MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 6878e66635507e66a07e77bfce182941bb31354badbcee2cc1a013d29f4ccdce. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


SnakeKeylogger


Vendor detections: 15


Intelligence 15 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 6878e66635507e66a07e77bfce182941bb31354badbcee2cc1a013d29f4ccdce
SHA3-384 hash: c81e60b04dbc2d0b0374decd8e71620ebbbc2529dfc6d56ae46ea1dea7106e7efc57fadf99d62696b33633fe416993b5
SHA1 hash: 968b5efca650e7c9ae4915fce62f8775bbcd6d34
MD5 hash: b6680766630014655fa9c668f078ca03
humanhash: victor-oscar-coffee-kentucky
File name:acJQXe9N285gkR0.exe
Download: download sample
Signature SnakeKeylogger
Create hunting rule
File size:690'176 bytes
First seen:2023-04-03 12:22:32 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'650 x AgentTesla, 19'462 x Formbook, 12'203 x SnakeKeylogger)
ssdeep 12288:Z5CBWKdq1FbwwJLwrSJPkEhtb0cSJKCDhkBIA5u5tyA///SULId9Ww9:6frpblcFCDqm/Pz//Sv9
Threatray 21 similar samples on MalwareBazaar
TLSH T173E42209301CE726CA2D8BF79412912417B8FA675553D7BE2CDE18EF9A12B08C985DCF
TrID 71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.2% (.EXE) Win64 Executable (generic) (10523/12/4)
6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.3% (.EXE) Win32 Executable (generic) (4505/5/1)
2.0% (.ICL) Windows Icons Library (generic) (2059/9)
Reporter abuse_ch
Tags:exe SnakeKeylogger

Intelligence

File Origin
# of uploads :
1
# of downloads :
185
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
acJQXe9N285gkR0.exe
Verdict:
Malicious activity
Analysis date:
2023-04-03 12:23:29 UTC
Tags:
snake keylogger trojan evasion
Link:
https://app.any.run/tasks/91a78ff2-5aff-40e3-ac85-52fbb994a07d

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Snake
Create hunting rule
Link:
https://www.capesandbox.com/analysis/379607/
Detection(s):
SecuriteInfo.com.Trojan.PackedNET.1941.10485.9977.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a custom TCP request
Сreating synchronization primitives
Launching a process
Creating a process with a hidden window
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
packed
Link:
https://www.filescan.io/uploads/642ac52fc56b2da73aca8455/reports/effee86d-afc3-402e-8ed2-c637a5093c3a/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_100%
Link:
https://www.hybrid-analysis.com/sample/6878e66635507e66a07e77bfce182941bb31354badbcee2cc1a013d29f4ccdce
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Snake Keylogger
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/2bd5b8c4-e84b-4737-a176-2ddd8459b3d2
Result
Threat name:
Snake Keylogger
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1207506
Signature
Adds a directory exclusion to Windows Defender
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
May check the online IP address of the machine
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Scheduled temp file as task from temp location
Snort IDS alert for network traffic
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Mail credentials (via file / registry access)
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected Generic Downloader
Yara detected Snake Keylogger
Yara detected Telegram RAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 840425 Sample: acJQXe9N285gkR0.exe Startdate: 03/04/2023 Architecture: WINDOWS Score: 100 49 Snort IDS alert for network traffic 2->49 51 Malicious sample detected (through community Yara rule) 2->51 53 Sigma detected: Scheduled temp file as task from temp location 2->53 55 5 other signatures 2->55 7 acJQXe9N285gkR0.exe 7 2->7         started        11 vmoRqI.exe 5 2->11         started        process3 file4 33 C:\Users\user\AppData\Roaming\vmoRqI.exe, PE32 7->33 dropped 35 C:\Users\user\...\vmoRqI.exe:Zone.Identifier, ASCII 7->35 dropped 37 C:\Users\user\AppData\Local\...\tmp706D.tmp, XML 7->37 dropped 39 C:\Users\user\...\acJQXe9N285gkR0.exe.log, ASCII 7->39 dropped 57 Uses schtasks.exe or at.exe to add and modify task schedules 7->57 59 Adds a directory exclusion to Windows Defender 7->59 13 MSBuild.exe 15 2 7->13         started        17 powershell.exe 21 7->17         started        19 schtasks.exe 1 7->19         started        61 Multi AV Scanner detection for dropped file 11->61 63 Machine Learning detection for dropped file 11->63 21 MSBuild.exe 2 11->21         started        23 schtasks.exe 1 11->23         started        25 MSBuild.exe 11->25         started        signatures5 process6 dnsIp7 41 checkip.dyndns.com 193.122.130.0, 49696, 80 ORACLE-BMC-31898US United States 13->41 43 checkip.dyndns.org 13->43 65 May check the online IP address of the machine 13->65 27 conhost.exe 17->27         started        29 conhost.exe 19->29         started        45 132.226.8.169, 49697, 80 UTMEMUS United States 21->45 47 checkip.dyndns.org 21->47 67 Tries to steal Mail credentials (via file / registry access) 21->67 69 Tries to harvest and steal ftp login credentials 21->69 71 Tries to harvest and steal browser information (history, passwords, etc) 21->71 31 conhost.exe 23->31         started        signatures8 process9
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/6878e66635507e66a07e77bfce182941bb31354badbcee2cc1a013d29f4ccdce/
Threat name:
ByteCode-MSIL.Trojan.Pwsx
Create hunting rule
Status:
Malicious
First seen:
2023-04-03 12:23:11 UTC
File Type:
PE (.Net Exe)
Extracted files:
17
AV detection:
15 of 24 (62.50%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=nb4omzrvkb7gnid6o6744gbjig5tcnklvw6o4lgbuaj5fh2mzxha._file
Verdict:
malicious
Similar samples:
1035c0af69138d45af1e8a10682c5fe707ac7e4334ea1517744da7ac67dad711
SnakeKeylogger
1f4ba3e37b0bb7a99563ad72e2314d7b3d1a0af6810576c2155facff5cda4944
SnakeKeylogger
653acedbfd1cc43d370d69f63265a58ac180689929c376ffa72fa0d3410b4cca
SnakeKeylogger
68d4adb3846e92a85cef8d51f130b2cb8631ce5e7395fc9cd18dfcffe40a5271
SnakeKeylogger
69efd675ee6737f614a8ea14f4b125b25c9b3d80ab901d2dd0024837e0e5ac29
SnakeKeylogger
9072096046bf04b2f07da98d57dea07374aeb85294ba21404dd81176839737e6
SnakeKeylogger
9c9e8b1e8e1abce02b30be300191b7424c10e0bec236fd9000e5b641c9ffc8ae
SnakeKeylogger
af6fb4c1ccf63b051ee34879d049105a0cc2226cb6f0f03c2d1efa7a67c62a16
SnakeKeylogger
d79b67e9e7380e870103acd7b29951d0a4cb5f6da18c28a21070463aad65be45
SnakeKeylogger
f218cb48273b179ab9c039a0422797a4f1a567cf893c12ce3e6d8b5bc0932b0c
SnakeKeylogger
+ 11 additional samples on MalwareBazaar
Result
Malware family:
snakekeylogger
Create hunting rule
Score:
  10/10
Tags:
family:snakekeylogger collection keylogger stealer
Link:
https://tria.ge/reports/230403-pkgvfaef29/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Enumerates physical storage devices
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Looks up external IP address via web service
Checks computer location settings
Snake Keylogger
Snake Keylogger payload
Malware Config
C2 Extraction:
https://api.telegram.org/bot6135137739:AAFjsqBSr9VlPdgQTBvFdtfoQPynWPqK2XY/sendMessage?chat_id=5618853041
Unpacked files
SH256 hash:
f6d0b01f1185fe26d59b0e90b87fcff4b43771b5358622b47b2d9eba16c4710b
MD5 hash:
d9e6a87ce2f1c18a0c550bb9b411eb2a
SHA1 hash:
ceb50704b2d05ae15bbb902e5d71461dccf35e73
Detections:
snake_keylogger
Create hunting rule
Link:
https://www.unpac.me/results/2308567d-9444-43bf-8514-3f633f91a030/
SH256 hash:
eda7b1f9e050f1bd5a55c30079191202ec06979e275a3f84bdc12430c17e89a6
MD5 hash:
cfea11a80b9b331d9b1d3112cf3637ee
SHA1 hash:
9a99e7a7d31e7c5956daa9e39cc64a656561bc2f
Link:
https://www.unpac.me/results/2308567d-9444-43bf-8514-3f633f91a030/
SH256 hash:
8e3e9ed96d034e9f8ee6b479a30e97c8122238481fb172b44c4a5c342798f2d9
MD5 hash:
bc424de85f3576200eb3eedd62c1a52e
SHA1 hash:
81de475929cfc89e6f7fe6e7fcba168cb4cee543
Link:
https://www.unpac.me/results/2308567d-9444-43bf-8514-3f633f91a030/
SH256 hash:
3c507afadbb1c31a9ebdd24baac5739d47576159e01c5e84f973c951885100aa
MD5 hash:
e79bf0e7e9d52d398e0b23b352394c68
SHA1 hash:
682325763a0ec77e0fd475ea3a4021b4651eceac
Link:
https://www.unpac.me/results/2308567d-9444-43bf-8514-3f633f91a030/
SH256 hash:
3b27c3d09ed2a19079a5d8c55ec28aaa4a6ed80135711bc58138be16b7e4aea6
MD5 hash:
6f143fb49fdcec9e2bcc2c04f7b36d63
SHA1 hash:
0106c8430a1a09d591376317b0c7d34fa3d4da9d
Link:
https://www.unpac.me/results/2308567d-9444-43bf-8514-3f633f91a030/
SH256 hash:
6878e66635507e66a07e77bfce182941bb31354badbcee2cc1a013d29f4ccdce
MD5 hash:
b6680766630014655fa9c668f078ca03
SHA1 hash:
968b5efca650e7c9ae4915fce62f8775bbcd6d34
Link:
https://www.unpac.me/results/2308567d-9444-43bf-8514-3f633f91a030/
Malware family:
SnakeKeylogger
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/6878e6663550/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/6878e66635507e66a07e77bfce182941bb31354badbcee2cc1a013d29f4ccdce

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash
Rule name:Suspicious_Macro_Presence
Create hunting rule
Author:Mehmet Ali Kerimoglu (CYB3RMX)
Description:This rule detects common malicious/suspicious implementations.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

SnakeKeylogger

Executable exe 6878e66635507e66a07e77bfce182941bb31354badbcee2cc1a013d29f4ccdce

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/379607/

Comments