MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 6ac2c5094ab610f7fb38129fb5bc1e66e38ed0144cc19bd0dd85c4bb582a1d19. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

SnakeKeylogger

Vendor detections: 14

SHA256 hash: 6ac2c5094ab610f7fb38129fb5bc1e66e38ed0144cc19bd0dd85c4bb582a1d19
SHA3-384 hash: 4444d2c5ed20030acf2f9ba4852bf474b8451bc9c67536141570e31bc62c0f8c9d190176bb66c9550a306f09bdfc2706
SHA1 hash: be60259efa69bbcb776a727d225c98120ea5c620
MD5 hash: b23dbdb6ce8b1d0e3c6f185751935dd5
humanhash: magazine-enemy-kansas-fruit
File name: hesap bildirimi..exe (Turkish, "account notification")
Signature: SnakeKeylogger
File size: 1'216'512 bytes
First seen: 2022-10-03 07:50:03 UTC
Last seen: 2022-10-06 17:17:55 UTC
File type: Executable exe
MIME type: application/x-dosexec
imphash: f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep: 12288:euvHk2XK0W8aV7le/XN7OAKJTO1j9fQM0WvlzieK4HTN:YqK0W8aV7U/XN7tRiWvc
Threatray: 5'481 similar samples on MalwareBazaar
TLSH: T120455C91A290894AE86B06F1AC67D53026E76E9C94B4C10D4FDDBE1B77B3342305EF1E
TrID: 71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.2% (.EXE) Win64 Executable (generic) (10523/12/4)
6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.3% (.EXE) Win32 Executable (generic) (4505/5/1)
2.0% (.EXE) Win16/32 Executable Delphi generic (2072/23)
dhash icon: eeacac8cb6e2ba86 (561 x SnakeKeylogger, 142 x AgentTesla, 40 x Formbook)
Reporter: abuse_ch
Tags: exe geo SnakeKeylogger TUR

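The imphash listed above deserves a closer look before anyone pivots on it: the entry itself notes that the same value is shared by 48'652 AgentTesla and 19'463 Formbook samples. The following is an added example (not code from the MalwareBazaar page) that re-implements the imphash computation in Python and shows that this value is simply the hash of the single native import every .NET executable carries, mscoree!_CorExeMain. The import lists, function names and constant names are this example's own constructions.

```python
"""Compute a PE import hash (imphash) and show why this sample's value is
shared by tens of thousands of unrelated .NET samples.

Added example, not part of the MalwareBazaar page. It follows the same
algorithm as pefile's get_imphash() for imports by name: strip the
.dll/.ocx/.sys extension, lowercase library and function, join the
"lib.func" pairs with commas in import-table order and MD5 the result.
(pefile additionally resolves some ordinal imports to names through a
lookup table; that table is omitted here.)
"""
import hashlib
import os

# The imphash MalwareBazaar reports for this sample (from the page).
PAGE_IMPHASH = "f34d5f2d4577ed6d9ceec516c1f5a744"

# Constructed: the only native import of a managed (.NET) executable is the
# CLR entry-point stub, which every .NET compiler emits identically.
DOTNET_IMPORTS = [("mscoree.dll", "_CorExeMain")]

# Constructed: a small native Win32 import table for comparison.
NATIVE_IMPORTS = [
    ("KERNEL32.dll", "CreateFileW"),
    ("KERNEL32.dll", "WriteProcessMemory"),
    ("ADVAPI32.dll", "AdjustTokenPrivileges"),
]


def imphash(imports):
    """imports: list of (library_name, function_name) in import-table order."""
    parts = []
    for lib, func in imports:
        lib = lib.lower()
        name, ext = os.path.splitext(lib)
        if ext in (".dll", ".ocx", ".sys"):
            lib = name
        parts.append(f"{lib}.{func.lower()}")
    return hashlib.md5(",".join(parts).encode()).hexdigest()


def is_generic_dotnet_imphash(value):
    """True if the imphash is the one every plain .NET executable shares,
    i.e. it identifies the CLR loader stub rather than a malware family."""
    return value.lower() == imphash(DOTNET_IMPORTS)


if __name__ == "__main__":
    print("mscoree._corexemain ->", imphash(DOTNET_IMPORTS))
    print("equals page value  ->", imphash(DOTNET_IMPORTS) == PAGE_IMPHASH)
    print("native example     ->", imphash(NATIVE_IMPORTS))
```

For a managed sample the imphash therefore only says "this is a .NET PE"; the ssdeep, TLSH and dhash values on this page are tied to far fewer families and make better pivots.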
Intelligence


File Origin
# of uploads: 2
# of downloads: 199
Origin country: n/a

Vendor Threat Intelligence

Result
Verdict: Malware
Maliciousness:

Behaviour
Searching for the window
Creating a window
Sending a custom TCP request
Verdict: No Threat
Threat level: 2/10
Confidence: 75%
Tags: packed

Result
Verdict: UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family: Snake Keylogger
Verdict: Malicious

Result
Threat name: Snake Keylogger
Detection: malicious
Classification: troj.spyw.evad
Score: 100 / 100
Signature
.NET source code contains potential unpacker
.NET source code references suspicious native API functions
Malicious sample detected (through community Yara rule)
May check the online IP address of the machine
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Mail credentials (via file / registry access)
Yara detected AntiVM3
Yara detected Generic Downloader
Yara detected Snake Keylogger
Yara detected Telegram RAT
Behaviour

Threat name: ByteCode-MSIL.Trojan.Leonem
Status: Malicious
First seen: 2022-10-03 01:30:24 UTC
File Type: PE (.Net Exe)
Extracted files: 29
AV detection: 20 of 24 (83.33%)
Threat level: 5/5

Result
Malware family: snakekeylogger
Score: 10/10
Tags: family:snakekeylogger collection keylogger spyware stealer
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Looks up external IP address via web service
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Snake Keylogger
Snake Keylogger payload
Malware Config
C2 Extraction: https://api.telegram.org/bot5310184099:AAGxqu0IL8tjOF6Eq6x2u0gfcHhvuxRwfLU/sendMessage?chat_id=5350445922
Verdict: Suspicious
Tags: n/a
YARA: n/a

Unpacked files
SHA256 hash: cf63e9457af81a1c98f48956554e07e748f37f9e7acd88f5a38c48aaa1d925dc
MD5 hash: a6a682bb0652b09f21e8bf9ed40352e7
SHA1 hash: fa6ebb960886bf7b4f21067d019d609770433fb0
Detections: snake_keylogger
Parent samples:
94c24602a155b82d399f1fc7d998b49ff13852401458eacad8172f2baf378041
f286888db8588564fd55f45265e0e8dba3ed3bc3a028faebeab4329598aca8c0
03d111de04e5af8d0a126034372cc928d8e3ac78ff8e81a0972a35c5eeddce34
8bbd67ae0b2c475d8e6585ab3f032e589ade4838574b9ef02f9523be14e6cb2f
2c9a5406517242f170bad2fb9d01d17e8fcb15aa50129089fae78666ac5d71d4
a4642bf9cbd641619645c6f4761ef8037b3844e948f588c8bd58e32eed70fb14
4d97061314f112ff5f64d8a7ebd5ddbd8ad6f51f0fe4c104d0db4c9d0ba8de2f
1f176fdfac20ab4ddb6978f2d9bb69dff8fb113d24dcf1cce2a2f2b422ffe435
6ac2c5094ab610f7fb38129fb5bc1e66e38ed0144cc19bd0dd85c4bb582a1d19
dc0440d22e5e04a348da6604a84406ae83ba0100514523bc01914c0d58a12a80
2d04f50f400321cefee5b2b580f1949716be8190bf43c7cb6b36abd33ce2964a
73a0327037d99cc1b679dd7a845323da2380535813892602400997cd7a7495d6
75bacff6d2d5eb004e04e769d940b82708b9ce976903ff7316aa19b2fe6e794d
0225ee8b379936c1ec1680d4d7d7924e86bd0d90d495f95003417c3f99d00015
bb53ea4486abfc99270b773a2b436fd58d68d1061c184098b6f1520c20899cfd
f44752101afb7338fa8d2140aa52c7e0fd174405ae84be04ba4bacbab37dbbff
7f827d0f713c56d3ea862dd32fe8a25ad442218818d24cf68f30d29e2d2833ea
8414a2b799387045388139ba2b42085b6293cfef47df716a3d6960819d990dcf
3e63d0e2399f0f8636782e175b48e954c6ec90a8df027b11a77a817bbab176ce
8122adb4b9e54516cbcbd5329f729c63e5df60401f081e38bc770df930d277d1
932e12034f11bf69f738da781178a606e36a602107bc20f7664fc329d6c4d3c5
dfca98bd8e0eb54b1e7708da67016cff14e7de001e845afaa5c869ef5a75c0dd
43750d2354f27de904d8fec306226ed5c64b4df834912524e965aa9b95211e01
fc6b929d8045b7277b0e5db028eef63002c1f5fa952970d24a150974ed227fa8
e62512e7cf411e5f3c6b128aae7fdf86980e9c7e3b4bd4aca3e5f53b60af3237
4c68110055c5902ce7fb0b21937939ead3f5d1b3857618c4286e93653e5f2813
9d0ff50ebd77de7861b3770a71c3ddd6c9694b8c70fd2dd07aea0980f83d7247
72591e77bbafe38b00b3946db0ac4dfd559ff18a13562d6e58a9bdb10a668ae9
5184dee4018720301d37bc49fcf46eb957a4e847294902e90f34dcb277d36e2b
479d6d3179e41f5b8e6f331c099b5668dc92df52aa43790167f59f192e0d8db3
a316758201301fbb5bea1354ae7fee5f8a81e0ad449b527eb1b5c00ab475b6c0
d3169220e46eead42605fb4420da09e0c524c7a5d20b7b0d087c13c29c9de964
6c69f2907eccb9bc8715c3bbe0af8c8e55effab53abd16e5641b336f79bdc483
93efea0105183d17343bfbc418414d76c18c3fb9534a9898a8a43bfc65e20d55
7368e15e16845dd62299d43c9ecceed80ba8852a2f4ed36379337c1dd933d48a
2654c41feea51b45a2178689043103ff6b732c3dbb727b8987205a7e393017ec
bf305d7a93949463c9410b53f1c874a42e1b0b6c1966c4e82520dfcf352402ca
a7cfc4cd3bc4c1c1069e9db79a026f0fa4e362fc3adc086a996a5cc355a64f6c
8328804519cd57938377dcc004babb2ff194ef1c2f6aa3ed5636c8c49befe960
d80650ed37463b35238a439658309270ab12dd0b360f1d6dbe9b3e27fa298929
50ca265fdfe8cf164553eab678b3d6491cc940fa0adf369aceb55a66fad1d4f9
f39c440765aab25976b17266085e6ac69a2baa05d0fc02299c36cf265efec341
2a23c0997bc444edc695a4abdbf44727e453e2a1aefe737edc550fc2d334a9c4
3987c7ba08298c6fc3d6007468e751b3b751e750ea3a0ae5b2c5e699bac97002
SHA256 hash: 808b51f691d1a2b042c1db5af5c2db51e6136301f838391a87377c54810c5918
MD5 hash: 718a0a02ef3115e8bbdad0f4a4f74314
SHA1 hash: c98b9a991a5ca351248ba942ab0e8aa7d0d90425

SHA256 hash: a04c799fa302c78d04acc3b4be8ccbde2f7fa00fe515daf18a2fc7e65fad3b13
MD5 hash: d76812ec4cbc45e1e26ed36691596f7e
SHA1 hash: c854fe9792694fb464a0bed51c737ff61ccef736

SHA256 hash: 19d21a6822aaa6f29fc0a37b4afc5312ec923259e59b0635676f1324b1636a4a
MD5 hash: 18a0ef296f0032583438bd0a206549f1
SHA1 hash: 5bd9f04c09a1be25074a915ddebae69085904793

SHA256 hash: e20ec8f3c957bcb6a194ef688bae8af2015cfffb20e7baf8b2114d7b70ade4ee
MD5 hash: 35cb29046968faca7f3f3b4463449b6c
SHA1 hash: 088c8c30ec1bece0a4b5bbfe3982b073f8b95598

SHA256 hash: 6ac2c5094ab610f7fb38129fb5bc1e66e38ed0144cc19bd0dd85c4bb582a1d19
MD5 hash: b23dbdb6ce8b1d0e3c6f185751935dd5
SHA1 hash: be60259efa69bbcb776a727d225c98120ea5c620

Malware family: SnakeKeylogger
Verdict: Malicious
Please note that we are no longer able to provide a coverage score for VirusTotal.

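The Telegram Bot API URL under Malware Config is the most actionable indicator on this page: the bot token and chat_id in it belong to the operator, not the victim, so they identify the exfiltration channel exactly. The following is an added example (not part of the MalwareBazaar entry and not Snake Keylogger's own code) that parses that URL into its bot id, token and chat_id, produces a defanged form for reports, and scans constructed proxy-log lines for requests to the same bot. The log format, the function names and the field names (bot_id, token, chat_id) are this example's own assumptions.

```python
"""Parse the Telegram Bot API C2 from this sample's configuration and flag
requests to it in proxy logs.

Added example; not the MalwareBazaar page's or the malware's own code.
C2_URL is the value shown under "Malware Config"; the proxy log lines and
the field names (bot_id, token, chat_id) are constructed for this example.
"""
import re
from urllib.parse import parse_qs, urlsplit

# Extracted C2 (from the page). Snake Keylogger exfiltrates through the Bot
# API sendMessage method, so the token and chat_id belong to the operator.
C2_URL = ("https://api.telegram.org/bot5310184099:AAGxqu0IL8tjOF6Eq6x2u0gfcHhvuxRwfLU"
          "/sendMessage?chat_id=5350445922")

# Bot API path layout: /bot<token>/<method>, token = "<numeric bot id>:<secret>".
BOT_PATH = re.compile(r"^/bot(?P<bot_id>\d+):(?P<secret>[A-Za-z0-9_-]+)/(?P<method>\w+)$")


def parse_telegram_c2(url):
    """Return {bot_id, token, method, chat_id} for a Bot API URL, else None."""
    u = urlsplit(url)
    if u.hostname != "api.telegram.org":
        return None
    m = BOT_PATH.match(u.path)
    if m is None:
        return None
    chat_id = parse_qs(u.query).get("chat_id", [None])[0]
    return {
        "bot_id": m["bot_id"],
        "token": f"{m['bot_id']}:{m['secret']}",
        "method": m["method"],
        "chat_id": chat_id,
    }


def defang(url):
    """Render the indicator so it is not clickable or auto-resolved in reports."""
    u = urlsplit(url)
    scheme = "hxxps" if u.scheme == "https" else "hxxp"
    host = u.hostname.replace(".", "[.]")
    return f"{scheme}://{host}{u.path}" + (f"?{u.query}" if u.query else "")


# Constructed proxy log: "<timestamp> <client> <method> <url> <status>". The
# external-IP lookup mirrors the "Looks up external IP address" behaviour
# listed on the page; the host used for it here is illustrative only.
PROXY_LOG = """\
2022-10-03T08:01:12Z 10.20.30.41 GET https://www.example.com/ 200
2022-10-03T08:01:40Z 10.20.30.41 GET http://ip-lookup.example.net/ 200
2022-10-03T08:01:41Z 10.20.30.41 POST https://api.telegram.org/bot5310184099:AAGxqu0IL8tjOF6Eq6x2u0gfcHhvuxRwfLU/sendMessage?chat_id=5350445922 200
2022-10-03T08:02:05Z 10.20.30.77 GET https://api.telegram.org/bot1234567890:AAExampleUnrelatedBotTokenXXXXXXXX/getUpdates 200
"""


def find_telegram_bot_traffic(log_text, known_c2):
    """Return (client, bot_id, chat_id, kind) for every Bot API request.

    kind is "known-c2" when the token equals the extracted configuration's
    and "other-bot" otherwise; the latter still needs triage because Telegram
    bots have legitimate uses, so a host-only match would be noisy.
    """
    hits = []
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) < 5:
            continue
        client, url = fields[1], fields[3]
        info = parse_telegram_c2(url)
        if info is None:
            continue
        kind = "known-c2" if info["token"] == known_c2["token"] else "other-bot"
        hits.append((client, info["bot_id"], info["chat_id"], kind))
    return hits


if __name__ == "__main__":
    c2 = parse_telegram_c2(C2_URL)
    print("operator bot id:", c2["bot_id"], "chat_id:", c2["chat_id"])
    print("defanged IOC:", defang(C2_URL))
    for hit in find_telegram_bot_traffic(PROXY_LOG, c2):
        print(hit)
```

Matching on the full token is exact and low-noise; matching on api.telegram.org alone also catches legitimate bots, which is why the example reports those separately rather than dropping them. Note that Telegram traffic is TLS, so the full URL is only visible on a proxy or endpoint that sees the decrypted request; on plain network captures the SNI api.telegram.org is all that remains.
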
YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. These rules are matched against malware samples uploaded to MalwareBazaar and against any suspicious process dumps those samples create. Only results from TLP:CLEAR rules are displayed.

Rule name: pdb_YARAify
Author: @wowabiy314
Description: PDB

Rule name: pe_imphash

Rule name: Skystars_Malware_Imphash
Author: Skystars LightDefender
Description: imphash

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

SnakeKeylogger
Executable exe 6ac2c5094ab610f7fb38129fb5bc1e66e38ed0144cc19bd0dd85c4bb582a1d19 (this sample)
Delivery method: Distributed via e-mail attachment
