MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 b1d5ae49da3d9ff696452c791d1a45e3a6ef7715762b338707c4e8deeccde26e. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


SnakeKeylogger


Vendor detections: 13


Intelligence 13 IOCs YARA 13 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: b1d5ae49da3d9ff696452c791d1a45e3a6ef7715762b338707c4e8deeccde26e
SHA3-384 hash: 11985622542385b65a6afde017827e6c36eea3ca901deb462810fa0e45a250c6c85bf3c20a0de298a2b282a247bc36a0
SHA1 hash: 417bfa1b0b3a7cf44bce22cb63c16cb59a12c3a5
MD5 hash: b22be8284fe041e335f2197ae7328a30
humanhash: august-coffee-seven-hamper
File name:keshcrypt.exe
Download: download sample
Signature SnakeKeylogger
Create hunting rule
File size:241'797 bytes
First seen:2022-12-20 09:30:37 UTC
Last seen:2022-12-20 11:32:26 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 97318da386948415d08cef4a9006d669 (71 x Formbook, 35 x SnakeKeylogger, 26 x AgentTesla)
ssdeep 6144:9kw9+3B+9kDto6bDG6K5aDBf9GP4XoLyG+y5:R+3B+9kDtnbzKQDBf9GPjX
Threatray 5'106 similar samples on MalwareBazaar
TLSH T1DE341224B7C0A0B7F2A2C67694A9666AF2F1DF24192471EB17133FBE67301C69807753
TrID 92.7% (.EXE) NSIS - Nullsoft Scriptable Install System (846567/2/133)
3.4% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
1.1% (.EXE) Win64 Executable (generic) (10523/12/4)
0.7% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
0.5% (.EXE) Win16 NE executable (generic) (5038/12/1)
File icon (PE):PE icon
dhash icon cc133317372b7673 (18 x SnakeKeylogger, 4 x PureCrypter, 2 x Formbook)
Reporter abuse_ch
Tags:exe SnakeKeylogger

Intelligence

File Origin
# of uploads :
2
# of downloads :
173
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
keshcrypt.exe
Verdict:
Malicious activity
Analysis date:
2022-12-20 09:32:25 UTC
Tags:
installer evasion trojan
Link:
https://app.any.run/tasks/6831223d-05f6-4bc5-83c2-7697e465ee9f

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/348272/
Detection(s):
SecuriteInfo.com.FileRepMalware.27309.872.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file in the %temp% directory
Creating a window
Creating a process from a recently created file
Creating a file in the %AppData% subdirectories
Searching for the window
Сreating synchronization primitives
DNS request
Sending an HTTP GET request
Sending a custom TCP request
Reading critical registry keys
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Unauthorized injection to a recently created process by context flags manipulation
Gathering data
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Snake Keylogger
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/33bf5749-083a-4d57-ad78-597d21356950
Result
Threat name:
Snake Keylogger
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1137792
Signature
.NET source code references suspicious native API functions
Found evasive API chain (may stop execution after reading information in the PEB, e.g. number of processors)
Machine Learning detection for dropped file
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
May check the online IP address of the machine
Snort IDS alert for network traffic
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Mail credentials (via file / registry access)
Yara detected Generic Downloader
Yara detected Snake Keylogger
Yara detected Telegram RAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 770521 Sample: keshcrypt.exe Startdate: 20/12/2022 Architecture: WINDOWS Score: 100 42 Snort IDS alert for network traffic 2->42 44 Malicious sample detected (through community Yara rule) 2->44 46 Yara detected Telegram RAT 2->46 48 3 other signatures 2->48 8 keshcrypt.exe 19 2->8         started        11 vqvdidegn.exe 1 2->11         started        process3 file4 34 C:\Users\user\AppData\Local\...\mezltbm.exe, PE32 8->34 dropped 14 mezltbm.exe 1 3 8->14         started        56 Machine Learning detection for dropped file 11->56 18 WerFault.exe 3 10 11->18         started        20 conhost.exe 11->20         started        signatures5 process6 file7 36 C:\Users\user\AppData\...\vqvdidegn.exe, PE32 14->36 dropped 58 May check the online IP address of the machine 14->58 60 Machine Learning detection for dropped file 14->60 62 Found evasive API chain (may stop execution after reading information in the PEB, e.g. number of processors) 14->62 64 Maps a DLL or memory area into another process 14->64 22 mezltbm.exe 15 2 14->22         started        26 vqvdidegn.exe 1 14->26         started        28 conhost.exe 14->28         started        signatures8 process9 dnsIp10 38 checkip.dyndns.com 193.122.130.0, 49697, 80 ORACLE-BMC-31898US United States 22->38 40 checkip.dyndns.org 22->40 50 Tries to steal Mail credentials (via file / registry access) 22->50 52 Tries to harvest and steal ftp login credentials 22->52 54 Tries to harvest and steal browser information (history, passwords, etc) 22->54 30 WerFault.exe 10 26->30         started        32 conhost.exe 26->32         started        signatures11 process12
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/b1d5ae49da3d9ff696452c791d1a45e3a6ef7715762b338707c4e8deeccde26e/
Threat name:
Win32.Trojan.FormBook
Create hunting rule
Status:
Malicious
First seen:
2022-12-20 09:31:08 UTC
File Type:
PE (Exe)
Extracted files:
4
AV detection:
21 of 26 (80.77%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=whk24so2hwp7nfsffr4r2gsf4oto65yvoyvthbyhytun53gn4jxa._file
Verdict:
malicious
Similar samples:
0ab9a4a743b66d515dc9b83579a2a1a00252bc5acf727c46279fc0f09e2b2ca1
SnakeKeylogger
0dd996545ef3178719d3a8253b674b1fedfcf0ea1d9bb6af1409f6a47000dc1d
SnakeKeylogger
1379c26b10a6075c5d53de485d01d2c44be72e9a3d3dc08c28cfb0383af77729
SnakeKeylogger
1a2bcdeb48f63761b003373d932fc7eea4702ed9b856a69ae44d54a625424081
SnakeKeylogger
3bd6eaf7910876056f5f594c6b15fd7a8b75c6eef0c0a76690ed49e72ea97366
SnakeKeylogger
43b25aef4da392665de83158b04b5f705a913c9dd03bf777ea66540f8bd21600
SnakeKeylogger
9d4faa17adb02b020e7d9d7807a84ccb4e9285eb05f5cbae9ba7ee1e07d7b52a
SnakeKeylogger
b4d384c4beb28700a5ca488567c34bcec8331baf771f16549383bb06e057d4a3
SnakeKeylogger
f0464f5e9669b4112215874eb7df62b915fe83a00e5365da6d8ecf7be9981388
SnakeKeylogger
fb27645c5ba18a9e7e61876df54e4220c89cfdea419892dc08c32a9a7fe9b443
SnakeKeylogger
+ 5'096 additional samples on MalwareBazaar
Result
Malware family:
snakekeylogger
Create hunting rule
Score:
  10/10
Tags:
family:snakekeylogger collection keylogger persistence spyware stealer
Link:
https://tria.ge/reports/221220-lg25escc51/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Enumerates physical storage devices
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Adds Run key to start application
Looks up external IP address via web service
Loads dropped DLL
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Executes dropped EXE
Snake Keylogger
Snake Keylogger payload
Malware Config
C2 Extraction:
https://api.telegram.org/bot5122580304:AAHkCWB9EFavZMQfS6pgdGmtEGk1zc21s0Q/sendMessage?chat_id=5138702702
Unpacked files
SH256 hash:
1a07717d1acff577840c72a9e81de993e0058a8d454f4816f67273c7cd26d11b
MD5 hash:
eeb8723244bf4323cf7199fb3fcb9f9e
SHA1 hash:
475665131d7c513a6f62b5986a2ab318e8761a1d
Detections:
snake_keylogger
Create hunting rule
Link:
https://www.unpac.me/results/173c7829-5a1a-4502-b9a2-6d35bc0a09c4/
Parent samples :
b4d384c4beb28700a5ca488567c34bcec8331baf771f16549383bb06e057d4a3
b1d5ae49da3d9ff696452c791d1a45e3a6ef7715762b338707c4e8deeccde26e
70a8964eccab1bdf1d93086e8ef308aa0f9504c34c2a0321ba6eb1babc89b55f
77eba5c8f9099d4c9f2cbd300fb6d24e43c05e951860a88f17c4ffc97736453b
581c551c6629325cd764cdb54c101d3cca9150e1d22d16149d721b8e4da20e44
e6609ae5fb8180b336d2349a97518ff15ac1b7a60a022d5befd0a366040d2de4
b8a1bfdd85f3adf519fd1ba1ffbb60a4215bd3d930dfddac1caef7066fd33cef
bde58e12d41cd833eb907de3955528c3ba4ea45f7e825b6ca038f74eaf594d26
3b9b37912769526d5ca753f309018434f6d56410b88695472cdf6e948b9645f6
fbadbfd07054097238ecc6ed27a1e69e4907cbf038b4cc2ef52bd2f07085d0a9
92d153f7f41fa901887ec1494773140e4ef9b41378f2ec05deeb0ad8ec3f5d16
14105392349904938a9d2e42e5eaf8a401d2b832c89f14fb79440a7126525d57
c7d2461a20a6687bef74bfc784219676af232262762a102ae4f11765d2324210
535d74b24a5ffb30a283e855cbfdfb3509e9c94c4f97baa2f62197b221cce54f
1828a6afda383a1f6f48f9bab91e7f0d648fcef99f959b406618847c168e5325
efe80cf748bd25110797151a16a29b956213cc00a85716dae6e6008d648725dc
125ab5d56c8bc8e55483764a4fb9ad34ea9a74543e7b3a245c308703e5ee1d40
8556b28eb846e9ee99a00d6be977a7c76ff496a390e9a6f22150a6e1fb7c0d84
SH256 hash:
8d0f6ffd001514fd99b83332b1f0dda1d1c50df9736fe3131854d75bac1b4843
MD5 hash:
24983a8e5c2f2b4dca335d08063a1296
SHA1 hash:
2e46f380c8aa69777bf49d529e8bf3578b44a535
Detections:
snake_keylogger
Create hunting rule
Link:
https://www.unpac.me/results/173c7829-5a1a-4502-b9a2-6d35bc0a09c4/
SH256 hash:
ae3224df971624761c0fb8110af5a86d01be81cca2a3cd9c2a33276c4f9a26f5
MD5 hash:
cb0b59d1c14e1eef948714085718079e
SHA1 hash:
f25bad49cdbf349a715249cddb0212224768c225
Link:
https://www.unpac.me/results/173c7829-5a1a-4502-b9a2-6d35bc0a09c4/
SH256 hash:
b1d5ae49da3d9ff696452c791d1a45e3a6ef7715762b338707c4e8deeccde26e
MD5 hash:
b22be8284fe041e335f2197ae7328a30
SHA1 hash:
417bfa1b0b3a7cf44bce22cb63c16cb59a12c3a5
Link:
https://www.unpac.me/results/173c7829-5a1a-4502-b9a2-6d35bc0a09c4/
Malware family:
SnakeKeylogger
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/b1d5ae49da3d/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.68
Link:
https://yomi.yoroi.company/submissions/b1d5ae49da3d9ff696452c791d1a45e3a6ef7715762b338707c4e8deeccde26e

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:AsyncRat_Detection_Dec_2022
Create hunting rule
Author:Potatech
Description:AsyncRat
Rule name:cobalt_strike_tmp01925d3f
Create hunting rule
Author:The DFIR Report
Description:files - file ~tmp01925d3f.exe
Reference:https://thedfirreport.com
Rule name:INDICATOR_SUSPICIOUS_Binary_References_Browsers
Create hunting rule
Author:ditekSHen
Description:Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers.
Rule name:INDICATOR_SUSPICIOUS_EXE_DotNetProcHook
Create hunting rule
Author:ditekSHen
Description:Detects executables with potential process hoocking
Rule name:INDICATOR_SUSPICIOUS_EXE_References_Messaging_Clients
Create hunting rule
Author:ditekSHen
Description:Detects executables referencing many email and collaboration clients. Observed in information stealers
Rule name:INDICATOR_SUSPICIOUS_EXE_TelegramChatBot
Create hunting rule
Author:ditekSHen
Description:Detects executables using Telegram Chat Bot
Rule name:MALWARE_Win_SnakeKeylogger
Create hunting rule
Author:ditekSHen
Description:Detects Snake Keylogger
Rule name:MAL_Envrial_Jan18_1
Create hunting rule
Author:Florian Roth
Description:Detects Encrial credential stealer malware
Reference:https://twitter.com/malwrhunterteam/status/953313514629853184
Rule name:MAL_Envrial_Jan18_1_RID2D8C
Create hunting rule
Author:Florian Roth
Description:Detects Encrial credential stealer malware
Reference:https://twitter.com/malwrhunterteam/status/953313514629853184
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash
Rule name:Telegram_APIs
Create hunting rule
Rule name:Windows_Trojan_SnakeKeylogger_af3faa65
Create hunting rule
Author:Elastic Security

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/348272/

Comments