MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 6814fda77ec8db64269a9a5b86777b1d87708ccecb96e6e762b3cdc4912940bb. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


SnakeKeylogger


Vendor detections: 13


Intelligence 13 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 6814fda77ec8db64269a9a5b86777b1d87708ccecb96e6e762b3cdc4912940bb
SHA3-384 hash: 861b99ec3df0e1e4722807d61dd2a1d1cb16898eee34bce4817105af194cc9fb2f2cd9e5647fcc1d9853fd90361ff46f
SHA1 hash: 9365385fa86a34cf621a7add4a3a0b119e860f28
MD5 hash: cd020073e8cf77061a01eb95105c7757
humanhash: dakota-vegan-utah-nine
File name:EDQM 0080527850.exe
Download: download sample
Signature SnakeKeylogger
Create hunting rule
File size:971'264 bytes
First seen:2023-04-08 13:14:54 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 24576:W1QhklU0YNGeZnv5uLkXBazCamCbXzzJF3:We0YNjZv5uLkxazCamCb7
Threatray 95 similar samples on MalwareBazaar
TLSH T11125AEC46AC58BD0C037B075B04ACAF3C7D2092AD099DAF138D7658A95D2E525CF68EF
TrID 69.7% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.0% (.EXE) Win64 Executable (generic) (10523/12/4)
6.2% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.2% (.EXE) Win32 Executable (generic) (4505/5/1)
1.9% (.EXE) Win16/32 Executable Delphi generic (2072/23)
Reporter abuse_ch
Tags:exe SnakeKeylogger

Intelligence

File Origin
# of uploads :
1
# of downloads :
245
Origin country :
NL NL
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
EDQM 0080527850.exe
Verdict:
Malicious activity
Analysis date:
2023-04-08 13:17:14 UTC
Tags:
snake keylogger trojan evasion
Link:
https://app.any.run/tasks/c58134ee-ebba-4f63-b6fa-7fc31261d598

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/380889/
Detection(s):
SecuriteInfo.com.MSIL.Kryptik.WZA.UNOFFICIAL
Create hunting rule

Sanesecurity.Malware.28872.BadIN4.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
packed
Link:
https://www.filescan.io/uploads/643168ddbf68c1790afb000a/reports/ca08e000-ad2e-4bb0-ba5c-140646209269/overview
Verdict:
Malicious
Labled as:
Trojan.Generic
Link:
https://www.hybrid-analysis.com/sample/6814fda77ec8db64269a9a5b86777b1d87708ccecb96e6e762b3cdc4912940bb
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/07c6691d-5499-48f3-a3f9-7ac769cb5ae9
Result
Threat name:
Snake Keylogger
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1210570
Signature
.NET source code contains potential unpacker
Adds a directory exclusion to Windows Defender
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
May check the online IP address of the machine
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Scheduled temp file as task from temp location
Snort IDS alert for network traffic
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Mail credentials (via file / registry access)
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected Generic Downloader
Yara detected Snake Keylogger
Yara detected Telegram RAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 843486 Sample: EDQM_0080527850.exe Startdate: 08/04/2023 Architecture: WINDOWS Score: 100 34 checkip.dyndns.org 2->34 36 checkip.dyndns.com 2->36 42 Snort IDS alert for network traffic 2->42 44 Malicious sample detected (through community Yara rule) 2->44 46 Sigma detected: Scheduled temp file as task from temp location 2->46 48 7 other signatures 2->48 8 EDQM_0080527850.exe 7 2->8         started        12 gBhIbOUqtkkm.exe 2 2->12         started        signatures3 process4 file5 26 C:\Users\user\AppData\...\gBhIbOUqtkkm.exe, PE32 8->26 dropped 28 C:\Users\...\gBhIbOUqtkkm.exe:Zone.Identifier, ASCII 8->28 dropped 30 C:\Users\user\AppData\Local\...\tmpAACD.tmp, XML 8->30 dropped 32 C:\Users\user\...DQM_0080527850.exe.log, ASCII 8->32 dropped 50 May check the online IP address of the machine 8->50 52 Uses schtasks.exe or at.exe to add and modify task schedules 8->52 54 Adds a directory exclusion to Windows Defender 8->54 56 Injects a PE file into a foreign processes 8->56 14 EDQM_0080527850.exe 15 2 8->14         started        18 powershell.exe 17 8->18         started        20 schtasks.exe 1 8->20         started        58 Multi AV Scanner detection for dropped file 12->58 60 Machine Learning detection for dropped file 12->60 signatures6 process7 dnsIp8 38 checkip.dyndns.com 193.122.6.168, 49699, 80 ORACLE-BMC-31898US United States 14->38 40 checkip.dyndns.org 14->40 62 Tries to steal Mail credentials (via file / registry access) 14->62 64 Tries to harvest and steal ftp login credentials 14->64 66 Tries to harvest and steal browser information (history, passwords, etc) 14->66 22 conhost.exe 18->22         started        24 conhost.exe 20->24         started        signatures9 process10
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/6814fda77ec8db64269a9a5b86777b1d87708ccecb96e6e762b3cdc4912940bb/
Threat name:
Win32.Trojan.Leonem
Create hunting rule
Status:
Malicious
First seen:
2023-04-07 17:18:06 UTC
File Type:
PE (.Net Exe)
Extracted files:
11
AV detection:
13 of 24 (54.17%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=nakp3j36zdnwiju2tjnym533dwdxbdgozolonz3cwpg4jejjic5q._file
Verdict:
malicious
Similar samples:
16e5b2307f57c405eeb692bc1d64d4141b47f463961408eb2668a3fb9c447ee6
SnakeKeylogger
1bf64774f61263239f047cc53aa4547004ae333c534563d05c0e82fa2824eeb2
SnakeKeylogger
20c98ec48a5ee8e4c51f806712ad69bdda873da9ae3c4d2fba764bcc3b899c6f
SnakeKeylogger
560d725c51733509f17d4a1b647cb5cfea3f400cfcc9cbab82da116419db1297
SnakeKeylogger
639eef62ddbf109ec8d92cb3ef3d48f93e1fff28fdf2d89feeba0fd3d61779a0
SnakeKeylogger
6a6930904ed46de39b2d039cfbfb4249ca73081043d2cf79ff7d4d7703154ba8
SnakeKeylogger
7a59016d956677cd8e7e13efcc21f7ee7fc04fc0485e8cdc164a7ac160749521
SnakeKeylogger
ccb3662491d30e18ac08fddd73eb21d47971f9875e898803bc3fc33cfe3d0d96
SnakeKeylogger
f0e160fc8c0dacffdd789b3a91933fd9c3d629077d25e29a4f69217220689374
SnakeKeylogger
fdb92c62f94ffa5a8e8c9196783e198490990cbdde77bc84c1c342b6a165d59b
SnakeKeylogger
+ 85 additional samples on MalwareBazaar
Result
Malware family:
snakekeylogger
Create hunting rule
Score:
  10/10
Tags:
family:snakekeylogger collection keylogger spyware stealer
Link:
https://tria.ge/reports/230408-qg8dnadd79/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Enumerates physical storage devices
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Looks up external IP address via web service
Checks computer location settings
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Snake Keylogger
Snake Keylogger payload
Malware Config
C2 Extraction:
https://api.telegram.org/bot5616959587:AAExtOpZFeIG_Fr6GGD2wxulyGXrUhSr8vU/sendMessage?chat_id=2095430248
Unpacked files
SH256 hash:
b39e3493a1c80e36f9983986bd9eb93a4065a2e68b36ddcbb92994b1ab64ca29
MD5 hash:
dd3bd46d5d3d780c3389c824ef62d696
SHA1 hash:
620d01a22ad8489f1ccdd787e94f6e89287681c1
Link:
https://www.unpac.me/results/8ca3b44e-8049-4566-bf10-232cc9ae4036/
SH256 hash:
d0284e4cd27a97845d8d4bb45fa7dc7b0d5b7301ef5a082d250ac5e63fe1e130
MD5 hash:
d609c54e9934152bfac5d1145ef5383c
SHA1 hash:
2c4711c46581af86f12622afd766d26137a7b2ec
Detections:
snake_keylogger
Create hunting rule
Link:
https://www.unpac.me/results/8ca3b44e-8049-4566-bf10-232cc9ae4036/
Parent samples :
98aec31af0a8a5abc9d25b32efbb5b4cd5b54d2a2810e196c00ea77d9969b12b
7ce06c4227d8b111e23ea4af903379bef4211205ff6a6a582aa7c74149ec8b47
341db7699f4f2349d2cec4a85f09a899b322268b811d722aa9da9e035c0db874
6814fda77ec8db64269a9a5b86777b1d87708ccecb96e6e762b3cdc4912940bb
bffea4bf5d2cda8c23b02e73e1a5cc9a43da3816c7193f23db798e4982916c66
SH256 hash:
3289947f3622a27cb2a9596e76094efc8a0c0c9dfc1dcba394a8d0a1ec6c04a3
MD5 hash:
df4dda4980949ea2d430743d93af3600
SHA1 hash:
947c24bb61cefed149e48a65bcc053f14aff314d
Link:
https://www.unpac.me/results/8ca3b44e-8049-4566-bf10-232cc9ae4036/
SH256 hash:
3c507afadbb1c31a9ebdd24baac5739d47576159e01c5e84f973c951885100aa
MD5 hash:
e79bf0e7e9d52d398e0b23b352394c68
SHA1 hash:
682325763a0ec77e0fd475ea3a4021b4651eceac
Link:
https://www.unpac.me/results/8ca3b44e-8049-4566-bf10-232cc9ae4036/
SH256 hash:
ae09f69ae1f8064255a4cc374070d4a882a3abba00639ee1c206eed3f2982e98
MD5 hash:
c75f4fc5f57dcfda371b334c7baa78b0
SHA1 hash:
608bea0ef153549552916b3089ac2b7334b07464
Link:
https://www.unpac.me/results/8ca3b44e-8049-4566-bf10-232cc9ae4036/
SH256 hash:
6814fda77ec8db64269a9a5b86777b1d87708ccecb96e6e762b3cdc4912940bb
MD5 hash:
cd020073e8cf77061a01eb95105c7757
SHA1 hash:
9365385fa86a34cf621a7add4a3a0b119e860f28
Link:
https://www.unpac.me/results/8ca3b44e-8049-4566-bf10-232cc9ae4036/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.51
Link:
https://yomi.yoroi.company/submissions/6814fda77ec8db64269a9a5b86777b1d87708ccecb96e6e762b3cdc4912940bb

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

SnakeKeylogger

Executable exe 6814fda77ec8db64269a9a5b86777b1d87708ccecb96e6e762b3cdc4912940bb

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/380889/

Comments