MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 39f277905df11e6a2050a482ecd4f274e4dc8a1fd3e936dd5f3cc4b6b9841dfc. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


SnakeKeylogger


Vendor detections: 16


Intelligence 16 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 39f277905df11e6a2050a482ecd4f274e4dc8a1fd3e936dd5f3cc4b6b9841dfc
SHA3-384 hash: f9a28e8494eb6c0c2ee91784bdf900c53d2040da883bd5527287858c5f87781d61f9f3387fd4bb4a4bb4bd556ae96305
SHA1 hash: b0bf844433d4d82def08546b4cb9e5cc7ec9c781
MD5 hash: 4ea31410ac33c28737ab90a3d07cabb0
humanhash: white-uranus-london-sodium
File name:Shipping Documents.pdf.exe
Download: download sample
Signature SnakeKeylogger
Create hunting rule
File size:661'504 bytes
First seen:2023-04-19 16:02:04 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'663 x AgentTesla, 19'478 x Formbook, 12'208 x SnakeKeylogger)
ssdeep 12288:ug+Hoi1Hy7pMRIuxPMRM57y/cne2qRiI6yKzkH7Y:TsH8OITRM5Oy1y
Threatray 240 similar samples on MalwareBazaar
TLSH T187E4BD1E31639F16C16EE7F610A858712BB06283776DD27DACC703CB9ABAF01168535B
TrID 71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.2% (.EXE) Win64 Executable (generic) (10523/12/4)
6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.3% (.EXE) Win32 Executable (generic) (4505/5/1)
2.0% (.ICL) Windows Icons Library (generic) (2059/9)
Reporter abuse_ch
Tags:exe SnakeKeylogger

Intelligence

File Origin
# of uploads :
1
# of downloads :
222
Origin country :
NL NL
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
Shipping Documents.pdf.exe
Verdict:
Malicious activity
Analysis date:
2023-04-19 16:10:13 UTC
Tags:
evasion snake keylogger trojan
Link:
https://app.any.run/tasks/1a9b9566-ddc5-4e1a-b41a-d8f86b99e5f9

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Snake
Create hunting rule
Link:
https://www.capesandbox.com/analysis/383427/
Detection(s):
Sanesecurity.Malware.28872.BadIN4.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a custom TCP request
Сreating synchronization primitives
Launching a process
Creating a process with a hidden window
Creating a file in the %AppData% directory
Enabling the 'hidden' option for recently created files
Creating a process from a recently created file
Verdict:
Malicious
Threat level:
  10/10
Confidence:
60%
Tags:
floxif lokibot packed virus
Link:
https://www.filescan.io/uploads/644010b67a31c790ffdbe0dd/reports/fc0c74a9-15cd-4191-8023-09e8e65a7905/overview
Verdict:
Malicious
Labled as:
Trojan.Generic
Link:
https://www.hybrid-analysis.com/sample/39f277905df11e6a2050a482ecd4f274e4dc8a1fd3e936dd5f3cc4b6b9841dfc
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Snake Keylogger
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/2ac52883-2a9a-45e6-8363-ad6aef99efda
Result
Threat name:
Snake Keylogger, StormKitty
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1217345
Signature
.NET source code contains potential unpacker
Adds a directory exclusion to Windows Defender
Found malware configuration
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
May check the online IP address of the machine
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Scheduled temp file as task from temp location
Snort IDS alert for network traffic
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Uses an obfuscated file name to hide its real file extension (double extension)
Uses schtasks.exe or at.exe to add and modify task schedules
Uses the Telegram API (likely for C&C communication)
Yara detected Generic Downloader
Yara detected Snake Keylogger
Yara detected StormKitty Stealer
Yara detected Telegram RAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 850283 Sample: Shipping_Documents.pdf.exe Startdate: 20/04/2023 Architecture: WINDOWS Score: 100 51 Snort IDS alert for network traffic 2->51 53 Found malware configuration 2->53 55 Malicious sample detected (through community Yara rule) 2->55 57 11 other signatures 2->57 7 Shipping_Documents.pdf.exe 7 2->7         started        11 rnbQUiSrWaBEIa.exe 5 2->11         started        process3 file4 35 C:\Users\user\AppData\...\rnbQUiSrWaBEIa.exe, PE32 7->35 dropped 37 C:\...\rnbQUiSrWaBEIa.exe:Zone.Identifier, ASCII 7->37 dropped 39 C:\Users\user\AppData\Local\...\tmpDC46.tmp, XML 7->39 dropped 41 C:\Users\...\Shipping_Documents.pdf.exe.log, ASCII 7->41 dropped 59 May check the online IP address of the machine 7->59 61 Uses schtasks.exe or at.exe to add and modify task schedules 7->61 63 Adds a directory exclusion to Windows Defender 7->63 13 Shipping_Documents.pdf.exe 15 2 7->13         started        17 powershell.exe 21 7->17         started        19 powershell.exe 19 7->19         started        21 schtasks.exe 1 7->21         started        65 Multi AV Scanner detection for dropped file 11->65 67 Machine Learning detection for dropped file 11->67 69 Injects a PE file into a foreign processes 11->69 23 rnbQUiSrWaBEIa.exe 11->23         started        25 schtasks.exe 11->25         started        signatures5 process6 dnsIp7 43 checkip.dyndns.com 132.226.247.73, 49694, 49696, 80 UTMEMUS United States 13->43 45 checkip.dyndns.org 13->45 49 2 other IPs or domains 13->49 27 conhost.exe 17->27         started        29 conhost.exe 19->29         started        31 conhost.exe 21->31         started        47 checkip.dyndns.org 23->47 71 Tries to steal Mail credentials (via file / registry access) 23->71 73 Tries to harvest and steal browser information (history, passwords, etc) 23->73 33 conhost.exe 25->33         started        signatures8 process9
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/39f277905df11e6a2050a482ecd4f274e4dc8a1fd3e936dd5f3cc4b6b9841dfc/
Threat name:
Win32.Trojan.Leonem
Create hunting rule
Status:
Malicious
First seen:
2023-04-18 14:01:30 UTC
File Type:
PE (.Net Exe)
Extracted files:
99
AV detection:
17 of 24 (70.83%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=hhzhpec56epguicqusbozvhsotsnzcq72putnxk7htclnomedx6a._file
Verdict:
malicious
Similar samples:
1e73aae6a487b8bd66f0faf160523ff271831de6039de29b5e93289bab655382
SnakeKeylogger
5a9397f2ec2a6609708ad1bbbff41e1d6d099d863d0714003d35070be9786edd
SnakeKeylogger
69dcb21b36f6de65c945422621bc55badbebb0312518bd7f38b704d5a1ae7930
SnakeKeylogger
88c2df27f12c638e7ebd866f6e27b9284e1dd90e07c611a2a581426a9ff9bed5
SnakeKeylogger
ab9c917e122563e1c30825d5630c74a667f559112924c9bae5b04456073131ca
SnakeKeylogger
bd7cf632807ea761e4decacfe700f54df5729f05ee1a5d3c6ff9117bc3245e1e
SnakeKeylogger
c80bb9c44bf2a708e03c98522b23bd53a96f627c9c4f26bbc4d761b5d885a537
SnakeKeylogger
d298c16cc5f3bc92be81294b9d7b4b23d1be22742956b824dac7dc109dde7e35
SnakeKeylogger
ee79d711f50c08fc3f58d643b0974e2030d5f6f0479a5e000eaef3940f099636
SnakeKeylogger
f42c4d98da8786a899e87be1c19698325adfc6ecccddd17dc7a32c1da9a7f227
SnakeKeylogger
+ 230 additional samples on MalwareBazaar
Result
Malware family:
stormkitty
Create hunting rule
Score:
  10/10
Tags:
family:snakekeylogger family:stormkitty collection keylogger spyware stealer
Link:
https://tria.ge/reports/230419-tgtr2sde8v/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Enumerates physical storage devices
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Looks up external IP address via web service
Checks computer location settings
Reads user/profile data of web browsers
Snake Keylogger
Snake Keylogger payload
StormKitty
StormKitty payload
Malware Config
C2 Extraction:
https://api.telegram.org/bot6029559841:AAEqr8_NCfqapJgAzw8PoPbqoCosnsk1VO0/sendMessage?chat_id=6033043077
Unpacked files
SH256 hash:
0fd1f00d94aff36ad8f02077efb33ddf269985ea37038aae554ff6202fdc020f
MD5 hash:
8dfd8e44c82066f4aeeff652fa2a33c5
SHA1 hash:
b844952e48ecab0e7ab2e3d5e38a20629399f94c
Link:
https://www.unpac.me/results/2b417ed8-02f8-44e5-84d9-8476b17df661/
SH256 hash:
6848ebf8bf08f1384d5bd430d32fd5f5dfd18db22e080ae131e2d3a760a2457c
MD5 hash:
27f9610bb5f125cfa81a120de2af1371
SHA1 hash:
9212f4a8fb7a2695a99dad25994430a70fd3be2e
Link:
https://www.unpac.me/results/2b417ed8-02f8-44e5-84d9-8476b17df661/
SH256 hash:
b7a96333a6c25856272fe11630d560a2657e17adfe291f3fd0a0124d5b7cfaaf
MD5 hash:
be431dba0ba422997a0e3d2cb30e7f8a
SHA1 hash:
4de5a3f0c52abdf440d80bf6d5faa3f0220209fc
Detections:
snake_keylogger
Create hunting rule
Link:
https://www.unpac.me/results/2b417ed8-02f8-44e5-84d9-8476b17df661/
Parent samples :
ab9c917e122563e1c30825d5630c74a667f559112924c9bae5b04456073131ca
39f277905df11e6a2050a482ecd4f274e4dc8a1fd3e936dd5f3cc4b6b9841dfc
b7a96333a6c25856272fe11630d560a2657e17adfe291f3fd0a0124d5b7cfaaf
21777e7d8c275e5e9fc22a08172bfd5b9872340f46523df83bf2dd7a4b611dd2
ae5276221d11792a6242379a4111aa92c79256724b593408e8a02b585279b94e
a44320330ed902d953b355c6f795742ff5f0c0f0548ded9cb2e5edfd7e255502
fa7d933860e3500a28e659fcdf620b877bc3ddf20b8b99ccadfd261219492d4a
de567e5c1f4968bfb083ffcb111e1d0613780a47c58767af65fbd90c27507b4b
SH256 hash:
ab05a8f29b77d488999a917fe1244cd4fc58b1f8d137d75cfaaa66c600a13592
MD5 hash:
e3533abff2b45ac0c7dc6f815a9e25c0
SHA1 hash:
33b3bbfa627eadfedc6411091fe46306ef43575e
Link:
https://www.unpac.me/results/2b417ed8-02f8-44e5-84d9-8476b17df661/
SH256 hash:
e5518e76f14e87bcc58a705c6f8f3a686cbffefc0e55985d17a067adfddf3688
MD5 hash:
920a2854e9c183ad2ef7d5543c296d38
SHA1 hash:
2c20da753bdf6f1a46261e2c132dd42f75c94229
Link:
https://www.unpac.me/results/2b417ed8-02f8-44e5-84d9-8476b17df661/
SH256 hash:
39f277905df11e6a2050a482ecd4f274e4dc8a1fd3e936dd5f3cc4b6b9841dfc
MD5 hash:
4ea31410ac33c28737ab90a3d07cabb0
SHA1 hash:
b0bf844433d4d82def08546b4cb9e5cc7ec9c781
Link:
https://www.unpac.me/results/2b417ed8-02f8-44e5-84d9-8476b17df661/
Malware family:
SnakeKeylogger
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/39f277905df1/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/39f277905df11e6a2050a482ecd4f274e4dc8a1fd3e936dd5f3cc4b6b9841dfc

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/383427/

Comments