MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 081d841583dbdb2d881df7e2ac7d12702518680e5a34a6238cdee2abae76885b. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

SnakeKeylogger

Vendor detections: 14

Intelligence 14 IOCs YARA 2 File information Comments

SHA256 hash:	081d841583dbdb2d881df7e2ac7d12702518680e5a34a6238cdee2abae76885b
SHA3-384 hash:	48eaec2b99b37c64d8d82c857090fe6a7389bb4e78cfd6ce292fea6821c613b391474a9cf7563b682e5d41c25d36a5e3
SHA1 hash:	cc66dbda02f4214af71f0a63392ec1a7fbd514f4
MD5 hash:	afed25f3a6abfd4b3dd79f86d06d12ce
humanhash:	colorado-diet-pizza-bacon
File name:	Halkbank_Ekstre_20221101_08.pdf.exe
Download:	download sample
Signature	SnakeKeylogger Create hunting rule
File size:	583'680 bytes
First seen:	2022-11-01 08:37:11 UTC
Last seen:	2022-11-01 09:22:25 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'666 x AgentTesla, 19'479 x Formbook, 12'209 x SnakeKeylogger)
ssdeep	12288:RwhuJ+Qvhzps7e/POJA63Ulo3JGGup+8A8Iz3f:CuJts7YSUQGGCXA8Ibf
Threatray	7'457 similar samples on MalwareBazaar
TLSH	T1FCC423273126C9F6F5760BF9462B62D13BF0A849B922C62D08C632CD14767CFA715A73
TrID	72.5% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13) 10.4% (.EXE) Win64 Executable (generic) (10523/12/4) 6.5% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 4.4% (.EXE) Win32 Executable (generic) (4505/5/1) 2.0% (.EXE) OS/2 Executable (generic) (2029/13)
Reporter	abuse_ch
Tags:	exe geo Halkbank SnakeKeylogger TUR

Intelligence

File Origin

# of uploads :

# of downloads :

293

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

Halkbank_Ekstre_20221101_08.pdf.exe

Verdict:

Malicious activity

Analysis date:

2022-11-01 08:43:06 UTC

Tags:

evasion trojan snake

Link:

https://app.any.run/tasks/69f56b9b-16d5-44f3-a495-0451f14e4506

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

Snake

Link:

https://www.capesandbox.com/analysis/326749/

Detection(s):

SecuriteInfo.com.Trojan.Inject4.46086.31718.25273.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

Sending a custom TCP request

Launching a process

Creating a process with a hidden window

Verdict:

Suspicious

Threat level:

5/10

Confidence:

100%

Tags:

packed

Link:

https://www.filescan.io/uploads/6360daef736e9d884f0dc154/reports/8265ecfa-8f2c-45dc-9175-5a4b0d200d84/overview

Result

Verdict:

UNKNOWN

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Snake Keylogger

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/0d30afcc-08f0-4ef3-8792-0a8bd639d658

Result

Threat name:

Snake Keylogger

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1102407

Signature

.NET source code contains potential unpacker

.NET source code references suspicious native API functions

Adds a directory exclusion to Windows Defender

Initial sample is a PE file and has a suspicious name

Injects a PE file into a foreign processes

Malicious sample detected (through community Yara rule)

May check the online IP address of the machine

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Sigma detected: Scheduled temp file as task from temp location

Snort IDS alert for network traffic

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to steal Mail credentials (via file / registry access)

Uses an obfuscated file name to hide its real file extension (double extension)

Uses schtasks.exe or at.exe to add and modify task schedules

Uses the Telegram API (likely for C&C communication)

Yara detected AntiVM3

Yara detected Generic Downloader

Yara detected Snake Keylogger

Yara detected Telegram RAT

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/081d841583dbdb2d881df7e2ac7d12702518680e5a34a6238cdee2abae76885b/

Threat name:

ByteCode-MSIL.Spyware.Noon

Status:

Malicious

First seen:

2022-11-01 07:58:20 UTC

File Type:

PE (.Net Exe)

Extracted files:

AV detection:

25 of 26 (96.15%)

Threat level:

2/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=baoyifmd3pns3ca567rky7isoasrq2aoli2kmi4m33rkxltwrbnq._file

Verdict:

malicious

SnakeKeylogger

0983653ed943e88580b04dc228483a8661c89a282fa0f01e097fd238b4631427

SnakeKeylogger

4a758929930ecf0a804975bf90cdf639baacff62dc03692b358021bcd2f76735

SnakeKeylogger

5f0e11a7c976f6f3e9edc18e95741e59c0ab321698008aafa5c274b6b7776da8

SnakeKeylogger

c9089b729c04a9c07067163df4e244a66e9ecf8122510f5d93aa9f2c1142039a

SnakeKeylogger

dfca98bd8e0eb54b1e7708da67016cff14e7de001e845afaa5c869ef5a75c0dd

SnakeKeylogger

+ 7'447 additional samples on MalwareBazaar

Result

Malware family:

snakekeylogger

Score:

10/10

Tags:

family:snakekeylogger collection keylogger spyware stealer

Link:

https://tria.ge/reports/221101-kjqczaafdn/

Behaviour

Creates scheduled task(s)

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

outlook_office_path

outlook_win_path

Enumerates physical storage devices

Suspicious use of SetThreadContext

Accesses Microsoft Outlook profiles

Looks up external IP address via web service

Checks computer location settings

Reads data files stored by FTP clients

Reads user/profile data of local email clients

Reads user/profile data of web browsers

Snake Keylogger

Snake Keylogger payload

Malware Config

C2 Extraction:

https://api.telegram.org/bot5582701255:AAG6EwFmBC6AWDB7ijWIdb3jOpyBEYRlBgU/sendMessage?chat_id=1856108848

Gathering data

Unpacked files

SH256 hash:

15d73a776fe344c81d89f8c1403a88694e798a4698997b7e71ff8cd285043e5e

MD5 hash:

30f4d7c4a68786ee7add65357696b171

SHA1 hash:

f1dc5ea4551456140bda5f1be92ea156260cab2f

Link:

https://www.unpac.me/results/e6bf1e9a-34f4-4827-8338-93d7d2a7824a/

SH256 hash:

52321ff38a14228d150a9c535fde53b591e55f9fdb09470634a8334d55dc0b27

MD5 hash:

93124af7472c04887074aab79d489a6e

SHA1 hash:

c4b429682cb84c0a7145667713dfce2f88b96afb

Link:

https://www.unpac.me/results/e6bf1e9a-34f4-4827-8338-93d7d2a7824a/

SH256 hash:

48dce2631822613e7ceb0ff9100ea0584132cdad07a32467a8c5df90c76b87f2

MD5 hash:

156e9142d2df0ef51b311e0443b50e9a

SHA1 hash:

4f542b57a462526b16f3d9d857b28f792c24ae78

Detections:

snake_keylogger

Link:

https://www.unpac.me/results/e6bf1e9a-34f4-4827-8338-93d7d2a7824a/

Parent samples :

6b010af0223bd5f11bfc896701e2151a2feee5e48127367f2f760d5110af4857
2eb68d9acd4f3bf8816e682b1c87234e909cd8f1d53bc4d6df8a0acb74daea52
ae5aa180e80601126d73c2da070cd4fc5d041d4cbd66566d01569fd1ad33738b
beb54195c2d5f5dd021b8a916b27d6929b6114c2edd311f291b15054d439e7ab
fd2cd3b81c8d9917c3d886e894b7e6561f501cbf6eba18d2dcf443cb5cc05a0f
e08ed6f6f84946bdd5e3d099080330841efe8ce84cc2002d510e3dbe74de3fef
50109664df17c305d63866d276484eff9131d9fb4bbb091275f07d940e7435b5
8e88b06d2325abd6c323cac3064f6ca4f81e4fee843b04efc255a3105f82e507
4a7c732e04071421b16fceefad0a2a2c046d8d59b2ece54f50f89645b4eac10d
081d841583dbdb2d881df7e2ac7d12702518680e5a34a6238cdee2abae76885b

SH256 hash:

cfc16a2dbb933b1b85807d48966e9301b9fc34f4c44e7357713ca88b54bf4ab4

MD5 hash:

aabd0bdc81026ade6c57383f21d5c227

SHA1 hash:

4b26936bb8c03be6d7963184215a5ab594ecb765

Link:

https://www.unpac.me/results/e6bf1e9a-34f4-4827-8338-93d7d2a7824a/

SH256 hash:

9046f50bd5c81df9aceda9c5061f0949fee928045c839af6638f16cfd27a5314

MD5 hash:

79d6c38091ee9171640ad9289aea9472

SHA1 hash:

34baf660e0a5f2fd8a4d16506ab18b2e44716ac4

Link:

https://www.unpac.me/results/e6bf1e9a-34f4-4827-8338-93d7d2a7824a/

SH256 hash:

081d841583dbdb2d881df7e2ac7d12702518680e5a34a6238cdee2abae76885b

MD5 hash:

afed25f3a6abfd4b3dd79f86d06d12ce

SHA1 hash:

cc66dbda02f4214af71f0a63392ec1a7fbd514f4

Link:

https://www.unpac.me/results/e6bf1e9a-34f4-4827-8338-93d7d2a7824a/

Malware family:

SnakeKeylogger

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/081d841583db/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/081d841583dbdb2d881df7e2ac7d12702518680e5a34a6238cdee2abae76885b

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	pe_imphash Create hunting rule

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/326749/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample