MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 6121c5bbafe4f3afba5ca58695f5951e99c5d638362fc9536e32a249c16f6442. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


SnakeKeylogger


Vendor detections: 11


Intelligence 11 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 6121c5bbafe4f3afba5ca58695f5951e99c5d638362fc9536e32a249c16f6442
SHA3-384 hash: c83504dc39866c0ff64bf9c4a71750f0e4dac280bac682f8e513a7593550bc19879faeb4d63e69ffd5a32d24842dabd9
SHA1 hash: 83af4612bbcc7f72aa094847b1eb1680d5d95926
MD5 hash: 42a3b27df3ba1849780e526c42de50ab
humanhash: cold-cup-delaware-enemy
File name:SecuriteInfo.com.Win32.DropperX-gen.6556.5302
Download: download sample
Signature SnakeKeylogger
Create hunting rule
File size:6'656 bytes
First seen:2022-12-03 00:51:07 UTC
Last seen:2022-12-07 17:22:36 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'751 x AgentTesla, 19'656 x Formbook, 12'248 x SnakeKeylogger)
ssdeep 96:wOaINHv03Lgcwh46MYKFIW2FL/dUrqGQkkeru9w3GnUODL:RaK0q+6mhwD5GceUwv0
Threatray 10'745 similar samples on MalwareBazaar
TLSH T1FFD11915AB948777EDA68773ACF353810378E700DD43CBBE4CC8961E88497690B11A74
TrID 71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.2% (.EXE) Win64 Executable (generic) (10523/12/4)
6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.3% (.EXE) Win32 Executable (generic) (4505/5/1)
2.0% (.ICL) Windows Icons Library (generic) (2059/9)
Reporter SecuriteInfoCom
Tags:exe SnakeKeylogger

Intelligence

File Origin
# of uploads :
3
# of downloads :
200
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
SecuriteInfo.com.Win32.DropperX-gen.6556.5302
Verdict:
Malicious activity
Analysis date:
2022-12-03 00:52:15 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/aa6f7c9e-79d0-49f1-bf3e-06fdca072598

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/342104/
Detection(s):
SecuriteInfo.com.Win32.DropperX-gen.6556.5302.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Сreating synchronization primitives
Launching a process
Creating a process with a hidden window
Sending an HTTP GET request to an infection source
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
obfuscated packed
Link:
https://www.filescan.io/uploads/638a9db49a505ad9423cb971/reports/5af3d94d-fb9d-4335-a070-53c65372c5ae/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/c777675e-c69b-4ebb-aed1-4b5cdfd63c22
Result
Threat name:
Snake Keylogger
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1126905
Signature
.NET source code contains potential unpacker
.NET source code references suspicious native API functions
Encrypted powershell cmdline option found
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
May check the online IP address of the machine
Multi AV Scanner detection for domain / URL
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Snort IDS alert for network traffic
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Mail credentials (via file / registry access)
Yara detected Generic Downloader
Yara detected Snake Keylogger
Yara detected Telegram RAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 759629 Sample: SecuriteInfo.com.Win32.Drop... Startdate: 03/12/2022 Architecture: WINDOWS Score: 100 50 Snort IDS alert for network traffic 2->50 52 Multi AV Scanner detection for domain / URL 2->52 54 Malicious sample detected (through community Yara rule) 2->54 56 7 other signatures 2->56 7 SecuriteInfo.com.Win32.DropperX-gen.6556.5302.exe 16 7 2->7         started        12 Uhrff.exe 14 3 2->12         started        14 Uhrff.exe 3 2->14         started        process3 dnsIp4 42 185.246.220.210, 49697, 49701, 49702 LVLT-10753US Germany 7->42 32 C:\Users\user\AppData\Roaming\...\Uhrff.exe, PE32 7->32 dropped 34 C:\Users\user\...\Uhrff.exe:Zone.Identifier, ASCII 7->34 dropped 36 SecuriteInfo.com.W...n.6556.5302.exe.log, ASCII 7->36 dropped 58 May check the online IP address of the machine 7->58 60 Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines) 7->60 62 Encrypted powershell cmdline option found 7->62 16 SecuriteInfo.com.Win32.DropperX-gen.6556.5302.exe 2 7->16         started        20 powershell.exe 16 7->20         started        64 Machine Learning detection for dropped file 12->64 22 powershell.exe 12->22         started        24 powershell.exe 14->24         started        file5 signatures6 process7 dnsIp8 38 checkip.dyndns.com 132.226.247.73, 49700, 80 UTMEMUS United States 16->38 40 checkip.dyndns.org 16->40 44 Tries to steal Mail credentials (via file / registry access) 16->44 46 Tries to harvest and steal ftp login credentials 16->46 48 Tries to harvest and steal browser information (history, passwords, etc) 16->48 26 conhost.exe 20->26         started        28 conhost.exe 22->28         started        30 conhost.exe 24->30         started        signatures9 process10
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/6121c5bbafe4f3afba5ca58695f5951e99c5d638362fc9536e32a249c16f6442/
Threat name:
ByteCode-MSIL.Backdoor.Bladabhindi
Create hunting rule
Status:
Malicious
First seen:
2022-12-03 00:52:08 UTC
File Type:
PE (.Net Exe)
Extracted files:
1
AV detection:
14 of 39 (35.90%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=meq4lo5p4tz27os4uwdjl5mvd2m4lvrygyx4su3ogkretqlpmrba._file
Verdict:
malicious
Similar samples:
0ca4084b3032011f18ada96a4d6365a17c26ba745e8d4df2d4b246529e186eb4
SnakeKeylogger
4b0e274d733c1292ace31c3b7436eb20989cc308ef92b902df2d9020280fce50
SnakeKeylogger
5f01277eb7aa0580f6c084ed456dc42c06a2d0a1be268fb2ec650c82c752afde
SnakeKeylogger
8572c3b461f643bf5baaeb032cf81f83af78dcc60e34d98c669d12f748bb38f3
SnakeKeylogger
b7dbc97b8a087264217178dbff138d86940c1da6ae255a47cf98f0fa86d767e0
SnakeKeylogger
f2643b4686b59c10dd7e51a8482f5515f15ab47eb81b6d8674b135c7ea266d24
SnakeKeylogger
f709023c031ce094c86c0f260226c388d59cf346e88b733b65c284378ca6f003
SnakeKeylogger
+ 10'735 additional samples on MalwareBazaar
Result
Malware family:
snakekeylogger
Create hunting rule
Score:
  10/10
Tags:
family:snakekeylogger collection keylogger persistence spyware stealer
Link:
https://tria.ge/reports/221203-a73yvsdh6x/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Enumerates physical storage devices
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Adds Run key to start application
Looks up external IP address via web service
Checks computer location settings
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Snake Keylogger
Snake Keylogger payload
Verdict:
Malicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/e1b35f9f-f3ab-4620-b92f-a5206be31679
Unpacked files
SH256 hash:
6121c5bbafe4f3afba5ca58695f5951e99c5d638362fc9536e32a249c16f6442
MD5 hash:
42a3b27df3ba1849780e526c42de50ab
SHA1 hash:
83af4612bbcc7f72aa094847b1eb1680d5d95926
Link:
https://www.unpac.me/results/890e2d78-4077-4fed-ac62-0471a796aeea/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.35
Link:
https://yomi.yoroi.company/submissions/6121c5bbafe4f3afba5ca58695f5951e99c5d638362fc9536e32a249c16f6442

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_EXE_Packed_SmartAssembly
Create hunting rule
Author:ditekSHen
Description:Detects executables packed with SmartAssembly
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/342104/

Comments