MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 44c07d9336c6c18ce42c26a7efa257ec48e26bc8ea670c4c2aad9016f350a220. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


SnakeKeylogger


Vendor detections: 14


Intelligence 14 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 44c07d9336c6c18ce42c26a7efa257ec48e26bc8ea670c4c2aad9016f350a220
SHA3-384 hash: 3a620d30fa93a0cd0d8e8fb43ee915d7df3b2d0f81f72a3588ef17a12847ad7ed9ff4b58bc5d8c74153e2008a6616ce6
SHA1 hash: 731a7119bbc275889499ff2b7fd056ec01b381f7
MD5 hash: 8019195a617005bc20d1d02f6fa22831
humanhash: sweet-salami-shade-cardinal
File name:M9SwqYTfy7VKIGA.exe
Download: download sample
Signature SnakeKeylogger
Create hunting rule
File size:907'264 bytes
First seen:2023-03-12 17:32:35 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'205 x SnakeKeylogger)
ssdeep 12288:H6b4FlLKHFjcs1KKm1O5iMaV5rm8BjiJbh2oYr55Z78AhQ3rfmYUqlmNfo+ArZJF:aQKmIic8eY5Z78AharVUqlTZ70KD
Threatray 105 similar samples on MalwareBazaar
TLSH T1D615AD441361AA7ACBB7A7BFF5612D242378685DEEBCD6480D4930DB089DFB04481BDB
TrID 71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.2% (.EXE) Win64 Executable (generic) (10523/12/4)
6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.3% (.EXE) Win32 Executable (generic) (4505/5/1)
2.0% (.ICL) Windows Icons Library (generic) (2059/9)
Reporter abuse_ch
Tags:exe SnakeKeylogger

Intelligence

File Origin
# of uploads :
1
# of downloads :
205
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
M9SwqYTfy7VKIGA.exe
Verdict:
Malicious activity
Analysis date:
2023-03-12 17:40:53 UTC
Tags:
snake keylogger trojan evasion
Link:
https://app.any.run/tasks/600e9cfe-a4e7-40f6-a58d-7ce8035e305a

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Snake
Create hunting rule
Link:
https://www.capesandbox.com/analysis/373737/
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a custom TCP request
Launching a process
Creating a process with a hidden window
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
cerberus packed
Link:
https://www.filescan.io/uploads/640e0cd2d1a098efbc62fe46/reports/71878478-024a-49c6-81df-ab8add2e4cf8/overview
Verdict:
Malicious
Labled as:
Trojan.Generic
Link:
https://www.hybrid-analysis.com/sample/44c07d9336c6c18ce42c26a7efa257ec48e26bc8ea670c4c2aad9016f350a220
Malware family:
Generic Malware
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/be5c075a-748b-4fb8-b91a-a6a89e609aa6
Result
Threat name:
Snake Keylogger
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1192032
Signature
Adds a directory exclusion to Windows Defender
Allocates memory in foreign processes
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
May check the online IP address of the machine
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Scheduled temp file as task from temp location
Snort IDS alert for network traffic
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Mail credentials (via file / registry access)
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Yara detected Generic Downloader
Yara detected Snake Keylogger
Yara detected Telegram RAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 824908 Sample: M9SwqYTfy7VKIGA.exe Startdate: 12/03/2023 Architecture: WINDOWS Score: 100 49 Snort IDS alert for network traffic 2->49 51 Malicious sample detected (through community Yara rule) 2->51 53 Sigma detected: Scheduled temp file as task from temp location 2->53 55 5 other signatures 2->55 7 M9SwqYTfy7VKIGA.exe 7 2->7         started        11 pRpOxaisjLkP.exe 5 2->11         started        process3 file4 31 C:\Users\user\AppData\...\pRpOxaisjLkP.exe, PE32 7->31 dropped 33 C:\Users\...\pRpOxaisjLkP.exe:Zone.Identifier, ASCII 7->33 dropped 35 C:\Users\user\AppData\Local\...\tmp5A8F.tmp, XML 7->35 dropped 37 C:\Users\user\...\M9SwqYTfy7VKIGA.exe.log, ASCII 7->37 dropped 57 Uses schtasks.exe or at.exe to add and modify task schedules 7->57 59 Writes to foreign memory regions 7->59 61 Adds a directory exclusion to Windows Defender 7->61 63 Injects a PE file into a foreign processes 7->63 13 MSBuild.exe 15 2 7->13         started        17 powershell.exe 21 7->17         started        19 schtasks.exe 1 7->19         started        65 Multi AV Scanner detection for dropped file 11->65 67 Machine Learning detection for dropped file 11->67 69 Allocates memory in foreign processes 11->69 21 MSBuild.exe 2 11->21         started        23 schtasks.exe 1 11->23         started        signatures5 process6 dnsIp7 39 checkip.dyndns.com 158.101.44.242, 49685, 80 ORACLE-BMC-31898US United States 13->39 41 checkip.dyndns.org 13->41 43 192.168.2.1 unknown unknown 13->43 71 May check the online IP address of the machine 13->71 25 conhost.exe 17->25         started        27 conhost.exe 19->27         started        45 132.226.247.73, 49686, 80 UTMEMUS United States 21->45 47 checkip.dyndns.org 21->47 73 Tries to steal Mail credentials (via file / registry access) 21->73 75 Tries to harvest and steal ftp login credentials 21->75 77 Tries to harvest and steal browser information (history, passwords, etc) 21->77 29 conhost.exe 23->29         started        signatures8 process9
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/44c07d9336c6c18ce42c26a7efa257ec48e26bc8ea670c4c2aad9016f350a220/
Threat name:
Win32.Trojan.Leonem
Create hunting rule
Status:
Malicious
First seen:
2023-03-10 17:43:56 UTC
File Type:
PE (.Net Exe)
Extracted files:
8
AV detection:
19 of 39 (48.72%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=itah3ezwy3ayzzbme2t67isx5reoe26i5jtqytbkvwibn42quiqa._file
Verdict:
malicious
Similar samples:
0bc4886cebbde3d4a932203fa8596540269e0c92bb20cf2f8250f063c43798b8
SnakeKeylogger
37b2ddfa8c9df304a83297c03f7cfb27ea096408a990b5611cedde715cf56eab
SnakeKeylogger
385b0dc759da9aa986880e3652447db19686c359b11b27efac77200c2e48544f
SnakeKeylogger
534c9a9fa4838e6f01ba0efc8bb323c0d5d09095d7c0f95a0c70bb69473250eb
SnakeKeylogger
6960c8a08fff5fa174f6f8e39ac8fc2a678a5a918b109b2e8d5c90460515e666
SnakeKeylogger
777e815415d8a5c55a3ddf78e28d4a50a5517f3938219c197c6e7c60a2f256a1
SnakeKeylogger
8d62706d58e8f761f2d007135b1e6c1a604ef6244157c430bea21f7a96ec182e
SnakeKeylogger
b6ccf763bb38649f95ffb2bc6311ecf8d6cca7b6488d76a545b3c584192918ea
SnakeKeylogger
c80241ea11e21a083fc390af690cc0e6b2ee1ef91df4aaed6c44b10a753a1230
SnakeKeylogger
+ 95 additional samples on MalwareBazaar
Result
Malware family:
snakekeylogger
Create hunting rule
Score:
  10/10
Tags:
family:snakekeylogger collection keylogger stealer
Link:
https://tria.ge/reports/230312-v4x9esef94/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Enumerates physical storage devices
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Looks up external IP address via web service
Checks computer location settings
Snake Keylogger
Snake Keylogger payload
Malware Config
C2 Extraction:
https://api.telegram.org/bot6153811580:AAFDLNZoT-HelPNUs1JOyE22nWD-iLH7QKY/sendMessage?chat_id=5582419717
Unpacked files
SH256 hash:
0d574fed013e5b2ef4eae2630dd17fc7f469dbc3ce3807dfd03f5b644876af98
MD5 hash:
7e3bec2e73300b3b0f4d86bb843373c5
SHA1 hash:
faf0048c1eab78c3a7e37b391e84d822eb3b9468
Link:
https://www.unpac.me/results/17fb19ca-39dc-4e3d-8f65-354cc09e70ae/
SH256 hash:
c234684a33231d86ca3a0c6459d4fc982bfd2516807b0022d9094868d2111719
MD5 hash:
33846e3d38c36db71b091f1d26d97491
SHA1 hash:
a92e54e4016e792bd11828e92c66684f69309ea2
Link:
https://www.unpac.me/results/17fb19ca-39dc-4e3d-8f65-354cc09e70ae/
SH256 hash:
16993cc3cca685ec8c8ed3c2acdcdc70377d4cd15972d1b1c5316f40ae3530b1
MD5 hash:
db0fb6c68944e133bc465887606e7531
SHA1 hash:
9bd8f0c046a8148799761c08f630396b8a3989a4
Detections:
snake_keylogger
Create hunting rule
Link:
https://www.unpac.me/results/17fb19ca-39dc-4e3d-8f65-354cc09e70ae/
Parent samples :
ddf0772c851138bd086ac7f40fb3737fe3d5293ba7123bdc6639489eb4d5829e
60cc2470b3941fd1e6020904750d3f030ac65a70670c722dcc241506224d146a
94f4d10281466392575cab05f1fb78cd0e6aef1c8c8db3dbf4f657a47f971a9c
16993cc3cca685ec8c8ed3c2acdcdc70377d4cd15972d1b1c5316f40ae3530b1
e059262525ff67d92d0b95de8398c6a3687f66b4da7b6733f4aa54c44dc42039
bea81785cb10732b0885f27edf800c491a051fde3a62e6ba21aab2c64d96a37f
534c9a9fa4838e6f01ba0efc8bb323c0d5d09095d7c0f95a0c70bb69473250eb
427551d4a93e3a0a611a5dd47ed64e062f1ca0db987afd28f2ccd86e3ea1c0ba
7465ebf31275971c5df2f8f6b41cbd9660e940ad02e1937c99f80756fa1d33c4
44c07d9336c6c18ce42c26a7efa257ec48e26bc8ea670c4c2aad9016f350a220
SH256 hash:
61d53f8ee6510298795385d13efde9330eb06c50dba4896d5257ea7eb4b74297
MD5 hash:
7d7738081f78c3d08e55e92db927f047
SHA1 hash:
849df607bdac4d46fd75b16f64b9cf067ab27d8f
Link:
https://www.unpac.me/results/17fb19ca-39dc-4e3d-8f65-354cc09e70ae/
SH256 hash:
83a84cc73c781c2157e0e0da7e156962cf9039b0022894aec5bd9ad5d664f2ff
MD5 hash:
3456b61d0660c897e02c11c5db394c8f
SHA1 hash:
5f8c69851206d02c52cdb5dd945cb46b92032bb4
Link:
https://www.unpac.me/results/17fb19ca-39dc-4e3d-8f65-354cc09e70ae/
SH256 hash:
44c07d9336c6c18ce42c26a7efa257ec48e26bc8ea670c4c2aad9016f350a220
MD5 hash:
8019195a617005bc20d1d02f6fa22831
SHA1 hash:
731a7119bbc275889499ff2b7fd056ec01b381f7
Link:
https://www.unpac.me/results/17fb19ca-39dc-4e3d-8f65-354cc09e70ae/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
0.90
Link:
https://yomi.yoroi.company/submissions/44c07d9336c6c18ce42c26a7efa257ec48e26bc8ea670c4c2aad9016f350a220

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/373737/

Comments