MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 6fccc54b1735e68508ccfdad83f18a26226257c153b714d8cff7d0cffe905423. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


SnakeKeylogger


Vendor detections: 9


Intelligence 9 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 6fccc54b1735e68508ccfdad83f18a26226257c153b714d8cff7d0cffe905423
SHA3-384 hash: f6178072ec1fa7e48061cc0a0dbff8d68b24e565682662fabe675c017b0907508a0559647ff77fc0dc2596d0a4913ca3
SHA1 hash: 27629d34786f67e20c31e4ab3ee88276fc8e51a4
MD5 hash: c4e2b85e0285bd6fc888c326a4724ba8
humanhash: juliet-florida-zebra-emma
File name:PRICE OFFER_01321.exe
Download: download sample
Signature SnakeKeylogger
Create hunting rule
File size:715'776 bytes
First seen:2022-07-05 12:01:15 UTC
Last seen:2022-07-05 13:03:54 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'649 x AgentTesla, 19'461 x Formbook, 12'202 x SnakeKeylogger)
ssdeep 12288:jCygdMGZOBePSVM+qpwsGkJroK2CzvGRXe+wh6LG44s8dUYFwIrLQ9DpDydj:qe9BZZSwsL6Kvzp+e6LG44sN
Threatray 5'763 similar samples on MalwareBazaar
TLSH T1D7E4BD9C725075DFC82BCE76C9942C60EA61647B430BD247A45326E89A0DBDBDF182F3
TrID 61.5% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
11.0% (.SCR) Windows screen saver (13101/52/3)
8.8% (.EXE) Win64 Executable (generic) (10523/12/4)
5.5% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.2% (.EXE) Win16 NE executable (generic) (5038/12/1)
File icon (PE):PE icon
dhash icon 70f0c4d2d2c4f070 (11 x AgentTesla, 7 x Formbook, 5 x Loki)
Reporter abuse_ch
Tags:exe SnakeKeylogger

Intelligence

File Origin
# of uploads :
2
# of downloads :
224
Origin country :
n/a
Vendor Threat Intelligence
Detection(s):
SecuriteInfo.com.W32.AIDetectNet.01.11509.1831.UNOFFICIAL
Create hunting rule

Result
Verdict:
Clean
Maliciousness:

Behaviour
Creating a window
Sending a custom TCP request
Launching a process
Creating a process with a hidden window
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
packed
Link:
https://www.filescan.io/uploads/62c4288122ab9d0aa0fef930/reports/fbbb1fe0-9a4d-4784-897d-f04e4d2d535d/overview
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/1be488e5-1edd-42ff-b6a3-a55abf60e01b
Result
Threat name:
Snake Keylogger
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1024775
Signature
.NET source code references suspicious native API functions
Adds a directory exclusion to Windows Defender
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
May check the online IP address of the machine
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected AntiVM3
Yara detected Generic Downloader
Yara detected Snake Keylogger
Yara detected Telegram RAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 657270 Sample: PRICE OFFER_01321.exe Startdate: 05/07/2022 Architecture: WINDOWS Score: 100 42 Malicious sample detected (through community Yara rule) 2->42 44 Antivirus detection for dropped file 2->44 46 Antivirus / Scanner detection for submitted sample 2->46 48 14 other signatures 2->48 7 PRICE OFFER_01321.exe 7 2->7         started        process3 file4 28 C:\Users\user\AppData\...28DQkzFEuerWbZz.exe, PE32 7->28 dropped 30 C:\...30DQkzFEuerWbZz.exe:Zone.Identifier, ASCII 7->30 dropped 32 C:\Users\user\AppData\Local\...\tmp83A6.tmp, XML 7->32 dropped 34 C:\Users\user\...\PRICE OFFER_01321.exe.log, ASCII 7->34 dropped 50 Adds a directory exclusion to Windows Defender 7->50 11 PRICE OFFER_01321.exe 15 2 7->11         started        14 powershell.exe 25 7->14         started        16 powershell.exe 24 7->16         started        18 schtasks.exe 1 7->18         started        signatures5 process6 dnsIp7 36 checkip.dyndns.org 11->36 38 checkip.dyndns.com 132.226.247.73, 49782, 80 UTMEMUS United States 11->38 40 4 other IPs or domains 11->40 20 WerFault.exe 11->20         started        22 conhost.exe 14->22         started        24 conhost.exe 16->24         started        26 conhost.exe 18->26         started        process8
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/6fccc54b1735e68508ccfdad83f18a26226257c153b714d8cff7d0cffe905423/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2022-07-05 12:02:15 UTC
File Type:
PE (.Net Exe)
Extracted files:
8
AV detection:
15 of 26 (57.69%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=n7gmksyxgxtikcgm7wwyh4mkeyrgev6bko3rjwgp67im77uqkqrq._file
Verdict:
malicious
Similar samples:
1d1288c2ce2893c49f8b5415034de067a2d68ccddc08fe89f8711e568d777505
SnakeKeylogger
33a19ea1c739df9fbb3a9f8d81efb67050339afc59e44c611f98ccdd66cc37fa
SnakeKeylogger
35ddf428695769bb87459e0848cfae7eb62a86c91c8bb33a2caa23c5fbc43b73
SnakeKeylogger
4e4937d04ce933221fad993e7db49a096f11cefbe11c593da9041d5e375d6119
SnakeKeylogger
51470b54c5f205002945f7a1977dcc11ffc35436335247181445d5afb9988740
SnakeKeylogger
5df825473da5a98d094c7cb03b8e8cb87936eb6a2dbc009920a4e215d085f71c
SnakeKeylogger
68b354e2ae79d93e08d41a48c6a49a74c880f4baafa6309646b086d4af2abe4c
SnakeKeylogger
7d302f9d3565d5968f1500d01a8e6ea2b8440a318858a24a6abbe24fbf5c2214
SnakeKeylogger
9fa87d09a940bbc228fd02a5d41f562988e32d2c76a7f86437285b6e19d4513a
SnakeKeylogger
c24fe8f2829486059e49a179960a0ea6414ed4ef3af24a2597a9ce720b81bc43
SnakeKeylogger
+ 5'753 additional samples on MalwareBazaar
Result
Malware family:
snakekeylogger
Create hunting rule
Score:
  10/10
Tags:
family:snakekeylogger collection evasion keylogger spyware stealer
Link:
https://tria.ge/reports/220705-n7fp8aagf6/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Enumerates physical storage devices
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Looks up external IP address via web service
Maps connected drives based on registry
Checks BIOS information in registry
Checks computer location settings
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Looks for VMWare Tools registry key
Looks for VirtualBox Guest Additions in registry
Snake Keylogger
Snake Keylogger Payload
Malware Config
C2 Extraction:
https://api.telegram.org/bot5340115384:AAFLNLUoDjoCsDoiMMlkY81rG-_Kb9LOEBc/sendMessage?chat_id=5316464344
Unpacked files
SH256 hash:
da5c63d4523d9d56c3c88094beda844d5982464cd54c3664285d109f16a96bb3
MD5 hash:
c76291aa437e11e4d4b8c7ad2c4618f3
SHA1 hash:
d9c83dfcb0d37a96a14a85504e75e507757180ee
Link:
https://www.unpac.me/results/102d2b30-17df-42c9-acd7-331b77d2707a/
SH256 hash:
233d46e163172a21fe98f9a074af3137980e8d195b0fc3b7c80d8ec7287b75a1
MD5 hash:
094cc0990a8423ee1a4bb1636a470e4b
SHA1 hash:
9c5c31ef9c2b5cc77239b2c090b11216ace81765
Link:
https://www.unpac.me/results/102d2b30-17df-42c9-acd7-331b77d2707a/
SH256 hash:
3b59fe180dd50e3f3d4fdcbdd4e7a2d4e3e1c85ae43cb4f3716c4be41e9ec2ae
MD5 hash:
9ea556e333e216a65aa09c102f36004f
SHA1 hash:
814c07f1dc68bd61840384aac3aa8346d9f8148f
Link:
https://www.unpac.me/results/102d2b30-17df-42c9-acd7-331b77d2707a/
SH256 hash:
94582dbe3ed61db45f1ef9da5cd39e10a18e68425c50fa269dfe1ce5277f137d
MD5 hash:
e07e19db7d698a78fd97a899a1ac19ac
SHA1 hash:
0199fdda32671bcb9706ca699b685384239cb48f
Link:
https://www.unpac.me/results/102d2b30-17df-42c9-acd7-331b77d2707a/
SH256 hash:
70bb4f8aa7d0a33f8206f78c845fa2bd686c2a0f2b3bd50cd0b6b887a45398ca
MD5 hash:
30d61a3a3e26c2bca2eb766990132d7c
SHA1 hash:
94f9742d5f21b13f7d8d194fe938193cbb6a0d4d
Link:
https://www.unpac.me/results/102d2b30-17df-42c9-acd7-331b77d2707a/
SH256 hash:
6fccc54b1735e68508ccfdad83f18a26226257c153b714d8cff7d0cffe905423
MD5 hash:
c4e2b85e0285bd6fc888c326a4724ba8
SHA1 hash:
27629d34786f67e20c31e4ab3ee88276fc8e51a4
Link:
https://www.unpac.me/results/102d2b30-17df-42c9-acd7-331b77d2707a/
Malware family:
SnakeKeylogger
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/6fccc54b1735/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/6fccc54b1735e68508ccfdad83f18a26226257c153b714d8cff7d0cffe905423

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

SnakeKeylogger

Executable exe 6fccc54b1735e68508ccfdad83f18a26226257c153b714d8cff7d0cffe905423

(this sample)

  
Delivery method
Distributed via e-mail attachment

Comments