MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 11e254d19638d13b5ca7387839d1b9e81b6722ff046f26d73388352d129b6322. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


SnakeKeylogger


Vendor detections: 15


Intelligence 15 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 11e254d19638d13b5ca7387839d1b9e81b6722ff046f26d73388352d129b6322
SHA3-384 hash: 0f5940bbfe8a124e134b6472691451eb62808e67b177c187b0b9a6188da85074ce35ebb52bcfa1c7409603bfee51b4ad
SHA1 hash: ac41fc4d6d37548b44c2317cd361db271c02d04b
MD5 hash: 2abb2f09c2a5f2529eba741dd8e32a9f
humanhash: delta-alanine-eight-johnny
File name:MV INO HORIZON.exe
Download: download sample
Signature SnakeKeylogger
Create hunting rule
File size:739'328 bytes
First seen:2023-06-14 14:26:36 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'462 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 12288:UZhqBPH1nMf5UaaP4n3CxTAgyyRGY0CQRunsunuB4EXqXdVo:YoBpq5Lz3EAgyyRGY0tRLB44qXdV
Threatray 2'734 similar samples on MalwareBazaar
TLSH T145F4024597BD870AD6BF57F8A47495344BB2B85B2537E34F0D42B0EAAA23F214A01F13
TrID 63.0% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
11.2% (.SCR) Windows screen saver (13097/50/3)
9.0% (.EXE) Win64 Executable (generic) (10523/12/4)
5.6% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
3.8% (.EXE) Win32 Executable (generic) (4505/5/1)
Reporter abuse_ch
Tags:exe SnakeKeylogger

Intelligence

File Origin
# of uploads :
1
# of downloads :
290
Origin country :
NL NL
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
MV INO HORIZON.exe
Verdict:
Malicious activity
Analysis date:
2023-06-14 14:30:11 UTC
Tags:
snake keylogger trojan evasion
Link:
https://app.any.run/tasks/2fd55024-84ce-4ff5-b2b7-d3da48f6c434

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Snake
Create hunting rule
Link:
https://www.capesandbox.com/analysis/398857/
Detection(s):
SecuriteInfo.com.Trojan.PackedNET.2104.252.988.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Сreating synchronization primitives
Searching for synchronization primitives
Creating a window
Creating a process with a hidden window
Launching a process
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
lolbin packed
Link:
https://www.filescan.io/uploads/6489ce3842c89170f6ec4cec/reports/28c34fcd-0cf4-4b25-b876-75229fbe2d84/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_90%
Link:
https://www.hybrid-analysis.com/sample/11e254d19638d13b5ca7387839d1b9e81b6722ff046f26d73388352d129b6322
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Snake Keylogger
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/ca6db82b-d616-4ef8-aa46-9819bdfef1d4
Result
Threat name:
Snake Keylogger
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1254634
Signature
.NET source code contains potential unpacker
Adds a directory exclusion to Windows Defender
Found malware configuration
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
May check the online IP address of the machine
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Scheduled temp file as task from temp location
Snort IDS alert for network traffic
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected Generic Downloader
Yara detected Snake Keylogger
Yara detected Telegram RAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 887659 Sample: MV_INO_HORIZON.exe Startdate: 14/06/2023 Architecture: WINDOWS Score: 100 51 Snort IDS alert for network traffic 2->51 53 Found malware configuration 2->53 55 Malicious sample detected (through community Yara rule) 2->55 57 7 other signatures 2->57 7 MV_INO_HORIZON.exe 7 2->7         started        11 RffbiVnqkvJUb.exe 4 2->11         started        process3 file4 33 C:\Users\user\AppData\...\RffbiVnqkvJUb.exe, PE32 7->33 dropped 35 C:\...\RffbiVnqkvJUb.exe:Zone.Identifier, ASCII 7->35 dropped 37 C:\Users\user\AppData\Local\...\tmp5F37.tmp, XML 7->37 dropped 39 C:\Users\user\...\MV_INO_HORIZON.exe.log, ASCII 7->39 dropped 59 May check the online IP address of the machine 7->59 61 Uses schtasks.exe or at.exe to add and modify task schedules 7->61 63 Adds a directory exclusion to Windows Defender 7->63 13 MV_INO_HORIZON.exe 15 2 7->13         started        17 powershell.exe 21 7->17         started        19 schtasks.exe 1 7->19         started        65 Multi AV Scanner detection for dropped file 11->65 67 Machine Learning detection for dropped file 11->67 69 Injects a PE file into a foreign processes 11->69 21 RffbiVnqkvJUb.exe 11->21         started        23 schtasks.exe 1 11->23         started        signatures5 process6 dnsIp7 41 tehrannotary.com 136.243.52.10, 25, 49696, 49708 HETZNER-ASDE Germany 13->41 43 checkip.dyndns.org 13->43 49 2 other IPs or domains 13->49 71 Tries to steal Mail credentials (via file / registry access) 13->71 73 Tries to harvest and steal browser information (history, passwords, etc) 13->73 25 conhost.exe 17->25         started        27 conhost.exe 19->27         started        45 checkip.dyndns.org 21->45 47 193.122.6.168, 49695, 80 ORACLE-BMC-31898US United States 21->47 29 WerFault.exe 21->29         started        31 conhost.exe 23->31         started        signatures8 process9
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/11e254d19638d13b5ca7387839d1b9e81b6722ff046f26d73388352d129b6322/
Threat name:
ByteCode-MSIL.Worm.LovGate
Create hunting rule
Status:
Malicious
First seen:
2023-06-14 06:49:15 UTC
File Type:
PE (.Net Exe)
Extracted files:
9
AV detection:
16 of 24 (66.67%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=chrfjumwhditwxfhhb4dtunz5anwoix7arxsnvztra2s2eu3mmra._file
Verdict:
malicious
Similar samples:
0335bef9440cae7dd60e617e31258a490b9598e3dfa1325bf79ca9eca5c4c720
SnakeKeylogger
46aa53a2f735bd16868e0d14cb07a54da59025c3a883146c49dc8cb9328c5f4f
SnakeKeylogger
49307d98509c8c1c1dd733bf8c19cace00412eca43bde30607cc2a156accba1b
SnakeKeylogger
5c0f9b792a93d6445bc4828d26e1a22723276efc19e6e97b8c8548c890bd0f00
SnakeKeylogger
7e1aa5a27b397de94ebb0593c2a4aa59d90c0179539ec982c93848ff6470b9c0
SnakeKeylogger
837657c72effe9da508cb38d2110e6f664f239f88558948f10d265d9ff3a3f33
SnakeKeylogger
8668cd0f536fc0fb2d750d9d4ed492ac9435a32b7ade9f3e427af470bab09bf9
SnakeKeylogger
9e6406269fe3e1f7a309e3ee01e4770d6f5c7abd2dead9afc7eddfedcdb04295
SnakeKeylogger
ca6ec95e35554a39ffb8cb132f253c56781a23c7618b08f9710ffa828e6817ef
SnakeKeylogger
fe2e43ede9f445a41bd41df5d99beeaee9aad9e0684ceb148dd81c1f0e7db616
SnakeKeylogger
+ 2'724 additional samples on MalwareBazaar
Result
Malware family:
snakekeylogger
Create hunting rule
Score:
  10/10
Tags:
family:snakekeylogger collection keylogger spyware stealer
Link:
https://tria.ge/reports/230614-rseq6aaa94/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Enumerates physical storage devices
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Looks up external IP address via web service
Checks computer location settings
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Snake Keylogger
Snake Keylogger payload
Unpacked files
SH256 hash:
52f358d201e81d3a0391cedd3042e2f957555b77aa49559f7fb810bbb7673ba1
MD5 hash:
c785ddc46141af772c75101d17c46a41
SHA1 hash:
e248723b6f60cc7607980d07172b64c33b2b2f15
Link:
https://www.unpac.me/results/294a731a-d3a2-488c-bfb1-34bc9fac41a1/
SH256 hash:
0c01ea7472c4e61d3f7a22aa1ef493700c5bd282c9b39b5dbc8485e8fa620519
MD5 hash:
b54c633df79be2b66dd008b060f64df3
SHA1 hash:
dd36b35500c7b78a855c3cbb1e01704dca321f69
Detections:
snake_keylogger
Create hunting rule
Link:
https://www.unpac.me/results/294a731a-d3a2-488c-bfb1-34bc9fac41a1/
Parent samples :
7c4d8756750ac99128b6467b57d9bf5f09fa790f239ae298ecb5e4764f90075a
49307d98509c8c1c1dd733bf8c19cace00412eca43bde30607cc2a156accba1b
11e254d19638d13b5ca7387839d1b9e81b6722ff046f26d73388352d129b6322
654385028b87dbf8e7387cd76dc69099cdcc344f97dc735647d429d11f7fe95f
153d7d4dc8a4fe27256b5b320469d9bd41272cb698e600b041a23e58180f0618
SH256 hash:
d6d27ed1939b8527bfaab77b5cda589e3cdc842639958f7b4b63aed35ac7a7ab
MD5 hash:
72b601a1609673f221ca537200e6f074
SHA1 hash:
9bd391169223d5d967cbda11e237b68204cb8511
Link:
https://www.unpac.me/results/294a731a-d3a2-488c-bfb1-34bc9fac41a1/
SH256 hash:
3276b7a634144eb0a84b4c0cdeaa56f5c03837677226753afcfd29a81efb2d7c
MD5 hash:
17fcc94ebaf23bad4287ad8b28a430b6
SHA1 hash:
589868416aa11ba73a05510f9297147973a62057
Link:
https://www.unpac.me/results/294a731a-d3a2-488c-bfb1-34bc9fac41a1/
SH256 hash:
439cecbb66153763218b5e3d87816052ce87968b145ea3007e5c806ed407f730
MD5 hash:
c708bf9f5bcf0e764eacf66d8d368c8c
SHA1 hash:
05b8921429872d2d514174b5d6685ea1e3369a07
Link:
https://www.unpac.me/results/294a731a-d3a2-488c-bfb1-34bc9fac41a1/
SH256 hash:
11e254d19638d13b5ca7387839d1b9e81b6722ff046f26d73388352d129b6322
MD5 hash:
2abb2f09c2a5f2529eba741dd8e32a9f
SHA1 hash:
ac41fc4d6d37548b44c2317cd361db271c02d04b
Link:
https://www.unpac.me/results/294a731a-d3a2-488c-bfb1-34bc9fac41a1/
Malware family:
SnakeKeylogger
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/11e254d19638/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/11e254d19638d13b5ca7387839d1b9e81b6722ff046f26d73388352d129b6322

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/398857/

Comments