MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 88725bfd871070e2e66b0b37295aff45eca79d8063dedf85973f8774210f2e71. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


SnakeKeylogger


Vendor detections: 16


Intelligence 16 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 88725bfd871070e2e66b0b37295aff45eca79d8063dedf85973f8774210f2e71
SHA3-384 hash: 036c04a2d53443fccb510bffdd7f63b4764cf1927448be1986017db13ea883bc355a9eee151e7a9bc8baf6b3f7cfb2ad
SHA1 hash: be460a7ef5629ec7495cd82e0e1d913f1d5f156c
MD5 hash: 52b1ce5bab6e78df745af4f05e88c2a2
humanhash: happy-leopard-pluto-colorado
File name:Signed_PO_73654009.exe
Download: download sample
Signature SnakeKeylogger
Create hunting rule
File size:732'672 bytes
First seen:2023-05-05 11:26:56 UTC
Last seen:2023-05-13 22:57:28 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'746 x AgentTesla, 19'628 x Formbook, 12'242 x SnakeKeylogger)
ssdeep 12288:vU11KDjJ4qR6uORZsUJqu0hq1tb6j7UbvYbJZtGGgMSKcYX851Jsoml107MBlx:sPKDjJv6uOR+UJ131ty7UDSJZEGgXPY/
Threatray 751 similar samples on MalwareBazaar
TLSH T1BCF4E12137B9B7A1ECF683FC6208A4016FB47D6053B6D6E84DC6E0C95159B08FB60B97
TrID 71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.2% (.EXE) Win64 Executable (generic) (10523/12/4)
6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.3% (.EXE) Win32 Executable (generic) (4505/5/1)
2.0% (.ICL) Windows Icons Library (generic) (2059/9)
Reporter abuse_ch
Tags:exe SnakeKeylogger

Intelligence

File Origin
# of uploads :
2
# of downloads :
246
Origin country :
NL NL
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
Signed_PO_73654009.exe
Verdict:
Malicious activity
Analysis date:
2023-05-05 11:34:56 UTC
Tags:
snake keylogger trojan evasion
Link:
https://app.any.run/tasks/0dc6f083-ab41-4ffb-9245-93543b87bf14

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Snake
Create hunting rule
Link:
https://www.capesandbox.com/analysis/386826/
Detection(s):
SecuriteInfo.com.Trojan.GenericKD.66860473.14356.30323.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Creating a window
Sending a custom TCP request
Launching a process
Creating a process with a hidden window
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
comodo jigsaw packed
Link:
https://www.filescan.io/uploads/6454e81503145f701ea2b201/reports/96fc5c75-bfff-44c6-99da-7441ddfb10ea/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_100%
Link:
https://www.hybrid-analysis.com/sample/88725bfd871070e2e66b0b37295aff45eca79d8063dedf85973f8774210f2e71
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Snake Keylogger
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/6d64389f-82f5-4255-819e-195760353a26
Result
Threat name:
Snake Keylogger, StormKitty
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1226835
Signature
.NET source code contains potential unpacker
Adds a directory exclusion to Windows Defender
Found malware configuration
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Malicious sample detected (through community Yara rule)
May check the online IP address of the machine
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Scheduled temp file as task from temp location
Snort IDS alert for network traffic
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Uses schtasks.exe or at.exe to add and modify task schedules
Uses the Telegram API (likely for C&C communication)
Yara detected Generic Downloader
Yara detected Snake Keylogger
Yara detected StormKitty Stealer
Yara detected Telegram RAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 859801 Sample: Signed_PO_73654009.exe Startdate: 05/05/2023 Architecture: WINDOWS Score: 100 51 Snort IDS alert for network traffic 2->51 53 Found malware configuration 2->53 55 Malicious sample detected (through community Yara rule) 2->55 57 9 other signatures 2->57 7 Signed_PO_73654009.exe 7 2->7         started        11 CaXqaXNbykeXs.exe 5 2->11         started        process3 file4 33 C:\Users\user\AppData\...\CaXqaXNbykeXs.exe, PE32 7->33 dropped 35 C:\...\CaXqaXNbykeXs.exe:Zone.Identifier, ASCII 7->35 dropped 37 C:\Users\user\AppData\Local\Temp\tmpB07.tmp, XML 7->37 dropped 39 C:\Users\user\...\Signed_PO_73654009.exe.log, ASCII 7->39 dropped 59 May check the online IP address of the machine 7->59 61 Uses schtasks.exe or at.exe to add and modify task schedules 7->61 63 Adds a directory exclusion to Windows Defender 7->63 13 Signed_PO_73654009.exe 15 2 7->13         started        17 powershell.exe 19 7->17         started        19 schtasks.exe 1 7->19         started        65 Multi AV Scanner detection for dropped file 11->65 67 Injects a PE file into a foreign processes 11->67 21 CaXqaXNbykeXs.exe 2 11->21         started        23 schtasks.exe 1 11->23         started        25 CaXqaXNbykeXs.exe 11->25         started        signatures5 process6 dnsIp7 41 checkip.dyndns.com 132.226.8.169, 49692, 80 UTMEMUS United States 13->41 43 checkip.dyndns.org 13->43 45 api.telegram.org 149.154.167.220, 443, 49693, 49695 TELEGRAMRU United Kingdom 13->45 27 conhost.exe 17->27         started        29 conhost.exe 19->29         started        47 158.101.44.242, 49694, 80 ORACLE-BMC-31898US United States 21->47 49 checkip.dyndns.org 21->49 69 Tries to steal Mail credentials (via file / registry access) 21->69 71 Tries to harvest and steal browser information (history, passwords, etc) 21->71 31 conhost.exe 23->31         started        signatures8 process9
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/88725bfd871070e2e66b0b37295aff45eca79d8063dedf85973f8774210f2e71/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2023-05-04 15:08:54 UTC
File Type:
PE (.Net Exe)
Extracted files:
24
AV detection:
16 of 24 (66.67%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=rbzfx7mhcbyofztlbm3sswx7ixwkphmamppn7bmxh6dxiiipfzyq._file
Verdict:
malicious
Similar samples:
2d6c9ac070f5bb55d66de498da4a8c26d377eb79d7917d03af6d3608e350ac08
SnakeKeylogger
72ab6b20fff5f1384506c7a3943c3c8f9d3ce2ecc79197f0ad8274ae1a2150fd
SnakeKeylogger
87ec8dcb44c20195f72ea0d6d2ac3572a9241bb1e0c7f770d8d13e65a4cf9155
SnakeKeylogger
8992b94e147a940a1da05b11631e28202c50840902fa372690485b49c415e4b5
SnakeKeylogger
a150a0e7dcd71a30b911d577b58895caba94c325e415915a1d60ff64be0bd733
SnakeKeylogger
d0f80693d3549f105e2db006994180bb647006072a107571c0f408fc187d1621
SnakeKeylogger
d9fcc1602122022a5c2ad597168eed6137a55b2356d767f5a877083c99989561
SnakeKeylogger
e94f95707bc1ee3c1516cce43846a594acf5a1024ae7a76cb34afe5639fe95b5
SnakeKeylogger
+ 741 additional samples on MalwareBazaar
Result
Malware family:
stormkitty
Create hunting rule
Score:
  10/10
Tags:
family:snakekeylogger family:stormkitty collection keylogger spyware stealer
Link:
https://tria.ge/reports/230505-nkhajahg98/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Enumerates physical storage devices
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Looks up external IP address via web service
Checks computer location settings
Reads user/profile data of web browsers
Snake Keylogger
Snake Keylogger payload
StormKitty
StormKitty payload
Malware Config
C2 Extraction:
https://api.telegram.org/bot5923227859:AAEYo__DCK9GpHPQHPaQXx_5mU4DPDQb_xs/sendMessage?chat_id=1965959123
Unpacked files
SH256 hash:
e94c47d5f7c6c5789eb1f1d5330ad36bc8c35721a80921965751c93eb7760229
MD5 hash:
9570af6f4e9fb2afbe0077b62436188e
SHA1 hash:
e70fd893b4771277d43875e5d58a1ae8e4639651
Detections:
snake_keylogger
Create hunting rule
Link:
https://www.unpac.me/results/676b844d-73f2-4feb-a491-d9b9f0cbdb70/
Parent samples :
799ad2554344216d192896a517536862c2435f054182bb8e468f6dd9f15f3e33
ab463de3b695c5e6a4f163c156ad7ef4949a728481711627de738b6a9d84d1f3
88725bfd871070e2e66b0b37295aff45eca79d8063dedf85973f8774210f2e71
d18cf7fcde053ba33105a836de182859fbfc493eb5185bbaddee1133b9063509
20fb89955cb329bf5597f90a7510f92a33ab31d05c21e1374a52e89dde377a91
3db10778e1d0ccc415a6ad057180e3ef8025d2f9ccfa77a14f37369189526955
9e5f01fcd9e6ad2a133b43fc012dd7f72fa09e87dbc8d5f98c2a6325e843affa
SH256 hash:
ef7122a98eca35c197740b6d6e1905c446a9d65fd1580f8fb3274d85151e5245
MD5 hash:
f4ff5b1b1dc7d2cc8c440f83bce82f8b
SHA1 hash:
e15b4dd8354139fbfefc4c63bfde8311da9f226f
Link:
https://www.unpac.me/results/676b844d-73f2-4feb-a491-d9b9f0cbdb70/
SH256 hash:
007a649940da8c67891149af7084de00c15e61b02ee5990325d39d76d99eccf7
MD5 hash:
9ef257598f1e43edcadf029426112373
SHA1 hash:
b20305d65cd9d8d30c3f550c8825eb02475ebd4c
Link:
https://www.unpac.me/results/676b844d-73f2-4feb-a491-d9b9f0cbdb70/
SH256 hash:
077cba78a96dccae745ad6b2a5427e90b96c0cbb8f3118ba626512343757318b
MD5 hash:
e015fe3b922b99119d3b075962889d32
SHA1 hash:
a2d8a50211df874cddf4d3de2fc444aa0ff33e01
Link:
https://www.unpac.me/results/676b844d-73f2-4feb-a491-d9b9f0cbdb70/
SH256 hash:
c8808b69b0f4d52c253e35b001da94086786b34162fd51daa3f17eda94bac7f0
MD5 hash:
da56041df789c24cb2a36a364431f766
SHA1 hash:
876e6c579d1092a76ce90c500c43af0cf11724a4
Link:
https://www.unpac.me/results/676b844d-73f2-4feb-a491-d9b9f0cbdb70/
SH256 hash:
88725bfd871070e2e66b0b37295aff45eca79d8063dedf85973f8774210f2e71
MD5 hash:
52b1ce5bab6e78df745af4f05e88c2a2
SHA1 hash:
be460a7ef5629ec7495cd82e0e1d913f1d5f156c
Link:
https://www.unpac.me/results/676b844d-73f2-4feb-a491-d9b9f0cbdb70/
Malware family:
SnakeKeylogger
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/88725bfd8710/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/88725bfd871070e2e66b0b37295aff45eca79d8063dedf85973f8774210f2e71

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:BitcoinAddress
Create hunting rule
Author:Didier Stevens (@DidierStevens)
Description:Contains a valid Bitcoin address
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

SnakeKeylogger

Executable exe 88725bfd871070e2e66b0b37295aff45eca79d8063dedf85973f8774210f2e71

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/386826/

Comments