MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 2f77a0882a1faa6b040bb17d2bc63a5a154835d46adedd98339eba6599974655. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


SnakeKeylogger


Vendor detections: 13


Intelligence 13 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 2f77a0882a1faa6b040bb17d2bc63a5a154835d46adedd98339eba6599974655
SHA3-384 hash: 0538be4a543548f5c1571fe29aac03d200498b99a61f031abe9b928542d12c58d1c8a4d26a8562d71ad3c8d5fc1a3925
SHA1 hash: bad74af969ac10b199ea64d653cb64d955b45768
MD5 hash: 2342890d94990def4cf4552015a5404f
humanhash: mars-foxtrot-fourteen-kansas
File name:20230125 09052394 Hesap Ozeti.exe
Download: download sample
Signature SnakeKeylogger
Create hunting rule
File size:857'088 bytes
First seen:2023-01-25 20:30:26 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 12288:YPr8kyGy+ysyQzjkATGdsQbM6pEh47DyHQPJoL2SGGqCBu99cdMtEwcU3gZ+:I8kyGyOyQzlGptDuoJoLyDCB96AAgZ
Threatray 8'876 similar samples on MalwareBazaar
TLSH T16105CE40B2B8EB42EEA48FF5101195A147B22E2BFF24F3645D8272E71673B847E50D97
TrID 71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.2% (.EXE) Win64 Executable (generic) (10523/12/4)
6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.3% (.EXE) Win32 Executable (generic) (4505/5/1)
2.0% (.ICL) Windows Icons Library (generic) (2059/9)
File icon (PE):PE icon
dhash icon b1b1b17964989c06 (31 x SnakeKeylogger, 4 x AgentTesla, 3 x XWorm)
Reporter abuse_ch
Tags:exe geo SnakeKeylogger TUR

Intelligence

File Origin
# of uploads :
1
# of downloads :
191
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
20230125 09052394 Hesap Ozeti.exe
Verdict:
Malicious activity
Analysis date:
2023-01-25 20:41:04 UTC
Tags:
evasion trojan
Link:
https://app.any.run/tasks/ac2d92d2-5dfb-4124-ba3a-32a017f5409d

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/356847/
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a custom TCP request
Сreating synchronization primitives
Creating a file in the %AppData% directory
Enabling the 'hidden' option for recently created files
Adding an access-denied ACE
Creating a process from a recently created file
Creating a process with a hidden window
Creating a file in the %temp% directory
Launching a process
Unauthorized injection to a recently created process
Creating a file
DNS request
Sending an HTTP GET request
Enabling the 'hidden' option for analyzed file
Moving of the original file
Blocking the System Restore
Blocking a possibility to launch for the Windows Task Manager (taskmgr)
Blocking a possibility to launch for cmd.exe command interpreter
Enabling autorun by creating a file
Forced shutdown of a browser
Verdict:
No Threat
Threat level:
  2/10
Confidence:
75%
Tags:
packed
Link:
https://www.filescan.io/uploads/63d191881c9cbf7d6252b529/reports/bdf9442f-9cd7-42ac-a065-028f24e08c4a/overview
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Generic Malware
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/4509573a-8849-4e18-9d78-c9ef2e0fc46a
Result
Threat name:
Snake Keylogger
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1159167
Signature
.NET source code contains potential unpacker
.NET source code references suspicious native API functions
Adds a directory exclusion to Windows Defender
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Disables the Windows registry editor (regedit)
Disables the Windows task manager (taskmgr)
Disables Windows system restore
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
May check the online IP address of the machine
Moves itself to temp directory
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Scheduled temp file as task from temp location
Snort IDS alert for network traffic
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Mail credentials (via file / registry access)
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected AntiVM3
Yara detected Generic Downloader
Yara detected Snake Keylogger
Yara detected Telegram RAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 791905 Sample: 20230125 09052394 Hesap Ozeti.exe Startdate: 25/01/2023 Architecture: WINDOWS Score: 100 57 Snort IDS alert for network traffic 2->57 59 Malicious sample detected (through community Yara rule) 2->59 61 Antivirus / Scanner detection for submitted sample 2->61 63 13 other signatures 2->63 8 20230125 09052394 Hesap Ozeti.exe 7 2->8         started        12 BvBWjF.exe 5 2->12         started        process3 file4 43 C:\Users\user\AppData\Roaming\BvBWjF.exe, PE32 8->43 dropped 45 C:\Users\user\...\BvBWjF.exe:Zone.Identifier, ASCII 8->45 dropped 47 C:\Users\user\AppData\Local\...\tmpF873.tmp, XML 8->47 dropped 49 C:\...\20230125 09052394 Hesap Ozeti.exe.log, ASCII 8->49 dropped 65 Adds a directory exclusion to Windows Defender 8->65 14 20230125 09052394 Hesap Ozeti.exe 18 2 8->14         started        18 powershell.exe 21 8->18         started        20 schtasks.exe 1 8->20         started        28 2 other processes 8->28 67 Antivirus detection for dropped file 12->67 69 Multi AV Scanner detection for dropped file 12->69 71 May check the online IP address of the machine 12->71 73 Machine Learning detection for dropped file 12->73 22 BvBWjF.exe 14 2 12->22         started        24 schtasks.exe 1 12->24         started        26 BvBWjF.exe 12->26         started        signatures5 process6 dnsIp7 51 checkip.dyndns.com 132.226.247.73, 49712, 49716, 80 UTMEMUS United States 14->51 53 checkip.dyndns.org 14->53 77 Moves itself to temp directory 14->77 79 Tries to steal Mail credentials (via file / registry access) 14->79 81 Tries to harvest and steal ftp login credentials 14->81 83 3 other signatures 14->83 30 reg.exe 1 1 14->30         started        33 conhost.exe 18->33         started        35 conhost.exe 20->35         started        55 checkip.dyndns.org 22->55 37 WerFault.exe 22->37         started        39 conhost.exe 24->39         started        signatures8 process9 signatures10 75 Disables the Windows registry editor (regedit) 30->75 41 conhost.exe 30->41         started        process11
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/2f77a0882a1faa6b040bb17d2bc63a5a154835d46adedd98339eba6599974655/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2023-01-25 20:31:11 UTC
File Type:
PE (.Net Exe)
Extracted files:
24
AV detection:
18 of 37 (48.65%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=f532bcbkd6vgwbalwf6sxrr2likuqnounlpn3gbtt25glgmxizkq._file
Verdict:
malicious
Similar samples:
2b00e652ffa3e4930797d32ac541d7b14563de78aed4d47c6e3eb4126a3159b0
SnakeKeylogger
2ba7b33e4ca8e5aa551570f76844426ad636593eb2590aa9344d7488577e93d3
SnakeKeylogger
36c5431ac4e2225c82fe6d34d6a84ff736718e89ad28e52c943b2da5c8ea978f
SnakeKeylogger
4b73919f41ea4a5bfe12da3709ca5562eef550dff276edf28a525753279f11fc
SnakeKeylogger
7d1c91342282f5a34d6035a539fa1b3f0ae9e62182cb749c1269807b2deea2be
SnakeKeylogger
9b5ec4049e14aa89f83aa1e7268533d5560664710c1de74c4f866d07381880d1
SnakeKeylogger
a5c5fff9f5fb5557c0be28962dd29a09b3691eeab05cb2970718d877b2559b97
SnakeKeylogger
efb60e1e37e9f3508f738f1b01476321d02674165691667e33b6b41365b9218f
SnakeKeylogger
+ 8'866 additional samples on MalwareBazaar
Result
Malware family:
snakekeylogger
Create hunting rule
Score:
  10/10
Tags:
family:snakekeylogger collection evasion keylogger spyware stealer
Link:
https://tria.ge/reports/230125-zap36saf66/
Behaviour
Creates scheduled task(s)
Modifies registry key
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: RenamesItself
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Enumerates physical storage devices
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Looks up external IP address via web service
Checks computer location settings
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Disables RegEdit via registry modification
Disables Task Manager via registry modification
Snake Keylogger
Snake Keylogger payload
Malware Config
C2 Extraction:
https://api.telegram.org/bot5412042498:AAH4OVSAlB-9yvO0MxObTPVF8mPej6Ln4M4/sendMessage?chat_id=5573520537
Unpacked files
SH256 hash:
30f99742f9f5f7e941f28beeef66f774526209cfbcfb5328065e0c68b990f3c1
MD5 hash:
1e2f3fb4b9eae2bde9b5c250d558f095
SHA1 hash:
f30fe77b179ff7623308c6d8e6f03b6e090ce56e
Detections:
snake_keylogger
Create hunting rule
Link:
https://www.unpac.me/results/57584839-e7aa-4c3a-9d66-6460c2da036d/
Parent samples :
bbeb2bc4ebccbf94ad87dd8f650d4b9e2b9dc65b0fe9e785a44a4f8e464b575e
2f77a0882a1faa6b040bb17d2bc63a5a154835d46adedd98339eba6599974655
64b9c66d1790f7f9a62366c7bbcd694941f39fa86077994f0d752f70c90f56b6
4fc2e821a7e7d72363cbc61a1fb1ed5a4cd1c06c09b3794b1ac24ef2fd73b4fd
SH256 hash:
3394576314a79a8eb5895ca0ab5ea0d5094c09d8efc2dd665c525be48e4cf7c2
MD5 hash:
ded5ff515cfe0ec3a3fb33c759ae319e
SHA1 hash:
b4a5725280e9f47c8b1c42bfef3421307bd2bfd0
Link:
https://www.unpac.me/results/57584839-e7aa-4c3a-9d66-6460c2da036d/
SH256 hash:
411569f9f0b865c651adc1234d23f86cd98fe5cd641704702276e9882be113b6
MD5 hash:
7648892096f37af50468509c5b051180
SHA1 hash:
a56a074c2770152761f6c4975db0e9f7d57f8cda
Link:
https://www.unpac.me/results/57584839-e7aa-4c3a-9d66-6460c2da036d/
SH256 hash:
ff1b42ea7d56a37eae801adbddb7116f52a4664c0b41302736f522852edc2747
MD5 hash:
89ac57478044c57c7195943116a521e0
SHA1 hash:
1ff2bafeed795423e3538d810bda8e1e3fcdcfa5
Link:
https://www.unpac.me/results/57584839-e7aa-4c3a-9d66-6460c2da036d/
SH256 hash:
a323b955a9093b81cd251a5658f688670becea23b6e2e8d360ab51f6f953206a
MD5 hash:
9fb0197565f68988ffe1b43378f219cf
SHA1 hash:
1c931ff4e46d0743dd57abb9813312d1ddc3ec84
Link:
https://www.unpac.me/results/57584839-e7aa-4c3a-9d66-6460c2da036d/
SH256 hash:
2f77a0882a1faa6b040bb17d2bc63a5a154835d46adedd98339eba6599974655
MD5 hash:
2342890d94990def4cf4552015a5404f
SHA1 hash:
bad74af969ac10b199ea64d653cb64d955b45768
Link:
https://www.unpac.me/results/57584839-e7aa-4c3a-9d66-6460c2da036d/
Malware family:
SnakeKeylogger
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/2f77a0882a1f/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
0.90
Link:
https://yomi.yoroi.company/submissions/2f77a0882a1faa6b040bb17d2bc63a5a154835d46adedd98339eba6599974655

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/356847/

Comments