MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 64b9c66d1790f7f9a62366c7bbcd694941f39fa86077994f0d752f70c90f56b6. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


SnakeKeylogger


Vendor detections: 13


Intelligence 13 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 64b9c66d1790f7f9a62366c7bbcd694941f39fa86077994f0d752f70c90f56b6
SHA3-384 hash: 4b277a975f705d8f540a43ce3a8624bc6a28e5d191cf950362d48a6488753986b8ea8d8d49fb10d512dc3de65468b7a2
SHA1 hash: 9b86109510ff43bcad502d89497e0fdf7812e83e
MD5 hash: 5bf2e95d5f8e1d3803270e2281b3ecef
humanhash: zulu-king-fillet-alabama
File name:eTfneS4zTZnJUHw.exe
Download: download sample
Signature SnakeKeylogger
Create hunting rule
File size:702'464 bytes
First seen:2023-02-01 14:29:39 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'666 x AgentTesla, 19'479 x Formbook, 12'209 x SnakeKeylogger)
ssdeep 12288:hSQAVVu8EkvQt2Lypq+rbXZlUBHbreSoWeh3ih9H1Adf:4VU8HvQALyfbZuBneSoBYTedf
Threatray 10'065 similar samples on MalwareBazaar
TLSH T1F9E40159C365CAF6D6A803FE05B010941B72269AF51DEB0C0EAFA3DC4897309D5693EF
TrID 47.4% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
20.2% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
8.4% (.SCR) Windows screen saver (13097/50/3)
6.8% (.EXE) Win64 Executable (generic) (10523/12/4)
4.2% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
File icon (PE):PE icon
dhash icon b1b1b17964989c06 (31 x SnakeKeylogger, 4 x AgentTesla, 3 x XWorm)
Reporter abuse_ch
Tags:exe SnakeKeylogger

Intelligence

File Origin
# of uploads :
1
# of downloads :
166
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
eTfneS4zTZnJUHw.exe
Verdict:
Malicious activity
Analysis date:
2023-02-01 14:39:35 UTC
Tags:
evasion trojan snake keylogger
Link:
https://app.any.run/tasks/1ca1b7c3-66f8-46d8-908f-330fdf97c4ef

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/359029/
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a custom TCP request
Сreating synchronization primitives
Launching a process
Creating a process with a hidden window
Verdict:
Unknown
Threat level:
  0/10
Confidence:
100%
Link:
https://www.filescan.io/uploads/63da777296add6d1cf496c50/reports/2ae408cb-67b4-4e19-9d36-12a08c18fcbe/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Generic Malware
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/a1dffd0b-edf0-42fc-b37c-2e0ac54b4405
Result
Threat name:
Snake Keylogger
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1163863
Signature
.NET source code references suspicious native API functions
Adds a directory exclusion to Windows Defender
Disables the Windows registry editor (regedit)
Disables the Windows task manager (taskmgr)
Disables Windows system restore
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
May check the online IP address of the machine
Moves itself to temp directory
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Scheduled temp file as task from temp location
Snort IDS alert for network traffic
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Mail credentials (via file / registry access)
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected AntiVM3
Yara detected Generic Downloader
Yara detected Snake Keylogger
Yara detected Telegram RAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 796632 Sample: eTfneS4zTZnJUHw.exe Startdate: 02/02/2023 Architecture: WINDOWS Score: 100 55 Snort IDS alert for network traffic 2->55 57 Malicious sample detected (through community Yara rule) 2->57 59 Sigma detected: Scheduled temp file as task from temp location 2->59 61 8 other signatures 2->61 8 eTfneS4zTZnJUHw.exe 7 2->8         started        12 GuiFGlGuPvJ.exe 5 2->12         started        process3 file4 39 C:\Users\user\AppData\...behaviorgraphuiFGlGuPvJ.exe, PE32 8->39 dropped 41 C:\Users\...behaviorgraphuiFGlGuPvJ.exe:Zone.Identifier, ASCII 8->41 dropped 43 C:\Users\user\AppData\Local\...\tmp4CE6.tmp, XML 8->43 dropped 45 C:\Users\user\...\eTfneS4zTZnJUHw.exe.log, ASCII 8->45 dropped 63 May check the online IP address of the machine 8->63 65 Uses schtasks.exe or at.exe to add and modify task schedules 8->65 67 Adds a directory exclusion to Windows Defender 8->67 14 eTfneS4zTZnJUHw.exe 18 2 8->14         started        18 powershell.exe 21 8->18         started        20 schtasks.exe 1 8->20         started        69 Multi AV Scanner detection for dropped file 12->69 71 Machine Learning detection for dropped file 12->71 73 Injects a PE file into a foreign processes 12->73 22 GuiFGlGuPvJ.exe 2 12->22         started        24 schtasks.exe 1 12->24         started        signatures5 process6 dnsIp7 47 checkip.dyndns.com 158.101.44.242, 49715, 80 ORACLE-BMC-31898US United States 14->47 49 checkip.dyndns.org 14->49 77 Moves itself to temp directory 14->77 79 Tries to steal Mail credentials (via file / registry access) 14->79 81 Tries to harvest and steal ftp login credentials 14->81 83 3 other signatures 14->83 26 reg.exe 1 1 14->26         started        29 conhost.exe 18->29         started        31 conhost.exe 20->31         started        51 193.122.6.168, 49719, 80 ORACLE-BMC-31898US United States 22->51 53 checkip.dyndns.org 22->53 33 WerFault.exe 22->33         started        35 conhost.exe 24->35         started        signatures8 process9 signatures10 75 Disables the Windows registry editor (regedit) 26->75 37 conhost.exe 26->37         started        process11
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/64b9c66d1790f7f9a62366c7bbcd694941f39fa86077994f0d752f70c90f56b6/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2023-02-01 14:30:10 UTC
File Type:
PE (.Net Exe)
Extracted files:
20
AV detection:
22 of 26 (84.62%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=ms44m3ixsd37tjrdm3d3xtljjfa7hh5imb3zstynouxxbsipk23a._file
Verdict:
malicious
Similar samples:
0d1b2fea0d5ddb060f0354f282e7fcce69fc48b55e94195f01b1ed374cf4329e
SnakeKeylogger
0f112e801121e55950a1594cc465fc16f77f67c7915b6c6831513e8168e35187
SnakeKeylogger
196135e36e7b2a6c13b68f0e22bbebbf93f9b4925911adaa72d775629d74dfcf
SnakeKeylogger
56d6ec04e6da2da0b7350720d5df69809fe2ea24dfac850ebd8f7ae89159f689
SnakeKeylogger
596335a72eac53fb62a52fc1671472c15055323287bc6e7c675f99d31562710f
SnakeKeylogger
5b5a5e8c97ff516d8161fe13a09ca8fb3fefbd8655da980058cfe8db3b4644c2
SnakeKeylogger
915c681cf24ce5aa5ac24cbe3d9fe1106966ff7467c16a3e7b002e80034da8c9
SnakeKeylogger
bd127d2fca96dd36a12bb1d5b635707b36333276e305aa2dc422340f457ecbb9
SnakeKeylogger
dcff2f1adb183112521e7b484dc2fff1bf98316fcc38f4c06eb0e39c416fa3dc
SnakeKeylogger
f1c29ad039fe4402c9eb8bf2ece05fd3365df7638c2db41a444ddea55a256e64
SnakeKeylogger
+ 10'055 additional samples on MalwareBazaar
Result
Malware family:
snakekeylogger
Create hunting rule
Score:
  10/10
Tags:
family:snakekeylogger collection evasion keylogger spyware stealer
Link:
https://tria.ge/reports/230201-rt6ahaaa69/
Behaviour
Creates scheduled task(s)
Modifies registry key
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: RenamesItself
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Enumerates physical storage devices
Program crash
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Looks up external IP address via web service
Checks computer location settings
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Disables RegEdit via registry modification
Disables Task Manager via registry modification
Snake Keylogger
Snake Keylogger payload
Malware Config
C2 Extraction:
https://api.telegram.org/bot5412042498:AAH4OVSAlB-9yvO0MxObTPVF8mPej6Ln4M4/sendMessage?chat_id=5573520537
Unpacked files
SH256 hash:
178cc7474b323b0ae6b3095ff67127726530d9d44be5cb58ba7315ef3a1199ad
MD5 hash:
159af9cf7f94d64c8120c80268965306
SHA1 hash:
fb41ab37af2c83e96d97e9cd066f90e72d4887ea
Link:
https://www.unpac.me/results/15f20d62-ec5e-47b5-aeaf-b0b5b35054af/
SH256 hash:
30f99742f9f5f7e941f28beeef66f774526209cfbcfb5328065e0c68b990f3c1
MD5 hash:
1e2f3fb4b9eae2bde9b5c250d558f095
SHA1 hash:
f30fe77b179ff7623308c6d8e6f03b6e090ce56e
Detections:
snake_keylogger
Create hunting rule
Link:
https://www.unpac.me/results/15f20d62-ec5e-47b5-aeaf-b0b5b35054af/
Parent samples :
bbeb2bc4ebccbf94ad87dd8f650d4b9e2b9dc65b0fe9e785a44a4f8e464b575e
2f77a0882a1faa6b040bb17d2bc63a5a154835d46adedd98339eba6599974655
64b9c66d1790f7f9a62366c7bbcd694941f39fa86077994f0d752f70c90f56b6
4fc2e821a7e7d72363cbc61a1fb1ed5a4cd1c06c09b3794b1ac24ef2fd73b4fd
SH256 hash:
59ab83bdc0e2f903d24716aea8bcfff62045a329bac26ae893205d70e25d51e6
MD5 hash:
26a4d83c2d668801c3a9bbf0ababd1ca
SHA1 hash:
8473977a45d693e67f670e5cc7c9e7985fc35dbf
Link:
https://www.unpac.me/results/15f20d62-ec5e-47b5-aeaf-b0b5b35054af/
SH256 hash:
2bfa3bd31ee9f0cde841d3c5b57062b3cef590fb9bbcc1c60f5be18da46eaff6
MD5 hash:
a05ded58bb79586888c2bcc7ec2e9a15
SHA1 hash:
24026b39308a1f8a40f78f2160ad48ecf75bd443
Link:
https://www.unpac.me/results/15f20d62-ec5e-47b5-aeaf-b0b5b35054af/
SH256 hash:
ff1b42ea7d56a37eae801adbddb7116f52a4664c0b41302736f522852edc2747
MD5 hash:
89ac57478044c57c7195943116a521e0
SHA1 hash:
1ff2bafeed795423e3538d810bda8e1e3fcdcfa5
Link:
https://www.unpac.me/results/15f20d62-ec5e-47b5-aeaf-b0b5b35054af/
SH256 hash:
64b9c66d1790f7f9a62366c7bbcd694941f39fa86077994f0d752f70c90f56b6
MD5 hash:
5bf2e95d5f8e1d3803270e2281b3ecef
SHA1 hash:
9b86109510ff43bcad502d89497e0fdf7812e83e
Link:
https://www.unpac.me/results/15f20d62-ec5e-47b5-aeaf-b0b5b35054af/
Malware family:
SnakeKeylogger
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/64b9c66d1790/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/64b9c66d1790f7f9a62366c7bbcd694941f39fa86077994f0d752f70c90f56b6

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/359029/

Comments