MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 767c5838c6250f066fe8089e2d77b998a61a626b20080b1606791af987120c06. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



SnakeKeylogger


Vendor detections: 15



SHA256 hash: 767c5838c6250f066fe8089e2d77b998a61a626b20080b1606791af987120c06
SHA3-384 hash: fdee73ce19179df4c81cd4767bb620529ecc681f4e8c27f269a1155bd245acfa4d791ea0bee572eb056f273b442aaf16
SHA1 hash: d76a4acb3ecb8dc9dc226bcdfe98f3d89c7c6fd2
MD5 hash: fef9185943007de3c943d268fcb302f6
humanhash: magnesium-jig-magnesium-alaska
File name: Statement of Account pdf.exe
Signature: SnakeKeylogger
File size: 665'088 bytes
First seen: 2022-11-11 03:18:02 UTC
Last seen: 2022-11-11 04:40:22 UTC
File type: Executable exe
MIME type: application/x-dosexec
imphash: f34d5f2d4577ed6d9ceec516c1f5a744 (48'650 x AgentTesla, 19'462 x Formbook, 12'203 x SnakeKeylogger)
ssdeep: 12288:iuvhjbjl2pl3xzK5ySi+51cXq0tw7HOpdjlKjgMU/:igYDzK5ZiBaqkNgx
Threatray: 10'547 similar samples on MalwareBazaar
TLSH: T1B0E46C1429AE5119F176AF7D1ED0F4B18BBAFF222606E42914C01F872726A3ECD9CD35
TrID: 72.5% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
      10.4% (.EXE) Win64 Executable (generic) (10523/12/4)
      6.5% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
      4.4% (.EXE) Win32 Executable (generic) (4505/5/1)
      2.0% (.EXE) OS/2 Executable (generic) (2029/13)
dhash icon: 0000000000000000 (872 x AgentTesla, 496 x Formbook, 296 x RedLineStealer)
Reporter: GovCERT_CH
Tags: exe SnakeKeylogger

Intelligence


File Origin
# of uploads: 2
# of downloads: 205
Origin country: n/a
Vendor Threat Intelligence
Malware family: n/a
ID: 1
File name: Statement of Account pdf.exe
Verdict: Malicious activity
Analysis date: 2022-11-11 03:18:39 UTC
Tags: evasion trojan snake

Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict: Malware
Maliciousness:

Behaviour
Creating a window
Sending a custom TCP request
Creating synchronization primitives
Creating a file in the %AppData% directory
Creating a file in the %temp% directory
Launching a process
Creating a process with a hidden window
Unauthorized injection to a recently created process
Creating a file
DNS request
Sending an HTTP GET request
Enabling autorun by creating a file
Verdict: Suspicious
Threat level: 5/10
Confidence: 100%
Tags: packed
Result
Verdict: MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name: Snake Keylogger
Detection: malicious
Classification: troj.spyw.evad
Score: 100 / 100
Signature
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains very large strings
.NET source code references suspicious native API functions
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
May check the online IP address of the machine
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Scheduled temp file as task from temp location
Snort IDS alert for network traffic
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Mail credentials (via file / registry access)
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected AntiVM3
Yara detected Generic Downloader
Yara detected Snake Keylogger
Yara detected Telegram RAT
Behaviour
Behavior Graph ID: 743656; Sample: Statement of Account pdf.exe; Startdate: 11/11/2022; Architecture: WINDOWS; Score: 100
Sample-level signatures: Snort IDS alert for network traffic; Malicious sample detected (through community Yara rule); Antivirus / Scanner detection for submitted sample; 13 other signatures
Process tree (dropped files, network contacts and signatures as recorded in the graph):
  Statement of Account pdf.exe
    dropped: C:\Users\user\AppData\Roaming\paygKr.exe (PE32)
    dropped: C:\Users\user\AppData\Local\...\tmpBC44.tmp (XML)
    dropped: C:\Users\...\Statement of Account pdf.exe.log (ASCII)
    signature: Injects a PE file into a foreign processes
    -> Statement of Account pdf.exe (child process)
         network: checkip.dyndns.com 193.122.130.0, 49702, 80 (ORACLE-BMC-31898US, United States)
         network: checkip.dyndns.org
    -> schtasks.exe
         -> conhost.exe
  paygKr.exe
    signature: Antivirus detection for dropped file
    signature: Multi AV Scanner detection for dropped file
    signature: May check the online IP address of the machine
    signature: Machine Learning detection for dropped file
    -> paygKr.exe (child process)
         network: 132.226.247.73, 49704, 80 (UTMEMUS, United States)
         network: checkip.dyndns.org
         network: 192.168.2.1 (unknown)
         signature: Tries to steal Mail credentials (via file / registry access)
         signature: Tries to harvest and steal ftp login credentials
         signature: Tries to harvest and steal browser information (history, passwords, etc)
    -> schtasks.exe
         -> conhost.exe
    -> paygKr.exe
Threat name: ByteCode-MSIL.Trojan.Taskun
Status: Malicious
First seen: 2022-11-10 14:20:35 UTC
File Type: PE (.Net Exe)
Extracted files: 43
AV detection: 19 of 26 (73.08%)
Threat level: 5/5
Result
Malware family: snakekeylogger
Score: 10/10
Tags: family:snakekeylogger collection keylogger spyware stealer
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Enumerates physical storage devices
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Looks up external IP address via web service
Checks computer location settings
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Snake Keylogger
Snake Keylogger payload
Malware Config
C2 Extraction: https://api.telegram.org/bot1644755040:AAGRTnph6BdO8-t1bJaOyVu9aeuJErmisqs/sendMessage?chat_id=1637651323
Verdict: Suspicious
Tags: n/a
YARA: n/a
Unpacked files
SHA256 hash: adf5132844797507cbb4e1ee8bbb22d9b4ec6db0712be4883223787db7a48022
MD5 hash: 86282acd13ba09bb961607f49b7ab868
SHA1 hash: 7fa70b4b2df403c5c00f25d4bc1e212123639739
Detections: snake_keylogger
Parent samples:
SHA256 hash: a327516357b9fa1a75753b3fbd0030e13f374be7cefcdf983d0b731f278b0c59
MD5 hash: 404efdeb9931733904da07f96fabeb72
SHA1 hash: 7ce363cd612f1d9a90b33ec196c4d0a49cdaee02
SHA256 hash: 66b15e8f12ca7448aea883df64fe4455fd0d69cc4d0b298e4a05646e9ae33f5d
MD5 hash: 7ee732640cce72eab58f9f0d4310e481
SHA1 hash: 342f89ea1c6c176992d060626234a3bcc69cc836
SHA256 hash: 767c5838c6250f066fe8089e2d77b998a61a626b20080b1606791af987120c06
MD5 hash: fef9185943007de3c943d268fcb302f6
SHA1 hash: d76a4acb3ecb8dc9dc226bcdfe98f3d89c7c6fd2
Malware family: SnakeKeylogger
Verdict: Malicious
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: pe_imphash
Rule name: Skystars_Malware_Imphash
Author: Skystars LightDefender
Description: imphash

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Malspam
SnakeKeylogger
Executable exe 767c5838c6250f066fe8089e2d77b998a61a626b20080b1606791af987120c06 (this sample)
Dropped by: snakekeylogger
Delivery method: Distributed via e-mail attachment

Comments