MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 61242d372c2335940696dbf6d7ea85fbd95bd192d40a2e347faf43d9cbd04c82. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

SnakeKeylogger

Vendor detections: 16

Intelligence 16 IOCs YARA 2 File information Comments

SHA256 hash:	61242d372c2335940696dbf6d7ea85fbd95bd192d40a2e347faf43d9cbd04c82
SHA3-384 hash:	4289212cdbdb14d6aefce59f852f8d1ee2aceb4299d53e03bba83c294c6823028890d4b8cb3a20f7447874560066d2f4
SHA1 hash:	79e24c6f76464478bd88c45b0d0dd50296d5fd07
MD5 hash:	0c6c529ac402229837a07c0d09d4b841
humanhash:	washington-zebra-angel-november
File name:	fatura_25148.exe
Download:	download sample
Signature	SnakeKeylogger Create hunting rule
File size:	571'392 bytes
First seen:	2023-05-16 21:00:43 UTC
Last seen:	2023-05-16 21:40:37 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'205 x SnakeKeylogger)
ssdeep	6144:PYMbsEvycCJULPWzt7dfzWrrl1K7GPy9hXwCI8rpYeCBfPc7e51SLK1kF0mpk3A:PYov5+UzAWrrl1fyrXwb8QQe1kF0Ik3
Threatray	1'321 similar samples on MalwareBazaar
TLSH	T1D6C4D070909EC690E01B87F165B8FC72023134F3ADE5D9351B59A2C4CE67F58AE889DB
TrID	71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13) 10.2% (.EXE) Win64 Executable (generic) (10523/12/4) 6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 4.3% (.EXE) Win32 Executable (generic) (4505/5/1) 2.0% (.ICL) Windows Icons Library (generic) (2059/9)
File icon (PE):
dhash icon	b1b1b17964989c06 (31 x SnakeKeylogger, 4 x AgentTesla, 3 x XWorm)
Reporter	lowmal3
Tags:	exe SnakeKeylogger

Intelligence

File Origin

# of uploads :

# of downloads :

282

Origin country :

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

fatura_25148.exe

Verdict:

Malicious activity

Analysis date:

2023-05-16 21:06:43 UTC

Tags:

snake keylogger trojan evasion

Link:

https://app.any.run/tasks/210ff949-8137-433b-8b54-b2fe73d419d4

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

Snake

Link:

https://www.capesandbox.com/analysis/390567/

Detection(s):

SecuriteInfo.com.Variant.Strictor.277576.14395.12444.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Searching for the window

Creating a window

Sending a custom TCP request

Launching a process

Creating a process with a hidden window

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

barys comodo lokibot packed

Link:

https://www.filescan.io/uploads/6463ef0e2fe8bc4707a9a973/reports/bf44e7b6-78c9-4c61-abe2-5dbc154123c5/overview

Verdict:

Malicious

Labled as:

Strictor.Generic

Link:

https://www.hybrid-analysis.com/sample/61242d372c2335940696dbf6d7ea85fbd95bd192d40a2e347faf43d9cbd04c82

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Snake Keylogger

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/a3f10fa9-7815-45cc-bf07-8fadd2d986b1

Result

Threat name:

Snake Keylogger, StormKitty

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1234852

Signature

.NET source code contains potential unpacker

Adds a directory exclusion to Windows Defender

Antivirus / Scanner detection for submitted sample

Antivirus detection for dropped file

Found malware configuration

Machine Learning detection for dropped file

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

May check the online IP address of the machine

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Sigma detected: Scheduled temp file as task from temp location

Snort IDS alert for network traffic

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Mail credentials (via file / registry access)

Uses schtasks.exe or at.exe to add and modify task schedules

Uses the Telegram API (likely for C&C communication)

Yara detected Generic Downloader

Yara detected Snake Keylogger

Yara detected StormKitty Stealer

Yara detected Telegram RAT

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/61242d372c2335940696dbf6d7ea85fbd95bd192d40a2e347faf43d9cbd04c82/

Threat name:

Win32.Trojan.Leonem

Status:

Malicious

First seen:

2023-05-16 10:15:18 UTC

File Type:

PE (.Net Exe)

Extracted files:

AV detection:

21 of 37 (56.76%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=mesc2nzmem2zibuw3p3np2uf7pmvxums2qfc4nd7v5b5ts6qjsba._file

Verdict:

malicious

SnakeKeylogger

0555b2be69a7f5ef1a4b3948af343d22ddf3d5e1b21be20f8f9b9151c04d2a6c

SnakeKeylogger

3483bcc8e4d439c0883bd94044e95f23c4b674c0472af8e695594e00bbbf9dbf

SnakeKeylogger

5d9bb423fe6b1cb4fa77edde15ac108d779750606fe6dc904c3190af91b4af75

SnakeKeylogger

9c66ee8408f346d107b9de203506f8006ee635f3cac6efeb4f14b8446b2916de

SnakeKeylogger

be1588c97b371b5b329c2ac781d083829b8d93ba95dee3dc9778a772c5d5edc2

SnakeKeylogger

db5a4b5c89e2984ac0be6e61a93dcd9ab7bb42d81ca6083b4388ae962ec6ea27

SnakeKeylogger

f23f7ede6683e9e571279757d2a2c25493d07b2a98ab653685b4dbe93e3d1b2d

SnakeKeylogger

fab58afbd986a4fb766f06edadc553c09b6422d1a54100f8ef1aa589f28f32f6

SnakeKeylogger

fb8564efb19ac7b2777934eeff430c908f3a3e4989ccffcfe0b82453ac222c8f

SnakeKeylogger

+ 1'311 additional samples on MalwareBazaar

Result

Malware family:

stormkitty

Score:

10/10

Tags:

family:snakekeylogger family:stormkitty collection keylogger spyware stealer

Link:

https://tria.ge/reports/230516-ztvg1abf9w/

Behaviour

Creates scheduled task(s)

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

outlook_office_path

outlook_win_path

Enumerates physical storage devices

Suspicious use of SetThreadContext

Accesses Microsoft Outlook profiles

Looks up external IP address via web service

Checks computer location settings

Reads user/profile data of web browsers

Snake Keylogger

Snake Keylogger payload

StormKitty

StormKitty payload

Malware Config

C2 Extraction:

https://api.telegram.org/bot5900175150:AAEOWcHfBC8E-MpCblgzLaTu6oAl9xGi2Nc/sendMessage?chat_id=6236888590

Unpacked files

SH256 hash:

6a623b074bc8c42649f6acc302752e403d9b838a6537519572cde41e78203264

MD5 hash:

05952b24438758a4a33299130b1fd811

SHA1 hash:

d1b06feb102d3b1d22976b15e147e0fd22752451

Link:

https://www.unpac.me/results/9bf6241d-e116-4de6-8488-dbd2fd62f779/

SH256 hash:

16c255190eaaf1b60ec7d07abcac5f614ea197cee2416ca9d01bb563c526c87d

MD5 hash:

fb4ed205b442f470bbf10913128efdcb

SHA1 hash:

9a0a4c5ae429769e3253a9a3daefa24270b87a5b

Link:

https://www.unpac.me/results/9bf6241d-e116-4de6-8488-dbd2fd62f779/

Parent samples :

ee57b6fa1e5a3c5ef776b79f32820327bcb3fe1974eeddf65c0eb56131193397
de8c7c543f438af1e7e78096f6873268e9b1a12745edf9c88db07e136163399e

SH256 hash:

a7485443b331c2fca54197f53638cb11a8c82bac339b66f35b95d0ad0aceb438

MD5 hash:

dfca41d2838170cb07ef445bb7d9c987

SHA1 hash:

7622672bed23f065cafdf2a17879ebf5926aba8b

Link:

https://www.unpac.me/results/9bf6241d-e116-4de6-8488-dbd2fd62f779/

SH256 hash:

c678d246a9bffcde7a88ea1d0eec2ccb36182b8e7655f69019cebecc6691c706

MD5 hash:

5a65c04ab4adbc2b2ba03698e0b90c5a

SHA1 hash:

1d19f8df5c1d9c3c59367834380f954e7a191648

Detections:

snake_keylogger

Link:

https://www.unpac.me/results/9bf6241d-e116-4de6-8488-dbd2fd62f779/

Parent samples :

61242d372c2335940696dbf6d7ea85fbd95bd192d40a2e347faf43d9cbd04c82
aec1fac2d6bb7c644aa0d34bc37c4a95517fe4f903b99b433f195bed50efbe67
0f79d5a95f0a777647c8f37dac2111cc426b2a3da30d7edaced49e980e0910a6

SH256 hash:

fbec0ef52fa7bdcbc2bf0356ec0c64d2755968a07df3dd0d176937cce112bede

MD5 hash:

28bacebf49b3f97c17d7928f37c6694c

SHA1 hash:

087133cd1b465f9d391b2fe40461cef7917f6c29

Link:

https://www.unpac.me/results/9bf6241d-e116-4de6-8488-dbd2fd62f779/

SH256 hash:

61242d372c2335940696dbf6d7ea85fbd95bd192d40a2e347faf43d9cbd04c82

MD5 hash:

0c6c529ac402229837a07c0d09d4b841

SHA1 hash:

79e24c6f76464478bd88c45b0d0dd50296d5fd07

Link:

https://www.unpac.me/results/9bf6241d-e116-4de6-8488-dbd2fd62f779/

Malware family:

SnakeKeylogger

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/61242d372c23/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/61242d372c2335940696dbf6d7ea85fbd95bd192d40a2e347faf43d9cbd04c82

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	pe_imphash Create hunting rule

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method

Other

Cape

https://www.capesandbox.com/analysis/390567/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample