MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 2c02e5bec85fedefe1d21d2cc02b0d7e91eebfedcb53f444127463987de67bc0. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

SHA256 hash:	2c02e5bec85fedefe1d21d2cc02b0d7e91eebfedcb53f444127463987de67bc0
SHA3-384 hash:	637dace08cdfb598b2e874fb6e23d27024f98f56892074054eccfc8118539dfb1294d25106ce16563cb76073dadb2638
SHA1 hash:	6f21f997a4f810f899bfe07fbeeb231c3594b773
MD5 hash:	d5823a84e4b8e1cf3d66e71c0bfdc634
humanhash:	timing-nevada-angel-rugby
File name:	OPH21.bat
Download:	download sample
Signature	SnakeKeylogger Alert Create hunting rule
File size:	637'582 bytes
First seen:	2023-03-30 07:26:39 UTC
Last seen:	2023-03-30 07:38:54 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	6e7f9a29f2c85394521a08b9f31f6275 (278 x GuLoader, 44 x RemcosRAT, 40 x VIPKeylogger)
ssdeep	6144:sMm4CCHM4NL26fgvQVA2QNzTlIWFLVEXeVwp9gSGmsBYnrfs:sMwg/NL26fgvQK2QN6WRVAgSGm+Ynrfs
TLSH	T144D4F8F9B260C1AAE2BB46F16D2B687421F79CAD98D0421D26BDB71C09B271111DFD0F
TrID	47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13) 15.9% (.EXE) Win64 Executable (generic) (10523/12/4) 9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 7.6% (.EXE) Win16 NE executable (generic) (5038/12/1) 6.8% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):
dhash icon	c8bae6ce9c98968e (4 x SnakeKeylogger, 1 x GuLoader)
Reporter	lowmal3
Tags:	exe SnakeKeylogger

Intelligence

---

File Origin

# of uploads :

2

# of downloads :

236

Origin country :

DE

Vendor Threat Intelligence

ANY.RUN Malicious

Malware family:

n/a

ID:

1

File name:

OPH21.bat

Verdict:

Malicious activity

Analysis date:

2023-03-30 07:33:08 UTC

Tags:

n/a

Link:

https://app.any.run/tasks/6bbe53dd-7a4c-4e80-8077-4b3b0a60f467

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

CAPE Sandbox

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/378709/

Dr. Web vxCube Clean

Result

Verdict:

Clean

Maliciousness:

Behaviour

Creating a window

Creating a file in the %temp% subdirectories

Delayed reading of the file

Sending a custom TCP request

Certego Dragonfly Suspicious

Result

Malware family:

n/a

Score:

  5/10

Tags:

n/a

Link:

https://dragonfly.certego.net/analysis/75713/overview

Behaviour

MalwareBazaar

FileScan.IO Malicious

Verdict:

Malicious

Threat level:

  10/10

Confidence:

100%

Tags:

comodo guloader overlay packed shell32.dll

Link:

https://www.filescan.io/uploads/642539c80dc8b8a71cf78a62/reports/8db6f68a-ac0c-4f6c-9d87-426c71b330f5/overview

Hybrid Analysis Trojan.Generic

Verdict:

Malicious

Labled as:

Trojan.Generic

Link:

https://www.hybrid-analysis.com/sample/2c02e5bec85fedefe1d21d2cc02b0d7e91eebfedcb53f444127463987de67bc0

InQuest MALICIOUS

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Intezer Unknown

Verdict:

Unknown

Link:

https://analyze.intezer.com/analyses/7dad641e-b5b5-44d1-bd8c-0b9cae01fca3

Joe Sandbox GuLoader, Snake Keylogger

Result

Threat name:

GuLoader, Snake Keylogger

Alert

Create hunting rule

Detection:

malicious

Classification:

troj.evad.spyw

Score:

92 / 100

Link:

https://www.joesandbox.com/analysis/1205329

Signature

May check the online IP address of the machine

Multi AV Scanner detection for submitted file

Snort IDS alert for network traffic

Tries to detect Any.run

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to steal Mail credentials (via file / registry access)

Writes to foreign memory regions

Yara detected GuLoader

Yara detected Snake Keylogger

Behaviour

Behavior Graph:

Download SVG

CERT.PL MWDB

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/2c02e5bec85fedefe1d21d2cc02b0d7e91eebfedcb53f444127463987de67bc0/

ReversingLabs TitaniumCloud Win32.Trojan.Guloader

Threat name:

Win32.Trojan.Guloader

Alert

Create hunting rule

Status:

Malicious

First seen:

2023-03-28 10:32:35 UTC

File Type:

PE (Exe)

Extracted files:

10

AV detection:

13 of 24 (54.17%)

Threat level:

  5/5

Spamhaus Hash Blocklist Suspicious file

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=fqbolpwil7w67yosduwmakynp2i65p7nznj7irasorrzq7pgppaa._file

Hatching Triage snakekeylogger

Result

Malware family:

snakekeylogger

Alert

Create hunting rule

Score:

  10/10

Tags:

family:guloader family:snakekeylogger collection downloader keylogger stealer

Link:

https://tria.ge/reports/230330-h94beada4t/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: MapViewOfSection

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

outlook_office_path

outlook_win_path

Enumerates physical storage devices

Program crash

Suspicious use of NtCreateThreadExHideFromDebugger

Suspicious use of NtSetInformationThreadHideFromDebugger

Suspicious use of SetThreadContext

Accesses Microsoft Outlook profiles

Legitimate hosting services abused for malware hosting/C2

Looks up external IP address via web service

Checks QEMU agent file

Loads dropped DLL

Guloader,Cloudeye

Snake Keylogger

Snake Keylogger payload

UnpacMe 4

Unpacked files

SH256 hash:

7a9ddee34562cd3703f1502b5c70e99cd5bba15de2b6845a3555033d7f6cb2a5

MD5 hash:

564bb0373067e1785cba7e4c24aab4bf

SHA1 hash:

7c9416a01d821b10b2eef97b80899d24014d6fc1

Link:

https://www.unpac.me/results/10ef0cbb-c981-4835-b9bd-4ee119afd0ba/

SH256 hash:

8c0da6a524382a2cf75bfb8af0687a5e29fa035d6af88b0719f0624fc7de06a9

MD5 hash:

cccb1bd55354703ea1c7019e07b8d7e4

SHA1 hash:

5ff6248090f0f3f6a1b466106c2a339e9fa20f24

Link:

https://www.unpac.me/results/10ef0cbb-c981-4835-b9bd-4ee119afd0ba/

SH256 hash:

62b3db0446750ca9fd693733eec927acc1f50012a47785343286e63b650b7621

MD5 hash:

1871af84805057b5ebc05ee46b56625d

SHA1 hash:

50e1c315ad30f5f3f300c7cd9dd0d5d626fe0167

Link:

https://www.unpac.me/results/10ef0cbb-c981-4835-b9bd-4ee119afd0ba/

SH256 hash:

2c02e5bec85fedefe1d21d2cc02b0d7e91eebfedcb53f444127463987de67bc0

MD5 hash:

d5823a84e4b8e1cf3d66e71c0bfdc634

SHA1 hash:

6f21f997a4f810f899bfe07fbeeb231c3594b773

Link:

https://www.unpac.me/results/10ef0cbb-c981-4835-b9bd-4ee119afd0ba/

VMRay GuLoader

Malware family:

GuLoader

Alert

Create hunting rule

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/2c02e5bec85f/report/overview.html

VirusTotal

Please note that we are no longer able to provide a coverage score for Virus Total.

YOROI YOMI Malicious File

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/2c02e5bec85fedefe1d21d2cc02b0d7e91eebfedcb53f444127463987de67bc0

File information

---

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

SnakeKeylogger

exe 2c02e5bec85fedefe1d21d2cc02b0d7e91eebfedcb53f444127463987de67bc0

(this sample)

  

Delivery method

Distributed via e-mail attachment

Cape

https://www.capesandbox.com/analysis/378709/