MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 60af9df81cf538b49e2411b69acfbcd2df44edffa4c4912e16c64d2618d22a8c. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


SnakeKeylogger


Vendor detections: 12


Intelligence 12 IOCs YARA 13 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 60af9df81cf538b49e2411b69acfbcd2df44edffa4c4912e16c64d2618d22a8c
SHA3-384 hash: e886aa807704ec79a759dd4f93ec9384a8f0b6227478677921103931c91e10d372d75f3618662f4648caf6d293cb3deb
SHA1 hash: b6e8c755d2b42dcc3de86155a26f7323bdcb4ffe
MD5 hash: 017d37014a8a11b41bd5816579ba4170
humanhash: south-chicken-green-sweet
File name:NEW BANKING DETAILS.exe
Download: download sample
Signature SnakeKeylogger
Create hunting rule
File size:1'313'976 bytes
First seen:2022-11-08 06:56:20 UTC
Last seen:2022-11-10 16:01:58 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash fcf1390e9ce472c7270447fc5c61a0c1 (863 x DCRat, 118 x NanoCore, 94 x njrat)
ssdeep 24576:CAOcZOXCJF/YIOQlTgshPh6I0lYglQTQD3+L8Fh:IgJF/Yu5+lYgaG+L0h
Threatray 2'745 similar samples on MalwareBazaar
TLSH T1E155D031EF72C4A9C8759AB0DB35A706CD2B2F102D3D8BDE2394349D4631972A7DC692
TrID 91.0% (.EXE) WinRAR Self Extracting archive (4.x-5.x) (265042/9/39)
3.6% (.EXE) Win64 Executable (generic) (10523/12/4)
1.7% (.EXE) Win16 NE executable (generic) (5038/12/1)
1.5% (.EXE) Win32 Executable (generic) (4505/5/1)
0.6% (.EXE) OS/2 Executable (generic) (2029/13)
File icon (PE):PE icon
dhash icon 00ccd0f8f8f0c400 (6 x SnakeKeylogger, 2 x Formbook, 1 x Loki)
Reporter abuse_ch
Tags:exe SnakeKeylogger

Intelligence

File Origin
# of uploads :
2
# of downloads :
155
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
NEW BANKING DETAILS.exe
Verdict:
Malicious activity
Analysis date:
2022-11-08 06:59:14 UTC
Tags:
evasion trojan
Link:
https://app.any.run/tasks/f6923e99-4096-4982-bdef-97465dbe6081

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/330370/
Detection(s):
Win.Dropper.Nanocore-9975596-0
Create hunting rule

Win.Dropper.Nanocore-9976456-0
Create hunting rule

SecuriteInfo.com.Gen.Variant.Johnnie.221809.751.14920.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Searching for the window
Сreating synchronization primitives
Searching for synchronization primitives
Creating a file in the %temp% subdirectories
Enabling the 'hidden' option for files in the %temp% directory
Creating a process from a recently created file
Creating a file
Launching a process
Sending a custom TCP request
DNS request
Sending an HTTP GET request
Reading critical registry keys
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Unauthorized injection to a system process
Forced shutdown of a browser
Result
Malware family:
n/a
Score:
  6/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/49974/overview
Behaviour
MalwareBazaar
MeasuringTime
EvasionQueryPerformanceCounter
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
greyware nanocore overlay packed setupapi.dll shdocvw.dll shell32.dll
Link:
https://www.filescan.io/uploads/6369fdbf1b78baadf87fa1cc/reports/6cafd20c-135b-4ee0-9a23-f12dd268c59a/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/e9a0e6d3-acd9-4e1a-b371-63ef3a9bf20c
Result
Threat name:
Unknown
Detection:
malicious
Classification:
troj.evad
Score:
84 / 100
Link:
https://www.joesandbox.com/analysis/1107979
Signature
Creates autostart registry keys with suspicious values (likely registry only malware)
Creates multiple autostart registry keys
May check the online IP address of the machine
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic
Yara detected AntiVM autoit script
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 740640 Sample: NEW BANKING DETAILS.exe Startdate: 08/11/2022 Architecture: WINDOWS Score: 84 62 checkip.dyndns.org 2->62 64 checkip.dyndns.com 2->64 66 freegeoip.live 2->66 74 Snort IDS alert for network traffic 2->74 76 Multi AV Scanner detection for submitted file 2->76 78 Yara detected AntiVM autoit script 2->78 13 NEW BANKING DETAILS.exe 3 31 2->13         started        16 vuixwrjq.exe 2 1 2->16         started        19 wscript.exe 2->19         started        21 4 other processes 2->21 signatures3 80 May check the online IP address of the machine 62->80 process4 dnsIp5 60 C:\Users\user\AppData\Local\...\vuixwrjq.exe, PE32 13->60 dropped 24 wscript.exe 1 13->24         started        70 Creates autostart registry keys with suspicious values (likely registry only malware) 16->70 72 Creates multiple autostart registry keys 16->72 26 wscript.exe 16->26         started        28 vuixwrjq.exe 19->28         started        68 192.168.2.1 unknown unknown 21->68 30 wscript.exe 21->30         started        32 vuixwrjq.exe 21->32         started        34 vuixwrjq.exe 21->34         started        file6 signatures7 process8 process9 36 vuixwrjq.exe 2 5 24->36         started        40 vuixwrjq.exe 26->40         started        42 wscript.exe 28->42         started        44 vuixwrjq.exe 30->44         started        file10 58 C:\Users\user\AppData\Local\...\Update.vbs, ASCII 36->58 dropped 82 Multi AV Scanner detection for dropped file 36->82 46 wscript.exe 1 36->46         started        48 vuixwrjq.exe 42->48         started        signatures11 process12 process13 50 vuixwrjq.exe 1 46->50         started        process14 52 wscript.exe 50->52         started        process15 54 vuixwrjq.exe 52->54         started        process16 56 wscript.exe 54->56         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/60af9df81cf538b49e2411b69acfbcd2df44edffa4c4912e16c64d2618d22a8c/
Threat name:
Win32.Trojan.Tnega
Create hunting rule
Status:
Malicious
First seen:
2022-11-08 06:57:42 UTC
File Type:
PE (Exe)
Extracted files:
102
AV detection:
23 of 26 (88.46%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=mcxz36a46u4ljhrecg3jvt542lpuj3p7utcjclqwyzgsmggsfkga._file
Verdict:
unknown
Similar samples:
5c19fb2da50d67ae379047a6a30c01a418aefc98956d0d1662404742e9d84878
SnakeKeylogger
6ed9a8b54bcf003ce7c30232c4aec5b6e14dd4722238dd153e8d01a1494eca8f
SnakeKeylogger
6f08315a969035d9cca94d594b69eb041e5f302613326c537bd5cd0d471f8b1c
SnakeKeylogger
83327640b003bbdb759074d1e9925381bcb661a35b531b3d9832435ae80298ac
SnakeKeylogger
b0c5a3e2456d9df495e299db88e2431ab0133ea2327d885f6234ecf8ba5805e9
SnakeKeylogger
b4b8d49ce8ac2c756f6d65399e71a15fc46814f4aee055bcc99cbb7d1d50cd88
SnakeKeylogger
ea103cc8e05d365c5974be588279338383c416a04cad3ac3f91e44ebf4b22bc5
SnakeKeylogger
fd8d1fdc81053818002dd60fb8d7b0d8e37ee984d77760750456e1773c2c0bcc
SnakeKeylogger
+ 2'735 additional samples on MalwareBazaar
Result
Malware family:
snakekeylogger
Create hunting rule
Score:
  10/10
Tags:
family:snakekeylogger collection keylogger persistence stealer
Link:
https://tria.ge/reports/221108-hqx1aaegdn/
Behaviour
Modifies registry class
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Enumerates physical storage devices
Program crash
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Adds Run key to start application
Looks up external IP address via web service
Checks computer location settings
Loads dropped DLL
Executes dropped EXE
Snake Keylogger
Snake Keylogger payload
Verdict:
Suspicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/d3d230b8-3d3f-421c-a2d7-de7a0526b3d8
Unpacked files
SH256 hash:
1ef877efa2f89d55238f0cdbe8626ef608e9fe68dc7c759b955d23d7c36dab97
MD5 hash:
00d9cc4f33df6936475814fe43327f59
SHA1 hash:
57b06c3521013ab66cf82080d8306d46aa17d44e
Link:
https://www.unpac.me/results/28882729-0168-45bf-a38d-bd984c3ae802/
SH256 hash:
830c810a24065ce6950503a89583c4d88ff6aa1274ee0d12354cf3ef66ef7592
MD5 hash:
bc98949a0f5be89a163a4aa98acb8e86
SHA1 hash:
0874c391dcf75e6bda6fac70b3dbafd54ecd36ef
Link:
https://www.unpac.me/results/28882729-0168-45bf-a38d-bd984c3ae802/
SH256 hash:
60af9df81cf538b49e2411b69acfbcd2df44edffa4c4912e16c64d2618d22a8c
MD5 hash:
017d37014a8a11b41bd5816579ba4170
SHA1 hash:
b6e8c755d2b42dcc3de86155a26f7323bdcb4ffe
Link:
https://www.unpac.me/results/28882729-0168-45bf-a38d-bd984c3ae802/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/60af9df81cf538b49e2411b69acfbcd2df44edffa4c4912e16c64d2618d22a8c

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_SUSPICIOUS_Binary_References_Browsers
Create hunting rule
Author:ditekSHen
Description:Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers.
Rule name:INDICATOR_SUSPICIOUS_EXE_DotNetProcHook
Create hunting rule
Author:ditekSHen
Description:Detects executables with potential process hoocking
Rule name:INDICATOR_SUSPICIOUS_EXE_References_Messaging_Clients
Create hunting rule
Author:ditekSHen
Description:Detects executables referencing many email and collaboration clients. Observed in information stealers
Rule name:INDICATOR_SUSPICIOUS_EXE_TelegramChatBot
Create hunting rule
Author:ditekSHen
Description:Detects executables using Telegram Chat Bot
Rule name:MALWARE_Win_SnakeKeylogger
Create hunting rule
Author:ditekSHen
Description:Detects Snake Keylogger
Rule name:MAL_Envrial_Jan18_1
Create hunting rule
Author:Florian Roth
Description:Detects Encrial credential stealer malware
Reference:https://twitter.com/malwrhunterteam/status/953313514629853184
Rule name:MAL_Envrial_Jan18_1_RID2D8C
Create hunting rule
Author:Florian Roth
Description:Detects Encrial credential stealer malware
Reference:https://twitter.com/malwrhunterteam/status/953313514629853184
Rule name:pdb_YARAify
Create hunting rule
Author:@wowabiy314
Description:PDB
Rule name:pe_imphash
Create hunting rule
Rule name:sfx_pdb
Create hunting rule
Author:@razvialex
Description:Detect interesting files containing sfx with pdb paths.
Rule name:sfx_pdb_winrar_restrict
Create hunting rule
Author:@razvialex
Description:Detect interesting files containing sfx with pdb paths.
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash
Rule name:Windows_Trojan_SnakeKeylogger_af3faa65
Create hunting rule
Author:Elastic Security

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/330370/

Comments