MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 2dbb566e1dce36409f2f8a3e3fed3737c4b286b87c2dc87d892ff4d0e0367562. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


SnakeKeylogger


Vendor detections: 16


Intelligence 16 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 2dbb566e1dce36409f2f8a3e3fed3737c4b286b87c2dc87d892ff4d0e0367562
SHA3-384 hash: 20c1d907414b854db78675ee20d229fb5cc1ad24fe743e3b53ce10a79017526812240472000bc27b4588b542ffacfbc5
SHA1 hash: c455b3124b28390b720be35dd3dc8865b85c20a5
MD5 hash: 7c61259d514e2ceaf39cc924df1fd1ef
humanhash: asparagus-summer-paris-fifteen
File name:doc20230623514.exe
Download: download sample
Signature SnakeKeylogger
Create hunting rule
File size:579'584 bytes
First seen:2023-06-23 11:37:08 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'740 x AgentTesla, 19'597 x Formbook, 12'241 x SnakeKeylogger)
ssdeep 12288:xk54/mNUAkwNuPv/FVRO5+Mxr8ef5Ka/TKFYFB8DHz:xk54/QU5wNu3NVRFMyaKX2g
Threatray 10 similar samples on MalwareBazaar
TLSH T1E2C41275766BCF22F27A03355DA2018807792D587425D60EFFEB3ECA56B33486B42923
TrID 71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.2% (.EXE) Win64 Executable (generic) (10523/12/4)
6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.3% (.EXE) Win32 Executable (generic) (4505/5/1)
2.0% (.ICL) Windows Icons Library (generic) (2059/9)
File icon (PE):PE icon
dhash icon eaeac2b2f2e888a6 (6 x SnakeKeylogger, 1 x AgentTesla, 1 x NanoCore)
Reporter abuse_ch
Tags:exe SnakeKeylogger

Intelligence

File Origin
# of uploads :
1
# of downloads :
271
Origin country :
NL NL
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
doc20230623514.exe
Verdict:
Malicious activity
Analysis date:
2023-06-23 11:39:14 UTC
Tags:
evasion snake keylogger trojan blackguard
Link:
https://app.any.run/tasks/7f3ae721-a2fb-4b07-8672-f0ccd951fe63

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Snake
Create hunting rule
Link:
https://www.capesandbox.com/analysis/402152/
Detection(s):
SecuriteInfo.com.Variant.Strictor.279865.30531.3007.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Creating a window
Сreating synchronization primitives
Creating a process with a hidden window
Launching a process
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
packed
Link:
https://www.filescan.io/uploads/6495841a40564677ecaf88ef/reports/8619aaa1-02fa-4b85-a0b8-ad5e943fd11e/overview
Verdict:
Malicious
Labled as:
Strictor.Generic
Link:
https://www.hybrid-analysis.com/sample/2dbb566e1dce36409f2f8a3e3fed3737c4b286b87c2dc87d892ff4d0e0367562
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Snake Keylogger
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/cb2f54d2-f43b-4b3f-ac13-3205e0575882
Result
Threat name:
Snake Keylogger
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1260405
Signature
.NET source code contains potential unpacker
Adds a directory exclusion to Windows Defender
Found malware configuration
Injects a PE file into a foreign processes
Malicious sample detected (through community Yara rule)
May check the online IP address of the machine
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Scheduled temp file as task from temp location
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected Generic Downloader
Yara detected Snake Keylogger
Yara detected Telegram RAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 893422 Sample: doc20230623514.exe Startdate: 23/06/2023 Architecture: WINDOWS Score: 100 49 Found malware configuration 2->49 51 Malicious sample detected (through community Yara rule) 2->51 53 Sigma detected: Scheduled temp file as task from temp location 2->53 55 5 other signatures 2->55 7 doc20230623514.exe 7 2->7         started        11 bdDXvQNZvXpP.exe 5 2->11         started        process3 file4 33 C:\Users\user\AppData\...\bdDXvQNZvXpP.exe, PE32 7->33 dropped 35 C:\Users\...\bdDXvQNZvXpP.exe:Zone.Identifier, ASCII 7->35 dropped 37 C:\Users\user\AppData\Local\...\tmp52EA.tmp, XML 7->37 dropped 39 C:\Users\user\...\doc20230623514.exe.log, CSV 7->39 dropped 57 May check the online IP address of the machine 7->57 59 Uses schtasks.exe or at.exe to add and modify task schedules 7->59 61 Adds a directory exclusion to Windows Defender 7->61 13 doc20230623514.exe 15 2 7->13         started        17 powershell.exe 17 7->17         started        19 schtasks.exe 1 7->19         started        25 3 other processes 7->25 63 Multi AV Scanner detection for dropped file 11->63 65 Injects a PE file into a foreign processes 11->65 21 bdDXvQNZvXpP.exe 14 2 11->21         started        23 schtasks.exe 1 11->23         started        signatures5 process6 dnsIp7 41 checkip.dyndns.org 13->41 43 checkip.dyndns.com 132.226.247.73, 49718, 49719, 80 UTMEMUS United States 13->43 45 192.168.2.1 unknown unknown 13->45 27 conhost.exe 17->27         started        29 conhost.exe 19->29         started        47 checkip.dyndns.org 21->47 67 Tries to steal Mail credentials (via file / registry access) 21->67 69 Tries to harvest and steal browser information (history, passwords, etc) 21->69 31 conhost.exe 23->31         started        signatures8 process9
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/2dbb566e1dce36409f2f8a3e3fed3737c4b286b87c2dc87d892ff4d0e0367562/
Threat name:
Win32.Trojan.Leonem
Create hunting rule
Status:
Malicious
First seen:
2023-06-23 07:10:04 UTC
File Type:
PE (.Net Exe)
Extracted files:
15
AV detection:
18 of 37 (48.65%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=fw5vm3q5zy3ebhzpri7d73jxg7clfbvypqw4q7mjf72nbybwovra._file
Verdict:
malicious
Similar samples:
1b21c2bec0bcf3df0a9d83d5c3e708d0a9590b8a5bf85371d9a826d7bba3b457
SnakeKeylogger
3128342e14d0e3fdf92828d146cc86bc6f52520cd792b043f72e20eddb022e10
SnakeKeylogger
377ecccf20a10a0f9fb02b2d614ae682826322aabdaf217b1cf0f9b0ff14ece4
SnakeKeylogger
61e75e123449c092c36171ad72de1ddbce425c8a82de0704f868295fab5df3a1
SnakeKeylogger
903ea42c02e8a30f6ad63666de0748b4fd4c2758c220b39af57269d1eebebb9d
SnakeKeylogger
9ab4351395cfc81d8afabb133e442989b54696cad65e22de72d58398505762bd
SnakeKeylogger
a74174da27ad7415025fd5f70ec71f0b9d87ec0b3227b7bc7355cc0fe82269e1
SnakeKeylogger
bda1a08d1c632950d8a4980f501b78336a1f0602919365d40c62b3d2877041b4
SnakeKeylogger
c80ff12cdbd7537e9440b4337acb944b16eed326bc3552b87224da47f826fbb6
SnakeKeylogger
d53118397cd7dbd982acbf2b19245c70d8b1b5c1331acefc540d38c347865c55
SnakeKeylogger
Result
Malware family:
snakekeylogger
Create hunting rule
Score:
  10/10
Tags:
family:snakekeylogger collection keylogger spyware stealer
Link:
https://tria.ge/reports/230623-nrpyysee25/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Enumerates physical storage devices
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Looks up external IP address via web service
Checks computer location settings
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Snake Keylogger
Snake Keylogger payload
Malware Config
C2 Extraction:
https://api.telegram.org/bot6060762419:AAGo6rQgpyf-Njpv5QeEbwFAJ4lVx_cPJSc/sendMessage?chat_id=1696657848
Unpacked files
SH256 hash:
cb9a2dd2d8237d950206a5330d72e07608128a36c22b40e83b5ff11f02884a97
MD5 hash:
7c9918d9b2e980764cd950207a1ac23f
SHA1 hash:
dae9dbdf13d7dc0d036e09b41c9246500b813e0c
Link:
https://www.unpac.me/results/16ef1320-6a1c-4daf-bcb4-a4d54f1b1614/
SH256 hash:
9d6c73e273a966a4ed1d93350392d965792ddf5ad201bfa28b8adcec2e344db5
MD5 hash:
adac60763fcfe4d5f4ad323046e79500
SHA1 hash:
9ced772a90ddec9fffde8c745225ad289f3f087e
Link:
https://www.unpac.me/results/16ef1320-6a1c-4daf-bcb4-a4d54f1b1614/
SH256 hash:
258837e0e3717642a66757ec5246e80bb7b6b07358cc7062c7a90683824a389e
MD5 hash:
15011277acf37c7b67dbf1de1c7f015a
SHA1 hash:
3015cb619dc908a3358f1c3ea5a532069ba8ca33
Detections:
snake_keylogger
Create hunting rule
Link:
https://www.unpac.me/results/16ef1320-6a1c-4daf-bcb4-a4d54f1b1614/
Parent samples :
c11df3f962a103fb7d2640c2788461926d8ccda282fec1b46c35d9bec4187573
2dbb566e1dce36409f2f8a3e3fed3737c4b286b87c2dc87d892ff4d0e0367562
5997a10b7ec5669650d2e310bc3b65a33017c1352d91548a496f97735d5bd486
SH256 hash:
973512f00ba81a790d2351f286c79dfea92692c9f7cd724e22ab11ff282f8130
MD5 hash:
3794c5f7b240e4184d6ea90c5bdd9ec6
SHA1 hash:
26b9c4a753779b4994fe38c16dfe70b07efd3e0d
Link:
https://www.unpac.me/results/16ef1320-6a1c-4daf-bcb4-a4d54f1b1614/
SH256 hash:
2dbb566e1dce36409f2f8a3e3fed3737c4b286b87c2dc87d892ff4d0e0367562
MD5 hash:
7c61259d514e2ceaf39cc924df1fd1ef
SHA1 hash:
c455b3124b28390b720be35dd3dc8865b85c20a5
Link:
https://www.unpac.me/results/16ef1320-6a1c-4daf-bcb4-a4d54f1b1614/
Malware family:
SnakeKeylogger
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/2dbb566e1dce/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/2dbb566e1dce36409f2f8a3e3fed3737c4b286b87c2dc87d892ff4d0e0367562

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/402152/

Comments