MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 f3dfb1674daa417cb203423b8bcca979b47c97dc71aba3e0dffb995a11b63e33. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

SnakeKeylogger

Vendor detections: 9

Intelligence 9 IOCs YARA 2 File information Comments

SHA256 hash:	f3dfb1674daa417cb203423b8bcca979b47c97dc71aba3e0dffb995a11b63e33
SHA3-384 hash:	4405f8f77f8f67879a45d69867fdf3292ebc0812459560b8dc40ce859635f360614557bed136adf05bdbc84354497689
SHA1 hash:	02e6b17391b3ec901b33964e9bae087e39e0d126
MD5 hash:	60a8ab38ccc6c6d4b2d181bbf3e60cd3
humanhash:	cardinal-hotel-bravo-fourteen
File name:	SOA_16.06.21.exe
Download:	download sample
Signature	SnakeKeylogger Create hunting rule
File size:	880'128 bytes
First seen:	2021-06-16 12:52:09 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'742 x AgentTesla, 19'607 x Formbook, 12'242 x SnakeKeylogger)
ssdeep	12288:V0hUrb+oWhlm4S4F3M9yAujiraMyRkAdYqb3suwKnjS0D5bU1GS+hhc+i:yEb+oyWPfeMyV6qbFBjbbUZO7i
Threatray	72 similar samples on MalwareBazaar
TLSH	2815D3303FB963D6E47ADAA145AAB847CDED61FA260DC8CD1C5007C157326CB4AF2D29
Reporter	James_inthe_box
Tags:	exe SnakeKeylogger

Intelligence

File Origin

# of uploads :

# of downloads :

120

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

SOA_16.06.21.exe

Verdict:

Malicious activity

Analysis date:

2021-06-16 12:54:48 UTC

Tags:

evasion trojan

Link:

https://app.any.run/tasks/010630ea-85a7-4da8-a82e-989e9bf0747c

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection(s):

SecuriteInfo.com.Artemis60A8AB38CCC6.11306.6771.UNOFFICIAL

Result

Verdict:

Clean

Maliciousness:

Behaviour

Creating a window

Sending a UDP request

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

njRAT

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/698e043b-58cf-4d90-a559-a0558ce6173f

Result

Threat name:

Snake Keylogger

Detection:

malicious

Classification:

troj.evad

Score:

88 / 100

Link:

https://www.joesandbox.com/analysis/803024

Signature

Found malware configuration

May check the online IP address of the machine

Multi AV Scanner detection for submitted file

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to evade analysis by execution special instruction which cause usermode exception

Yara detected AntiVM3

Yara detected Beds Obfuscator

Yara detected Snake Keylogger

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/f3dfb1674daa417cb203423b8bcca979b47c97dc71aba3e0dffb995a11b63e33/

Threat name:

ByteCode-MSIL.Spyware.Negasteal

Status:

Malicious

First seen:

2021-06-16 12:47:24 UTC

File Type:

PE (.Net Exe)

Extracted files:

AV detection:

15 of 29 (51.72%)

Threat level:

2/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=6pp3cz2nvjaxzmqdii5yxtfjpg2hzf64ogv2hyg77omvuenwhyzq._file

Verdict:

unknown

SnakeKeylogger

011ed51cc9d788dd0fdb9f1f2ba5ed659503ef771efd4f7f8dd58a9fa07681b3

SnakeKeylogger

252c620181e163a91bee650ce34198009aa4d720ed304bd3a65a897a3df43201

SnakeKeylogger

44fb7ff08e6bc4483494c6cab4d7d54e2ebc532fcea926d41aa8559a0ba9908d

SnakeKeylogger

9d11436281afddffffef2b40d3ee19bedf126bd446c0f207f1d306fc4bad5921

SnakeKeylogger

9f84e0df85d12809aa9087e9003eae18d53e15d168c5721372f1e4102374b676

SnakeKeylogger

adcc2671f1168261ceace2da6f28a79e0b3bc2f774fac1d79f4628f494951d24

SnakeKeylogger

cb7316ea8d004dc3665c2668d2a9338bd163a41f75b2a925f6af5e853c09282d

SnakeKeylogger

f35ea943961db78e81a0f568f05afac9500ec4f093aa4bb543fe25ca1722f59c

SnakeKeylogger

f39b9e8c4a9aa6d8cd9f069e8a8ee81a3f666e07071f2b4673aa42633026736c

SnakeKeylogger

+ 62 additional samples on MalwareBazaar

Result

Malware family:

snakekeylogger

Score:

10/10

Tags:

family:snakekeylogger keylogger stealer

Link:

https://tria.ge/reports/210616-897s5nr2gj/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Program crash

Drops file in Windows directory

Suspicious use of SetThreadContext

Looks up external IP address via web service

Snake Keylogger

Snake Keylogger Payload

Unpacked files

SH256 hash:

2e19d8ba1522ce2860868d1e3b28a6d601a36ca91a538f96cb525c11f17f7810

MD5 hash:

be02e60a56f391efeae578b2419228d2

SHA1 hash:

9862aece142ccda592eec4a2634029ee54f2d392

Link:

https://www.unpac.me/results/b9249674-0717-40bc-b2d5-9bfe7c074d99/

SH256 hash:

f3dfb1674daa417cb203423b8bcca979b47c97dc71aba3e0dffb995a11b63e33

MD5 hash:

60a8ab38ccc6c6d4b2d181bbf3e60cd3

SHA1 hash:

02e6b17391b3ec901b33964e9bae087e39e0d126

Link:

https://www.unpac.me/results/b9249674-0717-40bc-b2d5-9bfe7c074d99/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Suspicious File

Score:

0.65

Link:

https://yomi.yoroi.company/submissions/f3dfb1674daa417cb203423b8bcca979b47c97dc71aba3e0dffb995a11b63e33

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	pe_imphash Create hunting rule

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method

Other

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample