MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 66fc3723780e346e20f615a78c74f9252e2b95eda2141d7158666b2b94eae303. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


SnakeKeylogger


Vendor detections: 13


Intelligence 13 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 66fc3723780e346e20f615a78c74f9252e2b95eda2141d7158666b2b94eae303
SHA3-384 hash: f0d3c208b40ecabc8aeee57416f433b5e637432ee4f2aa8f6d366085838723ba4a30ace255a121b458a94116f0c5b4df
SHA1 hash: c60dffe2eae335f1a18fa0e0beb52e556d1d893c
MD5 hash: 3fc42a4a580bed8a78c79ea2d4dcd69e
humanhash: ohio-equal-oregon-timing
File name:hareketleriniz.pdf.exe
Download: download sample
Signature SnakeKeylogger
Create hunting rule
File size:609'280 bytes
First seen:2023-04-28 11:03:04 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'742 x AgentTesla, 19'607 x Formbook, 12'242 x SnakeKeylogger)
ssdeep 12288:IHydbhLrYrk9ky0CUZcvYTuEhuzZkumZHegQVttp0:ISdBv9kyjUZcvQTQZk3C
Threatray 5'331 similar samples on MalwareBazaar
TLSH T1F5D49D575065CD0FFE6AEBB091B4FF55A6F1F07324D190242BB921C9CAA9F021E8C52E
TrID 63.0% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
11.2% (.SCR) Windows screen saver (13097/50/3)
9.0% (.EXE) Win64 Executable (generic) (10523/12/4)
5.6% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
3.8% (.EXE) Win32 Executable (generic) (4505/5/1)
Reporter abuse_ch
Tags:exe geo SnakeKeylogger TUR

Intelligence

File Origin
# of uploads :
1
# of downloads :
244
Origin country :
NL NL
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
hareketleriniz.pdf.exe
Verdict:
Malicious activity
Analysis date:
2023-04-28 11:08:42 UTC
Tags:
snake keylogger trojan evasion
Link:
https://app.any.run/tasks/acce4fa4-4d19-4432-ab55-30e39eec8eec

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Snake
Create hunting rule
Link:
https://www.capesandbox.com/analysis/385417/
Detection(s):
Sanesecurity.Malware.28872.BadIN4.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Creating a window
Sending a custom TCP request
Сreating synchronization primitives
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
barys comodo lokibot packed
Link:
https://www.filescan.io/uploads/644ba82283c50e4c7d2921d2/reports/2e9f75da-56a2-4c32-9595-a937947637f6/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_100%
Link:
https://www.hybrid-analysis.com/sample/66fc3723780e346e20f615a78c74f9252e2b95eda2141d7158666b2b94eae303
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/a6813f5b-57ed-4581-a5c0-b3f77626ea4b
Result
Threat name:
Snake Keylogger, StormKitty
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1222735
Signature
.NET source code contains potential unpacker
Found malware configuration
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
May check the online IP address of the machine
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Uses an obfuscated file name to hide its real file extension (double extension)
Uses the Telegram API (likely for C&C communication)
Yara detected Generic Downloader
Yara detected Snake Keylogger
Yara detected StormKitty Stealer
Yara detected Telegram RAT
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/66fc3723780e346e20f615a78c74f9252e2b95eda2141d7158666b2b94eae303/
Threat name:
ByteCode-MSIL.Trojan.Taskun
Create hunting rule
Status:
Malicious
First seen:
2023-04-28 11:04:05 UTC
File Type:
PE (.Net Exe)
Extracted files:
6
AV detection:
15 of 24 (62.50%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=m36doi3yby2g4ihwcwtyy5hzeuxcxfpnuikb24kymzvsxfhk4mbq._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
0b8f8615ac9193f5409cc48943cdc3e66fd58027058e594b4433ba110b94e197
SnakeKeylogger
4e62540930b121dc5eb404032401ac2b37cd86b591e14c4404610a2e59f06b6d
SnakeKeylogger
9889a91e24a729669aa276f27617f5169fd9d8f0358be427ed4e4cd9bb8e5dab
SnakeKeylogger
b8e476dcba0bdaf21e70dbad37d600ee95679afc0827aed027d8441a12068e59
SnakeKeylogger
befc3edb5d02c2d1350dfea27e2ae101704b5c18827e9dba61afe446ff371730
SnakeKeylogger
bf36b9ac0998d56e00d4fa60997ba6105f5d9ace84c3e5949fe036d0315d9019
SnakeKeylogger
cc138ced1fbc3fd146c76a8ab520bc6e436b84a4cd26542e8d75ae57c435511d
SnakeKeylogger
dc9592028314f25ba440ef8629468e39714188cdd0d681e76d2e8222bec8978c
SnakeKeylogger
dce7af2c2162f2fa2be0ca63706446e0b3c4bebdf1ae8791f22cb76ca7aa375c
SnakeKeylogger
ee79d711f50c08fc3f58d643b0974e2030d5f6f0479a5e000eaef3940f099636
SnakeKeylogger
+ 5'321 additional samples on MalwareBazaar
Result
Malware family:
stormkitty
Create hunting rule
Score:
  10/10
Tags:
family:snakekeylogger family:stormkitty collection keylogger stealer
Link:
https://tria.ge/reports/230428-m591lsfd9z/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Looks up external IP address via web service
Snake Keylogger
Snake Keylogger payload
StormKitty
StormKitty payload
Malware Config
C2 Extraction:
https://api.telegram.org/bot5830566856:AAGWFy9uABhntGSW37Ll1sdhis_3Sq_arBM/sendMessage?chat_id=1467583453
Unpacked files
SH256 hash:
af0925e4c632166ff87032bc43ea4f85a3805db3782a49724d125f44c0731114
MD5 hash:
b9897ba5e468e516e162fd3790a9ddbc
SHA1 hash:
db264c796e4a36a45af11e8a7bf71cf0dadce0f0
Link:
https://www.unpac.me/results/12146b4f-face-461a-844e-27202465d158/
SH256 hash:
e5518e76f14e87bcc58a705c6f8f3a686cbffefc0e55985d17a067adfddf3688
MD5 hash:
920a2854e9c183ad2ef7d5543c296d38
SHA1 hash:
2c20da753bdf6f1a46261e2c132dd42f75c94229
Link:
https://www.unpac.me/results/12146b4f-face-461a-844e-27202465d158/
SH256 hash:
f7a8f585d8fbfa8823084bf9441e9c59f431937408a0818c585c86a464b0c6ec
MD5 hash:
f5de3fb397f47ef504330efc977fe51c
SHA1 hash:
24398d6adefa4988a3a3cb6a9fed151dd63eaafb
Link:
https://www.unpac.me/results/12146b4f-face-461a-844e-27202465d158/
SH256 hash:
66fc3723780e346e20f615a78c74f9252e2b95eda2141d7158666b2b94eae303
MD5 hash:
3fc42a4a580bed8a78c79ea2d4dcd69e
SHA1 hash:
c60dffe2eae335f1a18fa0e0beb52e556d1d893c
Link:
https://www.unpac.me/results/12146b4f-face-461a-844e-27202465d158/
Malware family:
SnakeKeylogger
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/66fc3723780e/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Password Stealer
Score:
0.90
Link:
https://yomi.yoroi.company/submissions/66fc3723780e346e20f615a78c74f9252e2b95eda2141d7158666b2b94eae303

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

SnakeKeylogger

Executable exe 66fc3723780e346e20f615a78c74f9252e2b95eda2141d7158666b2b94eae303

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/385417/

Comments