MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 5f16e8c1fef7f5f311b814b10f7b9e9b1ec3c204075fb8bb48ac207e256ea208. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



SnakeKeylogger


Vendor detections: 14



SHA256 hash: 5f16e8c1fef7f5f311b814b10f7b9e9b1ec3c204075fb8bb48ac207e256ea208
SHA3-384 hash: c3dd4f1aaf9d4cb6101bb8e66535b27f71711778a72770087991707a980ef97c9d3d1464a48e7ff41213144e7ffe40d3
SHA1 hash: 7efb628f6b348b0f19360241f3f0661419617bc7
MD5 hash: 51505dd088beb3a3406dab4bcfc0090b
humanhash: kansas-louisiana-equal-hawaii
File name: Halkbank_Ekstre_20230129_075423_612150o.pdf..exe
Signature: SnakeKeylogger
File size: 472'700 bytes
First seen: 2023-02-01 15:10:25 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: 98f67c550a7da65513e63ffd998f6b2e (21 x SnakeKeylogger, 13 x MassLogger, 11 x CryptOne)
ssdeep: 12288:GENN+T5xYrllrU7QY62YrTNbwcD/xtDmpfJuB3:K5xolYQY62YrZ0nfs5
TLSH: T112A48C2BBA44622FF4ABC6F108266A63B5356D251FE06C0F63815F5A3871263B1F570F
TrID: 44.4% (.EXE) Win32 Executable Microsoft Visual Basic 6 (82067/2/8)
      23.3% (.EXE) InstallShield setup (43053/19/16)
      16.9% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
      5.7% (.EXE) Win64 Executable (generic) (10523/12/4)
      2.7% (.EXE) Win16 NE executable (generic) (5038/12/1)
dhash icon: b2a89c96a2cada72 (2'283 x Formbook, 981 x Loki, 803 x AgentTesla)
Reporter: abuse_ch
Tags: exe geo Halkbank SnakeKeylogger TUR

Intelligence


File Origin
# of uploads: 1
# of downloads: 173
Origin country: n/a
Vendor Threat Intelligence
Malware family: n/a
ID: 1
File name: Halkbank_Ekstre_20230129_075423_612150o.pdf..exe
Verdict: Malicious activity
Analysis date: 2023-02-01 15:16:46 UTC
Tags: installer evasion trojan snake keylogger

Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict: Malware
Maliciousness:

Behaviour
Creating synchronization primitives
Creating a window
Creating a file
Creating a process from a recently created file
Creating a file in the %temp% directory
Creating a process with a hidden window
Creating a file in the Windows subdirectories
Enabling the 'hidden' option for recently created files
Sending a custom TCP request
Setting a keyboard event handler
Setting a global event handler
Creating a file in the %AppData% directory
DNS request
Sending an HTTP GET request
Reading critical registry keys
Unauthorized injection to a recently created process by context flags manipulation
Setting a single autorun event
Launching the process to create tasks for the scheduler
Enabling autorun
Enabling a "Do not show hidden files" option
Verdict: Likely Malicious
Threat level: 7.5/10
Confidence: 80%
Tags: shell32.dll
Result
Verdict: MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family: Generic Malware
Verdict: Malicious
Result
Threat name: CryptOne, Snake Keylogger
Detection: malicious
Classification: troj.spyw.evad
Score: 100 / 100
Signature
.NET source code references suspicious native API functions
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Creates an undocumented autostart registry key
Detected CryptOne packer
Detected unpacking (creates a PE file in dynamic memory)
Drops executables to the windows directory (C:\Windows) and starts them
Drops PE files with benign system names
Initial sample is a PE file and has a suspicious name
Installs a global keyboard hook
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
May check the online IP address of the machine
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
PE file has a writeable .text section
Snort IDS alert for network traffic
System process connects to network (likely due to code injection or exploit)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Mail credentials (via file / registry access)
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected Generic Downloader
Yara detected Snake Keylogger
Yara detected Telegram RAT
Behaviour
Behavior Graph (ID: 796452)
Sample: Halkbank_Ekstre_20230129_07...
Start date: 01/02/2023
Architecture: WINDOWS
Score: 100
Top-level signatures: Snort IDS alert for network traffic; Malicious sample detected (through community Yara rule); Antivirus detection for dropped file; 11 other signatures
Process tree (dropped files, network contacts and per-process signatures as shown in the graph):
Halkbank_Ekstre_20230129_075423_612150o.pdf..exe
    Dropped: halkbank_ekstre_20...23_612150o.pdf..exe (PE32); C:\Users\user\AppData\Local\icsys.icn.exe (PE32)
    Signatures: Installs a global keyboard hook
    Started: icsys.icn.exe; halkbank_ekstre_20230129_075423_612150o.pdf..exe
    icsys.icn.exe
        Dropped: C:\Windows\System\explorer.exe (PE32)
        Signatures: Antivirus detection for dropped file; Multi AV Scanner detection for dropped file; Machine Learning detection for dropped file; 3 other signatures
        Started: explorer.exe
        explorer.exe
            Network: vccmd01.zxq.net (51.81.194.202, port 443, local ports 49705 and 49706, OVHFR, United States); zxq.net; 5 other IPs or domains
            Dropped: C:\Windows\System\spoolsv.exe (PE32); C:\Users\user\AppData\Roaming\mrsys.exe (PE32)
            Signatures: Antivirus detection for dropped file; System process connects to network (likely due to code injection or exploit); Creates an undocumented autostart registry key; 3 other signatures
            Started: spoolsv.exe
            spoolsv.exe
                Dropped: C:\Windows\System\svchost.exe (PE32)
                Signatures: Antivirus detection for dropped file; Machine Learning detection for dropped file; Drops executables to the windows directory (C:\Windows) and starts them; 2 other signatures
                Started: svchost.exe
                svchost.exe
                    Network: 192.168.2.1 (unknown)
                    Dropped: C:\Users\user\AppData\Local\stsys.exe (PE32)
                    Signatures: Antivirus detection for dropped file; Detected CryptOne packer; Machine Learning detection for dropped file; 3 other signatures
                    Started: spoolsv.exe; at.exe; at.exe; 26 other processes
                    spoolsv.exe
                        Signatures: Installs a global keyboard hook
                    at.exe
                        Started: conhost.exe
                    at.exe
                        Started: conhost.exe
                    26 other processes
                        Started: conhost.exe; conhost.exe; conhost.exe; 23 other processes
    halkbank_ekstre_20230129_075423_612150o.pdf..exe
        Dropped: C:\Users\user\AppData\Local\Temp\iauwp.exe (PE32)
        Started: iauwp.exe
        iauwp.exe
            Signatures: Detected unpacking (creates a PE file in dynamic memory); May check the online IP address of the machine; Maps a DLL or memory area into another process
            Started: iauwp.exe
            iauwp.exe
                Network: checkip.dyndns.com (193.122.130.0, port 80, local port 49710, ORACLE-BMC-31898US, United States); checkip.dyndns.org
                Signatures: Tries to steal Mail credentials (via file / registry access); Tries to harvest and steal ftp login credentials; Tries to harvest and steal browser information (history, passwords, etc)
explorer.exe
svchost.exe
svchost.exe
Threat name: Win32.Trojan.Golsys
Status: Malicious
First seen: 2023-02-01 12:43:09 UTC
File Type: PE (Exe)
Extracted files: 6
AV detection: 37 of 39 (94.87%)
Threat level: 5/5
Result
Malware family: snakekeylogger
Score: 10/10
Tags: family:snakekeylogger collection evasion keylogger persistence spyware stealer upx
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Enumerates physical storage devices
Program crash
Drops file in Windows directory
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Adds Run key to start application
Looks up external IP address via web service
Loads dropped DLL
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Executes dropped EXE
Modifies Installed Components in the registry
UPX packed file
Modifies WinLogon for persistence
Modifies visibility of hidden/system files in Explorer
Snake Keylogger
Snake Keylogger payload
Malware Config
C2 Extraction: https://api.telegram.org/bot5801425382:AAG5b4PUEaqNDv5uP9ejZGeIHeuzzOD4IHY/sendMessage?chat_id=5812329204
Unpacked files
SHA256 hash: 242874d1c8a36a015ba9b700b54621c3d73911f26f5c525a24ef076f3abfec51
MD5 hash: 10590cc2631941f11f861f7ba21b5806
SHA1 hash: 734b01cce755826a691b69eeb637744557adbea2
Detections: snake_keylogger
SHA256 hash: 326421d2307ec438181f32c586a648a1a36aaf9a2c7cc2407697535c5154f847
MD5 hash: a9c770618a3d11583811d2f78505333f
SHA1 hash: b3be70f2af3b3de5936acb2ead0f95cdeba71150
Detections: snake_keylogger
Parent samples:
SHA256 hash: 306c0a2b8efa7c76f69246bed00e98b1d8c012446abdf48f650d9d7343562c34
MD5 hash: 82d9274bf661ed3fdb3d7e7d66efb9ba
SHA1 hash: 5f98a0699b92d2db63e4baa3c71920561bc49838
SHA256 hash: c6b3a4a6ea26b8f9319c7582671b6818adb57b3cbf6b224e2c6b8da3a0705b9e
MD5 hash: d31f9e27c580cd1575827f76a0c22627
SHA1 hash: cd1bd96d7da858f10ea3cba700cb551bab66a26d
SHA256 hash: 5f16e8c1fef7f5f311b814b10f7b9e9b1ec3c204075fb8bb48ac207e256ea208
MD5 hash: 51505dd088beb3a3406dab4bcfc0090b
SHA1 hash: 7efb628f6b348b0f19360241f3f0661419617bc7
Malware family: SnakeKeylogger
Verdict: Malicious
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: cobalt_strike_tmp01925d3f
Author: The DFIR Report
Description: files - file ~tmp01925d3f.exe
Reference: https://thedfirreport.com
Rule name: INDICATOR_SUSPICIOUS_Binary_References_Browsers
Author: ditekSHen
Description: Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers.
Rule name: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook
Author: ditekSHen
Description: Detects executables with potential process hooking
Rule name: INDICATOR_SUSPICIOUS_EXE_References_Messaging_Clients
Author: ditekSHen
Description: Detects executables referencing many email and collaboration clients. Observed in information stealers.
Rule name: INDICATOR_SUSPICIOUS_EXE_TelegramChatBot
Author: ditekSHen
Description: Detects executables using Telegram Chat Bot
Rule name: MALWARE_Win_SnakeKeylogger
Author: ditekSHen
Description: Detects Snake Keylogger
Rule name: MAL_Envrial_Jan18_1
Author: Florian Roth
Description: Detects Encrial credential stealer malware
Reference: https://twitter.com/malwrhunterteam/status/953313514629853184
Rule name: MAL_Envrial_Jan18_1_RID2D8C
Author: Florian Roth
Description: Detects Encrial credential stealer malware
Reference: https://twitter.com/malwrhunterteam/status/953313514629853184
Rule name: pe_imphash
Rule name: Skystars_Malware_Imphash
Author: Skystars LightDefender
Description: imphash
Rule name: Windows_Trojan_SnakeKeylogger_af3faa65
Author: Elastic Security

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Comments