MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 19bc779bdb31a070d3b122e2c58547649586b5481655a52db8b3ccadd958bed3. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


SnakeKeylogger


Vendor detections: 11


Intelligence 11 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 19bc779bdb31a070d3b122e2c58547649586b5481655a52db8b3ccadd958bed3
SHA3-384 hash: 2769687e41bce88208069a631bd3a43946bcf7f669f68d6f66e44d77004cd76301522587c4de02df16bca3ff1a6f258f
SHA1 hash: d25ccbc3d5530c506fd4a395e8e29a5186f52a2e
MD5 hash: 9dc3162ee9d9473e7d253c63e5e04acd
humanhash: kitten-september-charlie-massachusetts
File name:Operaciones de Cuenta.bat
Download: download sample
Signature SnakeKeylogger
Create hunting rule
File size:637'983 bytes
First seen:2023-03-30 07:37:46 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 6e7f9a29f2c85394521a08b9f31f6275 (278 x GuLoader, 44 x RemcosRAT, 40 x VIPKeylogger)
ssdeep 6144:sMm4CCHM4NL26fgvXDgkgcHHIA9kk+fQ5YhCwJQgARZ91F3hwIgWVTa:sMwg/NL26fgvXhHxUH7JTARZ9/RwIgsa
TLSH T1B1D4F7F9B264C1AAE3BB46F16D2B686420F7ACAD98D0421D26BDB71C09B171111DFD0F
TrID 47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
15.9% (.EXE) Win64 Executable (generic) (10523/12/4)
9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
7.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
6.8% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):PE icon
dhash icon c8bae6ce9c98968e (4 x SnakeKeylogger, 1 x GuLoader)
Reporter lowmal3
Tags:exe SnakeKeylogger

Intelligence

File Origin
# of uploads :
1
# of downloads :
249
Origin country :
DE DE
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
Operaciones de Cuenta.bat
Verdict:
Malicious activity
Analysis date:
2023-03-30 07:44:31 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/01b90814-a50d-401d-ac71-4766fcf63e41

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/378738/
Result
Verdict:
Clean
Maliciousness:

Behaviour
Creating a window
Creating a file in the %temp% subdirectories
Delayed reading of the file
Result
Malware family:
n/a
Score:
  5/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/75725/overview
Behaviour
MalwareBazaar
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
comodo guloader overlay packed shell32.dll
Link:
https://www.filescan.io/uploads/64253c5b54ddd532608469f6/reports/c94ca0b5-8744-44bd-96c9-a5c0c1788920/overview
Verdict:
Malicious
Labled as:
Trojan.Generic
Link:
https://www.hybrid-analysis.com/sample/19bc779bdb31a070d3b122e2c58547649586b5481655a52db8b3ccadd958bed3
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/3ccf00aa-9d11-4804-b632-b9f8e3d191d1
Result
Threat name:
GuLoader, Snake Keylogger
Create hunting rule
Detection:
malicious
Classification:
troj.evad.spyw
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1204926
Signature
May check the online IP address of the machine
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic
Tries to detect Any.run
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Mail credentials (via file / registry access)
Writes to foreign memory regions
Yara detected GuLoader
Yara detected Snake Keylogger
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 837843 Sample: Operaciones_de_Cuenta.bat.exe Startdate: 30/03/2023 Architecture: WINDOWS Score: 100 34 checkip.dyndns.org 2->34 36 checkip.dyndns.com 2->36 38 3 other IPs or domains 2->38 46 Snort IDS alert for network traffic 2->46 48 Multi AV Scanner detection for submitted file 2->48 50 Yara detected GuLoader 2->50 52 3 other signatures 2->52 8 Operaciones_de_Cuenta.bat.exe 2 38 2->8         started        signatures3 process4 file5 28 C:\Users\user\AppData\Local\...\System.dll, PE32 8->28 dropped 30 C:\Users\user\AppData\Local\...\AdvSplash.dll, PE32 8->30 dropped 32 api-ms-win-core-errorhandling-l1-1-0.dll, PE32 8->32 dropped 54 Writes to foreign memory regions 8->54 56 Tries to detect Any.run 8->56 12 CasPol.exe 15 11 8->12         started        16 CasPol.exe 8->16         started        18 CasPol.exe 8->18         started        signatures6 process7 dnsIp8 40 checkip.dyndns.com 193.122.130.0, 49842, 80 ORACLE-BMC-31898US United States 12->40 42 drive.google.com 142.250.184.206, 443, 49840 GOOGLEUS United States 12->42 44 googlehosted.l.googleusercontent.com 142.250.186.129, 443, 49841 GOOGLEUS United States 12->44 58 Tries to steal Mail credentials (via file / registry access) 12->58 60 Tries to harvest and steal ftp login credentials 12->60 62 Tries to harvest and steal browser information (history, passwords, etc) 12->62 64 Tries to detect Any.run 12->64 20 WerFault.exe 20 16 12->20         started        22 WerFault.exe 2 16 12->22         started        24 WerFault.exe 16 12->24         started        26 conhost.exe 12->26         started        signatures9 process10
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/19bc779bdb31a070d3b122e2c58547649586b5481655a52db8b3ccadd958bed3/
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=dg6hpg63ggqhbu5relrmlbkhmskynnkiczk2klnywpgk3wkyx3jq._file
Result
Malware family:
snakekeylogger
Create hunting rule
Score:
  10/10
Tags:
family:guloader family:snakekeylogger collection downloader keylogger stealer
Link:
https://tria.ge/reports/230330-jgeb9ada7y/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Enumerates physical storage devices
Program crash
Suspicious use of NtCreateThreadExHideFromDebugger
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Legitimate hosting services abused for malware hosting/C2
Looks up external IP address via web service
Checks QEMU agent file
Loads dropped DLL
Guloader,Cloudeye
Snake Keylogger
Snake Keylogger payload
Unpacked files
SH256 hash:
7a9ddee34562cd3703f1502b5c70e99cd5bba15de2b6845a3555033d7f6cb2a5
MD5 hash:
564bb0373067e1785cba7e4c24aab4bf
SHA1 hash:
7c9416a01d821b10b2eef97b80899d24014d6fc1
Link:
https://www.unpac.me/results/bb309cb6-1706-4b7a-8c7b-159078cf1e68/
SH256 hash:
8c0da6a524382a2cf75bfb8af0687a5e29fa035d6af88b0719f0624fc7de06a9
MD5 hash:
cccb1bd55354703ea1c7019e07b8d7e4
SHA1 hash:
5ff6248090f0f3f6a1b466106c2a339e9fa20f24
Link:
https://www.unpac.me/results/bb309cb6-1706-4b7a-8c7b-159078cf1e68/
SH256 hash:
62b3db0446750ca9fd693733eec927acc1f50012a47785343286e63b650b7621
MD5 hash:
1871af84805057b5ebc05ee46b56625d
SHA1 hash:
50e1c315ad30f5f3f300c7cd9dd0d5d626fe0167
Link:
https://www.unpac.me/results/bb309cb6-1706-4b7a-8c7b-159078cf1e68/
SH256 hash:
19bc779bdb31a070d3b122e2c58547649586b5481655a52db8b3ccadd958bed3
MD5 hash:
9dc3162ee9d9473e7d253c63e5e04acd
SHA1 hash:
d25ccbc3d5530c506fd4a395e8e29a5186f52a2e
Link:
https://www.unpac.me/results/bb309cb6-1706-4b7a-8c7b-159078cf1e68/
Malware family:
GuLoader
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/19bc779bdb31/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Password Stealer
Score:
0.90
Link:
https://yomi.yoroi.company/submissions/19bc779bdb31a070d3b122e2c58547649586b5481655a52db8b3ccadd958bed3

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

SnakeKeylogger

Executable exe 19bc779bdb31a070d3b122e2c58547649586b5481655a52db8b3ccadd958bed3

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/378738/

Comments