MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 234f7d8ed5bd6ab03e43324e3dee0406c727075e7334548d7e8bab8e18500660. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


SnakeKeylogger


Vendor detections: 17


Intelligence 17 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 234f7d8ed5bd6ab03e43324e3dee0406c727075e7334548d7e8bab8e18500660
SHA3-384 hash: 169608355c7008d22a5a953849e7df4a920083c8729632f833b9f8ff1a6121997ceda48f3551672f48de4d4a1f1e14c5
SHA1 hash: 515ded0d557d7bb2bebdd15718215fd4d131948b
MD5 hash: fe0a79e3672c7186d9d8e4fa3fb9e8c9
humanhash: crazy-spaghetti-coffee-zebra
File name:234f7d8ed5bd6ab03e43324e3dee0406c727075e7334548d7e8bab8e18500660
Download: download sample
Signature SnakeKeylogger
Create hunting rule
File size:1'687'744 bytes
First seen:2023-05-09 13:35:47 UTC
Last seen:2023-05-09 13:37:39 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 12e12319f1029ec4f8fcbed7e82df162 (430 x NirCmd, 392 x DCRat, 52 x RedLineStealer)
ssdeep 24576:5TbBv5rUCkJzcONuXvfG+k+EAunyTozjvKOidwt2M4KXGCpmTuqaS5kldkPWmDP:zBrk1+Xnv+AdTojvMwtzKCA7aPMPvDP
TLSH T1A9751301BAD29472D0720D734636AB2AE93D7E602FB189CF23D0575ACE315D1EB317A6
TrID 89.0% (.EXE) WinRAR Self Extracting archive (4.x-5.x) (265042/9/39)
3.5% (.EXE) Win64 Executable (generic) (10523/12/4)
2.2% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
1.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
1.5% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):PE icon
dhash icon a2a9d8f88a88c9c0 (11 x SnakeKeylogger, 4 x RedLineStealer, 4 x AgentTesla)
Reporter adrian__luca
Tags:exe SnakeKeylogger

Intelligence

File Origin
# of uploads :
2
# of downloads :
283
Origin country :
HU HU
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
234f7d8ed5bd6ab03e43324e3dee0406c727075e7334548d7e8bab8e18500660
Verdict:
Malicious activity
Analysis date:
2023-05-09 13:35:56 UTC
Tags:
snake keylogger trojan evasion
Link:
https://app.any.run/tasks/bbad6be3-d96a-4609-a1ef-a4f0bbf640d1

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Snake
Create hunting rule
Link:
https://www.capesandbox.com/analysis/387850/
Detection(s):
Sanesecurity.Rogue.0hr.20230428-1634.UNOFFICIAL
Create hunting rule

SecuriteInfo.com.Trojan.GenericKD.38920448.13962.7593.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Creating a window
Сreating synchronization primitives
Searching for synchronization primitives
Creating a file
Enabling the 'hidden' option for recently created files
Creating a process from a recently created file
Launching a process
DNS request
Sending an HTTP GET request
Reading critical registry keys
Creating a file in the %temp% directory
Unauthorized injection to a recently created process
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Forced shutdown of a browser
Result
Malware family:
n/a
Score:
  6/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/83203/overview
Behaviour
MalwareBazaar
MeasuringTime
EvasionQueryPerformanceCounter
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
anti-vm autoit greyware hacktool keylogger overlay packed packed setupapi.dll shdocvw.dll shell32.dll snake snakekeylogger stealer
Link:
https://www.filescan.io/uploads/645a4c438399e8849cbcaa2c/reports/a734f6af-8724-4724-86a4-bfed9ba39f94/overview
Verdict:
Malicious
Labled as:
Trojan.Generic
Link:
https://www.hybrid-analysis.com/sample/234f7d8ed5bd6ab03e43324e3dee0406c727075e7334548d7e8bab8e18500660
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Snake Keylogger
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/194b90fc-97f4-4945-bf24-11223486bb97
Result
Threat name:
Snake Keylogger
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1229230
Signature
Antivirus detection for dropped file
Creates autostart registry keys with suspicious values (likely registry only malware)
Drops PE files with a suspicious file extension
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
May check the online IP address of the machine
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic
Starts an encoded Visual Basic Script (VBE)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Yara detected AntiVM autoit script
Yara detected Generic Downloader
Yara detected Snake Keylogger
Yara detected Telegram RAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 862214 Sample: es95ePCEuT.exe Startdate: 09/05/2023 Architecture: WINDOWS Score: 100 85 Snort IDS alert for network traffic 2->85 87 Malicious sample detected (through community Yara rule) 2->87 89 Multi AV Scanner detection for submitted file 2->89 91 6 other signatures 2->91 12 es95ePCEuT.exe 35 2->12         started        16 cswqqmdt.pif 2->16         started        18 cswqqmdt.pif 2->18         started        20 cswqqmdt.pif 2->20         started        process3 file4 75 C:\jhmp\cswqqmdt.pif, PE32 12->75 dropped 77 C:\jhmp\coachfunddraising.exe, PE32 12->77 dropped 103 Drops PE files with a suspicious file extension 12->103 105 Starts an encoded Visual Basic Script (VBE) 12->105 22 coachfunddraising.exe 15 2 12->22         started        26 wscript.exe 1 12->26         started        107 Creates autostart registry keys with suspicious values (likely registry only malware) 16->107 28 wscript.exe 16->28         started        30 wscript.exe 18->30         started        32 wscript.exe 20->32         started        signatures5 process6 dnsIp7 79 checkip.dyndns.com 158.101.44.242, 49705, 80 ORACLE-BMC-31898US United States 22->79 81 checkip.dyndns.org 22->81 95 Antivirus detection for dropped file 22->95 97 Multi AV Scanner detection for dropped file 22->97 99 May check the online IP address of the machine 22->99 101 Machine Learning detection for dropped file 22->101 34 WerFault.exe 24 9 22->34         started        36 cswqqmdt.pif 4 4 26->36         started        39 cswqqmdt.pif 26->39         started        41 cswqqmdt.pif 28->41         started        83 192.168.2.1 unknown unknown 30->83 43 cswqqmdt.pif 30->43         started        45 cswqqmdt.pif 32->45         started        signatures8 process9 signatures10 93 Multi AV Scanner detection for dropped file 36->93 47 wscript.exe 1 36->47         started        49 wscript.exe 39->49         started        51 wscript.exe 41->51         started        53 wscript.exe 45->53         started        process11 process12 55 cswqqmdt.pif 1 47->55         started        57 cswqqmdt.pif 49->57         started        59 cswqqmdt.pif 51->59         started        process13 61 wscript.exe 55->61         started        63 wscript.exe 57->63         started        65 wscript.exe 59->65         started        process14 67 cswqqmdt.pif 61->67         started        69 cswqqmdt.pif 63->69         started        71 cswqqmdt.pif 65->71         started        process15 73 wscript.exe 67->73         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/234f7d8ed5bd6ab03e43324e3dee0406c727075e7334548d7e8bab8e18500660/
Threat name:
ByteCode-MSIL.Infostealer.Mintluks
Create hunting rule
Status:
Malicious
First seen:
2023-04-28 08:55:09 UTC
File Type:
PE (Exe)
Extracted files:
509
AV detection:
19 of 24 (79.17%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=enhx3dwvxvvlapsdgjhd33qea3dsob26om2fjdl6rovy4gcqazqa._file
Verdict:
malicious
Result
Malware family:
snakekeylogger
Create hunting rule
Score:
  10/10
Tags:
family:snakekeylogger collection keylogger persistence spyware stealer
Link:
https://tria.ge/reports/230509-qv8lksaa4z/
Behaviour
Modifies registry class
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Enumerates physical storage devices
Accesses Microsoft Outlook profiles
Adds Run key to start application
Looks up external IP address via web service
Checks computer location settings
Executes dropped EXE
Loads dropped DLL
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Snake Keylogger
Snake Keylogger payload
Unpacked files
SH256 hash:
4007bdcb88f2b606b546e2a37a1116217ab82bf761615e238be8aae330cf0caa
MD5 hash:
6362eddcd88874eca0058bbf73154e6c
SHA1 hash:
552a6dcdceff63f96a8aa824872d1646ee0f86e6
Link:
https://www.unpac.me/results/3d458e67-bf2a-4e00-93d2-60dcff80e50b/
SH256 hash:
84f118f12fd1021e0e2bbdcb1e55340a12b54c92a9419fc6b3c199419a08c317
MD5 hash:
05169549546cc217d862cf9f33106bae
SHA1 hash:
f05f088d76e914557eee19ae5d54faa077db84f8
Detections:
snake_keylogger
Create hunting rule
Link:
https://www.unpac.me/results/3d458e67-bf2a-4e00-93d2-60dcff80e50b/
Parent samples :
e7b7bc74d5e2ba6337eaf26386a8c2aca2d151aeaa0d6f57ad9b89405b167464
234f7d8ed5bd6ab03e43324e3dee0406c727075e7334548d7e8bab8e18500660
SH256 hash:
234f7d8ed5bd6ab03e43324e3dee0406c727075e7334548d7e8bab8e18500660
MD5 hash:
fe0a79e3672c7186d9d8e4fa3fb9e8c9
SHA1 hash:
515ded0d557d7bb2bebdd15718215fd4d131948b
Link:
https://www.unpac.me/results/3d458e67-bf2a-4e00-93d2-60dcff80e50b/
Malware family:
SnakeKeylogger
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/234f7d8ed5bd/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/234f7d8ed5bd6ab03e43324e3dee0406c727075e7334548d7e8bab8e18500660

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pdb_YARAify
Create hunting rule
Author:@wowabiy314
Description:PDB

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/387850/

Comments