MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 61bc7f47158933d830a50e320e75ba4ee659c2272c6df73813681d8563e9ebbc. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

SnakeKeylogger

Vendor detections: 12

Intelligence 12 IOCs YARA 2 File information Comments

SHA256 hash:	61bc7f47158933d830a50e320e75ba4ee659c2272c6df73813681d8563e9ebbc
SHA3-384 hash:	09bfc9467d2fe50c5d1608bc8d77861208137d098aa1a2307ab952c369fadafcedff4d2aec39dcc50ef354a72ff5f9ea
SHA1 hash:	898ee7f7a1c5bce61cfb43dc7d0cc2af1bc5fa44
MD5 hash:	bc3cbb77d2eb0de01bb4f57aa06d9f2c
humanhash:	montana-chicken-steak-emma
File name:	RFQ 26_2020.pdf.z.exe
Download:	download sample
Signature	SnakeKeylogger Create hunting rule
File size:	867'840 bytes
First seen:	2022-10-26 13:30:29 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'205 x SnakeKeylogger)
ssdeep	12288:XOq/oCJJ4rlXUZK2iNaK/fg00lBFWXdnWN0cnG39w26lcb:+7rlXUZK1Do9gAG39w7c
Threatray	7'644 similar samples on MalwareBazaar
TLSH	T1DC057C7427AE4F0BD0EACE34A4B1D1F016665D7B796ECB86CAC06CFB38223A1590D547
TrID	72.5% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13) 10.4% (.EXE) Win64 Executable (generic) (10523/12/4) 6.5% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 4.4% (.EXE) Win32 Executable (generic) (4505/5/1) 2.0% (.EXE) OS/2 Executable (generic) (2029/13)
Reporter	abuse_ch
Tags:	exe SnakeKeylogger

Intelligence

File Origin

# of uploads :

# of downloads :

229

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

RFQ 26_2020.pdf.z.exe

Verdict:

Malicious activity

Analysis date:

2022-10-26 13:32:01 UTC

Tags:

evasion trojan snake

Link:

https://app.any.run/tasks/3ac1c49f-1341-4999-b77c-8c7ada80e02a

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

Snake

Link:

https://www.capesandbox.com/analysis/324392/

Detection(s):

SecuriteInfo.com.MSIL.Kryptik.WZA.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

Sending a custom TCP request

Result

Verdict:

UNKNOWN

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Snake Keylogger

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/d8903558-c620-4b6d-b09f-37c16d84f943

Result

Threat name:

Snake Keylogger

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1098413

Signature

.NET source code contains potential unpacker

.NET source code references suspicious native API functions

Initial sample is a PE file and has a suspicious name

Injects a PE file into a foreign processes

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

May check the online IP address of the machine

Multi AV Scanner detection for submitted file

Snort IDS alert for network traffic

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to steal Mail credentials (via file / registry access)

Yara detected AntiVM3

Yara detected Generic Downloader

Yara detected Snake Keylogger

Yara detected Telegram RAT

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/61bc7f47158933d830a50e320e75ba4ee659c2272c6df73813681d8563e9ebbc/

Threat name:

Win32.Trojan.Leonem

Status:

Malicious

First seen:

2022-10-26 12:34:19 UTC

File Type:

PE (.Net Exe)

Extracted files:

AV detection:

22 of 41 (53.66%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=mg6h6ryvrez5qmffbyza45n2j3tftqrhfrw7ooatnaoyky7j5o6a._file

Verdict:

malicious

SnakeKeylogger

2201eda7898979f08187156740f0e2b9012da6d51f0905c3122b95c39bade49f

SnakeKeylogger

4952a1b507d5779ad9e44e2976af3b6f890fb7d9f1bb685bea255300a70cf1bf

SnakeKeylogger

5e5878e7c89a666a6f6c0f3ad414a7c3d47c85d8bab613343b531ef552127ee8

SnakeKeylogger

a9faed68a14b216b5ce314939c62695058bdddbe086042b8845aa319b098c933

SnakeKeylogger

e1db205d91abb43dcf76bca95eae329c435f225b2470f2659e7a0e12521f8fe0

SnakeKeylogger

f22041afa2bfc2b588ff3e01f3a8b866dc713c7dfb2aa142561d291f00de1c5e

SnakeKeylogger

+ 7'634 additional samples on MalwareBazaar

Result

Malware family:

snakekeylogger

Score:

10/10

Tags:

family:snakekeylogger collection keylogger spyware stealer

Link:

https://tria.ge/reports/221026-qsdcnafhcl/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

outlook_office_path

outlook_win_path

Suspicious use of SetThreadContext

Accesses Microsoft Outlook profiles

Looks up external IP address via web service

Reads data files stored by FTP clients

Reads user/profile data of local email clients

Reads user/profile data of web browsers

Snake Keylogger

Snake Keylogger payload

Gathering data

Unpacked files

SH256 hash:

5d922457df09b9ac8382b85067c66c22d7538ef391aba5e7c49322c8843690ec

MD5 hash:

cf74af5284a9afcd646a4d15c1c89067

SHA1 hash:

df3e750d593ba2918ebc64741619dc5d9c83d1bb

Link:

https://www.unpac.me/results/49082305-8591-4d0b-83f7-1a9f2a1504f6/

SH256 hash:

c433cb8ba4ed7546f62880c9983c33c18ccf5a42dae834a64d82e8c4fcdd5efd

MD5 hash:

f7f718010e122cf3d30c40483d96b344

SHA1 hash:

85ddc75a5b350e0cf6ae188d4746608ce7d0ac96

Detections:

snake_keylogger

Link:

https://www.unpac.me/results/49082305-8591-4d0b-83f7-1a9f2a1504f6/

Parent samples :

0240f6faff8e14bcaf1113c921446538cead5eb4e39ab98e5e66068b3f3a75b3
cda24e3d3a8ba88a8d2d0dab710a930bc5ca13c1c3083971a0714fb318f8f5c8
c433cb8ba4ed7546f62880c9983c33c18ccf5a42dae834a64d82e8c4fcdd5efd
f41c73c8acf70e184c320f82246f59e3d49afce5ce4362d5574365d927f1a274
d4ad5ce4fdec7a03272de766af8b37fbc6343698b02f79b90fe082805bbee4e0
8614125f0030e7ba50feb26e4182a5a6fef974bb63ba462ffe632a4eb60401ad
f09db6345fcac734d7947e06039509442bb67ad36338f5c95cfc4db43684250b
8fc6ce85bbf1ffe09f896024dbc3ab65c3d8eb13403b67c50c448b0a688e84f2
b6abfeb2f4b5b9b41a34dd97806c12c49acc96e6f08115a7a7f9a5dd0a1db7ba
34386c8bb9b1f66f769134bea8e66f8ba8043c83ef81815a3bc6be4c2c932eeb
cf61eac87e9e32c2356e1ba7f4575a566d77d3971423fab6b152887a92ce5fd6
42dda05e1400a7a68a6909ce702427acde73c0caa30eae9d35a94202785c8fd5
f18d2d065b11a522118286f168308dc5bb012e9be93ba9b2b109947a5cca8ebc
c8621ed33fd881102eeaab471e0f5a3e5c766665262da60e69c0221707cd4ff2
174dc014b5ce03bf58ec6b7ce51e3245cad4ab121c6ca77a4081ec0baca127fd
2e111c4d9613c4d79c80bb8c172f2fb0be13ecd086c57365a44ddbc693037163
4d4d9ae7d1df32c6dbd477d6387d5570c0e8b304868aeeb68f738609f8b10518
023daf67673478dbcf9d192a79b3c7e860977540e5ecf2c276cc22dcd3853550
e2b989a7784480d0c71fcbd9842cee49fc2321b941a66ebc602467cdf685a7fb
7127b0166dbae1bd34069a99dd934345f4cf1dc01fab672070f47e22c2176bb6
f2b4cc229354335ed435a8d1f8d46f5faae4218e2482de7fcef20e6783c65e61
c56b76378b1c971bc21dfb6819a1578ef694bcaa4cf5587455edffb2f3ea72a3
1c28298d2342d343cb1e5202daac84d68787741e1e68d01a877f5658cae8615f
5714a59d68c85cc68b99965d03dc6ee4adcdb69bf1719854e0625444be18d1b7
61bc7f47158933d830a50e320e75ba4ee659c2272c6df73813681d8563e9ebbc
0d2777fc2687de0946f7fcc21bda9522034cef8322b73f94cf01afb5fe70adde
5be8bcd31c0d875b15324142117e3c67088f9c0d82e0866f5fa6727d02045f86
b3835043f8dcce1db6ccc2c7001092974cb8c891858f226fac1e4fa7015348a0
04cb7f26c4b9788f2271c0a08c5c867f3a52a2079a744522b6a8027b5a53f4d0
55f050354276f1d2c5c318fd6008cdd3bd18f061182675e86dde829e50e8df71
380683938b5bfa921c1205276053d6c9627a6123c48721562058ddbf306a5257
bcfdfb5073ac28ac7605bfc46a0b8b568146c6029519e3c9ab4ed6ebf42c95aa
47ddfd857cfbfde58f7599c330823dd214cb0b7f1f10c3762ecc617e06c1be1a
65d0c541425d117d3a7cae9f870b5d3b14968066e0d1af76a6a511b4022eae28
704a40d5b442b0389975c80b40cb26a96f83fac19634aa11894797512f87329b
cb01bd4afcf3723bcedcb253313b24e4e9538721774b99bfbe949f1b7f4e52e4
f70c088856b498d1660a080b978db81ea7e4488d7013587487f840c7b84d6859
d68266d44d18118b13f34a9c7ac9fb28d607d7b34c1a3f60145bfc1147a40177

SH256 hash:

3ba16a92b2b40d38c6e5e30f882a4c60b3838611868d990b7d986eb4018c17cb

MD5 hash:

16d6f358cc62b12dc869da8a59b03eda

SHA1 hash:

5eaf3662fbd4193086df2ba7233e9652542be8a3

Link:

https://www.unpac.me/results/49082305-8591-4d0b-83f7-1a9f2a1504f6/

SH256 hash:

cfc16a2dbb933b1b85807d48966e9301b9fc34f4c44e7357713ca88b54bf4ab4

MD5 hash:

aabd0bdc81026ade6c57383f21d5c227

SHA1 hash:

4b26936bb8c03be6d7963184215a5ab594ecb765

Link:

https://www.unpac.me/results/49082305-8591-4d0b-83f7-1a9f2a1504f6/

SH256 hash:

84a50f917fc2d536eddc4eb283a679d8639ea5dd74961edaaa033d7f2e23eb0f

MD5 hash:

001045138ac983c32ca5f705839eb19f

SHA1 hash:

39d5159008c50a7a395385ec89a8a58fc4f3281c

Link:

https://www.unpac.me/results/49082305-8591-4d0b-83f7-1a9f2a1504f6/

SH256 hash:

61bc7f47158933d830a50e320e75ba4ee659c2272c6df73813681d8563e9ebbc

MD5 hash:

bc3cbb77d2eb0de01bb4f57aa06d9f2c

SHA1 hash:

898ee7f7a1c5bce61cfb43dc7d0cc2af1bc5fa44

Link:

https://www.unpac.me/results/49082305-8591-4d0b-83f7-1a9f2a1504f6/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Suspicious File

Score:

0.65

Link:

https://yomi.yoroi.company/submissions/61bc7f47158933d830a50e320e75ba4ee659c2272c6df73813681d8563e9ebbc

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	pe_imphash Create hunting rule

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/324392/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample