec0f39d3a
SnakeKeylogger
c87e8d2f201fab1985505b25f2eb6a78880a10be371060f788a6615af34ae9e9
SnakeKeylogger
e081465f75b5fc1a981ad522ad595642d28c19df648d26c2694f6d09d8035872
SnakeKeylogger
ed406bf65b9ee9c2f1e695b06fe2719868b4e8917ef2bde8052b724e82476c61
SnakeKeylogger
+ 8'167 additional samples on MalwareBazaar
Result
Malware family:
snakekeylogger
Create hunting rule
Score:
  10/10
Tags:
family:snakekeylogger collection keylogger spyware stealer
Link:
https://tria.ge/reports/220629-thb9dsahbj/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Enumerates physical storage devices
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Looks up external IP address via web service
Checks computer location settings
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Snake Keylogger
Snake Keylogger Payload
Unpacked files
SH256 hash:
192fcad001d5eeb69fd440908a9855e0f796958b1107e37e84c283aca14083fb
MD5 hash:
e38ac68337289f9aa9276b115c5e3bb1
SHA1 hash:
78d00d0e6b092829500780e641b900a52055852d
Link:
https://www.unpac.me/results/f2995d59-d823-4a29-9d77-9e5ac8ab88bc/
SH256 hash:
64de81755fe1db47ded221bdd046e7d15f860ea692e60da095cb32b9f25b7e06
MD5 hash:
3770c50d1da2881555c5de9acb211e24
SHA1 hash:
6a623ae8f77e3f6ffa6cf7b63346b99db0c5e1c4
Link:
https://www.unpac.me/results/f2995d59-d823-4a29-9d77-9e5ac8ab88bc/
SH256 hash:
79823e47436e129def4fba8ee225347a05b7bb27477fb1cc8be6dc9e9ce75696
MD5 hash:
39f524c1ab0eb76dfd79b2852e5e8c39
SHA1 hash:
428018e1701006744e34480b0029982a76d8a57d
Link:
https://www.unpac.me/results/f2995d59-d823-4a29-9d77-9e5ac8ab88bc/
SH256 hash:
dc0b683847ddf19ba1255c14d2c4b9f61453a021ec37f4ae0425958e5c910340
MD5 hash:
396b45afc8dc70a3f916302a3b83224d
SHA1 hash:
a5c3dd689600ae86731babff602f54c16d8b51f7
Link:
https://www.unpac.me/results/f2995d59-d823-4a29-9d77-9e5ac8ab88bc/
Malware family:
SnakeKeylogger
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/dc0b683847dd/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/dc0b683847ddf19ba1255c14d2c4b9f61453a021ec37f4ae0425958e5c910340

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

SnakeKeylogger

Executable exe dc0b683847ddf19ba1255c14d2c4b9f61453a021ec37f4ae0425958e5c910340

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/284294/

Comments