MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 7bfacddb1871cc1aab46c0274e8e8f2cfc2cbb4b7caef9df24b6933a1ff75124. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


SnakeKeylogger


Vendor detections: 16


Intelligence 16 IOCs YARA 4 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 7bfacddb1871cc1aab46c0274e8e8f2cfc2cbb4b7caef9df24b6933a1ff75124
SHA3-384 hash: fcf273d079d2161d0bf59de3f09573426b71f2a047b20970197c41595229a8819e0a37f5ab634ea9b73ab4043cc3facc
SHA1 hash: 779e635d839eecb38aa17b5a89ae7a5549bc7d79
MD5 hash: 54e6b3143669461f4df675f32705f602
humanhash: cola-jersey-steak-oranges
File name:P0#082023.exe
Download: download sample
Signature SnakeKeylogger
Create hunting rule
File size:1'077'760 bytes
First seen:2023-09-20 16:55:46 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 12288:sQHCr/cT5J2iNtxIQ/tjwUj4m3r+hQClaHFe8MpZkD8qaCFHi4gIrDRjmfTf4SNv:y41F3904CuFe8MpCwcF6Tp
Threatray 236 similar samples on MalwareBazaar
TLSH T11635499C365079DFC957CC368AA82D64EB6025BB531FD203A0131AEDAA1DA97CF141F3
TrID 67.7% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
9.7% (.EXE) Win64 Executable (generic) (10523/12/4)
6.0% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
4.1% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):PE icon
dhash icon 71f0e8d8f4ecfc71 (3 x AgentTesla, 2 x SnakeKeylogger, 1 x PureCrypter)
Reporter abuse_ch
Tags:exe SnakeKeylogger

Intelligence

File Origin
# of uploads :
1
# of downloads :
284
Origin country :
NL NL
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
P0#082023.exe
Verdict:
Malicious activity
Analysis date:
2023-09-20 16:59:52 UTC
Tags:
snake evasion keylogger
Link:
https://app.any.run/tasks/138b40cb-7523-423b-9086-bd1f944a25b5

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Snake
Create hunting rule
Link:
https://www.capesandbox.com/analysis/450100/
Detection(s):
SecuriteInfo.com.MSIL.Kryptik.WZA.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a custom TCP request
Creating a process with a hidden window
Launching a process
Adding an exclusion to Microsoft Defender
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
packed
Link:
https://www.filescan.io/uploads/650b24240870810f01830e66/reports/10cd642c-e8c9-49d7-9b36-3c57db6de59d/overview
Verdict:
Malicious
Labled as:
Ransom.Loki.Generic
Link:
https://www.hybrid-analysis.com/sample/7bfacddb1871cc1aab46c0274e8e8f2cfc2cbb4b7caef9df24b6933a1ff75124
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Malicious Packer
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/3233d8eb-4c2d-437d-8c86-cf997a07166a
Result
Threat name:
Snake Keylogger
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1311742
Signature
.NET source code contains potential unpacker
.NET source code contains very large array initializations
Adds a directory exclusion to Windows Defender
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Found malware configuration
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
May check the online IP address of the machine
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Scheduled temp file as task from temp location
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected AntiVM3
Yara detected Generic Downloader
Yara detected Snake Keylogger
Yara detected Telegram RAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 1311742 Sample: P0#082023.exe Startdate: 20/09/2023 Architecture: WINDOWS Score: 100 47 Found malware configuration 2->47 49 Malicious sample detected (through community Yara rule) 2->49 51 Antivirus / Scanner detection for submitted sample 2->51 53 9 other signatures 2->53 7 P0#082023.exe 7 2->7         started        11 OTwkQeHpILGn.exe 5 2->11         started        process3 file4 35 C:\Users\user\AppData\...\OTwkQeHpILGn.exe, PE32 7->35 dropped 37 C:\Users\user\AppData\Local\...\tmpF58D.tmp, XML 7->37 dropped 55 Detected unpacking (changes PE section rights) 7->55 57 Detected unpacking (overwrites its own PE header) 7->57 59 May check the online IP address of the machine 7->59 67 3 other signatures 7->67 13 P0#082023.exe 15 2 7->13         started        17 powershell.exe 21 7->17         started        19 powershell.exe 21 7->19         started        21 schtasks.exe 1 7->21         started        61 Antivirus detection for dropped file 11->61 63 Multi AV Scanner detection for dropped file 11->63 65 Machine Learning detection for dropped file 11->65 23 OTwkQeHpILGn.exe 11->23         started        25 schtasks.exe 11->25         started        signatures5 process6 dnsIp7 39 checkip.dyndns.org 13->39 41 checkip.dyndns.com 193.122.130.0, 49730, 80 ORACLE-BMC-31898US United States 13->41 27 conhost.exe 17->27         started        29 conhost.exe 19->29         started        31 conhost.exe 21->31         started        43 checkip.dyndns.org 23->43 45 132.226.8.169, 49731, 80 UTMEMUS United States 23->45 69 Tries to steal Mail credentials (via file / registry access) 23->69 71 Tries to harvest and steal browser information (history, passwords, etc) 23->71 33 conhost.exe 25->33         started        signatures8 process9
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/7bfacddb1871cc1aab46c0274e8e8f2cfc2cbb4b7caef9df24b6933a1ff75124/
Threat name:
ByteCode-MSIL.Trojan.Vigorf
Create hunting rule
Status:
Malicious
First seen:
2023-09-20 13:46:41 UTC
File Type:
PE (.Net Exe)
Extracted files:
36
AV detection:
15 of 22 (68.18%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=pp5m3wyyohgbvk2gyatu5dupft6czo2lpsxptxzew2jtuh7xkesa._file
Verdict:
malicious
Similar samples:
2ba5d8e1c77dac550fd1b7d19174670a30da616780dbad4d386f6b9dc2121e9c
SnakeKeylogger
337ce11e758631b9327321060bea40342ee175113d93e8d293a6e6d08d008509
SnakeKeylogger
38e497ba967a7027611f38d868b02f7c00405cc0cde0500ee32a61103dddd4f4
SnakeKeylogger
5c9e41c57fc02e8a6832d92888f838a455e75ce93c833f2b730376a11f0040e9
SnakeKeylogger
627dc37a4c486ebedd53d20f173b884014f2a662bb82afcfc105ecd10fe3aed5
SnakeKeylogger
80c0c7648149fdb4b41f5abc6316de36da5c3133676d4c9d68e783ba70cb46c0
SnakeKeylogger
ac04f04d01ae5428a8017be37d7d1352ad3212852c259d1a0e2f775969ecc36c
SnakeKeylogger
d7e0001b5c8e59c77d4f4cc467847498f7754d6417e7dbd592989ef73d90c5e6
SnakeKeylogger
+ 226 additional samples on MalwareBazaar
Result
Malware family:
snakekeylogger
Create hunting rule
Score:
  10/10
Tags:
family:snakekeylogger collection keylogger spyware stealer
Link:
https://tria.ge/reports/230920-vfn1vahe5v/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Enumerates physical storage devices
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Looks up external IP address via web service
Checks computer location settings
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Snake Keylogger
Snake Keylogger payload
Unpacked files
SH256 hash:
d99645ee35080071b81c165c11567e2b8de22e2733e792e0e60a45f7f5ab2225
MD5 hash:
8cffb9dafa296eaa7e0f891acd46af43
SHA1 hash:
6b3eee647a8f0976dd2e18fcf487a2d2ff2f620d
Link:
https://www.unpac.me/results/b782e2bd-085e-42e3-9536-8f45fc237aba/
SH256 hash:
301671f7789068fbf11b7d0139acc99081af36a3cfee64dc92dc23d416170d91
MD5 hash:
ce383dd0ed8ed4f14fbbfc034036bf7b
SHA1 hash:
656f6d651741399bc8bf30a059d96e3bc345e4c6
Detections:
snake_keylogger
Create hunting rule
Link:
https://www.unpac.me/results/b782e2bd-085e-42e3-9536-8f45fc237aba/
Parent samples :
7bfacddb1871cc1aab46c0274e8e8f2cfc2cbb4b7caef9df24b6933a1ff75124
1a552b5db668c321e7f584e0f2d379afc41c00707e4fecad232823445bbcf8be
SH256 hash:
30ec0f7cc9adae9121e8bd4c6e71b7ad2fff46d0fbd8d0fff969dfdf6cac778c
MD5 hash:
ce7d3bccac24ade379cf26783021336b
SHA1 hash:
279a98251336a11b1620b9bc1ade072f65a6502b
Link:
https://www.unpac.me/results/b782e2bd-085e-42e3-9536-8f45fc237aba/
SH256 hash:
7ec118e70613ce2d9aee29cda2918ca710dde346c68d4da75c2ea0402e6d4391
MD5 hash:
1622a62bf6805b2dca82a8632eceac71
SHA1 hash:
071b72a5a1231149dfe4b9fcfa3a6ee49265ab7c
Link:
https://www.unpac.me/results/b782e2bd-085e-42e3-9536-8f45fc237aba/
SH256 hash:
7bfacddb1871cc1aab46c0274e8e8f2cfc2cbb4b7caef9df24b6933a1ff75124
MD5 hash:
54e6b3143669461f4df675f32705f602
SHA1 hash:
779e635d839eecb38aa17b5a89ae7a5549bc7d79
Link:
https://www.unpac.me/results/b782e2bd-085e-42e3-9536-8f45fc237aba/
Malware family:
SnakeKeylogger
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/7bfacddb1871/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/7bfacddb1871cc1aab46c0274e8e8f2cfc2cbb4b7caef9df24b6933a1ff75124

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:NETexecutableMicrosoft
Create hunting rule
Author:malware-lu
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

SnakeKeylogger

Executable exe 7bfacddb1871cc1aab46c0274e8e8f2cfc2cbb4b7caef9df24b6933a1ff75124

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/450100/

Comments