MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 9c66ee8408f346d107b9de203506f8006ee635f3cac6efeb4f14b8446b2916de. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


SnakeKeylogger


Vendor detections: 13


Intelligence 13 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 9c66ee8408f346d107b9de203506f8006ee635f3cac6efeb4f14b8446b2916de
SHA3-384 hash: a81d340f4c5b96c473f95328bb043662a3c70c68bec0b5ed30870719d584bdc5a9efb9e0d0a0339dc319afd3652160e3
SHA1 hash: 61b5f8b9cb744c5abd44f9d4a0d144786de568d7
MD5 hash: 521626db00ce9434f6e65ba4b9e218bc
humanhash: yankee-minnesota-fish-crazy
File name:Shipping Documents.pdf.exe
Download: download sample
Signature SnakeKeylogger
Create hunting rule
File size:556'032 bytes
First seen:2023-05-16 10:47:27 UTC
Last seen:2023-05-17 13:55:03 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'650 x AgentTesla, 19'462 x Formbook, 12'203 x SnakeKeylogger)
ssdeep 12288:IYRv5y3/99S9nXhVpKRIUDO+tLJAH/ji0cKtJlksgDF:To3V99RIUDHtAf178
Threatray 1'276 similar samples on MalwareBazaar
TLSH T10CC4D070609E4794E01FCBB175B8FD72033270E399E9D9740B25A5C4CE2BF146E89A6B
TrID 71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.2% (.EXE) Win64 Executable (generic) (10523/12/4)
6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.3% (.EXE) Win32 Executable (generic) (4505/5/1)
2.0% (.ICL) Windows Icons Library (generic) (2059/9)
Reporter abuse_ch
Tags:exe SnakeKeylogger

Intelligence

File Origin
# of uploads :
4
# of downloads :
258
Origin country :
NL NL
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
Shipping Documents.pdf.exe
Verdict:
Malicious activity
Analysis date:
2023-05-16 10:48:26 UTC
Tags:
snake keylogger trojan evasion
Link:
https://app.any.run/tasks/c39e6991-fa12-4f35-b93e-2d90662bbcb7

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Snake
Create hunting rule
Link:
https://www.capesandbox.com/analysis/390397/
Detection(s):
SecuriteInfo.com.Win32.PWSX-gen.12633.29289.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Launching a process
Creating a window
Sending a custom TCP request
Creating a process with a hidden window
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
barys comodo lokibot packed
Link:
https://www.filescan.io/uploads/64635f66f8664fd7d8d9c7e4/reports/f08cb09e-d3c4-4a46-b1eb-c661947cec25/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_100%
Link:
https://www.hybrid-analysis.com/sample/9c66ee8408f346d107b9de203506f8006ee635f3cac6efeb4f14b8446b2916de
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Snake Keylogger
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/f9ffd772-c5a2-4a9b-aad6-4418ef4c4ca9
Result
Threat name:
Snake Keylogger
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1234647
Signature
.NET source code contains potential unpacker
Adds a directory exclusion to Windows Defender
Found malware configuration
Initial sample is a PE file and has a suspicious name
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
May check the online IP address of the machine
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Capture Wi-Fi password
Sigma detected: Scheduled temp file as task from temp location
Snort IDS alert for network traffic
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal WLAN passwords
Tries to steal Mail credentials (via file / registry access)
Uses an obfuscated file name to hide its real file extension (double extension)
Uses netsh to modify the Windows network and firewall settings
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected Generic Downloader
Yara detected Snake Keylogger
Yara detected Telegram RAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 867632 Sample: Shipping_Documents.pdf.exe Startdate: 16/05/2023 Architecture: WINDOWS Score: 100 62 Snort IDS alert for network traffic 2->62 64 Found malware configuration 2->64 66 Malicious sample detected (through community Yara rule) 2->66 68 10 other signatures 2->68 8 Shipping_Documents.pdf.exe 7 2->8         started        12 myzdOIR.exe 5 2->12         started        process3 file4 44 C:\Users\user\AppData\Roaming\myzdOIR.exe, PE32 8->44 dropped 46 C:\Users\user\...\myzdOIR.exe:Zone.Identifier, ASCII 8->46 dropped 48 C:\Users\user\AppData\Local\...\tmp6933.tmp, XML 8->48 dropped 50 C:\Users\...\Shipping_Documents.pdf.exe.log, ASCII 8->50 dropped 70 May check the online IP address of the machine 8->70 72 Uses schtasks.exe or at.exe to add and modify task schedules 8->72 74 Uses netsh to modify the Windows network and firewall settings 8->74 76 Adds a directory exclusion to Windows Defender 8->76 14 Shipping_Documents.pdf.exe 15 2 8->14         started        18 powershell.exe 18 8->18         started        20 powershell.exe 21 8->20         started        26 2 other processes 8->26 78 Multi AV Scanner detection for dropped file 12->78 80 Machine Learning detection for dropped file 12->80 82 Tries to harvest and steal WLAN passwords 12->82 22 myzdOIR.exe 12->22         started        24 schtasks.exe 12->24         started        signatures5 process6 dnsIp7 52 checkip.dyndns.com 193.122.6.168, 49695, 80 ORACLE-BMC-31898US United States 14->52 54 checkip.dyndns.org 14->54 28 netsh.exe 14->28         started        30 conhost.exe 18->30         started        32 conhost.exe 20->32         started        56 132.226.247.73, 49697, 80 UTMEMUS United States 22->56 58 checkip.dyndns.org 22->58 60 192.168.2.1 unknown unknown 22->60 84 Tries to steal Mail credentials (via file / registry access) 22->84 86 Tries to harvest and steal browser information (history, passwords, etc) 22->86 88 Tries to harvest and steal WLAN passwords 22->88 34 netsh.exe 22->34         started        36 conhost.exe 24->36         started        38 conhost.exe 26->38         started        signatures8 process9 process10 40 conhost.exe 28->40         started        42 conhost.exe 34->42         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/9c66ee8408f346d107b9de203506f8006ee635f3cac6efeb4f14b8446b2916de/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2023-05-16 10:48:08 UTC
File Type:
PE (.Net Exe)
Extracted files:
6
AV detection:
20 of 24 (83.33%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=trto5bai6ndncb5z3yqdkbxyabxomnptzldo722pcs4ei2zjc3pa._file
Verdict:
malicious
Similar samples:
005eb1d8df310f308e9ac99c488ea415174fd9aff3fc875117b056e535d08271
SnakeKeylogger
0555b2be69a7f5ef1a4b3948af343d22ddf3d5e1b21be20f8f9b9151c04d2a6c
SnakeKeylogger
3483bcc8e4d439c0883bd94044e95f23c4b674c0472af8e695594e00bbbf9dbf
SnakeKeylogger
4ea83aefa492b4ba2b49e13e34023674ed8b50373a9f521dc887178f60b60965
SnakeKeylogger
79105d7e93f40e7645cca097df1fe2ec3377f2ce05fb94faac893cfeafeb3e0d
SnakeKeylogger
9cedcc423c89f58cdef6386a96d9d57237cc0ce9b84622651691ec7e40d1e128
SnakeKeylogger
cd94bb8956e12aa67943b6bb657f17d2680b848b36f8726283a2037d1d588461
SnakeKeylogger
ed4b9afcb717295f5fb71bcc6f408dbbed12c6858ee2f20a1f7bd2ab72074fc6
SnakeKeylogger
fab58afbd986a4fb766f06edadc553c09b6422d1a54100f8ef1aa589f28f32f6
SnakeKeylogger
fb8564efb19ac7b2777934eeff430c908f3a3e4989ccffcfe0b82453ac222c8f
SnakeKeylogger
+ 1'266 additional samples on MalwareBazaar
Result
Malware family:
snakekeylogger
Create hunting rule
Score:
  10/10
Tags:
family:snakekeylogger collection keylogger spyware stealer
Link:
https://tria.ge/reports/230516-mv4e3shd4t/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Enumerates physical storage devices
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Looks up external IP address via web service
Checks computer location settings
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Snake Keylogger
Snake Keylogger payload
Malware Config
C2 Extraction:
https://api.telegram.org/bot6029559841:AAEqr8_NCfqapJgAzw8PoPbqoCosnsk1VO0/sendMessage?chat_id=6033043077
Unpacked files
SH256 hash:
d20c75bc8a23a5840902869959361d6f3d10897d8a4b323284941f3193603440
MD5 hash:
3a64bab793c662109428126f5c395e15
SHA1 hash:
a48514e0ca90c8e7885c1f85bcb1d6011de1d6dd
Detections:
snake_keylogger
Create hunting rule
Link:
https://www.unpac.me/results/117a71ac-935b-4d69-aa82-657df5ea95c7/
Parent samples :
132357a4b7dbf315242f39ee40ad9645a4414f16470720a675abfc39cb8e5b55
9c66ee8408f346d107b9de203506f8006ee635f3cac6efeb4f14b8446b2916de
SH256 hash:
16c255190eaaf1b60ec7d07abcac5f614ea197cee2416ca9d01bb563c526c87d
MD5 hash:
fb4ed205b442f470bbf10913128efdcb
SHA1 hash:
9a0a4c5ae429769e3253a9a3daefa24270b87a5b
Link:
https://www.unpac.me/results/117a71ac-935b-4d69-aa82-657df5ea95c7/
Parent samples :
ee57b6fa1e5a3c5ef776b79f32820327bcb3fe1974eeddf65c0eb56131193397
de8c7c543f438af1e7e78096f6873268e9b1a12745edf9c88db07e136163399e
SH256 hash:
a7485443b331c2fca54197f53638cb11a8c82bac339b66f35b95d0ad0aceb438
MD5 hash:
dfca41d2838170cb07ef445bb7d9c987
SHA1 hash:
7622672bed23f065cafdf2a17879ebf5926aba8b
Link:
https://www.unpac.me/results/117a71ac-935b-4d69-aa82-657df5ea95c7/
SH256 hash:
41b86206746912ff3d2e688f2a30ffa8ab4a7d10c2ec002852c9683b3257b28e
MD5 hash:
fef6e20ba3f83f15b13090684d2d532b
SHA1 hash:
3f5d8a9b794df1251e43f2bdfbfbd32cfc35e872
Link:
https://www.unpac.me/results/117a71ac-935b-4d69-aa82-657df5ea95c7/
SH256 hash:
d48e6e59191153e1791e55bbaa536d21ae0e8ef27cd721f6cc89b480b29a60ec
MD5 hash:
23c0bcdc1905755f8222f52d8cb6565a
SHA1 hash:
151b33d4a4ca53077851bc20593118beab4bb5ed
Link:
https://www.unpac.me/results/117a71ac-935b-4d69-aa82-657df5ea95c7/
SH256 hash:
9c66ee8408f346d107b9de203506f8006ee635f3cac6efeb4f14b8446b2916de
MD5 hash:
521626db00ce9434f6e65ba4b9e218bc
SHA1 hash:
61b5f8b9cb744c5abd44f9d4a0d144786de568d7
Link:
https://www.unpac.me/results/117a71ac-935b-4d69-aa82-657df5ea95c7/
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

SnakeKeylogger

Executable exe 9c66ee8408f346d107b9de203506f8006ee635f3cac6efeb4f14b8446b2916de

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/390397/

Comments