MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 9be4149e49efbdd6b5ef16744ad28072211b543f59d0fd322cf4c5a0281b43ff. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


SnakeKeylogger


Vendor detections: 10


Intelligence 10 IOCs YARA 11 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 9be4149e49efbdd6b5ef16744ad28072211b543f59d0fd322cf4c5a0281b43ff
SHA3-384 hash: c07d28cb24cd7bd2d5e0aa41f353fe8099779b790e3334c4935508eb843925f91285e557937da5cfd55b80d9a8b6da5a
SHA1 hash: bcc953122a90f5bfd2f87cb3b2ae41b4a2546fe2
MD5 hash: 811b57a6db5aeb86fa561ab510a21e0d
humanhash: east-gee-blossom-delta
File name:OC HBN50918472.exe
Download: download sample
Signature SnakeKeylogger
Create hunting rule
File size:1'134'592 bytes
First seen:2022-03-09 14:09:23 UTC
Last seen:2022-03-09 16:24:35 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'462 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 24576:xbfHb2F7ym3BqlN5lp4kmaRCaMQ6WVmVYH1XevUSGq0Ygs:x+F7/3gfTmRFemVYV5
Threatray 1'664 similar samples on MalwareBazaar
TLSH T1EE35CF21A865137BF17DC9B567D5A8A30ED3B0721244B1BE2C2CD66A0FD4A3CCE85E35
File icon (PE):PE icon
dhash icon f0f0f0f0f0f8f8f8 (4 x SnakeKeylogger, 2 x OskiStealer)
Reporter abuse_ch
Tags:exe SnakeKeylogger

Intelligence

File Origin
# of uploads :
2
# of downloads :
216
Origin country :
n/a
Vendor Threat Intelligence
Detection:
Snake
Create hunting rule
Link:
https://www.capesandbox.com/analysis/248657/
Detection(s):
SecuriteInfo.com.Suspicious.Win32.Save.a.568.14441.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Creating a window
Сreating synchronization primitives
Launching a process
Creating a process with a hidden window
Creating a file in the %AppData% directory
Enabling the 'hidden' option for recently created files
Adding an access-denied ACE
Creating a process from a recently created file
Creating a file in the %temp% directory
Unauthorized injection to a recently created process
Creating a file
DNS request
Sending an HTTP GET request
Sending a custom TCP request
Reading critical registry keys
Blocking the Windows Defender launch
Enabling autorun by creating a file
Forced shutdown of a browser
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
control.exe obfuscated packed replace.exe
Link:
https://www.filescan.io/uploads/6228b53fb94fb38cb4480dc6/reports/ffc0e7a2-ffc0-460f-b09c-4520f30a8f9a/overview
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/de78df4e-8109-4e51-8d76-d78d6e28527e
Result
Threat name:
Snake Keylogger
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/953323
Signature
.NET source code contains potential unpacker
.NET source code references suspicious native API functions
Adds a directory exclusion to Windows Defender
Found malware configuration
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
May check the online IP address of the machine
Sigma detected: Suspicious Add Scheduled Task From User AppData Temp
Sigma detected: Suspicius Schtasks From Env Var Folder
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Mail credentials (via file / registry access)
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected AntiVM3
Yara detected Snake Keylogger
Yara detected Telegram RAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 585807 Sample: OC HBN50918472.exe Startdate: 09/03/2022 Architecture: WINDOWS Score: 100 41 Found malware configuration 2->41 43 Malicious sample detected (through community Yara rule) 2->43 45 Yara detected Telegram RAT 2->45 47 12 other signatures 2->47 7 OC HBN50918472.exe 7 2->7         started        process3 file4 27 C:\Users\user\AppData\Roaming\hCAWQD.exe, PE32 7->27 dropped 29 C:\Users\user\...\hCAWQD.exe:Zone.Identifier, ASCII 7->29 dropped 31 C:\Users\user\AppData\Local\...\tmp1997.tmp, XML 7->31 dropped 33 C:\Users\user\...\OC HBN50918472.exe.log, ASCII 7->33 dropped 49 Adds a directory exclusion to Windows Defender 7->49 51 Injects a PE file into a foreign processes 7->51 11 OC HBN50918472.exe 7->11         started        15 powershell.exe 25 7->15         started        17 powershell.exe 24 7->17         started        19 schtasks.exe 7->19         started        signatures5 process6 dnsIp7 35 checkip.dyndns.org 11->35 37 checkip.dyndns.com 132.226.247.73, 49779, 80 UTMEMUS United States 11->37 39 2 other IPs or domains 11->39 53 Tries to steal Mail credentials (via file / registry access) 11->53 55 Tries to harvest and steal ftp login credentials 11->55 57 Tries to harvest and steal browser information (history, passwords, etc) 11->57 21 conhost.exe 15->21         started        23 conhost.exe 17->23         started        25 conhost.exe 19->25         started        signatures8 process9
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/9be4149e49efbdd6b5ef16744ad28072211b543f59d0fd322cf4c5a0281b43ff/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2022-03-09 14:10:16 UTC
File Type:
PE (.Net Exe)
Extracted files:
6
AV detection:
20 of 27 (74.07%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=tpsbjhsj5665nnppcz2evuuaoiqrwvb7lhip2mrm6tc2aka3ip7q._file
Verdict:
malicious
Similar samples:
25b32124cd6f952cf7dd5ce30fecbfcbc0aa1524c9ff7d3a116b3716eeab75c4
SnakeKeylogger
26d67ec38fb2cf947cc71182166947fa4824789ccc14e1ffb45fac833e9bbe34
SnakeKeylogger
278c8c0144bdd6c6b11fb2757bc92b2f3b76dff217bba26c8d1cb3cc6c0d07e0
SnakeKeylogger
3123d6c54422ae6a7e0f84c4042efca20d9fa1667d9520e3e145a8e856a72830
SnakeKeylogger
449dbae666a76c40d0c3426beff49960853382801a647374404676f7365a08c3
SnakeKeylogger
4d1cfc06d50c33a02572d8d32f34c277bb89bad8d2932c4e0549409d98d5ddda
SnakeKeylogger
5baa15d0565bd91f2f6422596986183789950ab37ad826087a26dc24126b0b7c
SnakeKeylogger
eae65436f8b35bcf0fe364b194523d4ed66fe4ad31ce76c6d97150862a759575
SnakeKeylogger
f479b28a2c1afcea576dfafa238e26fcaa0cb1c63e288050d9ed74da43765cc1
SnakeKeylogger
+ 1'654 additional samples on MalwareBazaar
Result
Malware family:
snakekeylogger
Create hunting rule
Score:
  10/10
Tags:
family:snakekeylogger collection keylogger spyware stealer
Link:
https://tria.ge/reports/220309-rgn6fsbhbp/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Enumerates physical storage devices
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Looks up external IP address via web service
Checks computer location settings
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Snake Keylogger
Snake Keylogger Payload
Unpacked files
SH256 hash:
63af7e4248b28ec436378c176bfbd9308552fe2d27ec65946fb0746dfc22f9ad
MD5 hash:
ee60c28ee38137311ac7ba89aa0fee08
SHA1 hash:
a31082b8198b165e37d2f487dc0d1e101821c3bf
Link:
https://www.unpac.me/results/70f7a60f-ec5e-48cf-a692-6c64bd2952d7/
SH256 hash:
175285bfa8a73b3990f54994b8825c1f3396635bc344939cd8d9fc60b9569b46
MD5 hash:
f26eb90c6addfc99fa0c2e63896216d2
SHA1 hash:
77e01b96d8c211d4d24fc0a1aae91122caf5f668
Link:
https://www.unpac.me/results/70f7a60f-ec5e-48cf-a692-6c64bd2952d7/
SH256 hash:
1c89d6654d80551018f029e864f79994816f99bfb8b3b1ce25b8435c9a29519f
MD5 hash:
7c78e4338e1f4c3cd820214e0bde9c27
SHA1 hash:
61e211e812156a3412f7a421663b176bc6f179f0
Link:
https://www.unpac.me/results/70f7a60f-ec5e-48cf-a692-6c64bd2952d7/
SH256 hash:
8866934684e3e4003849e26767d4912f5ea9595e458f3ae2ad6be15f6dc969ca
MD5 hash:
7f1fb1e503259a81d1395fc87b810d1f
SHA1 hash:
4e1f391a1d92b2c43567650b4ff32769feab61fe
Link:
https://www.unpac.me/results/70f7a60f-ec5e-48cf-a692-6c64bd2952d7/
SH256 hash:
9be4149e49efbdd6b5ef16744ad28072211b543f59d0fd322cf4c5a0281b43ff
MD5 hash:
811b57a6db5aeb86fa561ab510a21e0d
SHA1 hash:
bcc953122a90f5bfd2f87cb3b2ae41b4a2546fe2
Link:
https://www.unpac.me/results/70f7a60f-ec5e-48cf-a692-6c64bd2952d7/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/9be4149e49efbdd6b5ef16744ad28072211b543f59d0fd322cf4c5a0281b43ff

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_SUSPICIOUS_Binary_References_Browsers
Create hunting rule
Author:ditekSHen
Description:Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers.
Rule name:INDICATOR_SUSPICIOUS_EXE_DotNetProcHook
Create hunting rule
Author:ditekSHen
Description:Detects executables with potential process hoocking
Rule name:INDICATOR_SUSPICIOUS_EXE_References_Messaging_Clients
Create hunting rule
Author:ditekSHen
Description:Detects executables referencing many email and collaboration clients. Observed in information stealers
Rule name:INDICATOR_SUSPICIOUS_EXE_RegKeyComb_DisableWinDefender
Create hunting rule
Author:ditekSHen
Description:Detects executables embedding registry key / value combination indicative of disabling Windows Defedner features
Rule name:INDICATOR_SUSPICIOUS_EXE_TelegramChatBot
Create hunting rule
Author:ditekSHen
Description:Detects executables using Telegram Chat Bot
Rule name:MALWARE_Win_SnakeKeylogger
Create hunting rule
Author:ditekSHen
Description:Detects Snake Keylogger
Rule name:MAL_Envrial_Jan18_1
Create hunting rule
Author:Florian Roth
Description:Detects Encrial credential stealer malware
Reference:https://twitter.com/malwrhunterteam/status/953313514629853184
Rule name:MAL_Envrial_Jan18_1_RID2D8C
Create hunting rule
Author:Florian Roth
Description:Detects Encrial credential stealer malware
Reference:https://twitter.com/malwrhunterteam/status/953313514629853184
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash
Rule name:Telegram_Exfiltration_Via_Api
Create hunting rule
Author:lsepaolo

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/248657/

Comments