MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 ac601a34b6e00a6409580aa29283f241b44a33785757354c846b3df4a3bf676f. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


SnakeKeylogger


Vendor detections: 10


Intelligence 10 IOCs YARA 6 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: ac601a34b6e00a6409580aa29283f241b44a33785757354c846b3df4a3bf676f
SHA3-384 hash: 24da78abb2d5c81cd91d319e88417256561bd41a2e97e2ee32c39092649fa90601967b7f4cbdc96fecd1fec2dcbf96dd
SHA1 hash: 527e4fcdb32a1f67641f3b4a1dfb71253ff0f3c7
MD5 hash: 736aa6026a89fedde2c507de5789c81e
humanhash: ten-hawaii-social-delta
File name:736aa6026a89fedde2c507de5789c81e.exe
Download: download sample
Signature SnakeKeylogger
Create hunting rule
File size:507'392 bytes
First seen:2021-11-15 07:24:01 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 6144:KmQgN/gK3ht01o/h4orxsMha+gxREvsnZVj3k95BC4Nz4+EmP5:cy/gED7h40xsMha+gsIZVUTpz43w5
Threatray 3'758 similar samples on MalwareBazaar
TLSH T188B4722CFA051672FE8DB0304C110AA4BBE60F7F2A50A99353CB25CAA75FCF59D05D99
File icon (PE):PE icon
dhash icon 40e0aa8af0ecd6ca (7 x SnakeKeylogger, 2 x Formbook, 1 x AgentTesla)
Reporter abuse_ch
Tags:exe SnakeKeylogger

Intelligence

File Origin
# of uploads :
1
# of downloads :
100
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/205776/
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a UDP request
Unauthorized injection to a recently created process
Running batch commands
Launching a process
Creating a file in the %AppData% subdirectories
Creating a process from a recently created file
Enabling autorun by creating a file
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
anti-vm obfuscated packed
Link:
https://www.filescan.io/uploads/61920b183edf00a722d4f2a4/reports/2d01d403-9859-42ec-9090-aab52a76242c/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/ca5d6cea-33dd-46e2-b258-c30bbb33c69d
Result
Threat name:
AsyncRAT Snake Keylogger
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/889372
Signature
Antivirus detection for dropped file
Binary or sample is protected by dotNetProtector
C2 URLs / IPs found in malware configuration
Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)
Found malware configuration
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
May check the online IP address of the machine
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Tries to delay execution (extensive OutputDebugStringW loop)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Mail credentials (via file / registry access)
Uses dynamic DNS services
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected AsyncRAT
Yara detected MultiObfuscated
Yara detected Snake Keylogger
Yara detected Telegram RAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 521841 Sample: lmSfqJ6x2D.exe Startdate: 15/11/2021 Architecture: WINDOWS Score: 100 63 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->63 65 Found malware configuration 2->65 67 Malicious sample detected (through community Yara rule) 2->67 69 10 other signatures 2->69 7 office.exe 2 2->7         started        10 lmSfqJ6x2D.exe 3 2->10         started        process3 signatures4 73 Multi AV Scanner detection for dropped file 7->73 75 Machine Learning detection for dropped file 7->75 77 Tries to delay execution (extensive OutputDebugStringW loop) 7->77 79 Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent) 7->79 12 office.exe 1 5 7->12         started        16 cmd.exe 1 7->16         started        18 cmd.exe 1 7->18         started        81 Injects a PE file into a foreign processes 10->81 20 cmd.exe 3 10->20         started        22 cmd.exe 1 10->22         started        25 lmSfqJ6x2D.exe 10->25         started        process5 dnsIp6 61 192.168.2.1 unknown unknown 12->61 45 C:\Users\user\AppData\...\FB_8485.tmp.exe, PE32 12->45 dropped 47 C:\Users\user\AppData\...\FB_7BBA.tmp.exe, PE32 12->47 dropped 27 FB_8485.tmp.exe 15 2 12->27         started        31 FB_7BBA.tmp.exe 2 12->31         started        33 conhost.exe 16->33         started        35 schtasks.exe 1 16->35         started        37 conhost.exe 18->37         started        49 C:\Users\user\AppData\Roaming\...\office.exe, PE32 20->49 dropped 51 C:\Users\user\...\office.exe:Zone.Identifier, ASCII 20->51 dropped 39 conhost.exe 20->39         started        71 Uses schtasks.exe or at.exe to add and modify task schedules 22->71 41 conhost.exe 22->41         started        43 schtasks.exe 1 22->43         started        file7 signatures8 process9 dnsIp10 53 checkip.dyndns.com 216.146.43.70, 49773, 49774, 80 DYNDNSUS United States 27->53 55 freegeoip.app 172.67.188.154, 443, 49775 CLOUDFLARENETUS United States 27->55 57 checkip.dyndns.org 27->57 83 Antivirus detection for dropped file 27->83 85 Multi AV Scanner detection for dropped file 27->85 87 May check the online IP address of the machine 27->87 91 3 other signatures 27->91 59 bbccdd.duckdns.org 45.144.225.178, 1616, 49776 DEDIPATH-LLCUS Netherlands 31->59 89 Machine Learning detection for dropped file 31->89 signatures11
Detection:
asyncrat
Create hunting rule
Link:
https://mwdb.cert.pl/sample/ac601a34b6e00a6409580aa29283f241b44a33785757354c846b3df4a3bf676f/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2021-11-10 17:07:00 UTC
AV detection:
21 of 28 (75.00%)
Threat level:
  5/5
Verdict:
malicious
Label(s):
asyncrat
Create hunting rule
Similar samples:
0e826d9174ddb2554e1c7a78ee145a3348660256269716d15e9c5f1a4c8f01c7
SnakeKeylogger
36b652a48927acff9e7e99be2d2e558f81036a400c1abbeed39d23ea8d3eea8c
SnakeKeylogger
5f278f8bdee6e51c769320f10506c28a4e84a56ee3ff44f63eec9a189236b1cb
SnakeKeylogger
609924bb2e3350f494553b8a7e91916766dae319d2b17550c8d97b403fc00794
SnakeKeylogger
6fe626105e92733a8c3119e1636c72daa63ffa0fde2407c654c2f9ffe3f77ae7
SnakeKeylogger
86fe486e3f2591d8c631a2d25ccdc147a1e003eb5c39c11bf33b9e44d570102c
SnakeKeylogger
df623c9ac537de8028b61717582bf71ee72949fc825da23c1167889454980f4b
SnakeKeylogger
ef08187ddd77cfae0d16477699368efb73ef47f255690c731948358a2433c2c9
SnakeKeylogger
f4edeab344f7191212f56330be9228495f1d3bd6ee6fa80b1fbdc6533c3cc240
SnakeKeylogger
+ 3'748 additional samples on MalwareBazaar
Result
Malware family:
snakekeylogger
Create hunting rule
Score:
  10/10
Tags:
family:asyncrat family:snakekeylogger botnet:nov collection keylogger rat spyware stealer suricata
Link:
https://tria.ge/reports/211115-h8dz5aedfl/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Enumerates physical storage devices
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Looks up external IP address via web service
Loads dropped DLL
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Executes dropped EXE
Async RAT payload
AsyncRat
Snake Keylogger
suricata: ET MALWARE Observed Malicious SSL Cert (AsyncRAT Server)
Malware Config
C2 Extraction:
bbccdd.duckdns.org:1616
Unpacked files
SH256 hash:
2a1c139bc7469c2a16d5af17fa605346cb4320f2afb5e2afa1e19501505a9d6b
MD5 hash:
203b49c18ce2ba899f9beda2b1d29bf5
SHA1 hash:
9a5c3619d960c7dabf4d276887d15cd720416edc
Link:
https://www.unpac.me/results/d4edc967-d2d0-4f31-91e5-b147a2585c5c/
SH256 hash:
da8ec1c3214e4abefebf67e38e9543506cecd5a1b0cb807153193f263f6f968c
MD5 hash:
a849fee37ba42a1603c0f47856771ce4
SHA1 hash:
7dd7dbbf6c31f2a5fa897136dccf6459bda99af8
Detections:
win_asyncrat_w0
Create hunting rule
Link:
https://www.unpac.me/results/d4edc967-d2d0-4f31-91e5-b147a2585c5c/
SH256 hash:
6d9ac758d08de79391140b2c62175e544e82a3e656a4e97dcfc293abe3656cb8
MD5 hash:
2066dfe86018a4de5deb3b4275573ab7
SHA1 hash:
1038efdac1742ef67ca8a269e3b894576b3ee06a
Detections:
win_asyncrat_w0
Create hunting rule
Link:
https://www.unpac.me/results/d4edc967-d2d0-4f31-91e5-b147a2585c5c/
Parent samples :
86fe486e3f2591d8c631a2d25ccdc147a1e003eb5c39c11bf33b9e44d570102c
ac601a34b6e00a6409580aa29283f241b44a33785757354c846b3df4a3bf676f
SH256 hash:
ac601a34b6e00a6409580aa29283f241b44a33785757354c846b3df4a3bf676f
MD5 hash:
736aa6026a89fedde2c507de5789c81e
SHA1 hash:
527e4fcdb32a1f67641f3b4a1dfb71253ff0f3c7
Link:
https://www.unpac.me/results/d4edc967-d2d0-4f31-91e5-b147a2585c5c/
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_EXE_Packed_Dotfuscator
Create hunting rule
Author:ditekSHen
Description:Detects executables packed with Dotfuscator
Rule name:INDICATOR_EXE_Packed_dotNetProtector
Create hunting rule
Author:ditekSHen
Description:Detects executables packed with dotNetProtector
Rule name:INDICATOR_EXE_Packed_SmartAssembly
Create hunting rule
Author:ditekSHen
Description:Detects executables packed with SmartAssembly
Rule name:pe_imphash
Create hunting rule
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/205776/

Comments