MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 932e12034f11bf69f738da781178a606e36a602107bc20f7664fc329d6c4d3c5. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



SnakeKeylogger


Vendor detections: 15

SHA256 hash: 932e12034f11bf69f738da781178a606e36a602107bc20f7664fc329d6c4d3c5
SHA3-384 hash: 1397d9f1a06771e20b1309cf587aeb5a0435fdf20602a0d9e3841606dd2a9917bfe2acc93fb61ed109c23a4597e3a5ac
SHA1 hash: 9848849edfd0a2a734c134fb18a99e1521dbee19
MD5 hash: 9f537825c82946571a945b1d0b5c5b73
humanhash: ceiling-one-one-sink
File name: Halkbank_Ekstre_20221031_075819_154055.exe
Signature: SnakeKeylogger
File size: 1'196'032 bytes
First seen: 2022-10-31 14:54:06 UTC
Last seen: 2022-11-01 16:17:53 UTC
File type: Executable exe
MIME type: application/x-dosexec
imphash: f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep: 12288:t6T1u6n0oHLU/UhMIDDoUEJVN6SlMBimhq5mGIs5w4ZW:t6GEY/U6WMJJb6Smimw3I4
Threatray: 8'702 similar samples on MalwareBazaar
TLSH: T117457D91A190888BD86B05B1AC67D63025E76E9C94B4C10E5BDDBF1B76F3352309FE0E
TrID:
  72.5% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
  10.4% (.EXE) Win64 Executable (generic) (10523/12/4)
  6.5% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
  4.4% (.EXE) Win32 Executable (generic) (4505/5/1)
  2.0% (.EXE) OS/2 Executable (generic) (2029/13)
dhash icon: eeacac8cb6e2ba86 (561 x SnakeKeylogger, 142 x AgentTesla, 40 x Formbook)
Reporter: abuse_ch
Tags: exe geo Halkbank SnakeKeylogger TUR
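A note on the imphash above for anyone pivoting on it: TrID identifies this file as a CIL (.NET) executable, and every .NET executable built with the standard stub imports exactly one native symbol, mscoree.dll!_CorExeMain. The import hash is an MD5 over the normalized import list, so all such binaries share one value, which is why this imphash matches tens of thousands of AgentTesla, Formbook and SnakeKeylogger samples at once. It identifies "a .NET EXE", not this family; the ssdeep, TLSH and dhash values are the better pivots here. The following script is an added example (not code from the MalwareBazaar page) that reproduces the imphash computation from a hand-built import table in the way pefile normalizes it, so that the page's value can be checked and recognized. The import lists are constructed; the ordinal-to-name lookup that pefile applies for ws2_32 and oleaut32 is omitted here, which is an assumption of this example.

```python
"""Reproduce the import hash (imphash) from a constructed import table.

Added example, not part of the MalwareBazaar page. Assumes pefile's
normalization rules: lowercase, strip .dll/.ocx/.sys from the module
name, imports-by-ordinal rendered as 'ordN', entries joined by commas in
import-table order and hashed with MD5.
"""
import hashlib


def normalize_import(dll: str, func) -> str:
    """Return one 'module.function' imphash entry for an import."""
    dll = dll.lower()
    for ext in (".dll", ".ocx", ".sys"):
        if dll.endswith(ext):
            dll = dll[: -len(ext)]
            break
    # pefile resolves some well-known ordinals (ws2_32, oleaut32) to names;
    # that table is omitted here (assumption), so every ordinal becomes ordN.
    name = f"ord{func}" if isinstance(func, int) else func.lower()
    return f"{dll}.{name}"


def imphash(imports) -> str:
    """imports: iterable of (dll_name, function_name_or_ordinal), table order."""
    entries = [normalize_import(dll, fn) for dll, fn in imports]
    return hashlib.md5(",".join(entries).encode("ascii")).hexdigest()


# Constructed import tables (not read from the sample on this page).
# A stock .NET EXE imports only the CLR entry point:
DOTNET_IMPORTS = [("mscoree.dll", "_CorExeMain")]
# A small native table with one import-by-ordinal for comparison:
NATIVE_IMPORTS = [
    ("KERNEL32.dll", "CreateFileW"),
    ("KERNEL32.dll", "WriteFile"),
    ("USER32.dll", 2),
    ("ADVAPI32.dll", "RegOpenKeyExW"),
]

# The value MalwareBazaar shows for this sample.
PAGE_IMPHASH = "f34d5f2d4577ed6d9ceec516c1f5a744"


def is_generic_dotnet_imphash(h: str) -> bool:
    """True when h is the hash shared by every stock .NET EXE, i.e. a pivot
    on it will pull in unrelated families rather than this one."""
    return h == imphash(DOTNET_IMPORTS)


if __name__ == "__main__":
    dotnet = imphash(DOTNET_IMPORTS)
    print("dotnet stub imphash:", dotnet, "matches page:", dotnet == PAGE_IMPHASH)
    print("generic .NET value? ", is_generic_dotnet_imphash(PAGE_IMPHASH))
    print("native table imphash:", imphash(NATIVE_IMPORTS))
```

If is_generic_dotnet_imphash() returns True for a sample's imphash, treat the "N x family" counters next to it as noise and cluster on the other fuzzy hashes instead.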

Intelligence


File Origin
# of uploads: 3
# of downloads: 378
Origin country: n/a
Vendor Threat Intelligence
Malware family: n/a
ID: 1
File name: Halkbank_Ekstre_20221031_075819_154055.exe
Verdict: Malicious activity
Analysis date: 2022-10-31 14:56:15 UTC
Tags: evasion trojan snake

Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict: Malware
Behaviour:
  Searching for the window
  Creating a window

Verdict: Malicious
Threat level: 10/10
Confidence: 100%
Tags: packed strictor
Result
Verdict: MALICIOUS
Details: Windows PE Executable. Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family: Snake Keylogger
Verdict: Malicious
Result
Threat name: Snake Keylogger
Detection: malicious
Classification: troj.spyw.evad
Score: 100 / 100
Signature:
  .NET source code contains potential unpacker
  .NET source code references suspicious native API functions
  Injects a PE file into a foreign processes
  Malicious sample detected (through community Yara rule)
  May check the online IP address of the machine
  Multi AV Scanner detection for submitted file
  Snort IDS alert for network traffic
  Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
  Tries to harvest and steal browser information (history, passwords, etc)
  Tries to harvest and steal ftp login credentials
  Tries to steal Mail credentials (via file / registry access)
  Yara detected AntiVM3
  Yara detected Generic Downloader
  Yara detected Snake Keylogger
  Yara detected Telegram RAT

Threat name: ByteCode-MSIL.Trojan.AgentTesla
Status: Malicious
First seen: 2022-10-31 14:24:54 UTC
File Type: PE (.Net Exe)
Extracted files: 38
AV detection: 22 of 25 (88.00%)
Threat level: 5/5
Result
Malware family: snakekeylogger
Score: 10/10
Tags: family:snakekeylogger collection keylogger spyware stealer
Behaviour:
  Suspicious behavior: EnumeratesProcesses
  Suspicious use of AdjustPrivilegeToken
  Suspicious use of WriteProcessMemory
  outlook_office_path
  outlook_win_path
  Suspicious use of SetThreadContext
  Accesses Microsoft Outlook profiles
  Looks up external IP address via web service
  Reads data files stored by FTP clients
  Reads user/profile data of local email clients
  Reads user/profile data of web browsers
  Snake Keylogger
  Snake Keylogger payload
Malware Config
C2 Extraction: https://api.telegram.org/bot5310184099:AAGxqu0IL8tjOF6Eq6x2u0gfcHhvuxRwfLU/sendMessage?chat_id=5350445922
Unpacked files
  SHA256 hash: cf63e9457af81a1c98f48956554e07e748f37f9e7acd88f5a38c48aaa1d925dc
  MD5 hash: a6a682bb0652b09f21e8bf9ed40352e7
  SHA1 hash: fa6ebb960886bf7b4f21067d019d609770433fb0
  Detections: snake_keylogger
Parent samples:
  SHA256 hash: 7bc660fd9fbd2c97a49cf6bd6bab6e1474b5ba60a56ba6c28d3e9048ee695234
  MD5 hash: 5b445c98892b0d6b939b6590e36845e3
  SHA1 hash: 43ea4b65b8c745a43630548efd05ef03aa407e95

  SHA256 hash: 78051ad0b5e6e76383557b527cfffd1452a1f3111b85666a199f363bb5b28c91
  MD5 hash: 2032f12c3469674f553723c1f5a5f76a
  SHA1 hash: f969d1deb3ef9b2d000de205e43d7d664b85208e

  SHA256 hash: 07d9d7928ce9a443590f671e98be781491f9bd635314b4376c37728b5b220a1d
  MD5 hash: b5bce613d88c9a43fbd678cfe0f01a87
  SHA1 hash: bb262f1d8fc78489ab075b3e0592b147815a066b

  SHA256 hash: bc444c4ec803b91da7af06cb0eb233fe69f565067f89544bf750fc17a9ede6dd
  MD5 hash: b52058082749f08bbcb7036b0d4189e8
  SHA1 hash: 90365baf6b18ff3139da00cd5caf30660643110e

  SHA256 hash: 932e12034f11bf69f738da781178a606e36a602107bc20f7664fc329d6c4d3c5
  MD5 hash: 9f537825c82946571a945b1d0b5c5b73
  SHA1 hash: 9848849edfd0a2a734c134fb18a99e1521dbee19

Malware family: SnakeKeylogger
Verdict: Malicious
Please note that we are no longer able to provide a coverage score for VirusTotal.
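The extracted configuration above is the most actionable item on this page: the sample exfiltrates through the Telegram Bot API, and the URL carries the bot id, the bot token and the destination chat_id. The bot token and chat_id never appear on the wire, because the whole request path travels inside TLS to api.telegram.org, so a network detection can only key on the server name; the token and chat id belong in the IOC record and in an abuse report to Telegram. The script below is an added example (not code from the MalwareBazaar page or from any vendor listed on it) that parses the reported C2 URL into those pieces, finds the same URL shape in a constructed strings dump of the kind one gets from an unpacked payload, and emits a Suricata TLS-SNI rule. The rule text, its sid and the sample strings are assumptions made for this example; nothing in it touches the network.

```python
"""Turn the extracted SnakeKeylogger Telegram C2 URL into IOCs and a detection.

Added example, not from the MalwareBazaar page. The URL in C2_URL is the one
the page reports; the Suricata rule, the sid and CONSTRUCTED_STRINGS are
assumptions of this example.
"""
import re
from urllib.parse import parse_qs, urlsplit

# Exactly as reported under "Malware Config / C2 Extraction" above.
C2_URL = (
    "https://api.telegram.org/bot5310184099:AAGxqu0IL8tjOF6Eq6x2u0gfcHhvuxRwfLU"
    "/sendMessage?chat_id=5350445922"
)

# Bot API path shape: /bot<bot_id>:<secret>/<method>
BOT_PATH_RE = re.compile(r"^/bot(?P<bot_id>\d+):(?P<secret>[A-Za-z0-9_-]+)/(?P<method>\w+)$")
# The same shape anywhere in free text (strings output, memory dump, config blob).
BOT_URL_RE = re.compile(r"https?://api\.telegram\.org/bot\d+:[A-Za-z0-9_-]+/\w+(?:\?[^\s\"'<>]*)?")


def parse_telegram_c2(url: str) -> dict:
    """Split a Telegram Bot API URL into the IOCs worth recording."""
    parts = urlsplit(url)
    m = BOT_PATH_RE.match(parts.path)
    if parts.hostname != "api.telegram.org" or m is None:
        raise ValueError(f"not a Telegram Bot API URL: {url!r}")
    qs = parse_qs(parts.query)
    return {
        "host": parts.hostname,
        "bot_id": m["bot_id"],
        "token": f"{m['bot_id']}:{m['secret']}",  # full bot token; sensitive, report it, don't use it
        "method": m["method"],
        "chat_id": qs.get("chat_id", [None])[0],
    }


def find_telegram_c2(text: str) -> list:
    """Pull every Bot API URL out of free text and parse each one."""
    return [parse_telegram_c2(m.group(0)) for m in BOT_URL_RE.finditer(text)]


def suricata_rule(ioc: dict, sid: int) -> str:
    """TLS SNI rule for the C2 host. The token and chat_id are inside the
    encrypted request, so only the server name is matchable on the wire.
    Rule text and sid are this example's assumption, not from the page."""
    return (
        f'alert tls $HOME_NET any -> $EXTERNAL_NET 443 ('
        f'msg:"Telegram Bot API connection (SnakeKeylogger C2 exfil, bot {ioc["bot_id"]})"; '
        f'tls.sni; content:"{ioc["host"]}"; nocase; endswith; '
        f'classtype:trojan-activity; sid:{sid}; rev:1;)'
    )


# Constructed stand-in for a strings dump of the unpacked payload (not real output).
CONSTRUCTED_STRINGS = """\
mscoree.dll
_CorExeMain
https://api.telegram.org/bot5310184099:AAGxqu0IL8tjOF6Eq6x2u0gfcHhvuxRwfLU/sendMessage?chat_id=5350445922
SnakeKeylogger
"""

if __name__ == "__main__":
    for ioc in find_telegram_c2(CONSTRUCTED_STRINGS):
        print("bot_id :", ioc["bot_id"])
        print("chat_id:", ioc["chat_id"])
        print("method :", ioc["method"])
        print(suricata_rule(ioc, 9000001))
```

The rule fires on any TLS session whose SNI is api.telegram.org, so it will also catch legitimate bot integrations if the environment runs any; on endpoints that have none, a client opening a connection to the Bot API host is itself worth triage, and the bot id in the alert message ties the hit back to this sample's configuration.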

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. These are matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are displayed.

Rule name: pe_imphash

Rule name: Skystars_Malware_Imphash
Author: Skystars LightDefender
Description: imphash

File information


The table below shows additional information about this malware sample such as delivery method and external references.