MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 6a6a58b907102aa75633a511d8ed5fad8b89aa637f4ddfb72d8f4cb0d9175166. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


SnakeKeylogger


Vendor detections: 14


Intelligence 14 IOCs YARA 4 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 6a6a58b907102aa75633a511d8ed5fad8b89aa637f4ddfb72d8f4cb0d9175166
SHA3-384 hash: 1ca3a6b0f156c6a628c2fadafea87fe497609b19e527a82e8fdee2a0d571cee36e77d97b1ceb99ea120be0b4b9e36063
SHA1 hash: 537325274165d6c30d923d070d1aa077ce2d8d09
MD5 hash: 720945f18dd98a6d3cb0a176d21dd124
humanhash: lithium-black-monkey-oregon
File name:Hesap Hareketleri 16-07-2023.exe
Download: download sample
Signature SnakeKeylogger
Create hunting rule
File size:548'744 bytes
First seen:2023-07-18 06:17:57 UTC
Last seen:2023-07-19 06:00:38 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'746 x AgentTesla, 19'624 x Formbook, 12'242 x SnakeKeylogger)
ssdeep 12288:XZ+qnwSg/ECh9jKTvk4XRyJbIXj/alrDymiYXF:sqnzg/xgydgjylX9iYXF
Threatray 5'350 similar samples on MalwareBazaar
TLSH T1A3C4BE3126E49F60E4BDDB76923545904BF1BD06EB61D20E7EEA31C71AB2F810273726
TrID 71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.2% (.EXE) Win64 Executable (generic) (10523/12/4)
6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.3% (.EXE) Win32 Executable (generic) (4505/5/1)
2.0% (.ICL) Windows Icons Library (generic) (2059/9)
File icon (PE):PE icon
dhash icon 68d892e8e1bccc70 (1 x njrat, 1 x SnakeKeylogger)
Reporter abuse_ch
Tags:exe geo SnakeKeylogger TUR

Intelligence

File Origin
# of uploads :
2
# of downloads :
274
Origin country :
NL NL
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
Hesap Hareketleri 16-07-2023.exe
Verdict:
Malicious activity
Analysis date:
2023-07-18 06:19:56 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/df39bbdb-0273-4bdf-847d-b981dc7955a1

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Snake
Create hunting rule
Link:
https://www.capesandbox.com/analysis/423213/
Detection(s):
SecuriteInfo.com.Win32.TrojanX-gen.18382.27680.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Running batch commands
Launching a process
Creating a file
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
overlay packed
Link:
https://www.filescan.io/uploads/64b62e9d46e64860de102012/reports/5612456d-af55-4dc9-81bc-4cf2adcf8147/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_100%
Link:
https://www.hybrid-analysis.com/sample/6a6a58b907102aa75633a511d8ed5fad8b89aa637f4ddfb72d8f4cb0d9175166
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/37c33029-efac-4515-be62-89fa32b29b8c
Result
Threat name:
DarkTortilla, Snake Keylogger
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1274866
Signature
Found malware configuration
Hides that the sample has been downloaded from the Internet (zone.identifier)
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Uses ping.exe to check the status of other devices and networks
Uses ping.exe to sleep
Yara detected DarkTortilla Crypter
Yara detected Generic Downloader
Yara detected Snake Keylogger
Yara detected Telegram RAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 1274866 Sample: Hesap_Hareketleri_16-07-2023.exe Startdate: 18/07/2023 Architecture: WINDOWS Score: 100 38 Found malware configuration 2->38 40 Malicious sample detected (through community Yara rule) 2->40 42 Multi AV Scanner detection for dropped file 2->42 44 5 other signatures 2->44 7 Hesap_Hareketleri_16-07-2023.exe 3 2->7         started        process3 file4 30 C:\...\Hesap_Hareketleri_16-07-2023.exe.log, ASCII 7->30 dropped 46 Hides that the sample has been downloaded from the Internet (zone.identifier) 7->46 11 cmd.exe 1 7->11         started        14 cmd.exe 3 7->14         started        signatures5 process6 file7 48 Uses ping.exe to sleep 11->48 50 Uses ping.exe to check the status of other devices and networks 11->50 17 PING.EXE 1 11->17         started        20 conhost.exe 11->20         started        22 reg.exe 1 1 11->22         started        32 C:\Users\user\AppData\Roaming\System.exe, PE32 14->32 dropped 24 conhost.exe 14->24         started        26 PING.EXE 1 14->26         started        28 PING.EXE 1 14->28         started        signatures8 process9 dnsIp10 34 127.0.0.1 unknown unknown 17->34 36 192.168.2.1 unknown unknown 17->36
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/6a6a58b907102aa75633a511d8ed5fad8b89aa637f4ddfb72d8f4cb0d9175166/
Threat name:
Win32.Trojan.Leonem
Create hunting rule
Status:
Malicious
First seen:
2023-07-18 04:15:30 UTC
File Type:
PE (.Net Exe)
Extracted files:
39
AV detection:
22 of 37 (59.46%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=njvfroihcavkovrtuui5r3k7vwfytktdp5g57nznr5glbwixkfta._file
Verdict:
malicious
Similar samples:
269112122917fb39eb97b3e5b00dce49486adaf1d1417dabdbb0bf0edb52aa09
SnakeKeylogger
2f0c79ee01767d02ed23922dd9d7c12715c971029fc61466629c79908385d85b
SnakeKeylogger
3105a7886bb62b4a95672ed5a801e8063dfba87139195dfc5a7cfe32f3b4edf2
SnakeKeylogger
3dedd91d5d734fdea8fa04714e99b1fdcac4c06626ad2e10aa825e71fc18c3c3
SnakeKeylogger
45a15ea41879782dd9c2991c24691c58a76031392677e65e95ec5ed987e99d13
SnakeKeylogger
552719d9dda2789ec880ab52ba8c7e695b631d6fab6d56474b4b6a4f8fe4c21e
SnakeKeylogger
5d6c03383955c4784c08bcc14b863537f7fb451fd94a1fe7706b84576fb3819b
SnakeKeylogger
6e6f28265a65efc29248f1bc10513f4c2320edba637d87f8341df71fa113dcd3
SnakeKeylogger
cb36a9a864f65b7618d6c24999a3096f343a460b65a4f1472bc9b08d0b922c78
SnakeKeylogger
+ 5'340 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  7/10
Tags:
persistence
Link:
https://tria.ge/reports/230718-g2lkysge97/
Behaviour
Checks processor information in registry
Enumerates system info in registry
Runs ping.exe
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Drops file in System32 directory
Adds Run key to start application
Executes dropped EXE
Loads dropped DLL
Unpacked files
SH256 hash:
5a65b67198819239e73ec5f3f9b6d2500d1532634706a242a738539c4a6ca043
MD5 hash:
1edf27c103e08161d7bbd18153db8f4c
SHA1 hash:
c9cd12888f625c136d6d71bbb99db34e76ef802a
Link:
https://www.unpac.me/results/bca0d9c6-8cf3-429b-b520-a06d271cbb0f/
SH256 hash:
753f470c8a987dc26efc0c804f48249358e3c0440b7d0dd17244ae77ffe2c3db
MD5 hash:
0c337b4ade00b54b752df594cfe4ea79
SHA1 hash:
1c1c59438b05a7fef78b31077f0d8a221bcd7576
Detections:
snake_keylogger
Create hunting rule
Link:
https://www.unpac.me/results/bca0d9c6-8cf3-429b-b520-a06d271cbb0f/
Parent samples :
6a6a58b907102aa75633a511d8ed5fad8b89aa637f4ddfb72d8f4cb0d9175166
5958de331a0caeb250569736c1e1d2634f0ed18526488f4ea55e7731b879c077
753f470c8a987dc26efc0c804f48249358e3c0440b7d0dd17244ae77ffe2c3db
SH256 hash:
6a6a58b907102aa75633a511d8ed5fad8b89aa637f4ddfb72d8f4cb0d9175166
MD5 hash:
720945f18dd98a6d3cb0a176d21dd124
SHA1 hash:
537325274165d6c30d923d070d1aa077ce2d8d09
Link:
https://www.unpac.me/results/bca0d9c6-8cf3-429b-b520-a06d271cbb0f/
Malware family:
SnakeKeylogger
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/6a6a58b90710/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
iSpy Keylogger
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/6a6a58b907102aa75633a511d8ed5fad8b89aa637f4ddfb72d8f4cb0d9175166

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:PE_Digital_Certificate
Create hunting rule
Author:albertzsigovits
Rule name:pe_imphash
Create hunting rule
Rule name:PE_Potentially_Signed_Digital_Certificate
Create hunting rule
Author:albertzsigovits
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

SnakeKeylogger

Executable exe 6a6a58b907102aa75633a511d8ed5fad8b89aa637f4ddfb72d8f4cb0d9175166

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/423213/

Comments