MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 6894f623dddd03e3be59b6785c21962cf71686a215e2db68f83f621b01afa7ef. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


SnakeKeylogger


Vendor detections: 11


Intelligence 11 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 6894f623dddd03e3be59b6785c21962cf71686a215e2db68f83f621b01afa7ef
SHA3-384 hash: b7a4591692f1320fca6d18dce5910cef5d24511f5a6ec9361ecddedf5b4a789c39ebd680871c614983ab5ef2d347b4d4
SHA1 hash: bed77ada64b77184047eff265b75bd71f8136f41
MD5 hash: d0fea0443b598ea2060e7ad1fb4c5b8e
humanhash: sixteen-video-maine-hamper
File name:Kkoetzuo.exe
Download: download sample
Signature SnakeKeylogger
Create hunting rule
File size:763'392 bytes
First seen:2023-07-19 06:22:31 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
ssdeep 12288:SNnRIRp4ejE8krkBs5Omc1sth2pC+Fnsga0GcxgE/2:KYJkrkY41sthGGc1/
Threatray 5'622 similar samples on MalwareBazaar
TLSH T192F4A413B687CAA3F288173ED59B0C088761C98B722BD71B7ADE33A565433B6BC45507
TrID 56.5% (.EXE) Win64 Executable (generic) (10523/12/4)
11.0% (.ICL) Windows Icons Library (generic) (2059/9)
10.9% (.EXE) OS/2 Executable (generic) (2029/13)
10.7% (.EXE) Generic Win/DOS Executable (2002/3)
10.7% (.EXE) DOS Executable Generic (2000/1)
File icon (PE):PE icon
dhash icon 86bae286e6d2cce4 (5 x SnakeKeylogger, 1 x Loki)
Reporter abuse_ch
Tags:exe SnakeKeylogger

Intelligence

File Origin
# of uploads :
1
# of downloads :
283
Origin country :
NL NL
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
Kkoetzuo.exe
Verdict:
Malicious activity
Analysis date:
2023-07-19 06:28:28 UTC
Tags:
snake evasion keylogger trojan
Link:
https://app.any.run/tasks/9386f785-5ab9-46a3-a149-28d87a78830d

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/424475/
Detection(s):
SecuriteInfo.com.Win64.PWSX-gen.27345.16153.UNOFFICIAL
Create hunting rule

Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
control lolbin replace
Link:
https://www.filescan.io/uploads/64b781482ad0f7418d6a27c2/reports/e7310c33-f977-4540-b531-4e5b76427417/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_60%
Link:
https://www.hybrid-analysis.com/sample/6894f623dddd03e3be59b6785c21962cf71686a215e2db68f83f621b01afa7ef
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/c72fa3b2-a672-4a7e-934b-c8aac00c6877
Result
Threat name:
Snake Keylogger
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1275741
Signature
Found malware configuration
Injects a PE file into a foreign processes
Malicious sample detected (through community Yara rule)
May check the online IP address of the machine
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for submitted file
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Uses the Telegram API (likely for C&C communication)
Writes to foreign memory regions
Yara detected Snake Keylogger
Yara detected Telegram RAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 1275741 Sample: Kkoetzuo.exe Startdate: 19/07/2023 Architecture: WINDOWS Score: 100 41 Found malware configuration 2->41 43 Malicious sample detected (through community Yara rule) 2->43 45 Multi AV Scanner detection for submitted file 2->45 47 3 other signatures 2->47 6 Kkoetzuo.exe 15 5 2->6         started        11 Ctdmdkcctf.exe 14 2 2->11         started        13 Ctdmdkcctf.exe 2 2->13         started        process3 dnsIp4 23 cdn.discordapp.com 162.159.130.233, 443, 49706 CLOUDFLARENETUS United States 6->23 19 C:\Users\user\AppData\...\Ctdmdkcctf.exe, PE32+ 6->19 dropped 21 C:\Users\user\AppData\...\Kkoetzuo.exe.log, CSV 6->21 dropped 49 Writes to foreign memory regions 6->49 51 Modifies the context of a thread in another process (thread injection) 6->51 53 Injects a PE file into a foreign processes 6->53 15 MSBuild.exe 14 2 6->15         started        25 162.159.135.233, 443, 49709 CLOUDFLARENETUS United States 11->25 27 162.159.134.233, 443, 49710 CLOUDFLARENETUS United States 13->27 file5 signatures6 process7 dnsIp8 29 checkip.dyndns.org 15->29 31 checkip.dyndns.com 132.226.247.73, 49707, 80 UTMEMUS United States 15->31 33 2 other IPs or domains 15->33 35 May check the online IP address of the machine 15->35 37 Tries to steal Mail credentials (via file / registry access) 15->37 39 Tries to harvest and steal browser information (history, passwords, etc) 15->39 signatures9
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/6894f623dddd03e3be59b6785c21962cf71686a215e2db68f83f621b01afa7ef/
Threat name:
ByteCode-MSIL.Trojan.Leonem
Create hunting rule
Status:
Malicious
First seen:
2023-07-19 05:40:06 UTC
File Type:
PE+ (.Net Exe)
Extracted files:
7
AV detection:
18 of 38 (47.37%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=nckpmi653ub6hpszwz4fyimwft3rnbvccxrnw2hyh5rbwanpu7xq._file
Verdict:
malicious
Similar samples:
1e32754c58c05364d4948c25cb1a1bc6ca99e63353dd5980b52ba3d5cc02fd6c
SnakeKeylogger
1fff1da5f372277d993db5314aa2839be27cd3b241360a4d94832e319cfa26f8
SnakeKeylogger
32710d6d01f3d637eea39e90247dce8e2007bd9acb91c685713c7f0a1df5ed76
SnakeKeylogger
509ab6d6f1089879e023ce06a093219765d41c19e2f6252f5ae7bd276483733d
SnakeKeylogger
5cefb605e30bd3bcfc7eea4859ab2433a28c65ba1c195eea4a36406eff3939c5
SnakeKeylogger
735d68ae6995dc7bf164853989cbe9b1bc3c1ee94802f78256e7c2e389fcfc04
SnakeKeylogger
73e288b96b3f5a85046fc0ad2d5864b65c01d1f673943f0b35179af4ce39eff5
SnakeKeylogger
85558abd2b8c7a64ebb96f8c5bdd4e18f93fdd3a9c124df63d4be671eee7871c
SnakeKeylogger
d8b4e8db1b7868e011d7cb64b5035a2b47d96998a1e932d9ad459167fefda416
SnakeKeylogger
+ 5'612 additional samples on MalwareBazaar
Result
Malware family:
snakekeylogger
Create hunting rule
Score:
  10/10
Tags:
family:snakekeylogger discovery keylogger persistence stealer
Link:
https://tria.ge/reports/230719-g5gq6sgb79/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Program crash
Suspicious use of SetThreadContext
Adds Run key to start application
Looks up external IP address via web service
Creates a large amount of network flows
Snake Keylogger
Snake Keylogger payload
Malware Config
C2 Extraction:
https://api.telegram.org/bot6223040934:AAFZR7-nJPBtNtKiKjjFvb-144WYhjW9KHY/sendMessage?chat_id=6373691592
Unpacked files
SH256 hash:
6894f623dddd03e3be59b6785c21962cf71686a215e2db68f83f621b01afa7ef
MD5 hash:
d0fea0443b598ea2060e7ad1fb4c5b8e
SHA1 hash:
bed77ada64b77184047eff265b75bd71f8136f41
Link:
https://www.unpac.me/results/0d6264d8-5a44-4de3-8585-fd26fa16fba2/
Malware family:
SnakeKeylogger
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/6894f623dddd/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

SnakeKeylogger

Executable exe 6894f623dddd03e3be59b6785c21962cf71686a215e2db68f83f621b01afa7ef

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/424475/

Comments