MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 505126b89f524502a353b1df4131d78ad1c55d564ab7301f8a0a48c30f296900. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


SnakeKeylogger


Vendor detections: 12


Intelligence 12 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 505126b89f524502a353b1df4131d78ad1c55d564ab7301f8a0a48c30f296900
SHA3-384 hash: 31ca37d5b463bcb8af4c421fe2e3c87496b04a9f529de46be0a8584c7680face7f43a5c6eb3d5ea322a8133686a23006
SHA1 hash: a0b177a26b16bfca986ccd7380bd422c694f5ae1
MD5 hash: eee891fafbb051b97a47916f2c3937c3
humanhash: beryllium-princess-sodium-fillet
File name:sixa5HYPpxwx34V.exe
Download: download sample
Signature SnakeKeylogger
Create hunting rule
File size:988'672 bytes
First seen:2022-03-24 18:24:52 UTC
Last seen:2022-03-24 20:16:10 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 24576:D9i/g5NCnvYq9CHB6C497JD3xloX42HETmojn:D9m4NCvY3Y97JD3Xtx
Threatray 2'944 similar samples on MalwareBazaar
TLSH T16825125BB7DDC907CC2E83B1049B9A1117712F8BD823D6897CC817EA2757B86460DACB
Reporter abuse_ch
Tags:exe SnakeKeylogger

Intelligence

File Origin
# of uploads :
2
# of downloads :
202
Origin country :
n/a
Vendor Threat Intelligence
Detection:
Snake
Create hunting rule
Link:
https://www.capesandbox.com/analysis/257280/
Detection(s):
SecuriteInfo.com.Trojan.PackedNET.1269.15842.5253.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
DNS request
Сreating synchronization primitives
Launching a process
Creating a process with a hidden window
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
80%
Tags:
bladabindi control.exe obfuscated packed replace.exe
Link:
https://www.filescan.io/uploads/623cb7870cd58dbd92e8f6d0/reports/746aa2a3-e531-4489-80dd-acb2a8551e17/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Snake Keylogger
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/5e5b000a-757b-4034-a352-30b8d556b683
Result
Threat name:
Snake Keylogger
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/964166
Signature
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains potential unpacker
.NET source code references suspicious native API functions
Adds a directory exclusion to Windows Defender
Found malware configuration
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
May check the online IP address of the machine
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Suspicious Add Scheduled Task From User AppData Temp
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Mail credentials (via file / registry access)
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected AntiVM3
Yara detected Snake Keylogger
Yara detected Telegram RAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 596648 Sample: sixa5HYPpxwx34V.exe Startdate: 24/03/2022 Architecture: WINDOWS Score: 100 37 Found malware configuration 2->37 39 Malicious sample detected (through community Yara rule) 2->39 41 Multi AV Scanner detection for dropped file 2->41 43 11 other signatures 2->43 7 sixa5HYPpxwx34V.exe 7 2->7         started        process3 file4 23 C:\Users\user\AppData\...\qcSQzUJQBs.exe, PE32 7->23 dropped 25 C:\Users\...\qcSQzUJQBs.exe:Zone.Identifier, ASCII 7->25 dropped 27 C:\Users\user\AppData\Local\...\tmpFE98.tmp, XML 7->27 dropped 29 C:\Users\user\...\sixa5HYPpxwx34V.exe.log, ASCII 7->29 dropped 45 May check the online IP address of the machine 7->45 47 Uses schtasks.exe or at.exe to add and modify task schedules 7->47 49 Adds a directory exclusion to Windows Defender 7->49 11 sixa5HYPpxwx34V.exe 15 2 7->11         started        15 powershell.exe 25 7->15         started        17 schtasks.exe 1 7->17         started        signatures5 process6 dnsIp7 31 checkip.dyndns.org 11->31 33 checkip.dyndns.com 132.226.8.169, 49774, 80 UTMEMUS United States 11->33 35 freegeoip.app 188.114.97.7, 443, 49775 CLOUDFLARENETUS European Union 11->35 51 Tries to steal Mail credentials (via file / registry access) 11->51 53 Tries to harvest and steal ftp login credentials 11->53 55 Tries to harvest and steal browser information (history, passwords, etc) 11->55 19 conhost.exe 15->19         started        21 conhost.exe 17->21         started        signatures8 process9
Detection:
snakekeylogger
Create hunting rule
Link:
https://mwdb.cert.pl/sample/505126b89f524502a353b1df4131d78ad1c55d564ab7301f8a0a48c30f296900/
Threat name:
ByteCode-MSIL.Backdoor.Bladabhindi
Create hunting rule
Status:
Malicious
First seen:
2022-03-24 18:25:16 UTC
File Type:
PE (.Net Exe)
Extracted files:
13
AV detection:
18 of 26 (69.23%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=kbisnoe7kjcqfi2twhpucmoxrli4kxkwjk3tah4kbjemgdzjneaa._file
Verdict:
malicious
Similar samples:
2a7d77404a47a368e29147ecd69687338c3e0ebefb137d459b28ed0305420620
SnakeKeylogger
58437cda785ef34cb516d8377e55dffd6b623b0fdde44c8abda2eaff114bd391
SnakeKeylogger
6066fc47ea6bbe1a4697b2d14e537e244cde2df01a94f57d343f6e846b4e87c9
SnakeKeylogger
60804f34560c2299a26d553803a72a8e5bd1dbb260a55e0b7d22a529998fb541
SnakeKeylogger
81d5d914a49e58d34c9ee74256ea3ec53be8df0205cb383d7d565c88dd69ecc9
SnakeKeylogger
896a286c062e2559312f6de4edd5cbc07967fdb6df4d1cb4f8900bebc702f44d
SnakeKeylogger
8bddd4f39064efc528b46e8c6c8965d282fd535ca9e4b54082219b8ee1ec096c
SnakeKeylogger
a2c7d9292c12cdc454cfbfd6dfbee89dae1a347795f0df591250e0db18e43468
SnakeKeylogger
+ 2'934 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  1/10
Tags:
n/a
Link:
https://tria.ge/reports/220324-w2nsmscfa8/
Unpacked files
SH256 hash:
41362f2e14876a5cfb1d88de7870c4fcda16b3c437cf6506380087dd32a48ba0
MD5 hash:
c87473e01b2f477e57dc2b707b878b4c
SHA1 hash:
ebd8bcb492a4ee29451c213f70b9626debda0e7d
Link:
https://www.unpac.me/results/14728231-db38-4954-bb76-10f291567180/
SH256 hash:
dc5c057b0ee1eb079cf189762aac69f0d86338ea18795dc4fbf7ed9b5a45c2eb
MD5 hash:
4103ed94f4747b30e166cf3c25416f47
SHA1 hash:
d553a67056e94f60d621ca42dcecd6d93f9ef1ad
Link:
https://www.unpac.me/results/14728231-db38-4954-bb76-10f291567180/
SH256 hash:
6e38030725fe4760292c5a95fd51c1ddf88c63e827d134b59356e6174f2c7cbc
MD5 hash:
b8d048119e2c5857733714f98523aa4d
SHA1 hash:
5a0c7232b7a1634c64b6482c7ceaa2f51a5f0b43
Link:
https://www.unpac.me/results/14728231-db38-4954-bb76-10f291567180/
SH256 hash:
8ac99d53854bf40b2c4a18e89932d919efc059775756cc09bf5b5ac4224f778f
MD5 hash:
f2027389a0156682fd8cbf266b0a8198
SHA1 hash:
1982486fc2f88c4b2f65200e32913a3dd01b2a50
Link:
https://www.unpac.me/results/14728231-db38-4954-bb76-10f291567180/
SH256 hash:
505126b89f524502a353b1df4131d78ad1c55d564ab7301f8a0a48c30f296900
MD5 hash:
eee891fafbb051b97a47916f2c3937c3
SHA1 hash:
a0b177a26b16bfca986ccd7380bd422c694f5ae1
Link:
https://www.unpac.me/results/14728231-db38-4954-bb76-10f291567180/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/505126b89f524502a353b1df4131d78ad1c55d564ab7301f8a0a48c30f296900

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/257280/

Comments