MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 005eb1d8df310f308e9ac99c488ea415174fd9aff3fc875117b056e535d08271. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


SnakeKeylogger


Vendor detections: 13


Intelligence 13 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 005eb1d8df310f308e9ac99c488ea415174fd9aff3fc875117b056e535d08271
SHA3-384 hash: 62bb2445a151a5d40f4fb63182aa3600cfde3945a31d7f267ee8183ed0e351906adab05c38545bc2ce47538662a236ff
SHA1 hash: d6dd62b127b856cdb1d3beb9c7c4beb722deedd1
MD5 hash: 991db15c5c2d3e4309efdf07f102f95e
humanhash: undress-early-winter-alanine
File name:bWvmkyv4OpHFRlv.exe
Download: download sample
Signature SnakeKeylogger
Create hunting rule
File size:558'592 bytes
First seen:2023-05-16 10:42:59 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'740 x AgentTesla, 19'599 x Formbook, 12'241 x SnakeKeylogger)
ssdeep 12288:RYCv5qNEkrh8GUrZAgWhHpM36kiNISjea5BsIFqm4o:Toa3frmgoM36RISjeIzio
Threatray 1'264 similar samples on MalwareBazaar
TLSH T112C4D070609E8780E01FCBB165B8FC72037274F3A9D9C9751B3991C8CE26F546E89A5B
TrID 63.0% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
11.2% (.SCR) Windows screen saver (13097/50/3)
9.0% (.EXE) Win64 Executable (generic) (10523/12/4)
5.6% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
3.8% (.EXE) Win32 Executable (generic) (4505/5/1)
Reporter abuse_ch
Tags:exe SnakeKeylogger

Intelligence

File Origin
# of uploads :
1
# of downloads :
257
Origin country :
NL NL
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
bWvmkyv4OpHFRlv.exe
Verdict:
Malicious activity
Analysis date:
2023-05-16 10:45:26 UTC
Tags:
snake keylogger trojan evasion
Link:
https://app.any.run/tasks/54a9d80d-1e6c-4853-ba26-0b8d481ffcb5

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Snake
Create hunting rule
Link:
https://www.capesandbox.com/analysis/390384/
Detection(s):
SecuriteInfo.com.Win32.PWSX-gen.21535.2187.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Sending a custom TCP request
Creating a window
Launching a process
Creating a process with a hidden window
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
barys comodo lokibot packed
Link:
https://www.filescan.io/uploads/64635e365d03a85ad80d203a/reports/0eb1b0d9-bcaf-4600-9a0e-b17269700474/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_100%
Link:
https://www.hybrid-analysis.com/sample/005eb1d8df310f308e9ac99c488ea415174fd9aff3fc875117b056e535d08271
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Snake Keylogger
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/c8e86e38-0cdb-46ff-9a57-4dfbd5a59710
Result
Threat name:
Snake Keylogger
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1234376
Signature
.NET source code contains potential unpacker
Adds a directory exclusion to Windows Defender
Found malware configuration
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
May check the online IP address of the machine
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Scheduled temp file as task from temp location
Snort IDS alert for network traffic
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Mail credentials (via file / registry access)
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected Generic Downloader
Yara detected Snake Keylogger
Yara detected Telegram RAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 867359 Sample: bWvmkyv4OpHFRlv.exe Startdate: 16/05/2023 Architecture: WINDOWS Score: 100 51 Snort IDS alert for network traffic 2->51 53 Found malware configuration 2->53 55 Malicious sample detected (through community Yara rule) 2->55 57 7 other signatures 2->57 7 bWvmkyv4OpHFRlv.exe 7 2->7         started        11 oJPvBr.exe 5 2->11         started        process3 file4 35 C:\Users\user\AppData\Roaming\oJPvBr.exe, PE32 7->35 dropped 37 C:\Users\user\...\oJPvBr.exe:Zone.Identifier, ASCII 7->37 dropped 39 C:\Users\user\AppData\Local\...\tmpE007.tmp, XML 7->39 dropped 41 C:\Users\user\...\bWvmkyv4OpHFRlv.exe.log, ASCII 7->41 dropped 59 May check the online IP address of the machine 7->59 61 Uses schtasks.exe or at.exe to add and modify task schedules 7->61 63 Adds a directory exclusion to Windows Defender 7->63 13 bWvmkyv4OpHFRlv.exe 15 2 7->13         started        17 powershell.exe 19 7->17         started        19 schtasks.exe 1 7->19         started        21 bWvmkyv4OpHFRlv.exe 7->21         started        65 Multi AV Scanner detection for dropped file 11->65 67 Machine Learning detection for dropped file 11->67 23 oJPvBr.exe 14 2 11->23         started        25 schtasks.exe 1 11->25         started        27 oJPvBr.exe 11->27         started        signatures5 process6 dnsIp7 43 checkip.dyndns.com 158.101.44.242, 49695, 80 ORACLE-BMC-31898US United States 13->43 45 checkip.dyndns.org 13->45 29 conhost.exe 17->29         started        31 conhost.exe 19->31         started        47 checkip.dyndns.org 23->47 49 132.226.247.73, 49696, 80 UTMEMUS United States 23->49 69 Tries to steal Mail credentials (via file / registry access) 23->69 71 Tries to harvest and steal ftp login credentials 23->71 73 Tries to harvest and steal browser information (history, passwords, etc) 23->73 33 conhost.exe 25->33         started        signatures8 75 May check the online IP address of the machine 47->75 process9
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/005eb1d8df310f308e9ac99c488ea415174fd9aff3fc875117b056e535d08271/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2023-05-16 10:43:06 UTC
File Type:
PE (.Net Exe)
Extracted files:
6
AV detection:
20 of 24 (83.33%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=abpldwg7gehtbdu2zgoerdveculu7wnp6p6iouixwbloknoqqjyq._file
Verdict:
malicious
Similar samples:
125ab5d56c8bc8e55483764a4fb9ad34ea9a74543e7b3a245c308703e5ee1d40
SnakeKeylogger
14105392349904938a9d2e42e5eaf8a401d2b832c89f14fb79440a7126525d57
SnakeKeylogger
1828a6afda383a1f6f48f9bab91e7f0d648fcef99f959b406618847c168e5325
SnakeKeylogger
535d74b24a5ffb30a283e855cbfdfb3509e9c94c4f97baa2f62197b221cce54f
SnakeKeylogger
92d153f7f41fa901887ec1494773140e4ef9b41378f2ec05deeb0ad8ec3f5d16
SnakeKeylogger
c7d2461a20a6687bef74bfc784219676af232262762a102ae4f11765d2324210
SnakeKeylogger
e8f4a945cb876f35ab40ee024ba58f486969bbb9834803b140a62dac6e040599
SnakeKeylogger
e9ca300e5f48557e95213ca62c5db6b3484644a1c32f10eb5ff2c49be53c5919
SnakeKeylogger
efe80cf748bd25110797151a16a29b956213cc00a85716dae6e6008d648725dc
SnakeKeylogger
fab58afbd986a4fb766f06edadc553c09b6422d1a54100f8ef1aa589f28f32f6
SnakeKeylogger
+ 1'254 additional samples on MalwareBazaar
Result
Malware family:
snakekeylogger
Create hunting rule
Score:
  10/10
Tags:
family:snakekeylogger collection keylogger spyware stealer
Link:
https://tria.ge/reports/230516-mr866aac75/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Enumerates physical storage devices
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Looks up external IP address via web service
Checks computer location settings
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Snake Keylogger
Snake Keylogger payload
Malware Config
C2 Extraction:
https://api.telegram.org/bot5801425382:AAG5b4PUEaqNDv5uP9ejZGeIHeuzzOD4IHY/sendMessage?chat_id=5812329204
Unpacked files
SH256 hash:
326421d2307ec438181f32c586a648a1a36aaf9a2c7cc2407697535c5154f847
MD5 hash:
a9c770618a3d11583811d2f78505333f
SHA1 hash:
b3be70f2af3b3de5936acb2ead0f95cdeba71150
Detections:
snake_keylogger
Create hunting rule
Link:
https://www.unpac.me/results/91d89656-73af-4b76-ba10-0164718fcedd/
Parent samples :
46bfebe7ffd387d099666f45f5929e5db96cb5543b1991a29aa4c541c32f8542
8c4cee768cd1192f59d56900a165ad1541cd7c567c39ad8a4cd8bee889571b5f
f3b007849f67bec665e7d2055762802fd0d87fb1020fb7a2459306109c6ccf4f
5f16e8c1fef7f5f311b814b10f7b9e9b1ec3c204075fb8bb48ac207e256ea208
326421d2307ec438181f32c586a648a1a36aaf9a2c7cc2407697535c5154f847
4c922d132ec224cbbb1e367ed7fd10c7eb04f0d50007eae3ebe1b77866084c7b
480fb8507176e7ab166f14cdc41e7d2d887555a8327800e989a5b07ec4ac7a2b
34b9ab12c430ce458e3b1236115b18ca267b7876f853aa3e353c2e4d63300b47
0cba5aa5d28e18f2fbdbe749950d645bac7037fdc138c3b75ee06120ced809ab
8050e8b876abe28d529d09660615dbef045d25037307db84c645c7ed515df089
c591ec47c2b8daa5036cb079a83f61d1e02bb9bb340723d3e6b9290f80e5f64f
e4725b74ef0918aa1d0a812227ae9bc593528841c61bfa4db312c35158d77592
15fdf335aa7b720d7ae187afe07af4de7ff71092dd06934e0f3f61b0b642bc39
bedbc46bb0550879158a1ed1a754614695bfe4bb8a86518fe75a4a087b1f329e
3cc1eefece073953c78de9ca7c56bd3bce3ebc5268cb708ed3531c00f3154c18
98536221ae4e88e5e4348cffe9d94364f4e985632eb18f59d7ff0d685ac3395a
fac3d893e2a1e4bb7bca111e12f5bc52f8fbde33d8dc16163ebc79253b19829a
0153ff636ce46ec97121df71b82e33f41f376af7417070c75d5a0b41cbba18b2
dc1fac12b351fb002bdb989e60717c36e2bd50c6c96b449fbffeb347c47622a5
9489bbf4b51b344c381683f04c60d7f6d73580af9b9e9b2b6dc395a0138f89f9
1e9975aa70df2b52041c743f18403e227dc5bef87084950bce1f101cdbdefdd0
4208a88c74cfe1d05b7d8ca52eb0de4188adfbe33eaba4c2813ead8d0e623019
5aea8925bd335299eb81aaa178cf00327ca0fc1e7ca4ffe2826a029e18b6f801
d06f8c0ba7041cb8739cbf7458c60c6c637f3159189ea668fa3df7200a4a82a6
8b05ac7b62b49b7336f6c71833e0e5b9589df9996244789ed0bb74fe2b2d4f16
e9ca300e5f48557e95213ca62c5db6b3484644a1c32f10eb5ff2c49be53c5919
005eb1d8df310f308e9ac99c488ea415174fd9aff3fc875117b056e535d08271
54492f6c2f298dd366978c41c40e603dc981e871d8fbbef854077652f787dde5
2cc05a83d9bae4890c799ba335dc05f97cae4eae5e4ca3a544db39bf12c66b04
b4b38d7d62a408e89a3c7c0157405cf65862ddb6a1fb23a931311a468d051890
e45030071efb40774095252901b94b14010a11daad0c3009e3bfe5a01c2fb869
946dd49393625df5156b51438635cb31a56ed40b440a8ccccce7b2c3cfb26a0e
8908ae87539b2b7e91a28201d9e760a9c646b89db43873ee9e0807e55c9e082b
cf236299167c0c88614c131ecdad1215151c1785aa07baa6426e6459bb3236e5
SH256 hash:
d54fc563edfef9023e7a9a0ebe0ef151c691b83b6dea8b2b8959dd3ff2b1230f
MD5 hash:
d54deb2a714debd5da9b16e88bd1272e
SHA1 hash:
9ea9b671961c82ee2352f47de8585b78b1d8002a
Link:
https://www.unpac.me/results/91d89656-73af-4b76-ba10-0164718fcedd/
SH256 hash:
16c255190eaaf1b60ec7d07abcac5f614ea197cee2416ca9d01bb563c526c87d
MD5 hash:
fb4ed205b442f470bbf10913128efdcb
SHA1 hash:
9a0a4c5ae429769e3253a9a3daefa24270b87a5b
Link:
https://www.unpac.me/results/91d89656-73af-4b76-ba10-0164718fcedd/
Parent samples :
ee57b6fa1e5a3c5ef776b79f32820327bcb3fe1974eeddf65c0eb56131193397
de8c7c543f438af1e7e78096f6873268e9b1a12745edf9c88db07e136163399e
SH256 hash:
c0293411f0c45c0a7518bb8d50eb27e93fff30bc2346d9b707786acd9729bbd4
MD5 hash:
2a53c21432be57d6084f7405ad3aba6c
SHA1 hash:
8b78b085d10c137cae29a5487d229744519f6c7c
Link:
https://www.unpac.me/results/91d89656-73af-4b76-ba10-0164718fcedd/
SH256 hash:
a7485443b331c2fca54197f53638cb11a8c82bac339b66f35b95d0ad0aceb438
MD5 hash:
dfca41d2838170cb07ef445bb7d9c987
SHA1 hash:
7622672bed23f065cafdf2a17879ebf5926aba8b
Link:
https://www.unpac.me/results/91d89656-73af-4b76-ba10-0164718fcedd/
SH256 hash:
005eb1d8df310f308e9ac99c488ea415174fd9aff3fc875117b056e535d08271
MD5 hash:
991db15c5c2d3e4309efdf07f102f95e
SHA1 hash:
d6dd62b127b856cdb1d3beb9c7c4beb722deedd1
Link:
https://www.unpac.me/results/91d89656-73af-4b76-ba10-0164718fcedd/
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

SnakeKeylogger

Executable exe 005eb1d8df310f308e9ac99c488ea415174fd9aff3fc875117b056e535d08271

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/390384/

Comments