MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 30ec05225f4cfdcfbfcc89d37aed7b5df5cd331107181854b5bbc898b54c3258. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


SnakeKeylogger


Vendor detections: 14


Intelligence 14 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 30ec05225f4cfdcfbfcc89d37aed7b5df5cd331107181854b5bbc898b54c3258
SHA3-384 hash: d4a34d7d15a971397f9ba464c23534be277ec31f2bdfaf508aa485369f873890c2456885541927b4928355a0b097a599
SHA1 hash: 4ea00af031bff59b6a392f9f690c0e065dd74349
MD5 hash: 5f4601659afd2a6fe52fdf2ea5b722f5
humanhash: ten-neptune-floor-sodium
File name:rdeliverynotepackinglistPDF.exe
Download: download sample
Signature SnakeKeylogger
Create hunting rule
File size:886'784 bytes
First seen:2023-03-06 15:08:39 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 12288:skC2iNawENb3cOQ7HZLN0x5PFoWQIbnyT5cPeRAFBXbhpc7hMrShfqLn4Jvy:E1Qwe3cOQDeNbvnyT5m07hJe
Threatray 181 similar samples on MalwareBazaar
TLSH T164159E9132B0D473F5CB017560297ACC2C7CB153B6D4E24B6A7B7AC09605AFBF698E12
TrID 71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.2% (.EXE) Win64 Executable (generic) (10523/12/4)
6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.3% (.EXE) Win32 Executable (generic) (4505/5/1)
2.0% (.ICL) Windows Icons Library (generic) (2059/9)
Reporter FXOLabs
Tags:exe SnakeKeylogger

Intelligence

File Origin
# of uploads :
1
# of downloads :
243
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
rdeliverynotepackinglistPDF.exe
Verdict:
Malicious activity
Analysis date:
2023-03-06 15:11:10 UTC
Tags:
snake keylogger trojan evasion
Link:
https://app.any.run/tasks/57cc59ed-7990-4633-8cd8-87a02a29d42b

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/372046/
Detection(s):
SecuriteInfo.com.MSIL.Kryptik.WZA.UNOFFICIAL
Create hunting rule

Sanesecurity.Malware.28872.BadIN4.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a custom TCP request
Creating a file in the %AppData% directory
Enabling the 'hidden' option for recently created files
Adding an access-denied ACE
Сreating synchronization primitives
Creating a process from a recently created file
Creating a process with a hidden window
Creating a file in the %temp% directory
Launching a process
Unauthorized injection to a recently created process
Creating a file
Enabling autorun by creating a file
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
packed
Link:
https://www.filescan.io/uploads/6406021166e79c93ba0e40f3/reports/e8ab85b4-5346-47af-8ab5-389ded7ec040/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_100%
Link:
https://www.hybrid-analysis.com/sample/30ec05225f4cfdcfbfcc89d37aed7b5df5cd331107181854b5bbc898b54c3258
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Generic Malware
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/1ed9c456-a235-421e-b1ce-fdfccd07fe52
Result
Threat name:
Snake Keylogger
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1188007
Signature
Adds a directory exclusion to Windows Defender
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
May check the online IP address of the machine
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Scheduled temp file as task from temp location
Snort IDS alert for network traffic
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Mail credentials (via file / registry access)
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected Generic Downloader
Yara detected Snake Keylogger
Yara detected Telegram RAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 820883 Sample: rdeliverynotepackinglistPDF.exe Startdate: 06/03/2023 Architecture: WINDOWS Score: 100 49 Snort IDS alert for network traffic 2->49 51 Malicious sample detected (through community Yara rule) 2->51 53 Sigma detected: Scheduled temp file as task from temp location 2->53 55 5 other signatures 2->55 7 rdeliverynotepackinglistPDF.exe 7 2->7         started        11 hscjljolI.exe 5 2->11         started        process3 file4 31 C:\Users\user\AppData\Roaming\hscjljolI.exe, PE32 7->31 dropped 33 C:\Users\...\hscjljolI.exe:Zone.Identifier, ASCII 7->33 dropped 35 C:\Users\user\AppData\Local\...\tmp51D7.tmp, XML 7->35 dropped 37 C:\...\rdeliverynotepackinglistPDF.exe.log, ASCII 7->37 dropped 57 May check the online IP address of the machine 7->57 59 Uses schtasks.exe or at.exe to add and modify task schedules 7->59 61 Adds a directory exclusion to Windows Defender 7->61 13 rdeliverynotepackinglistPDF.exe 15 2 7->13         started        17 powershell.exe 21 7->17         started        19 schtasks.exe 1 7->19         started        63 Multi AV Scanner detection for dropped file 11->63 65 Machine Learning detection for dropped file 11->65 67 Injects a PE file into a foreign processes 11->67 21 hscjljolI.exe 14 2 11->21         started        23 schtasks.exe 1 11->23         started        signatures5 process6 dnsIp7 39 checkip.dyndns.com 132.226.247.73, 49701, 80 UTMEMUS United States 13->39 41 checkip.dyndns.org 13->41 25 conhost.exe 17->25         started        27 conhost.exe 19->27         started        43 193.122.130.0, 49702, 80 ORACLE-BMC-31898US United States 21->43 45 checkip.dyndns.org 21->45 47 192.168.2.1 unknown unknown 21->47 69 Tries to steal Mail credentials (via file / registry access) 21->69 71 Tries to harvest and steal ftp login credentials 21->71 73 Tries to harvest and steal browser information (history, passwords, etc) 21->73 29 conhost.exe 23->29         started        signatures8 process9
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/30ec05225f4cfdcfbfcc89d37aed7b5df5cd331107181854b5bbc898b54c3258/
Threat name:
ByteCode-MSIL.Spyware.SnakeLogger
Create hunting rule
Status:
Malicious
First seen:
2023-03-06 15:09:28 UTC
File Type:
PE (.Net Exe)
Extracted files:
13
AV detection:
19 of 25 (76.00%)
Threat level:
  2/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=gdwakis7jt647p6mrhjxv3l3lx242myra4mbqvfvxpejrnkmgjma._file
Verdict:
malicious
Similar samples:
0bc4886cebbde3d4a932203fa8596540269e0c92bb20cf2f8250f063c43798b8
SnakeKeylogger
10c31b0a152c71ab736a8b867e081dfcbebaf8b9e00e342e10d06fe9cc5c0ab1
SnakeKeylogger
1362682524ed6524e23b955c9f0394be0f4bfc7b668928947da05239878fe75d
SnakeKeylogger
59849ade722e0ac68e1105fb13ad623c8cf5b5e44fe325e5239f470195bfe7f9
SnakeKeylogger
7ce6cf0e5a6d6633a5a6aef7d6ae9fe05e4ee2fffe4e7d4a2e5f7cf2562b07a1
SnakeKeylogger
808af00d1b4ec59a042cfa6d2a46549fca9d2d588847287bab70321622e008cd
SnakeKeylogger
896363cb6c5505b48615777ce409a415de259e7277888afc1bceae8afbf3b03c
SnakeKeylogger
96438df4cd911e468ec9fdad3922c0c3e223c7c6e0524f01420b920b3ed642ed
SnakeKeylogger
a631939d37aa8e744a50d1580552456788a574ab4f9233261ad0453baec0755a
SnakeKeylogger
f3927a993fa7a545f2ccbce547e0b7cd6e1c3e728b05ea5ad5d0afd1600d34f4
SnakeKeylogger
+ 171 additional samples on MalwareBazaar
Result
Malware family:
snakekeylogger
Create hunting rule
Score:
  10/10
Tags:
family:snakekeylogger collection keylogger spyware stealer
Link:
https://tria.ge/reports/230306-sjfgrsch89/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Enumerates physical storage devices
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Looks up external IP address via web service
Checks computer location settings
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Snake Keylogger
Snake Keylogger payload
Malware Config
C2 Extraction:
https://api.telegram.org/bot5387999448:AAENk6Reb2hxJqqD2rN6fIet7kanu0isfWg/sendMessage?chat_id=1413074050
Unpacked files
SH256 hash:
498c0460da26cfc2c4ec95b9b394bbd3db719ba08ccbd5964a533bc9006dcf8f
MD5 hash:
f4e7e91d4fdda2d3feb401b5b1d53abf
SHA1 hash:
cf9e76e6418850ac853bd9c6ce82a0be7920fc1d
Link:
https://www.unpac.me/results/053d2100-92a3-46e3-9819-dd20796d5825/
SH256 hash:
d06df7395d561e198f9b7c5481567116ff2e4c2e84437c018d2a2c8ea6c4ca37
MD5 hash:
0fb6061f7d37424fb9e6d0e76b019c19
SHA1 hash:
98a64bf7b459f032d6ec5793003bf61b5ae1dd74
Link:
https://www.unpac.me/results/053d2100-92a3-46e3-9819-dd20796d5825/
Parent samples :
495607b1aef01bf7dfb64b5cb16a8fc0f161c2923627d71c69de97328f8eca3f
2434aa78b46a3afc98fa6e888c3eb56278ba52b0ff800e7e875af9c2e7f9011a
SH256 hash:
98aed468bd59fc88b5224869970f09525074ef1b3436b13ef9d2054219826f53
MD5 hash:
241ce5887ad1b7171af716a338000f25
SHA1 hash:
6f4f6ef7d8ccee264febeb3f45fbe91068b8c86d
Link:
https://www.unpac.me/results/053d2100-92a3-46e3-9819-dd20796d5825/
SH256 hash:
5e878633358943e58cad7c8bcdcdf294c807666a3aaceb9fd213388b427c718c
MD5 hash:
01bce7c480193af1f10db4fecd5a554a
SHA1 hash:
51a44665d2f01e917448e3c0bced2c8b7508e09a
Detections:
snake_keylogger
Create hunting rule
Link:
https://www.unpac.me/results/053d2100-92a3-46e3-9819-dd20796d5825/
Parent samples :
e913e55e115acb32ee4cfbfb736cc45502aaea55886927d9add126c95838f0bb
c08b5752c52a82173d3342011730b79837d6e4c4eb659c1badb96c57cd4c997a
30ec05225f4cfdcfbfcc89d37aed7b5df5cd331107181854b5bbc898b54c3258
f2919d54bbf74198eb4bf4c43f7cbd394acff9af2e57f7b7ba9e59fd6a57f79c
f0340563a032ae166df2813554e957f99b08ad93af72bd4df6976fef51c58e62
f696cf27f040cb96782232e31aeb05f705c9eb8451c2f2394c93582cf605b69e
5ffb244711e8ec708e7de260f6ca122591ee5859c51a770ca5bfc37563920fcb
4d833b054ab8a92e1342bf015ae2348b5c88d8b5281a7bda7b5ef21e67926ad7
SH256 hash:
19ecf1d9b5031f548107d130e87bca971682d73f6cc8c33f137fb9348c1712a7
MD5 hash:
f942c54d643e33899896a095a6ce5f51
SHA1 hash:
052a697a05ffeb5b57a8b967627acb49e84bf5d0
Link:
https://www.unpac.me/results/053d2100-92a3-46e3-9819-dd20796d5825/
SH256 hash:
30ec05225f4cfdcfbfcc89d37aed7b5df5cd331107181854b5bbc898b54c3258
MD5 hash:
5f4601659afd2a6fe52fdf2ea5b722f5
SHA1 hash:
4ea00af031bff59b6a392f9f690c0e065dd74349
Link:
https://www.unpac.me/results/053d2100-92a3-46e3-9819-dd20796d5825/
Malware family:
SnakeKeylogger
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/30ec05225f4c/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
0.90
Link:
https://yomi.yoroi.company/submissions/30ec05225f4cfdcfbfcc89d37aed7b5df5cd331107181854b5bbc898b54c3258

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

SnakeKeylogger

Executable exe 30ec05225f4cfdcfbfcc89d37aed7b5df5cd331107181854b5bbc898b54c3258

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/372046/

Comments