MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 df43d7dbdd797f22a5b47418e2365accd97fda7a6ea6ae82c8701eb59ff0717f. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


SnakeKeylogger


Vendor detections: 12


Intelligence 12 IOCs YARA 5 File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: df43d7dbdd797f22a5b47418e2365accd97fda7a6ea6ae82c8701eb59ff0717f
SHA3-384 hash: 259b9d4bcf696a7633fb9473beb81e403bddc960e60dd1de82c60e6c32708391afea07edf8b5ba4bd5e36570f8896445
SHA1 hash: a0368e137b1ed4c4a442fd99f71582a3b5ae8413
MD5 hash: a795d9b44255617250be22ccd818670e
humanhash: jersey-enemy-twelve-king
File name:a795d9b44255617250be22ccd818670e
Download: download sample
Signature SnakeKeylogger
Create hunting rule
File size:407'552 bytes
First seen:2021-12-27 17:23:40 UTC
Last seen:2021-12-27 19:27:07 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'661 x AgentTesla, 19'473 x Formbook, 12'208 x SnakeKeylogger)
ssdeep 12288:auLNUPp24IMUlT9JNfO8uWp48L9OmRJEOpx0X7XgfYQ6XCx23gTzu:HLurzT3gTzu
Threatray 2'852 similar samples on MalwareBazaar
TLSH T169841D2EBA454A72FD1D90304DC10A06BB768B073284AB861FEF19CA874F1756D5DEF8
File icon (PE):PE icon
dhash icon 6ac8f8d6d6d2d2d2 (4 x SnakeKeylogger, 1 x NanoCore, 1 x ModiLoader)
Reporter zbetcheckin
Tags:32 exe SnakeKeylogger

Intelligence

File Origin
# of uploads :
2
# of downloads :
204
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
a795d9b44255617250be22ccd818670e
Verdict:
Malicious activity
Analysis date:
2021-12-27 17:28:04 UTC
Tags:
evasion trojan snakekeylogger keylogger
Link:
https://app.any.run/tasks/d8eb9125-84ee-4b61-b49c-07af5a3bb3fa

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/216583/
Detection(s):
SecuriteInfo.com.Scr.Malcodegdn33.3547.9830.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Сreating synchronization primitives
Creating a window
Launching a process
Using the Windows Management Instrumentation requests
Running batch commands
Creating a file
Sending a custom TCP request
DNS request
Sending an HTTP GET request
Creating a file in the %AppData% subdirectories
Reading critical registry keys
Creating a process from a recently created file
Launching the default Windows debugger (dwwin.exe)
Unauthorized injection to a system process
Enabling autorun by creating a file
Forced shutdown of a browser
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
anti-vm obfuscated packed
Link:
https://www.filescan.io/uploads/61c9f6b88991ba72b39b44d0/reports/75163afa-295f-4b09-9073-b5b4cc12f0b3/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/70604132-9681-474d-a39c-4f33331afd6d
Result
Threat name:
Snake Keylogger
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/913203
Signature
.NET source code references suspicious native API functions
Binary or sample is protected by dotNetProtector
Found malware configuration
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
May check the online IP address of the machine
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Tries to delay execution (extensive OutputDebugStringW loop)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Mail credentials (via file / registry access)
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Yara detected Snake Keylogger
Yara detected Telegram RAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 545681 Sample: zoL8lL02nV Startdate: 27/12/2021 Architecture: WINDOWS Score: 100 63 Found malware configuration 2->63 65 Malicious sample detected (through community Yara rule) 2->65 67 Multi AV Scanner detection for submitted file 2->67 69 5 other signatures 2->69 7 mork.exe 3 2->7         started        10 zoL8lL02nV.exe 3 2->10         started        process3 signatures4 71 Multi AV Scanner detection for dropped file 7->71 73 Machine Learning detection for dropped file 7->73 75 Writes to foreign memory regions 7->75 12 vbc.exe 2 7->12         started        16 cmd.exe 1 7->16         started        18 cmd.exe 2 7->18         started        20 cmd.exe 7->20         started        77 Tries to delay execution (extensive OutputDebugStringW loop) 10->77 79 Injects a PE file into a foreign processes 10->79 22 vbc.exe 15 2 10->22         started        24 cmd.exe 3 10->24         started        27 cmd.exe 2 10->27         started        29 cmd.exe 1 10->29         started        process5 dnsIp6 51 checkip.dyndns.org 12->51 53 131.186.113.70, 49808, 49809, 80 DYNDNSUS United States 12->53 55 192.168.2.1 unknown unknown 12->55 81 Tries to steal Mail credentials (via file / registry access) 12->81 83 Tries to harvest and steal ftp login credentials 12->83 85 Tries to harvest and steal browser information (history, passwords, etc) 12->85 31 conhost.exe 16->31         started        33 schtasks.exe 16->33         started        35 conhost.exe 18->35         started        37 conhost.exe 20->37         started        57 checkip.dyndns.org 22->57 59 checkip.dyndns.com 132.226.247.73, 49761, 80 UTMEMUS United States 22->59 61 freegeoip.app 172.67.188.154, 443, 49763, 49810 CLOUDFLARENETUS United States 22->61 87 May check the online IP address of the machine 22->87 47 C:\Users\user\AppData\Roaming\mork\mork.exe, PE32 24->47 dropped 49 C:\Users\user\...\mork.exe:Zone.Identifier, ASCII 24->49 dropped 39 conhost.exe 24->39         started        89 Uses schtasks.exe or at.exe to add and modify task schedules 27->89 41 conhost.exe 27->41         started        43 conhost.exe 29->43         started        45 schtasks.exe 1 29->45         started        file7 signatures8 process9
Detection:
snakekeylogger
Create hunting rule
Link:
https://mwdb.cert.pl/sample/df43d7dbdd797f22a5b47418e2365accd97fda7a6ea6ae82c8701eb59ff0717f/
Threat name:
ByteCode-MSIL.Trojan.Injuke
Create hunting rule
Status:
Malicious
First seen:
2021-12-27 17:24:14 UTC
File Type:
PE (.Net Exe)
Extracted files:
17
AV detection:
20 of 28 (71.43%)
Threat level:
  5/5
Verdict:
malicious
Similar samples:
193ac87ce3fbdcbc7def7776cac94b2548c0eabcfa179f701b96f65d9cfe7631
SnakeKeylogger
67a070a61c8d94294f7b4eb0b4d7978a8b3dd8b5f72f63ad84aa116f95cfa996
SnakeKeylogger
9afeb5862b218ce5c8b9ea67600fa9af8a1f531715d601045a131093ce6dd13f
SnakeKeylogger
a3d0ee9ab32fdffc523f8cf03690664dcfc980c4061365d9577452715d1ac6b4
SnakeKeylogger
c2ba54cb48c0dda45316d446406221e5cdb331bf6147d956071e41727502be2f
SnakeKeylogger
ee2e455231053433cc4d8718e0fb69e0f11d9875c5d1d3b3eebba4426148fb6d
SnakeKeylogger
f127b8885114903eac8725e5477e22ec9b73f3190aad5acf248af5871f02bd81
SnakeKeylogger
ff8c96889acbf40646676632e44a50c37f1abd7828a34c19ec7462d7b2175af0
SnakeKeylogger
+ 2'842 additional samples on MalwareBazaar
Result
Malware family:
snakekeylogger
Create hunting rule
Score:
  10/10
Tags:
family:snakekeylogger collection keylogger stealer
Link:
https://tria.ge/reports/211227-vyqbmabecn/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Program crash
Drops file in System32 directory
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Looks up external IP address via web service
Uses the VBS compiler for execution
Executes dropped EXE
Snake Keylogger
Snake Keylogger Payload
Unpacked files
SH256 hash:
e73cbad592cbb3b155a9b4f2f7097133ed54f9355252528ccc529b14d648c758
MD5 hash:
36d0aa0d5fa1e9941dc8a58193016803
SHA1 hash:
c8293ce06f7786514379dd5504cb1154d49d7b19
Link:
https://www.unpac.me/results/97c8b086-d442-40b5-8878-8d5cfd2d4a8a/
SH256 hash:
df43d7dbdd797f22a5b47418e2365accd97fda7a6ea6ae82c8701eb59ff0717f
MD5 hash:
a795d9b44255617250be22ccd818670e
SHA1 hash:
a0368e137b1ed4c4a442fd99f71582a3b5ae8413
Link:
https://www.unpac.me/results/97c8b086-d442-40b5-8878-8d5cfd2d4a8a/
Malware family:
Phoenix
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/df43d7dbdd79/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/df43d7dbdd797f22a5b47418e2365accd97fda7a6ea6ae82c8701eb59ff0717f

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_EXE_Packed_Dotfuscator
Create hunting rule
Author:ditekSHen
Description:Detects executables packed with Dotfuscator
Rule name:INDICATOR_EXE_Packed_dotNetProtector
Create hunting rule
Author:ditekSHen
Description:Detects executables packed with dotNetProtector
Rule name:INDICATOR_EXE_Packed_SmartAssembly
Create hunting rule
Author:ditekSHen
Description:Detects executables packed with SmartAssembly
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

SnakeKeylogger

Executable exe df43d7dbdd797f22a5b47418e2365accd97fda7a6ea6ae82c8701eb59ff0717f

(this sample)

  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/1925571/
Cape
Cape
https://www.capesandbox.com/analysis/216583/

Comments


Avatar
zbet commented on 2021-12-27 17:23:42 UTC

url : hxxp://3.120.146.69/bgq/DFL-60110228713.exe