MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 6bb83e35c0188c0933962f1e4dbd1f834ff9c870d385ce8bac145e018da30a47. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

SnakeKeylogger

Vendor detections: 12

SHA256 hash: 6bb83e35c0188c0933962f1e4dbd1f834ff9c870d385ce8bac145e018da30a47
SHA3-384 hash: bd5cac7c237d42cd20e6ce3bb2dd05113ffaa60fcfb4733c0afd896953906b0f606ad4cb6748871faad0c8bc1fbccc55
SHA1 hash: eea5c1ac0da5a91870d650c4a2c4972193fb49af
MD5 hash: 865f99ded79010128eec0aa965c4ea58
humanhash: maryland-wisconsin-butter-mars
File name: Halkbank_Ekstre_20221004_08.pdf.exe
Signature: SnakeKeylogger
File size: 1'052'672 bytes
First seen: 2022-10-10 14:27:45 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'205 x SnakeKeylogger)
ssdeep: 12288:mnQh92iNQvAxLsV8xOnvMSgHSfYvLSNcW99y0bXpPjPgP17uvYabIFVRugptff0:Es1ToycEx6YGh98IRzcRB9
Threatray: 3'185 similar samples on MalwareBazaar
TLSH: T1F1254ABA3181605FD826B531C883D9B36AFB6D615212D1C765D33F6FBC490BF9A03292
TrID:
  69.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
  9.9% (.EXE) Win64 Executable (generic) (10523/12/4)
  6.2% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
  4.7% (.EXE) Win16 NE executable (generic) (5038/12/1)
  4.2% (.EXE) Win32 Executable (generic) (4505/5/1)
Reporter: abuse_ch
Tags: exe geo Halkbank SnakeKeylogger TUR

Intelligence


File Origin
# of uploads: 1
# of downloads: 207
Origin country: n/a
Vendor Threat Intelligence

Result
Verdict: Malware
Maliciousness:
Behaviour:
  Creating a window
  Creating synchronization primitives
  Creating a file in the %AppData% directory
  Enabling the 'hidden' option for recently created files
  Adding an access-denied ACE
  Creating a process from a recently created file
  Creating a process with a hidden window
  Launching a process

Result
Verdict: UNKNOWN
Details: Windows PE Executable
  Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Result
Threat name: Snake Keylogger
Detection: malicious
Classification: troj.spyw.evad
Score: 100 / 100
Behaviour:
  Behavior Graph: n/a

Result
Threat name: Win32.Trojan.Taskun
Status: Malicious
First seen: 2022-10-10 09:07:44 UTC
File Type: PE (.Net Exe)
Extracted files: 26
AV detection: 18 of 26 (69.23%)
Threat level: 5/5

Result
Malware family: snakekeylogger
Score: 10/10
Tags: family:snakekeylogger collection keylogger spyware stealer
Behaviour:
  Creates scheduled task(s)
  Suspicious behavior: EnumeratesProcesses
  Suspicious use of AdjustPrivilegeToken
  Suspicious use of WriteProcessMemory
  outlook_office_path
  outlook_win_path
  Enumerates physical storage devices
  Suspicious use of SetThreadContext
  Accesses Microsoft Outlook profiles
  Looks up external IP address via web service
  Checks computer location settings
  Reads data files stored by FTP clients
  Reads user/profile data of local email clients
  Reads user/profile data of web browsers
  Snake Keylogger
  Snake Keylogger payload
Malware Config:
  C2 Extraction: https://api.telegram.org/bot5751029513:AAFcCTwse8CZv3roeUkdxahSto8D8mbC1m4/sendMessage?chat_id=652475543

Result
Verdict: Suspicious
Tags: n/a
YARA: n/a
Unpacked files:
  SHA256 hash: ed8a7b47b12201026673e0b308f26b2a9dc3554f0876ad2684fdaaf847b17e87
  MD5 hash: 63d4889f48eb269ace6742c0be0003ea
  SHA1 hash: f8a5f2388619700946a1653ed8e4be02957f85db

  SHA256 hash: 95484123bd8d09ae5cf996f5769c10560148041202c8dc231b06d994617651c5
  MD5 hash: 13e9185394583ac85d22d1563c99eb68
  SHA1 hash: efea69c9724e8e454a792d5431536bb42f732d0e

  SHA256 hash: 70dfa4c873605ab0fcdcb62be2a970da110535280d8dc88261edbe1ed2865307
  MD5 hash: d5b0f8aff064b3e828421b48efccd312
  SHA1 hash: 724f4bc7ab4e08c45562748b739c8f7496a5ad8f

  SHA256 hash: 1383999cb3682a0a0a54fad8a8e3f0fda2d4ce6422fa35286cece258aa1844a1
  MD5 hash: d891ee2f90e3392ee593067a038f3335
  SHA1 hash: 347e96ac60f38938b0061ce5c21bec28c87f71f9

  SHA256 hash: 6bb83e35c0188c0933962f1e4dbd1f834ff9c870d385ce8bac145e018da30a47
  MD5 hash: 865f99ded79010128eec0aa965c4ea58
  SHA1 hash: eea5c1ac0da5a91870d650c4a2c4972193fb49af
Malware family: SnakeKeylogger
Verdict: Malicious
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. These rules are matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are displayed.

Rule name: INDICATOR_SUSPICIOUS_Binary_References_Browsers
Author: ditekSHen
Description: Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers.

Rule name: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook
Author: ditekSHen
Description: Detects executables with potential process hooking

Rule name: INDICATOR_SUSPICIOUS_EXE_References_Messaging_Clients
Author: ditekSHen
Description: Detects executables referencing many email and collaboration clients. Observed in information stealers

Rule name: INDICATOR_SUSPICIOUS_EXE_TelegramChatBot
Author: ditekSHen
Description: Detects executables using Telegram Chat Bot

Rule name: MALWARE_Win_SnakeKeylogger
Author: ditekSHen
Description: Detects Snake Keylogger

Rule name: MAL_Envrial_Jan18_1
Author: Florian Roth
Description: Detects Encrial credential stealer malware
Reference: https://twitter.com/malwrhunterteam/status/953313514629853184

Rule name: MAL_Envrial_Jan18_1_RID2D8C
Author: Florian Roth
Description: Detects Encrial credential stealer malware
Reference: https://twitter.com/malwrhunterteam/status/953313514629853184

Rule name: pe_imphash

Rule name: Skystars_Malware_Imphash
Author: Skystars LightDefender
Description: imphash

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Malspam
SnakeKeylogger
Executable exe 6bb83e35c0188c0933962f1e4dbd1f834ff9c870d385ce8bac145e018da30a47 (this sample)

Delivery method: Distributed via e-mail attachment
