MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 526ccdf3725d73edaaf7115dab56fe804c409ae9ec955c9012f16cd63bdd1843. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


SnakeKeylogger


Vendor detections: 9


Intelligence 9 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 526ccdf3725d73edaaf7115dab56fe804c409ae9ec955c9012f16cd63bdd1843
SHA3-384 hash: d822e6d1d50156781500dd3677d3d0ffdd24544716cb67c5e1f13b8d2f86bee61e80aa58d838d55371a010ca13a63158
SHA1 hash: 378864464877cf5ab3a3aa6992feb34112d0128d
MD5 hash: 24d8c2564ccd1741eec5719cd13796ff
humanhash: pluto-montana-skylark-two
File name:TABEKA BV NEW ORDER.exe
Download: download sample
Signature SnakeKeylogger
Create hunting rule
File size:1'618'432 bytes
First seen:2022-05-04 13:50:06 UTC
Last seen:2022-05-04 15:40:10 UTC
File type:Executable exe
MIME type:application/x-dosexec
ssdeep 12288:cC0PdUPEUcoLWttcjWv38n3bg4/Lw0w+gcREFGHqy5DZDmFQts0noPIKtfYk9vWM:mVUPEbpttcSf8n3bZLK+AFUoBhQ
Threatray 2'630 similar samples on MalwareBazaar
TLSH T19475294F6F0A8545DC54D375DFB62B523767EBBE9C814312A3867229C26B3AC1E602C3
TrID 63.5% (.EXE) Win64 Executable (generic) (10523/12/4)
12.2% (.EXE) OS/2 Executable (generic) (2029/13)
12.0% (.EXE) Generic Win/DOS Executable (2002/3)
12.0% (.EXE) DOS Executable Generic (2000/1)
File icon (PE):PE icon
dhash icon 69d4b26868b2cc71 (23 x Formbook, 6 x SnakeKeylogger, 2 x AgentTesla)
Reporter abuse_ch
Tags:exe SnakeKeylogger

Intelligence

File Origin
# of uploads :
3
# of downloads :
248
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
TABEKA BV NEW ORDER.exe
Verdict:
No threats detected
Analysis date:
2022-05-04 16:15:02 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/0f1e6f73-d7e1-4fff-a443-c5bb0f257d5c

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/268633/
Detection(s):
Win.Trojan.EmbeddedDotNetBinary-9940868-0
Create hunting rule

Win.Trojan.EmbeddedReversedDLL-9940922-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Creating a file in the %AppData% subdirectories
Сreating synchronization primitives
DNS request
Sending an HTTP GET request
Reading critical registry keys
Enabling autorun by creating a file
Forced shutdown of a browser
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
control.exe obfuscated
Link:
https://www.filescan.io/uploads/627284c80d3e2bd52d289a28/reports/244a5797-e217-4dff-8cbd-acc911745595/overview
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Suspicious
Link:
https://analyze.intezer.com/analyses/ed1e35ad-2ed7-4c9c-a178-6aa9eddff105
Result
Threat name:
Unknown
Detection:
malicious
Classification:
troj.spyw.evad
Score:
92 / 100
Link:
https://www.joesandbox.com/analysis/987796
Signature
.NET source code contains potential unpacker
Creates an undocumented autostart registry key
Initial sample is a PE file and has a suspicious name
Machine Learning detection for dropped file
Machine Learning detection for sample
May check the online IP address of the machine
Multi AV Scanner detection for dropped file
Snort IDS alert for network traffic
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Mail credentials (via file / registry access)
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/526ccdf3725d73edaaf7115dab56fe804c409ae9ec955c9012f16cd63bdd1843/
Threat name:
ByteCode-MSIL.Infostealer.Generic
Create hunting rule
Status:
Suspicious
First seen:
2022-05-04 13:51:12 UTC
File Type:
PE+ (.Net Exe)
Extracted files:
15
AV detection:
8 of 42 (19.05%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=kjwm343slvz63kxxcfo2wvx6qbgebgxj5skvzeas6fwnmo65dbbq._file
Verdict:
malicious
Similar samples:
068a5a6741c0bf5326cdce7e406c5273340ad1c9f4371fadeb88bf794f1d91e6
SnakeKeylogger
4c9059aa76dfa2f817a4bf9cbf18e9f36d9235b6d6eb91af99c99eb68109afe5
SnakeKeylogger
6af08cff583e8520d50beb435bf93e133b4dea697fa65e12df39c134b67177bd
SnakeKeylogger
74d6ce17a5ef1abd3c1c2bf8b9cc472bc8f3816299a06498cc7266c8f479beae
SnakeKeylogger
9213771d3c5189ae487f47c552a34856d2298ed22aac305bc5f29c03212312ea
SnakeKeylogger
9c14d6ca77383fa5a3724feab17b217b900295abf77311a8c88f39ff7bb02f01
SnakeKeylogger
a750c87300b171417adbf5ae69054d2b70073004238216f6e09df4666488f28c
SnakeKeylogger
d952e6902baf966ee83e4036999827263a7132ca1dde7f4eab1797f9fbb75051
SnakeKeylogger
f366cb892570b264ce73bd7c818ee214f0e5f00dc008a4dac5fa5cdc095ddab7
SnakeKeylogger
+ 2'620 additional samples on MalwareBazaar
Result
Malware family:
snakekeylogger
Create hunting rule
Score:
  10/10
Tags:
family:snakekeylogger collection keylogger spyware stealer
Link:
https://tria.ge/reports/220504-q5s9msgfhn/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
outlook_office_path
outlook_win_path
Accesses Microsoft Outlook profiles
Looks up external IP address via web service
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Snake Keylogger
Snake Keylogger Payload
Malware Config
C2 Extraction:
https://api.telegram.org/bot5336865726:AAFldw6ldPqCHxYer8zB8WwmZVR7XynDkMo/sendMessage?chat_id=5178395696
Unpacked files
SH256 hash:
526ccdf3725d73edaaf7115dab56fe804c409ae9ec955c9012f16cd63bdd1843
MD5 hash:
24d8c2564ccd1741eec5719cd13796ff
SHA1 hash:
378864464877cf5ab3a3aa6992feb34112d0128d
Link:
https://www.unpac.me/results/dd93bf4e-f9fd-4114-a7cb-d28351cecbfe/
Malware family:
SnakeKeylogger
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/526ccdf3725d/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.35
Link:
https://yomi.yoroi.company/submissions/526ccdf3725d73edaaf7115dab56fe804c409ae9ec955c9012f16cd63bdd1843

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_EXE_Packed_SmartAssembly
Create hunting rule
Author:ditekSHen
Description:Detects executables packed with SmartAssembly
Rule name:Typical_Malware_String_Transforms
Create hunting rule
Author:Florian Roth
Description:Detects typical strings in a reversed or otherwise modified form
Reference:Internal Research
Rule name:Typical_Malware_String_Transforms_RID3473
Create hunting rule
Author:Florian Roth
Description:Detects typical strings in a reversed or otherwise modified form
Reference:Internal Research

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

SnakeKeylogger

ace fad061721eba6fa4c81d06f8db3663a6ce4d1a508cb3f08d4eecd022af846562

SnakeKeylogger

Executable exe 526ccdf3725d73edaaf7115dab56fe804c409ae9ec955c9012f16cd63bdd1843

(this sample)

Cape
Cape
https://www.capesandbox.com/analysis/268633/
  
Dropped by
SHA256 fad061721eba6fa4c81d06f8db3663a6ce4d1a508cb3f08d4eecd022af846562
  
Dropped by
MD5 c2f14b0a3d61b53df73ed711327b36ec
  
Dropped by
SHA256 fd91cf0f5c8ee1f7a741d3b220cd4dc58a2aa808042aca5dccf13723d1383fce
  
Dropped by
MD5 e41ffbee6515bad0182878d526482f8b

Comments