MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 44287432a3d063068dd3119d3a89398a44c14ec36411636595d5b1e01dd7d1cc. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


SnakeKeylogger


Vendor detections: 16


Intelligence 16 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 44287432a3d063068dd3119d3a89398a44c14ec36411636595d5b1e01dd7d1cc
SHA3-384 hash: 647e148d5aab079f8d9411ae5adc482be8b846f671786a2ae788cfa203a344423b12ce28aa32354b5cc8ced0a0843319
SHA1 hash: cb9f7357d8edc9787425840d90ac17b27d35c00d
MD5 hash: 6e1473042fe16e2bc644c6f78610b802
humanhash: eighteen-spring-lithium-single
File name:SyZJctWTToOCTeX.exe
Download: download sample
Signature SnakeKeylogger
Create hunting rule
File size:553'472 bytes
First seen:2023-04-11 13:12:53 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'649 x AgentTesla, 19'461 x Formbook, 12'202 x SnakeKeylogger)
ssdeep 12288:w5AyYFenCjDaTh3do37pqwd3sIZUM0kgpyx:kDnCjiNapCIZFO
Threatray 11 similar samples on MalwareBazaar
TLSH T153C4F0DDDAB1DBA2E0590BF0C04C58441778A156A361ED988DDA13EB8672F6ED0C83F7
TrID 71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.2% (.EXE) Win64 Executable (generic) (10523/12/4)
6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.3% (.EXE) Win32 Executable (generic) (4505/5/1)
2.0% (.ICL) Windows Icons Library (generic) (2059/9)
File icon (PE):PE icon
dhash icon 7ad8ba9ab8b8b882 (9 x SnakeKeylogger, 3 x AgentTesla, 1 x Loki)
Reporter abuse_ch
Tags:exe SnakeKeylogger

Intelligence

File Origin
# of uploads :
1
# of downloads :
257
Origin country :
NL NL
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
SyZJctWTToOCTeX.exe
Verdict:
Malicious activity
Analysis date:
2023-04-11 13:20:18 UTC
Tags:
snake keylogger trojan evasion
Link:
https://app.any.run/tasks/69cfebef-47e5-41a2-99e5-aabebb592905

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Snake
Create hunting rule
Link:
https://www.capesandbox.com/analysis/381496/
Detection(s):
Sanesecurity.Malware.28872.BadIN4.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Launching a process
Creating a process with a hidden window
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
barys comodo lokibot packed
Link:
https://www.filescan.io/uploads/64355cdff0b95b71d79e0960/reports/f4a80a61-c499-4844-ad16-535a042614c5/overview
Verdict:
Malicious
Labled as:
Strictor.Generic
Link:
https://www.hybrid-analysis.com/sample/44287432a3d063068dd3119d3a89398a44c14ec36411636595d5b1e01dd7d1cc
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Snake Keylogger
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/4b5b19d0-6bac-4da2-b6cb-8996e679a85b
Result
Threat name:
Snake Keylogger
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1211820
Signature
.NET source code contains potential unpacker
Adds a directory exclusion to Windows Defender
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
May check the online IP address of the machine
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Scheduled temp file as task from temp location
Snort IDS alert for network traffic
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Mail credentials (via file / registry access)
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected Generic Downloader
Yara detected Snake Keylogger
Yara detected Telegram RAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 844738 Sample: SyZJctWTToOCTeX.exe Startdate: 11/04/2023 Architecture: WINDOWS Score: 100 44 checkip.dyndns.org 2->44 46 checkip.dyndns.com 2->46 56 Snort IDS alert for network traffic 2->56 58 Malicious sample detected (through community Yara rule) 2->58 60 Sigma detected: Scheduled temp file as task from temp location 2->60 62 7 other signatures 2->62 8 SyZJctWTToOCTeX.exe 7 2->8         started        12 DFncxZSaZVZ.exe 5 2->12         started        signatures3 process4 file5 36 C:\Users\user\AppData\...\DFncxZSaZVZ.exe, PE32 8->36 dropped 38 C:\Users\...\DFncxZSaZVZ.exe:Zone.Identifier, ASCII 8->38 dropped 40 C:\Users\user\AppData\Local\...\tmpC6A9.tmp, XML 8->40 dropped 42 C:\Users\user\...\SyZJctWTToOCTeX.exe.log, ASCII 8->42 dropped 64 May check the online IP address of the machine 8->64 66 Uses schtasks.exe or at.exe to add and modify task schedules 8->66 68 Adds a directory exclusion to Windows Defender 8->68 14 SyZJctWTToOCTeX.exe 15 2 8->14         started        18 powershell.exe 21 8->18         started        20 schtasks.exe 1 8->20         started        70 Multi AV Scanner detection for dropped file 12->70 72 Machine Learning detection for dropped file 12->72 74 Injects a PE file into a foreign processes 12->74 22 DFncxZSaZVZ.exe 14 2 12->22         started        24 schtasks.exe 1 12->24         started        26 DFncxZSaZVZ.exe 12->26         started        signatures6 process7 dnsIp8 48 checkip.dyndns.com 158.101.44.242, 49700, 49701, 80 ORACLE-BMC-31898US United States 14->48 50 checkip.dyndns.org 14->50 52 192.168.2.1 unknown unknown 14->52 76 Tries to steal Mail credentials (via file / registry access) 14->76 78 Tries to harvest and steal ftp login credentials 14->78 80 Tries to harvest and steal browser information (history, passwords, etc) 14->80 28 conhost.exe 18->28         started        30 conhost.exe 20->30         started        54 checkip.dyndns.org 22->54 32 WerFault.exe 22->32         started        34 conhost.exe 24->34         started        signatures9 process10
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/44287432a3d063068dd3119d3a89398a44c14ec36411636595d5b1e01dd7d1cc/
Threat name:
Win32.Trojan.Leonem
Create hunting rule
Status:
Malicious
First seen:
2023-04-11 08:55:19 UTC
File Type:
PE (.Net Exe)
Extracted files:
21
AV detection:
20 of 24 (83.33%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=iquhimvd2brqndotcgotvcjzrjcmctwdmqiwgzmv2wy6ahox2hga._file
Verdict:
malicious
Similar samples:
0442d940427ea6e7f9d614bb83ca56d539bed99c4307b7a6f13c35d73c002ef6
SnakeKeylogger
1d33467dba0945d2a0dab179b6d5a38c9e936f3c51a12dbefdaf361df2a62562
SnakeKeylogger
3767034cddc1a47d2ca81f77f185af6a8228d6864c822f2e1e46672260ecbef2
SnakeKeylogger
578873c16060e04fcfe43f9c9c04d2779a09a7566b3b4e97c1b18d87ac381057
SnakeKeylogger
73d18d7b6bd92fa3e85db713d39f932c483c0317607b93a2b31845d4e703a6a2
SnakeKeylogger
8a7ad0ac9a02dffbfd56debb206f3ab221974ef81540861409ffc412873d3da6
SnakeKeylogger
d516e4901dd234c9dadef6a593e04c85c00e83d092490d7a7398339d79c4b727
SnakeKeylogger
d9714cc1bedd6d2bc845fe08c8328c5f3d20fd4280339e8135309fa3e7958b95
SnakeKeylogger
e2c40dfbb54a5fe183a97cb7be58ee20969e9f0f7744df829f2b02619fc529e2
SnakeKeylogger
e92efa61a4ae7376c52f323abae88f5303a217b58966e4a71042fbebd0cba60a
SnakeKeylogger
+ 1 additional samples on MalwareBazaar
Result
Malware family:
snakekeylogger
Create hunting rule
Score:
  10/10
Tags:
family:snakekeylogger collection keylogger spyware stealer
Link:
https://tria.ge/reports/230411-qf259aec2s/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Enumerates physical storage devices
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Looks up external IP address via web service
Checks computer location settings
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Snake Keylogger
Snake Keylogger payload
Malware Config
C2 Extraction:
https://api.telegram.org/bot5412042498:AAH4OVSAlB-9yvO0MxObTPVF8mPej6Ln4M4/sendMessage?chat_id=5573520537
Unpacked files
SH256 hash:
8712f61497f06dfe26844f563da1f0a3c52b15fb0f3b292a7d54cbc7d3a3df8b
MD5 hash:
9cb816f08acedaad3a99eeb9219fa2a6
SHA1 hash:
e09fd724afcc6f7f00f50ff34f6842279f367708
Detections:
snake_keylogger
Create hunting rule
Link:
https://www.unpac.me/results/46649136-e697-47f3-a793-dc524ce40544/
Parent samples :
ec794c2c6e1500128470f52a2c27062417b08630af23db55410e61155934fcfa
44287432a3d063068dd3119d3a89398a44c14ec36411636595d5b1e01dd7d1cc
SH256 hash:
65b3610ef93c75487a09692a44b808e694b3d967ed5e9669fc5e30379a319f8e
MD5 hash:
f92a2ec73989ef06589a642dbde4065a
SHA1 hash:
45bab51a0efe269820add6309e500e434488dc5d
Link:
https://www.unpac.me/results/46649136-e697-47f3-a793-dc524ce40544/
SH256 hash:
f781c8f18c62a9a618f2394ac1a762f80dc906f7bbd2cc6062a5572c36c2e2d8
MD5 hash:
af71957d43b5f7e1c916341017430abc
SHA1 hash:
ba33755ff167a1f88327e4292ee81063873a12a3
Link:
https://www.unpac.me/results/46649136-e697-47f3-a793-dc524ce40544/
SH256 hash:
40c050c20d957d26b932faf690f9c2933a194aa6607220103ec798f46ac03403
MD5 hash:
c768bac25fc6f0551a11310e7caba8d5
SHA1 hash:
95f9195e959fb48277c95d1dd1c97a4edff7cb3a
Link:
https://www.unpac.me/results/46649136-e697-47f3-a793-dc524ce40544/
SH256 hash:
6413c60502ba771163bb96527a5b8fdf5d765cd19f89bca13c6442bbd8bdb4bd
MD5 hash:
d52609f7faa0c91840a49a848a476000
SHA1 hash:
268d289f07cd7f58d0c4db7d785fa350a3ed431a
Link:
https://www.unpac.me/results/46649136-e697-47f3-a793-dc524ce40544/
SH256 hash:
44287432a3d063068dd3119d3a89398a44c14ec36411636595d5b1e01dd7d1cc
MD5 hash:
6e1473042fe16e2bc644c6f78610b802
SHA1 hash:
cb9f7357d8edc9787425840d90ac17b27d35c00d
Link:
https://www.unpac.me/results/46649136-e697-47f3-a793-dc524ce40544/
Malware family:
SnakeKeylogger
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/44287432a3d0/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
0.87
Link:
https://yomi.yoroi.company/submissions/44287432a3d063068dd3119d3a89398a44c14ec36411636595d5b1e01dd7d1cc

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:BitcoinAddress
Create hunting rule
Author:Didier Stevens (@DidierStevens)
Description:Contains a valid Bitcoin address
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

SnakeKeylogger

Executable exe 44287432a3d063068dd3119d3a89398a44c14ec36411636595d5b1e01dd7d1cc

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/381496/

Comments