MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 05bec361a7f7ce8bb453225e15f0911068f103c51eee5e553f783955f65ed54c. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

SnakeKeylogger

Vendor detections: 15

Intelligence 15 IOCs YARA 12 File information Comments

SHA256 hash:	05bec361a7f7ce8bb453225e15f0911068f103c51eee5e553f783955f65ed54c
SHA3-384 hash:	da4bf09fa889a4bb1888907aa30b06b857c4558efe4b115f000b4d0f9e1c3b1e0bc7b54b252b1382223311f5bebde62d
SHA1 hash:	aed94712d9df96983873fdc1e23fb12574e225aa
MD5 hash:	872324d761f8b173becd96e2c273b2c3
humanhash:	aspen-zulu-one-bravo
File name:	OHPL PROJECT ENQUIRY 332023.exe
Download:	download sample
Signature	SnakeKeylogger Create hunting rule
File size:	241'079 bytes
First seen:	2023-03-03 14:24:54 UTC
Last seen:	2023-03-03 15:33:14 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	61259b55b8912888e90f516ca08dc514 (1'059 x Formbook, 741 x AgentTesla, 427 x GuLoader)
ssdeep	6144:/Ya6VsEd85CjY6P8RQuawPMXtTZGATWkSxb7VkPPNFUGL01Ck:/YHy96TWPitjT0pkPPNFUGYok
Threatray	1'105 similar samples on MalwareBazaar
TLSH	T1BE3412247068D16BF4F147B189796B37AEB9ED2714B8830757A09F8D3671341EA0E3A3
TrID	47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13) 15.9% (.EXE) Win64 Executable (generic) (10523/12/4) 9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 7.6% (.EXE) Win16 NE executable (generic) (5038/12/1) 6.8% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):
dhash icon	b2a89c96a2cada72 (2'283 x Formbook, 981 x Loki, 803 x AgentTesla)
Reporter	abuse_ch
Tags:	exe SnakeKeylogger

Intelligence

File Origin

# of uploads :

# of downloads :

208

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

OHPL PROJECT ENQUIRY 332023.exe

Verdict:

Malicious activity

Analysis date:

2023-03-03 14:29:37 UTC

Tags:

snake keylogger trojan evasion

Link:

https://app.any.run/tasks/c27ffe4b-3a4f-4472-87f1-2d3eeecc10a6

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/371394/

Detection(s):

Sanesecurity.Malware.28885.BadCo.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a file in the %temp% directory

Creating a window

Creating a process from a recently created file

Creating a file in the %AppData% subdirectories

Searching for the window

Сreating synchronization primitives

DNS request

Sending an HTTP GET request

Reading critical registry keys

Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch

Unauthorized injection to a recently created process by context flags manipulation

Forced shutdown of a browser

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

formbook overlay packed shell32.dll

Link:

https://www.filescan.io/uploads/64020341bfec0852a68ec6af/reports/92a91815-6edc-4c3c-8e2f-02aab9c58452/overview

Verdict:

Malicious

Labled as:

Win/malicious_confidence_100%

Link:

https://www.hybrid-analysis.com/sample/05bec361a7f7ce8bb453225e15f0911068f103c51eee5e553f783955f65ed54c

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Generic Malware

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/3a47a67c-602d-4002-8d03-cdf6812682db

Result

Threat name:

Snake Keylogger

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1186594

Signature

Found evasive API chain (may stop execution after reading information in the PEB, e.g. number of processors)

Initial sample is a PE file and has a suspicious name

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Maps a DLL or memory area into another process

May check the online IP address of the machine

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Snort IDS alert for network traffic

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to steal Mail credentials (via file / registry access)

Yara detected Generic Downloader

Yara detected Snake Keylogger

Yara detected Telegram RAT

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/05bec361a7f7ce8bb453225e15f0911068f103c51eee5e553f783955f65ed54c/

Threat name:

Win32.Spyware.SnakeLogger

Status:

Malicious

First seen:

2023-03-03 11:38:26 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

15 of 24 (62.50%)

Threat level:

2/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=aw7mgynh67hixnctejpbl4ercbupca6fd3xf4vj7pa4vl5s62vga._file

Verdict:

malicious

SnakeKeylogger

30e7620c14c4ff2cd4c467bc26a9524f84ac84a0111b08e614cf8782964b3a66

SnakeKeylogger

3672a8eb0dd83a097ffd82461ba28956fba31e179c80f3744bcdbd52a5b77121

SnakeKeylogger

4962d546e41c81ba1eb333f5aadaba7fdb271652f2498deaac512c5c54966559

SnakeKeylogger

92ce5008c739dfea8f09903965665831a8ac4fa23c1a6060bbf26e93274e0b24

SnakeKeylogger

bc49d2a85d44b57a55063bf2f784f96d127a7ec7ad0b9f385ade2cf3d713e35b

SnakeKeylogger

c97b59069bff6b83ade497a1a63fe67ca759cc1962342eda0e36d2222e031cf4

SnakeKeylogger

ebb0272ecef9d8bf07a71b9ead8718760d27c4fdc334fe2de7a8b93237e61044

SnakeKeylogger

+ 1'095 additional samples on MalwareBazaar

Result

Malware family:

snakekeylogger

Score:

10/10

Tags:

family:snakekeylogger collection keylogger persistence spyware stealer

Link:

https://tria.ge/reports/230303-rraqtahg78/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: MapViewOfSection

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

outlook_office_path

outlook_win_path

Enumerates physical storage devices

Suspicious use of SetThreadContext

Looks up external IP address via web service

Accesses Microsoft Outlook profiles

Adds Run key to start application

Executes dropped EXE

Loads dropped DLL

Reads data files stored by FTP clients

Reads user/profile data of local email clients

Reads user/profile data of web browsers

Snake Keylogger

Snake Keylogger payload

Malware Config

C2 Extraction:

https://api.telegram.org/bot5300146648:AAHnGWyIYhkCfGzD7b3SfmLZj94Y8lXxD90/sendMessage?chat_id=5116181161

Unpacked files

SH256 hash:

d253e991b0afb6b3e9cfaf8dce2e56c93e6ac838ce8f4a6c1c0b4752527009c6

MD5 hash:

915aa3d78cab8eb6920c2cf8ab39e6a1

SHA1 hash:

f4dc2ac541b600883e4648aafbc92f5e0b1811f0

Detections:

snake_keylogger

Link:

https://www.unpac.me/results/f569e8bf-e867-464e-a23a-1acdcc2702da/

Parent samples :

9432b4cd9f8a31640bf60b6cf8bece39ee0b0f110d2d43e429d9d203e1feaf41
8d31760b4b183db7fbb1cce9c5dab77e264c27484eb49193c6ebd0cc1deeaccf
808af00d1b4ec59a042cfa6d2a46549fca9d2d588847287bab70321622e008cd
05bec361a7f7ce8bb453225e15f0911068f103c51eee5e553f783955f65ed54c
54bae76ab64ae74ef5b97cef8aaffa2ec1254df6fea46d54c1387b6f5d5fb025
b43c354874e511906b2a3abef9db96af2a2d0aec46c8d04fe7357bcebdf03a4f
7e039e4d466d67e2e7fe4cf46aa141db13f2454161ebc86ec1dd02c33113d154
34ae82b3da999e17e5b62fae65be1827e3f6a54c599c68f1a02666772b70eb09
d4086b64b176925017dd2db176cb3754e172bcec944037e1f3ea53ce48c1303f
e6c7bf9f389f560ec25ba1808468c5d334cf75d2142face3704aac05af8c024b
c9234000f8f576a39a7d2a957826094c1c0e37b141ef26ee2e8e36a62e09805a
92f0a55426e5040dc80133f908906acddaa338792783507fb0bb62d5b786c3ce
0f629b4e11087c4e000457daa326269c1ed26198d5a5e8f963d10e0be9dd77a7
4df7854ec37d3d2d2f8b87ef3811ac4b4ea2f16c0d37329a91a4ebeca78337fb
d253e991b0afb6b3e9cfaf8dce2e56c93e6ac838ce8f4a6c1c0b4752527009c6

SH256 hash:

c2b6cb2a35b51d89878150596fdbf869968983c854f726838751a41e0f40d933

MD5 hash:

4c6e4565311f53a59cc237a2ef055d4f

SHA1 hash:

1b19ffdbc51d7b62b85f90c7b9c7ac13cfb4f646

Detections:

snake_keylogger

Link:

https://www.unpac.me/results/f569e8bf-e867-464e-a23a-1acdcc2702da/

SH256 hash:

af67229aafddcfe16e6e0f89f54a698ed59f1cdafd12ff1eba529843dc7a0e3a

MD5 hash:

c5cee20bf9214db77cda85cdf21514b4

SHA1 hash:

2c58e5785962a2a341ddd45fc5f836414f70f8da

Link:

https://www.unpac.me/results/f569e8bf-e867-464e-a23a-1acdcc2702da/

SH256 hash:

05bec361a7f7ce8bb453225e15f0911068f103c51eee5e553f783955f65ed54c

MD5 hash:

872324d761f8b173becd96e2c273b2c3

SHA1 hash:

aed94712d9df96983873fdc1e23fb12574e225aa

Link:

https://www.unpac.me/results/f569e8bf-e867-464e-a23a-1acdcc2702da/

Malware family:

SnakeKeylogger

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/05bec361a7f7/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/05bec361a7f7ce8bb453225e15f0911068f103c51eee5e553f783955f65ed54c

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	cobalt_strike_tmp01925d3f Create hunting rule
Author:	The DFIR Report
Description:	files - file ~tmp01925d3f.exe
Reference:	https://thedfirreport.com

Rule name:	INDICATOR_SUSPICIOUS_Binary_References_Browsers Create hunting rule
Author:	ditekSHen
Description:	Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers.

Rule name:	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook Create hunting rule
Author:	ditekSHen
Description:	Detects executables with potential process hoocking

Rule name:	INDICATOR_SUSPICIOUS_EXE_References_Messaging_Clients Create hunting rule
Author:	ditekSHen
Description:	Detects executables referencing many email and collaboration clients. Observed in information stealers

Rule name:	INDICATOR_SUSPICIOUS_EXE_TelegramChatBot Create hunting rule
Author:	ditekSHen
Description:	Detects executables using Telegram Chat Bot

Rule name:	MALWARE_Win_SnakeKeylogger Create hunting rule
Author:	ditekSHen
Description:	Detects Snake Keylogger

Rule name:	MAL_Envrial_Jan18_1 Create hunting rule
Author:	Florian Roth (Nextron Systems)
Description:	Detects Encrial credential stealer malware
Reference:	https://twitter.com/malwrhunterteam/status/953313514629853184

Rule name:	MAL_Envrial_Jan18_1_RID2D8C Create hunting rule
Author:	Florian Roth
Description:	Detects Encrial credential stealer malware
Reference:	https://twitter.com/malwrhunterteam/status/953313514629853184

Rule name:	pe_imphash Create hunting rule

Rule name:	shellcode Create hunting rule
Author:	nex
Description:	Matched shellcode byte patterns

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

Rule name:	Windows_Trojan_SnakeKeylogger_af3faa65 Create hunting rule
Author:	Elastic Security

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/371394/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample