MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 4fc2e821a7e7d72363cbc61a1fb1ed5a4cd1c06c09b3794b1ac24ef2fd73b4fd. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


SnakeKeylogger


Vendor detections: 16


Intelligence 16 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 4fc2e821a7e7d72363cbc61a1fb1ed5a4cd1c06c09b3794b1ac24ef2fd73b4fd
SHA3-384 hash: 8c4342a2586b80693e814a9ae52a3ae61ef8ae5b83f6213f8aaf14bee62512accb6cc756d3e73db3a685a8a117f4dd1e
SHA1 hash: 6bdae2059f62c19acb31b92b4e1e5acb5fc5e5f3
MD5 hash: a896834df12927012e557284dbd8f037
humanhash: virginia-july-river-oklahoma
File name:zmk2cH9YvualFtD.exe
Download: download sample
Signature SnakeKeylogger
Create hunting rule
File size:768'512 bytes
First seen:2023-02-06 14:28:34 UTC
Last seen:2023-02-06 16:40:16 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'666 x AgentTesla, 19'479 x Formbook, 12'209 x SnakeKeylogger)
ssdeep 12288:4pkGPAFTi1UtNrrc5Cz5uHzCFppZAFxAYrCAcXnyXx6q16ahRZ5G:6AFTi1U346QHd51NMS5G
Threatray 7'860 similar samples on MalwareBazaar
TLSH T194F42310E2AAD320C8BEAAF2BFA8B1F4033852147861CA1C4DF863DDD69175DDD647D6
TrID 63.0% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
11.2% (.SCR) Windows screen saver (13097/50/3)
9.0% (.EXE) Win64 Executable (generic) (10523/12/4)
5.6% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
3.8% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):PE icon
dhash icon b1b1b17964989c06 (31 x SnakeKeylogger, 4 x AgentTesla, 3 x XWorm)
Reporter 0xToxin
Tags:exe SnakeKeylogger

Intelligence

File Origin
# of uploads :
2
# of downloads :
190
Origin country :
IL IL
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
zmk2cH9YvualFtD.exe
Verdict:
Malicious activity
Analysis date:
2023-02-06 14:32:03 UTC
Tags:
evasion trojan snake keylogger
Link:
https://app.any.run/tasks/85dfb912-b787-45b0-8390-5dfef7a4a03a

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Snake
Create hunting rule
Link:
https://www.capesandbox.com/analysis/360909/
Detection(s):
SecuriteInfo.com.Variant.Strictor.277576.13978.11070.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a process with a hidden window
Searching for the window
Creating a window
Sending a custom TCP request
Launching a process
Verdict:
No Threat
Threat level:
  2/10
Confidence:
100%
Tags:
packed
Link:
https://www.filescan.io/uploads/63e10eb1905a5ac3b9098d96/reports/634fcff2-57f5-44b3-b040-9514ff574d69/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_70%
Link:
https://www.hybrid-analysis.com/sample/4fc2e821a7e7d72363cbc61a1fb1ed5a4cd1c06c09b3794b1ac24ef2fd73b4fd
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Generic Malware
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/78a8ba1f-35e7-45ab-b8c5-b5634bf4b3f6
Result
Threat name:
Snake Keylogger
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1166925
Signature
.NET source code contains potential unpacker
.NET source code references suspicious native API functions
Adds a directory exclusion to Windows Defender
Disables the Windows registry editor (regedit)
Disables the Windows task manager (taskmgr)
Disables Windows system restore
Injects a PE file into a foreign processes
Malicious sample detected (through community Yara rule)
May check the online IP address of the machine
Moves itself to temp directory
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Scheduled temp file as task from temp location
Snort IDS alert for network traffic
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Mail credentials (via file / registry access)
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected Generic Downloader
Yara detected Snake Keylogger
Yara detected Telegram RAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 799695 Sample: zmk2cH9YvualFtD.exe Startdate: 06/02/2023 Architecture: WINDOWS Score: 100 55 Snort IDS alert for network traffic 2->55 57 Malicious sample detected (through community Yara rule) 2->57 59 Sigma detected: Scheduled temp file as task from temp location 2->59 61 6 other signatures 2->61 8 zmk2cH9YvualFtD.exe 7 2->8         started        12 SemwdizTOo.exe 5 2->12         started        process3 file4 41 C:\Users\user\AppData\...\SemwdizTOo.exe, PE32 8->41 dropped 43 C:\Users\...\SemwdizTOo.exe:Zone.Identifier, ASCII 8->43 dropped 45 C:\Users\user\AppData\Local\...\tmp6197.tmp, XML 8->45 dropped 47 C:\Users\user\...\zmk2cH9YvualFtD.exe.log, ASCII 8->47 dropped 63 May check the online IP address of the machine 8->63 65 Uses schtasks.exe or at.exe to add and modify task schedules 8->65 67 Adds a directory exclusion to Windows Defender 8->67 14 zmk2cH9YvualFtD.exe 18 2 8->14         started        18 powershell.exe 21 8->18         started        20 schtasks.exe 1 8->20         started        22 zmk2cH9YvualFtD.exe 8->22         started        69 Multi AV Scanner detection for dropped file 12->69 71 Injects a PE file into a foreign processes 12->71 24 SemwdizTOo.exe 12->24         started        26 schtasks.exe 1 12->26         started        signatures5 process6 dnsIp7 49 checkip.dyndns.com 193.122.6.168, 49714, 49725, 80 ORACLE-BMC-31898US United States 14->49 51 checkip.dyndns.org 14->51 75 Moves itself to temp directory 14->75 77 Tries to steal Mail credentials (via file / registry access) 14->77 79 Tries to harvest and steal ftp login credentials 14->79 81 3 other signatures 14->81 28 reg.exe 1 1 14->28         started        31 conhost.exe 18->31         started        33 conhost.exe 20->33         started        53 checkip.dyndns.org 24->53 35 WerFault.exe 24->35         started        37 conhost.exe 26->37         started        signatures8 process9 signatures10 73 Disables the Windows registry editor (regedit) 28->73 39 conhost.exe 28->39         started        process11
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/4fc2e821a7e7d72363cbc61a1fb1ed5a4cd1c06c09b3794b1ac24ef2fd73b4fd/
Threat name:
ByteCode-MSIL.Trojan.Snakekeylogger
Create hunting rule
Status:
Malicious
First seen:
2023-02-06 14:29:08 UTC
File Type:
PE (.Net Exe)
Extracted files:
17
AV detection:
20 of 26 (76.92%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=j7boqinh47lsgy6lyynb7mpnljgndqdmbgzxssy2yjhpf7ltwt6q._file
Verdict:
malicious
Similar samples:
01e097ed2c9f9790ce81a7652863d1f6b9ff0c94c0e017513c44d3ac259975e9
SnakeKeylogger
4033d9c9ef268cf2bdf04bb0e1c549e5461ba27026797edf70121468abbd1203
SnakeKeylogger
5ef2e70b47c26de37bcd3e806ea7c791876b1ebda407045e3a81f3bd8ea7c3ac
SnakeKeylogger
7bae7aaf9c9a23aab4dcd3053c91b7114cb81cc192d3a601bf5ac8c271c8880a
SnakeKeylogger
7c14babb0cc8533a8773ec590088334e4ef61d581b5f8915ff1b419d8b60c2bf
SnakeKeylogger
99e69a797b5bc14f55127bc7100aabb37683008fd89043a116c83f5255a1e6d1
SnakeKeylogger
dc0e4f762dfa9989cee78a01c3186d710365695141ec8ea246e5bee245d2944b
SnakeKeylogger
ddf0772c851138bd086ac7f40fb3737fe3d5293ba7123bdc6639489eb4d5829e
SnakeKeylogger
dee9479a27f8281c61fa8e25f006e01087e5dabad181cdb262bd8e9f4696e851
SnakeKeylogger
e6ff190aadcc151301512fe98aedf9320e6db49f889f0412f02d5d77d291e809
SnakeKeylogger
+ 7'850 additional samples on MalwareBazaar
Result
Malware family:
snakekeylogger
Create hunting rule
Score:
  10/10
Tags:
family:snakekeylogger collection evasion keylogger spyware stealer
Link:
https://tria.ge/reports/230206-rtkc2aec89/
Behaviour
Creates scheduled task(s)
Modifies registry key
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: RenamesItself
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Enumerates physical storage devices
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Looks up external IP address via web service
Checks computer location settings
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Disables RegEdit via registry modification
Disables Task Manager via registry modification
Snake Keylogger
Snake Keylogger payload
Malware Config
C2 Extraction:
https://api.telegram.org/bot5412042498:AAH4OVSAlB-9yvO0MxObTPVF8mPej6Ln4M4/sendMessage?chat_id=5573520537
Unpacked files
SH256 hash:
024bada6ce781c0deb12cf6ddd0d537be74afa85669ce0cf15cb1ead6776c663
MD5 hash:
797e6e9df576cb7df0c253ab09b6eac1
SHA1 hash:
faf32a3dd876488149e520777fcd55a57ff00cc2
Link:
https://www.unpac.me/results/01155b2f-1b94-44d0-91c9-75f95320a8e4/
SH256 hash:
30f99742f9f5f7e941f28beeef66f774526209cfbcfb5328065e0c68b990f3c1
MD5 hash:
1e2f3fb4b9eae2bde9b5c250d558f095
SHA1 hash:
f30fe77b179ff7623308c6d8e6f03b6e090ce56e
Detections:
snake_keylogger
Create hunting rule
Link:
https://www.unpac.me/results/01155b2f-1b94-44d0-91c9-75f95320a8e4/
Parent samples :
bbeb2bc4ebccbf94ad87dd8f650d4b9e2b9dc65b0fe9e785a44a4f8e464b575e
2f77a0882a1faa6b040bb17d2bc63a5a154835d46adedd98339eba6599974655
64b9c66d1790f7f9a62366c7bbcd694941f39fa86077994f0d752f70c90f56b6
4fc2e821a7e7d72363cbc61a1fb1ed5a4cd1c06c09b3794b1ac24ef2fd73b4fd
SH256 hash:
6384dabeffdc0afc3d7f1e18d0033e7482790c0aa2f1f2af7cc39eb81795d0ef
MD5 hash:
f759d70f3bbee3865d9ba45b70c59bea
SHA1 hash:
f07ca29866cf8b0d92f18904860c40a284a5f550
Link:
https://www.unpac.me/results/01155b2f-1b94-44d0-91c9-75f95320a8e4/
SH256 hash:
0da74f3796016590ce09db0ba914694fefae332dd2629d36753197e7299a07a2
MD5 hash:
17f44492c3ae900854d8c4cdf3b88ef2
SHA1 hash:
e94fb3e9ffdc7d29c16495b6ded990bb1eb8fa44
Link:
https://www.unpac.me/results/01155b2f-1b94-44d0-91c9-75f95320a8e4/
SH256 hash:
8617cea503c2a3961120a9c503d853bc21d38d1fca7143d6b1ef4f388bc5cec7
MD5 hash:
7f225c69df031bf0560aed3847a1221a
SHA1 hash:
4d5f3ccdb2c6015d2b2a73326c0f32b173af2819
Link:
https://www.unpac.me/results/01155b2f-1b94-44d0-91c9-75f95320a8e4/
SH256 hash:
4fc2e821a7e7d72363cbc61a1fb1ed5a4cd1c06c09b3794b1ac24ef2fd73b4fd
MD5 hash:
a896834df12927012e557284dbd8f037
SHA1 hash:
6bdae2059f62c19acb31b92b4e1e5acb5fc5e5f3
Link:
https://www.unpac.me/results/01155b2f-1b94-44d0-91c9-75f95320a8e4/
Malware family:
SnakeKeylogger
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/4fc2e821a7e7/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
0.87
Link:
https://yomi.yoroi.company/submissions/4fc2e821a7e7d72363cbc61a1fb1ed5a4cd1c06c09b3794b1ac24ef2fd73b4fd

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/360909/

Comments