MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 649f4fa64cb61e69507ded4d8d75bdb82f21148026fd1b947375491ecc225ad7. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


SnakeKeylogger


Vendor detections: 13


Intelligence 13 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 649f4fa64cb61e69507ded4d8d75bdb82f21148026fd1b947375491ecc225ad7
SHA3-384 hash: 78f01841216532eaf227d983bcc7d607748a0d10911924fe7c1dea8ee2f47bfcf20488da851ed8a11dd8144f6bf545d0
SHA1 hash: 22f5662d663ee5a372e5b7e784989d8d63834e5a
MD5 hash: 7628d311c2c7e454acc6a1a73c89881b
humanhash: november-kentucky-solar-delta
File name:Halkbank_Ekstre_20220523_075819_154055..exe
Download: download sample
Signature SnakeKeylogger
Create hunting rule
File size:864'256 bytes
First seen:2022-05-23 13:21:00 UTC
Last seen:2022-05-23 13:58:27 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'657 x AgentTesla, 19'469 x Formbook, 12'208 x SnakeKeylogger)
ssdeep 12288:BBfT+MzlOHn5KH5fSlbXVkV6PLNuBeXbK91C:6Mz4H1lTVu6PLJX+
Threatray 3'704 similar samples on MalwareBazaar
TLSH T1CB054DD1F1508CDAED6B09F1BD2AA53024E36E9C98A4810D569DBB1776F3342209FE1F
TrID 71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.2% (.EXE) Win64 Executable (generic) (10523/12/4)
6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.3% (.EXE) Win32 Executable (generic) (4505/5/1)
2.0% (.EXE) Win16/32 Executable Delphi generic (2072/23)
File icon (PE):PE icon
dhash icon eeacac8cb6e2ba86 (561 x SnakeKeylogger, 142 x AgentTesla, 40 x Formbook)
Reporter abuse_ch
Tags:exe geo Halkbank SnakeKeylogger TUR

Intelligence

File Origin
# of uploads :
2
# of downloads :
241
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
Halkbank_Ekstre_20220523_075819_154055..exe
Verdict:
Malicious activity
Analysis date:
2022-05-24 00:45:14 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/fb6a9383-6b42-4576-b96e-240da20aae4d

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Snake
Create hunting rule
Link:
https://www.capesandbox.com/analysis/273706/
Result
Verdict:
Clean
Maliciousness:

Behaviour
Searching for the window
Creating a window
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
expand.exe obfuscated packed replace.exe
Link:
https://www.filescan.io/uploads/628b8a833ec49f83a6c47775/reports/261c1877-229f-466c-a1c5-a1b527393ed9/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Snake Keylogger
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/06fcd6a4-b2be-4e1e-b948-d3b6d9016a62
Result
Threat name:
Snake Keylogger
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/999986
Signature
.NET source code contains potential unpacker
.NET source code references suspicious native API functions
Found malware configuration
Injects a PE file into a foreign processes
Malicious sample detected (through community Yara rule)
May check the online IP address of the machine
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Mail credentials (via file / registry access)
Yara detected AntiVM3
Yara detected Generic Downloader
Yara detected Snake Keylogger
Yara detected Telegram RAT
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/649f4fa64cb61e69507ded4d8d75bdb82f21148026fd1b947375491ecc225ad7/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2022-05-23 05:48:49 UTC
File Type:
PE (.Net Exe)
Extracted files:
27
AV detection:
21 of 26 (80.77%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=mspu7jsmwypgsud55vgy25n5xaxscfeae36rxfdtover5tbclllq._file
Verdict:
malicious
Similar samples:
10c2718857ad39e2dc165eea92a9854c528f169d0f9ccf887ee62e29ec0f208f
SnakeKeylogger
1abbde2370c16b13df70225a0c251790f64f3ba70067a30e959360da730eccae
SnakeKeylogger
2e0bcd0644f82dbd6f7bc920b54bf6b4a621ac938a18d35695776f44ae6bccd0
SnakeKeylogger
347fa0ad9e11712fe0628c2454141d6fec8e995acbe7fe7461e6dbf94f2838ce
SnakeKeylogger
4f7d1f1df60c29fe9eff2e75f317a316c9ddc9afe569624a466670cf396b8d61
SnakeKeylogger
6854be3657cbb743286183f6a18048d849e9e3dd5a1ba47d1d6f2e2d05195fd5
SnakeKeylogger
b48c018d252b5974a13a65c6b67856d4f2059a90499f65037a63324e4a42001c
SnakeKeylogger
bfc2cfdeb6732fd82c5013684c3760c545b2e0a90aca8c36b3bb9049424d8f73
SnakeKeylogger
+ 3'694 additional samples on MalwareBazaar
Result
Malware family:
snakekeylogger
Create hunting rule
Score:
  10/10
Tags:
family:snakekeylogger collection keylogger spyware stealer
Link:
https://tria.ge/reports/220523-qlm9aadfa5/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Looks up external IP address via web service
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Snake Keylogger
Snake Keylogger Payload
Malware Config
C2 Extraction:
https://api.telegram.org/bot5166529015:AAHmXMIWF4K9IarF05CZj5gCu_oVRj3zFHc/sendMessage?chat_id=5170122971
Unpacked files
SH256 hash:
23ebed8ff1f6bbc93df436e7fafcbd0580751b8b628761342b9bc8a96790a9a0
MD5 hash:
d53e3ef9fae38384b9cfbd817bd75865
SHA1 hash:
af3bf205ad4b51615901128d50cb10988496e565
Link:
https://www.unpac.me/results/dd7119a9-3f50-4d02-b442-4f46e46c5117/
Parent samples :
c5d0d97ecceb4b96d309f6ae3c27cbc2b6326837765322bd84b49d8dd30078ac
fccbc2322ff9606c918673a07b68c7638c0ae6bee46a8eeba60da6715a92a1a7
9eba2f0df8e90e0471810be36a3aae12bfbc808d226ffec823927e18d429753b
7ce5acb0ec259e4f3f3aef6a8da98c0bfdb0e34918076c88c5f9a462214bc687
689df11e9923fd90bf15c3aa52a813befe084d46c3f66a5105c5a9661b24971a
SH256 hash:
cd77d6060c8e5ca29d2ef24c2f09d770ddfadfd2a31080f043e3c1bfd8789456
MD5 hash:
fa2df175f5fe926f50700719d53cdaf8
SHA1 hash:
6859a8ebf5b1b54ef4605622f572a06699564b21
Link:
https://www.unpac.me/results/dd7119a9-3f50-4d02-b442-4f46e46c5117/
SH256 hash:
e1f124052d6fa928587916260a5010af9dbfdd3d878436a27c47c74e46fa337a
MD5 hash:
2eb7b85e429787046b682e57d459dcd7
SHA1 hash:
379e6f24c7b4f147c7fec0855596dcd9c502c7dd
Link:
https://www.unpac.me/results/dd7119a9-3f50-4d02-b442-4f46e46c5117/
SH256 hash:
fdd10fb67e6276b3d848c92d4686f56b2ecbea1d629795a241ca6306a2f62d55
MD5 hash:
f20fd214bbda1a459a3eb415eec86017
SHA1 hash:
c658f61e4f308a69a4509649439814166c655e84
Link:
https://www.unpac.me/results/dd7119a9-3f50-4d02-b442-4f46e46c5117/
SH256 hash:
0039ab1762e02dab520456d617ca9e10a9bbbe931d545ff397d8a3ae597016c0
MD5 hash:
c208790a6cfc53e42e2b6ba51f60a43e
SHA1 hash:
ab659ab9b40fe1d77e51a2e5daf2f8ba82e0c3fd
Link:
https://www.unpac.me/results/dd7119a9-3f50-4d02-b442-4f46e46c5117/
SH256 hash:
649f4fa64cb61e69507ded4d8d75bdb82f21148026fd1b947375491ecc225ad7
MD5 hash:
7628d311c2c7e454acc6a1a73c89881b
SHA1 hash:
22f5662d663ee5a372e5b7e784989d8d63834e5a
Link:
https://www.unpac.me/results/dd7119a9-3f50-4d02-b442-4f46e46c5117/
Malware family:
SnakeKeylogger
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/649f4fa64cb6/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.65
Link:
https://yomi.yoroi.company/submissions/649f4fa64cb61e69507ded4d8d75bdb82f21148026fd1b947375491ecc225ad7

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/273706/

Comments