MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 6f6a660ce89f6ea5bbe532921ddc4aa17bcd3f2524aa2461d4be265c9e7328b9. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


SnakeKeylogger


Vendor detections: 10


Intelligence 10 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 6f6a660ce89f6ea5bbe532921ddc4aa17bcd3f2524aa2461d4be265c9e7328b9
SHA3-384 hash: 2147d4648664df5259d965bfe6d7f6dddd3bd8f63df3b3e1d8ba07aaf500e4c188cc39b0a480b68acde11dcaac9666ca
SHA1 hash: 5a615f862aaf6f8a17aa33b2f687909a6f9f0ab4
MD5 hash: e17602e8561e5da8a321f44610fd119b
humanhash: stairway-steak-island-juliet
File name:e17602e8561e5da8a321f44610fd119b.hta
Download: download sample
Signature SnakeKeylogger
Create hunting rule
File size:52'101 bytes
First seen:2024-08-10 07:24:47 UTC
Last seen:Never
File type:HTML Application (hta) hta
MIME type:text/html
ssdeep 192:4YfXToTvWlaJTGTlRtyLR8Nt8zMtJ8TZQ:fssalq7tyLR8NtPteG
TLSH T1433333DEAF47CC1ED7028B11E9CD72D9C3AD8F4BE017117C811166465F12A86C5C3A98
Reporter abuse_ch
Tags:hta SnakeKeylogger

Intelligence

File Origin
# of uploads :
1
# of downloads :
102
Origin country :
NL NL
Vendor Threat Intelligence
Detection(s):
SecuriteInfo.com.JS.Obfus-95.UNOFFICIAL
Create hunting rule

Verdict:
Malicious
Score:
97.4%
Link:
https://cyber-fortress.com/docs/result/index.php?id=66b715d0aa5b40be0a9ff0be
Tags:
Discovery Execution Exploit Generic Network Stealth Trojan Html
Result
Verdict:
Malicious
File Type:
HTA File - Malicious
Link:
https://app.docguard.net/6f6a660ce89f6ea5bbe532921ddc4aa17bcd3f2524aa2461d4be265c9e7328b9/results/dashboard
Payload URLs
URL
File name
http://192.3.176.138/107/sahost.exe
HTA File
Behaviour
BlacklistAPI detected
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Link:
https://www.filescan.io/uploads/66b715cfb1392db6bab1da59/reports/3c34bf81-1a46-4c0c-8c51-a0e99bf147df/overview
Verdict:
Unknown
Link:
https://www.hybrid-analysis.com/sample/6f6a660ce89f6ea5bbe532921ddc4aa17bcd3f2524aa2461d4be265c9e7328b9
Result
Verdict:
MALICIOUS
Details
Base64 Encoded URL
Detected an ANSI or UNICODE http:// or https:// base64 encoded URL prefix.
Result
Threat name:
Cobalt Strike, HTMLPhisher, Snake Keylog
Create hunting rule
Detection:
malicious
Classification:
phis.troj.spyw.expl.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1490955
Signature
.NET source code contains potential unpacker
.NET source code contains very large array initializations
Adds a directory exclusion to Windows Defender
AI detected suspicious sample
Detected Cobalt Strike Beacon
Found malware configuration
Injects a PE file into a foreign processes
Loading BitLocker PowerShell Module
Machine Learning detection for dropped file
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
PowerShell case anomaly found
Powershell drops PE file
Sigma detected: Dot net compiler compiles file from suspicious location
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Sigma detected: Scheduled temp file as task from temp location
Sigma detected: Suspicious MSHTA Child Process
Suspicious command line found
Suspicious powershell command line found
Tries to detect the country of the analysis system (by using the IP)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected AntiVM3
Yara detected Generic Downloader
Yara detected HtmlPhish44
Yara detected Powershell decode and execute
Yara detected Snake Keylogger
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1490955 Sample: 1enkJkLfUr.hta Startdate: 10/08/2024 Architecture: WINDOWS Score: 100 66 reallyfreegeoip.org 2->66 68 checkip.dyndns.org 2->68 70 2 other IPs or domains 2->70 96 Multi AV Scanner detection for domain / URL 2->96 98 Found malware configuration 2->98 100 Malicious sample detected (through community Yara rule) 2->100 104 15 other signatures 2->104 11 mshta.exe 1 2->11         started        14 WeENKtk.exe 2->14         started        signatures3 102 Tries to detect the country of the analysis system (by using the IP) 66->102 process4 signatures5 114 Suspicious command line found 11->114 116 PowerShell case anomaly found 11->116 16 cmd.exe 1 11->16         started        118 Multi AV Scanner detection for dropped file 14->118 120 Machine Learning detection for dropped file 14->120 122 Injects a PE file into a foreign processes 14->122 19 WeENKtk.exe 14->19         started        21 schtasks.exe 14->21         started        process6 signatures7 78 Detected Cobalt Strike Beacon 16->78 80 Suspicious powershell command line found 16->80 82 PowerShell case anomaly found 16->82 23 powershell.exe 45 16->23         started        28 conhost.exe 16->28         started        84 Tries to steal Mail credentials (via file / registry access) 19->84 86 Tries to harvest and steal browser information (history, passwords, etc) 19->86 30 conhost.exe 21->30         started        process8 dnsIp9 76 192.3.176.138, 49706, 80 AS-COLOCROSSINGUS United States 23->76 60 C:\Users\user\AppData\Roaming\sahost.exe, PE32 23->60 dropped 62 C:\Users\user\AppData\Local\...\sahost[1].exe, PE32 23->62 dropped 64 C:\Users\user\AppData\...\11yy5a01.cmdline, Unicode 23->64 dropped 110 Loading BitLocker PowerShell Module 23->110 112 Powershell drops PE file 23->112 32 sahost.exe 6 23->32         started        36 csc.exe 3 23->36         started        file10 signatures11 process12 file13 54 C:\Users\user\AppData\Roaming\WeENKtk.exe, PE32 32->54 dropped 56 C:\Users\user\AppData\Local\...\tmp569F.tmp, XML 32->56 dropped 88 Multi AV Scanner detection for dropped file 32->88 90 Detected Cobalt Strike Beacon 32->90 92 Machine Learning detection for dropped file 32->92 94 3 other signatures 32->94 38 sahost.exe 15 2 32->38         started        42 powershell.exe 23 32->42         started        44 schtasks.exe 1 32->44         started        58 C:\Users\user\AppData\Local\...\11yy5a01.dll, PE32 36->58 dropped 46 cvtres.exe 1 36->46         started        signatures14 process15 dnsIp16 72 reallyfreegeoip.org 188.114.97.3, 443, 49708, 49709 CLOUDFLARENETUS European Union 38->72 74 checkip.dyndns.com 193.122.6.168, 49707, 49710, 49713 ORACLE-BMC-31898US United States 38->74 106 Tries to steal Mail credentials (via file / registry access) 38->106 108 Loading BitLocker PowerShell Module 42->108 48 conhost.exe 42->48         started        50 WmiPrvSE.exe 42->50         started        52 conhost.exe 44->52         started        signatures17 process18
Score:
100%
Verdict:
Malware
File Type:
SCRIPT
Link:
https://malprob.io/report/6f6a660ce89f6ea5bbe532921ddc4aa17bcd3f2524aa2461d4be265c9e7328b9
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/6f6a660ce89f6ea5bbe532921ddc4aa17bcd3f2524aa2461d4be265c9e7328b9/
Threat name:
Script-WScript.Trojan.Asthma
Create hunting rule
Status:
Malicious
First seen:
2024-08-08 20:11:00 UTC
File Type:
Text
AV detection:
6 of 38 (15.79%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=n5vgmdhit5xklo7fgkjb3xckuf542pzfesvciyouxytfzhttfc4q._file
Result
Malware family:
snakekeylogger
Create hunting rule
Score:
  10/10
Tags:
family:snakekeylogger collection credential_access defense_evasion discovery execution keylogger spyware stealer
Link:
https://tria.ge/reports/240810-h8y1asvdpc/
Behaviour
Modifies Internet Explorer settings
Scheduled Task/Job: Scheduled Task
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Looks up external IP address via web service
Checks computer location settings
Executes dropped EXE
Loads dropped DLL
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Blocklisted process makes network request
Command and Scripting Interpreter: PowerShell
Downloads MZ/PE file
Evasion via Device Credential Deployment
Credentials from Password Stores: Credentials from Web Browsers
Snake Keylogger
Snake Keylogger payload
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Legit
Score:
0.00
Link:
https://yomi.yoroi.company/submissions/6f6a660ce89f6ea5bbe532921ddc4aa17bcd3f2524aa2461d4be265c9e7328b9

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:QbotStuff
Create hunting rule
Author:anonymous

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

SnakeKeylogger

HTML Application (hta) hta 6f6a660ce89f6ea5bbe532921ddc4aa17bcd3f2524aa2461d4be265c9e7328b9

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/3097119/
  
Delivery method
Distributed via web download

Comments