MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 8d2a53bd89b25935e2d8d9195f6982e3dfac315b8d77a856becc7d1aae4f66ab. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


SnakeKeylogger


Vendor detections: 14


Intelligence 14 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 8d2a53bd89b25935e2d8d9195f6982e3dfac315b8d77a856becc7d1aae4f66ab
SHA3-384 hash: 65aa7dc7fec541e7f663b2f6ac9d07ce4de1cb14579cda132366ad8b0c2bb8825543fd18c46cc3431d911951edb515cc
SHA1 hash: d8626d47187f986d43d04a67c604f6fe4af9a611
MD5 hash: 02d8ada86da94c3ddb808f073ca3b776
humanhash: california-pasta-butter-echo
File name:PcJfA8N9ndC6qku.exe
Download: download sample
Signature SnakeKeylogger
Create hunting rule
File size:833'536 bytes
First seen:2023-05-11 18:31:17 UTC
Last seen:2023-05-13 22:54:56 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'740 x AgentTesla, 19'599 x Formbook, 12'241 x SnakeKeylogger)
ssdeep 12288:Ylu9BWqZfOtnygJCjK4ym97zs6eMnJzvdCyBOl1aYR6cUBKE:YI9BWIqnAeA97VNzlrBODaYOB7
Threatray 1'096 similar samples on MalwareBazaar
TLSH T1A1058C3D22DA5C26C31673FA8958C5E103356F10AEABD22A26BE30CC8D71B93ED5554F
TrID 67.7% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
9.7% (.EXE) Win64 Executable (generic) (10523/12/4)
6.0% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
4.1% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):PE icon
dhash icon 9d9e1969696b0646 (9 x SnakeKeylogger, 8 x AgentTesla, 4 x Loki)
Reporter abuse_ch
Tags:exe SnakeKeylogger

Intelligence

File Origin
# of uploads :
2
# of downloads :
248
Origin country :
NL NL
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
PcJfA8N9ndC6qku.exe
Verdict:
Malicious activity
Analysis date:
2023-05-11 18:41:48 UTC
Tags:
snake keylogger trojan evasion
Link:
https://app.any.run/tasks/d0d572e3-d815-466d-99db-1a291837d1e0

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/388483/
Detection(s):
Sanesecurity.Malware.28872.BadIN4.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Creating a window
Sending a custom TCP request
Launching a process
Creating a process with a hidden window
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
barys comodo lokibot packed
Link:
https://www.filescan.io/uploads/645d34a46ca51c8cc34aaaf0/reports/ea88db88-e953-4066-a470-8f73b3516b4b/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_100%
Link:
https://www.hybrid-analysis.com/sample/8d2a53bd89b25935e2d8d9195f6982e3dfac315b8d77a856becc7d1aae4f66ab
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Snake Keylogger
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/eeccf960-6c6f-4897-a612-ddd4e79e9856
Result
Threat name:
Snake Keylogger, StormKitty
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1231172
Signature
.NET source code contains method to dynamically call methods (often used by packers)
Adds a directory exclusion to Windows Defender
Found malware configuration
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
May check the online IP address of the machine
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Scheduled temp file as task from temp location
Snort IDS alert for network traffic
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Uses schtasks.exe or at.exe to add and modify task schedules
Uses the Telegram API (likely for C&C communication)
Yara detected Generic Downloader
Yara detected Snake Keylogger
Yara detected StormKitty Stealer
Yara detected Telegram RAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 864154 Sample: PcJfA8N9ndC6qku.exe Startdate: 11/05/2023 Architecture: WINDOWS Score: 100 53 Snort IDS alert for network traffic 2->53 55 Found malware configuration 2->55 57 Malicious sample detected (through community Yara rule) 2->57 59 9 other signatures 2->59 7 PcJfA8N9ndC6qku.exe 7 2->7         started        11 zHmaHiUQzuaZ.exe 5 2->11         started        process3 file4 35 C:\Users\user\AppData\...\zHmaHiUQzuaZ.exe, PE32 7->35 dropped 37 C:\Users\...\zHmaHiUQzuaZ.exe:Zone.Identifier, ASCII 7->37 dropped 39 C:\Users\user\AppData\Local\...\tmp6C5B.tmp, XML 7->39 dropped 41 C:\Users\user\...\PcJfA8N9ndC6qku.exe.log, ASCII 7->41 dropped 61 May check the online IP address of the machine 7->61 63 Uses schtasks.exe or at.exe to add and modify task schedules 7->63 65 Adds a directory exclusion to Windows Defender 7->65 13 PcJfA8N9ndC6qku.exe 15 2 7->13         started        17 powershell.exe 19 7->17         started        19 powershell.exe 17 7->19         started        21 schtasks.exe 1 7->21         started        67 Multi AV Scanner detection for dropped file 11->67 69 Machine Learning detection for dropped file 11->69 71 Injects a PE file into a foreign processes 11->71 23 zHmaHiUQzuaZ.exe 11->23         started        25 schtasks.exe 11->25         started        signatures5 process6 dnsIp7 43 checkip.dyndns.com 193.122.6.168, 49706, 80 ORACLE-BMC-31898US United States 13->43 45 checkip.dyndns.org 13->45 51 2 other IPs or domains 13->51 27 conhost.exe 17->27         started        29 conhost.exe 19->29         started        31 conhost.exe 21->31         started        47 158.101.44.242, 49708, 80 ORACLE-BMC-31898US United States 23->47 49 checkip.dyndns.org 23->49 73 Tries to steal Mail credentials (via file / registry access) 23->73 75 Tries to harvest and steal browser information (history, passwords, etc) 23->75 33 conhost.exe 25->33         started        signatures8 process9
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/8d2a53bd89b25935e2d8d9195f6982e3dfac315b8d77a856becc7d1aae4f66ab/
Threat name:
ByteCode-MSIL.Trojan.RemLoader
Create hunting rule
Status:
Malicious
First seen:
2023-05-10 14:11:20 UTC
File Type:
PE (.Net Exe)
Extracted files:
33
AV detection:
22 of 37 (59.46%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=ruvfhpmjwjmtlywy3emv62mc4pp2ymk3rv32qvv6zr6rvlspm2vq._file
Verdict:
malicious
Similar samples:
21a5e58e2fe39e481f9977f94a94d352c4c492e9bd6d79d4ae3bbf4cc4a2d751
SnakeKeylogger
57979ca3e646ecfcf45221a35642d69c66d753e9961468e65e66670c4f7513a6
SnakeKeylogger
8e3f656f70978440245c238870f316ccdbfbadff73350dd6d204c9035cc00357
SnakeKeylogger
9925d40e552d694f23587880808c8f53cb41ff2ef2fc5112f37aeaab7d1c6241
SnakeKeylogger
a5ee311c1782356ae8fd1e5fc6f6a2cdde6dd79ebc5c80a02c36b3327ba3ac7d
SnakeKeylogger
aba99ac623b8f43f53873ee48dbf2f18f7206ae2041821e660b79505a3743ead
SnakeKeylogger
efe80cf748bd25110797151a16a29b956213cc00a85716dae6e6008d648725dc
SnakeKeylogger
+ 1'086 additional samples on MalwareBazaar
Result
Malware family:
stormkitty
Create hunting rule
Score:
  10/10
Tags:
family:snakekeylogger family:stormkitty collection keylogger spyware stealer
Link:
https://tria.ge/reports/230511-w6mfdabd5s/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Enumerates physical storage devices
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Looks up external IP address via web service
Checks computer location settings
Reads user/profile data of web browsers
Snake Keylogger
Snake Keylogger payload
StormKitty
StormKitty payload
Malware Config
C2 Extraction:
https://api.telegram.org/bot5861540471:AAFXCiZSJXtn5JonLHiv4xaz5kAYhSl9Ymg/sendMessage?chat_id=5010941489
Unpacked files
SH256 hash:
3ab1dcc37e7c5c643bf41e9f0f81f816f24974fbddde95e2af52426e3374dd35
MD5 hash:
8a2c496875c0871aecc16aae768b323f
SHA1 hash:
f5423a32125c70b512de301c5616c7b75477e2e7
Link:
https://www.unpac.me/results/d63aef3d-5f0b-4208-b980-25bfa1844459/
SH256 hash:
89c028bf7d4a34e4e5b95511a23d9a815453f4f1d23135553c67a0fc2836cf87
MD5 hash:
6c79c340403c822e1de80fc9c36560ee
SHA1 hash:
b5399076e77c84e04c8582bba4a7b2c7b00714be
Detections:
snake_keylogger
Create hunting rule
Link:
https://www.unpac.me/results/d63aef3d-5f0b-4208-b980-25bfa1844459/
Parent samples :
8d2a53bd89b25935e2d8d9195f6982e3dfac315b8d77a856becc7d1aae4f66ab
15e2b1d8d7ec96acece7e015ec8588bec907b02945c8e20e59c1e84c039bae69
SH256 hash:
f11b22647fadae363bc768a89e63b96c1fe0b1fa73350e25ade6600f52ddd9e6
MD5 hash:
5fddfaf7c05df599ebc67a66663538e5
SHA1 hash:
8dbf683ffee75c7e6f42cd625179647f795bcb8f
Link:
https://www.unpac.me/results/d63aef3d-5f0b-4208-b980-25bfa1844459/
SH256 hash:
ce06090867331d2a4441ec67313e3fb5fbaa93730742795ee232818be4840731
MD5 hash:
be81ddb68ddc14ea0414642ddf45e4fe
SHA1 hash:
5c71bb2fecb501168c9dfbdc8a42c683c6692049
Link:
https://www.unpac.me/results/d63aef3d-5f0b-4208-b980-25bfa1844459/
SH256 hash:
d8fc5dfdf2800247eb610beb076fec4d2becf6d951e89445d43237fe97814218
MD5 hash:
e5d93dadd08b8bc727e4f4853c6881ba
SHA1 hash:
27e0e057d33f01586193b0cbf06561c2863951f4
Link:
https://www.unpac.me/results/d63aef3d-5f0b-4208-b980-25bfa1844459/
SH256 hash:
8d2a53bd89b25935e2d8d9195f6982e3dfac315b8d77a856becc7d1aae4f66ab
MD5 hash:
02d8ada86da94c3ddb808f073ca3b776
SHA1 hash:
d8626d47187f986d43d04a67c604f6fe4af9a611
Link:
https://www.unpac.me/results/d63aef3d-5f0b-4208-b980-25bfa1844459/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/8d2a53bd89b25935e2d8d9195f6982e3dfac315b8d77a856becc7d1aae4f66ab

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:BitcoinAddress
Create hunting rule
Author:Didier Stevens (@DidierStevens)
Description:Contains a valid Bitcoin address
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

SnakeKeylogger

Executable exe 8d2a53bd89b25935e2d8d9195f6982e3dfac315b8d77a856becc7d1aae4f66ab

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/388483/

Comments