MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 2cf6b9480c8c7a3e9ecfda6a28bac4f48f019d35f75d89847c8ef866aef2cc98. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


SnakeKeylogger


Vendor detections: 13


Intelligence 13 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 2cf6b9480c8c7a3e9ecfda6a28bac4f48f019d35f75d89847c8ef866aef2cc98
SHA3-384 hash: 9865d66aebf1db5aed27b97376fcd01d4ddf012358d807ef07121d909861d25ed01941cc490db14aa3dadb7c2cd114d8
SHA1 hash: 6920b5e389e83aa688a1e11faddf232dcd227fe2
MD5 hash: 729d63ad50dbea9a1e1b4da8e7fb2003
humanhash: violet-fifteen-maine-indigo
File name:gtt1EJtSPWs5hfX.exe
Download: download sample
Signature SnakeKeylogger
Create hunting rule
File size:656'384 bytes
First seen:2023-03-30 06:40:13 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'738 x AgentTesla, 19'596 x Formbook, 12'241 x SnakeKeylogger)
ssdeep 12288:XeJ/sIWuRehpimOMt+3CCSiUCxtAHYR4HdPomry3dMDnSrd2YXjokfi:uUPimXiKAt+HdPo92nSh2Iokf
TLSH T1B0D4015436ECC51AC968427A81E4C2F113B9CCC9EA69C7270FCEBD87B3CE34A5525297
TrID 71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.2% (.EXE) Win64 Executable (generic) (10523/12/4)
6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.3% (.EXE) Win32 Executable (generic) (4505/5/1)
2.0% (.ICL) Windows Icons Library (generic) (2059/9)
File icon (PE):PE icon
dhash icon 646466eaf6726264 (9 x Loki, 9 x AgentTesla, 8 x SnakeKeylogger)
Reporter abuse_ch
Tags:exe SnakeKeylogger

Intelligence

File Origin
# of uploads :
1
# of downloads :
228
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
gtt1EJtSPWs5hfX.exe
Verdict:
Malicious activity
Analysis date:
2023-03-30 06:47:37 UTC
Tags:
snake keylogger trojan evasion
Link:
https://app.any.run/tasks/9bd95d66-9188-4407-b7d2-24e96abfd89e

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/378668/
Detection(s):
Sanesecurity.Malware.28872.BadIN4.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Сreating synchronization primitives
Launching a process
Creating a process with a hidden window
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
packed
Link:
https://www.filescan.io/uploads/64252eff688c0e6397b3a29b/reports/215c81d5-825b-4cc4-9dbc-10b5e9764dfa/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_90%
Link:
https://www.hybrid-analysis.com/sample/2cf6b9480c8c7a3e9ecfda6a28bac4f48f019d35f75d89847c8ef866aef2cc98
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Snake Keylogger
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/3fea462b-5447-48a3-b8f3-1f7704dc4a18
Result
Threat name:
Snake Keylogger
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1204914
Signature
.NET source code contains potential unpacker
Adds a directory exclusion to Windows Defender
Injects a PE file into a foreign processes
Malicious sample detected (through community Yara rule)
May check the online IP address of the machine
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Scheduled temp file as task from temp location
Snort IDS alert for network traffic
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Mail credentials (via file / registry access)
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected Generic Downloader
Yara detected Snake Keylogger
Yara detected Telegram RAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 837833 Sample: gtt1EJtSPWs5hfX.exe Startdate: 30/03/2023 Architecture: WINDOWS Score: 100 51 Snort IDS alert for network traffic 2->51 53 Malicious sample detected (through community Yara rule) 2->53 55 Sigma detected: Scheduled temp file as task from temp location 2->55 57 5 other signatures 2->57 7 gtt1EJtSPWs5hfX.exe 7 2->7         started        11 ScrpzjxEiARoJ.exe 5 2->11         started        process3 file4 35 C:\Users\user\AppData\...\ScrpzjxEiARoJ.exe, PE32 7->35 dropped 37 C:\...\ScrpzjxEiARoJ.exe:Zone.Identifier, ASCII 7->37 dropped 39 C:\Users\user\AppData\Local\...\tmpAA88.tmp, XML 7->39 dropped 41 C:\Users\user\...\gtt1EJtSPWs5hfX.exe.log, CSV 7->41 dropped 59 May check the online IP address of the machine 7->59 61 Uses schtasks.exe or at.exe to add and modify task schedules 7->61 63 Adds a directory exclusion to Windows Defender 7->63 13 gtt1EJtSPWs5hfX.exe 15 2 7->13         started        17 powershell.exe 21 7->17         started        19 schtasks.exe 1 7->19         started        21 gtt1EJtSPWs5hfX.exe 7->21         started        65 Multi AV Scanner detection for dropped file 11->65 67 Injects a PE file into a foreign processes 11->67 23 ScrpzjxEiARoJ.exe 14 2 11->23         started        25 schtasks.exe 1 11->25         started        signatures5 process6 dnsIp7 43 checkip.dyndns.com 132.226.247.73, 49693, 49694, 80 UTMEMUS United States 13->43 45 checkip.dyndns.org 13->45 47 192.168.2.1 unknown unknown 13->47 69 Tries to steal Mail credentials (via file / registry access) 13->69 71 Tries to harvest and steal ftp login credentials 13->71 73 Tries to harvest and steal browser information (history, passwords, etc) 13->73 27 conhost.exe 17->27         started        29 conhost.exe 19->29         started        49 checkip.dyndns.org 23->49 31 WerFault.exe 3 10 23->31         started        33 conhost.exe 25->33         started        signatures8 process9
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/2cf6b9480c8c7a3e9ecfda6a28bac4f48f019d35f75d89847c8ef866aef2cc98/
Threat name:
ByteCode-MSIL.Trojan.Pwsx
Create hunting rule
Status:
Malicious
First seen:
2023-03-30 06:41:06 UTC
File Type:
PE (.Net Exe)
Extracted files:
12
AV detection:
7 of 24 (29.17%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=ft3lssamrr5d5hwp3jvcrowe6shqdhjv65oytbd4r34gnlxszsma._file
Result
Malware family:
snakekeylogger
Create hunting rule
Score:
  10/10
Tags:
family:snakekeylogger collection keylogger spyware stealer
Link:
https://tria.ge/reports/230330-hfrqhsbc52/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Enumerates physical storage devices
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Looks up external IP address via web service
Checks computer location settings
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Snake Keylogger
Snake Keylogger payload
Malware Config
C2 Extraction:
https://api.telegram.org/bot6094595254:AAHm5DV1HkFQ1Wlz87nCZ7yt4M_2BynwYWw/sendMessage?chat_id=5582419717
Unpacked files
SH256 hash:
3e0d37643bb30ec0bb5cdbfa9117b8ca1dadaaa87d83aa676501109e8249a3cb
MD5 hash:
da5421424c36042a2e7fd67f97bd8c1d
SHA1 hash:
f6422c2efa54430bd2c1c2cf29187e0473e36eb4
Link:
https://www.unpac.me/results/58fdd7bd-5042-4ce2-a5e0-8c042b53bd03/
SH256 hash:
2b6b7d281c9460209ebe0cf90598a66337f7e314ba996b020a5c54493809ff3f
MD5 hash:
f089331fba14ef8c1c269112eadc7862
SHA1 hash:
d1d768b24105b12fc9b8a08272c123124285ab9d
Link:
https://www.unpac.me/results/58fdd7bd-5042-4ce2-a5e0-8c042b53bd03/
SH256 hash:
8b65ae9c53a9730545936c945af22ddbf7b83e9c6485e97b24490299264e97eb
MD5 hash:
c5207503e649e4e2f5e09d58a65a55a5
SHA1 hash:
c7e96192166289b1efbc2fd6ffb4ae877085aae2
Detections:
snake_keylogger
Create hunting rule
Link:
https://www.unpac.me/results/58fdd7bd-5042-4ce2-a5e0-8c042b53bd03/
Parent samples :
33351fc9d35b21e9cba9a840886ad40fe046c4f23010850f2f14b5cd89cc440a
49724ca3085da5a272e1d71db0fa8568fba58e7c2afb279ec038dbbaee65953f
3fd2b3c66c8673586d4573c3cd434c65be4e4eae0fad1ee19989ad6e94408109
0ed333ca8332a025c80a3824fee4a5e66ad39e1a66c9a8f9fbf18ce9d9c49b1f
89f3250563d9548740f1682f4f79b7b515e8af4e09a63a868ea53cf59cb90f1a
2cf6b9480c8c7a3e9ecfda6a28bac4f48f019d35f75d89847c8ef866aef2cc98
3f532c71983108b99522f1a36b7f02c8b026181bc90acd813a7d4b506969873b
SH256 hash:
37338cb30426713e0ae1837dd52563712e8916f7c249e944b6a043cb2c6bc90d
MD5 hash:
d545995144062a99c77ae22c2bff71a8
SHA1 hash:
52be6225353e4c0037a84476bb015685c2b69287
Link:
https://www.unpac.me/results/58fdd7bd-5042-4ce2-a5e0-8c042b53bd03/
SH256 hash:
ba626dcd083321f29cee9386874881ab3ebf2a883858873ff64d72990768e045
MD5 hash:
91f49ed71615610e87689c7154609dcd
SHA1 hash:
1a881529aa9d214fcad001054c8ce39b2dbb57e7
Link:
https://www.unpac.me/results/58fdd7bd-5042-4ce2-a5e0-8c042b53bd03/
SH256 hash:
2cf6b9480c8c7a3e9ecfda6a28bac4f48f019d35f75d89847c8ef866aef2cc98
MD5 hash:
729d63ad50dbea9a1e1b4da8e7fb2003
SHA1 hash:
6920b5e389e83aa688a1e11faddf232dcd227fe2
Link:
https://www.unpac.me/results/58fdd7bd-5042-4ce2-a5e0-8c042b53bd03/
Malware family:
SnakeKeylogger
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/2cf6b9480c8c/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/2cf6b9480c8c7a3e9ecfda6a28bac4f48f019d35f75d89847c8ef866aef2cc98

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

SnakeKeylogger

Executable exe 2cf6b9480c8c7a3e9ecfda6a28bac4f48f019d35f75d89847c8ef866aef2cc98

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/378668/

Comments