MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 b6ccf763bb38649f95ffb2bc6311ecf8d6cca7b6488d76a545b3c584192918ea. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


SnakeKeylogger


Vendor detections: 14


Intelligence 14 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: b6ccf763bb38649f95ffb2bc6311ecf8d6cca7b6488d76a545b3c584192918ea
SHA3-384 hash: 38097f10363fa4c4c874edeb512c3bb485cf5e7d37e18b439854a45e21ba9125d02127b077431365804efb3552f35d08
SHA1 hash: 6369618c52a51f7ad14c14acf95e81ba2f33bbc6
MD5 hash: 3dd6925ace1a6d42b4834cd829f4d9a5
humanhash: music-alanine-butter-lake
File name:NEW SHIPMENTS HO CHI MINH-IZMIT-2X40'NOR SPDSI2300303.exe
Download: download sample
Signature SnakeKeylogger
Create hunting rule
File size:1'064'960 bytes
First seen:2023-02-27 16:15:02 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 24576:2wk1pdKvPbbrSlJTLonyJgGrbH+ymmVtBzZ:Bkz46oQrbXDXBzZ
Threatray 290 similar samples on MalwareBazaar
TLSH T16A356A8032F8D155EDCF323D091C568E7D79A207A162F22AAB7676C6A7077F772C8091
TrID 71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.2% (.EXE) Win64 Executable (generic) (10523/12/4)
6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.3% (.EXE) Win32 Executable (generic) (4505/5/1)
2.0% (.ICL) Windows Icons Library (generic) (2059/9)
Reporter abuse_ch
Tags:exe SnakeKeylogger

Intelligence

File Origin
# of uploads :
1
# of downloads :
184
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
NEW SHIPMENTS HO CHI MINH-IZMIT-2X40'NOR SPDSI2300303.exe
Verdict:
Malicious activity
Analysis date:
2023-02-27 16:18:22 UTC
Tags:
evasion trojan snake keylogger
Link:
https://app.any.run/tasks/9678061b-c570-427a-af62-e2e5d9913ce3

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection(s):
SecuriteInfo.com.MSIL.Kryptik.WZA.UNOFFICIAL
Create hunting rule

Sanesecurity.Malware.28872.BadIN4.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Creating a file in the %AppData% directory
Enabling the 'hidden' option for recently created files
Adding an access-denied ACE
Сreating synchronization primitives
Creating a process from a recently created file
Creating a process with a hidden window
Creating a file in the %temp% directory
Launching a process
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
packed
Link:
https://www.filescan.io/uploads/63fcd70a885563d6c8bc1c09/reports/187ef331-3c1d-41ca-bc63-de56ea2d1223/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_100%
Link:
https://www.hybrid-analysis.com/sample/b6ccf763bb38649f95ffb2bc6311ecf8d6cca7b6488d76a545b3c584192918ea
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Generic Malware
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/3b0e7329-126f-4e5b-b588-abc30a2371a5
Result
Threat name:
Snake Keylogger
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1183557
Signature
Adds a directory exclusion to Windows Defender
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
May check the online IP address of the machine
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Scheduled temp file as task from temp location
Snort IDS alert for network traffic
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Mail credentials (via file / registry access)
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected Generic Downloader
Yara detected Snake Keylogger
Yara detected Telegram RAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 816390 Sample: NEW SHIPMENTS HO CHI MINH-I... Startdate: 27/02/2023 Architecture: WINDOWS Score: 100 47 Snort IDS alert for network traffic 2->47 49 Malicious sample detected (through community Yara rule) 2->49 51 Sigma detected: Scheduled temp file as task from temp location 2->51 53 8 other signatures 2->53 7 StaspOFXjFwO.exe 5 2->7         started        10 NEW SHIPMENTS HO CHI MINH-IZMIT-2X40'NOR SPDSI2300303.exe 7 2->10         started        process3 file4 55 Multi AV Scanner detection for dropped file 7->55 57 May check the online IP address of the machine 7->57 59 Machine Learning detection for dropped file 7->59 13 StaspOFXjFwO.exe 14 2 7->13         started        17 schtasks.exe 1 7->17         started        31 C:\Users\user\AppData\...\StaspOFXjFwO.exe, PE32 10->31 dropped 33 C:\Users\...\StaspOFXjFwO.exe:Zone.Identifier, ASCII 10->33 dropped 35 C:\Users\user\AppData\Local\...\tmp1876.tmp, XML 10->35 dropped 37 NEW SHIPMENTS HO C...PDSI2300303.exe.log, ASCII 10->37 dropped 61 Adds a directory exclusion to Windows Defender 10->61 63 Injects a PE file into a foreign processes 10->63 19 NEW SHIPMENTS HO CHI MINH-IZMIT-2X40'NOR SPDSI2300303.exe 15 2 10->19         started        21 powershell.exe 21 10->21         started        23 schtasks.exe 1 10->23         started        signatures5 process6 dnsIp7 39 193.122.6.168, 49698, 80 ORACLE-BMC-31898US United States 13->39 41 checkip.dyndns.org 13->41 65 Tries to steal Mail credentials (via file / registry access) 13->65 67 Tries to harvest and steal ftp login credentials 13->67 69 Tries to harvest and steal browser information (history, passwords, etc) 13->69 25 conhost.exe 17->25         started        43 checkip.dyndns.com 132.226.247.73, 49697, 80 UTMEMUS United States 19->43 45 checkip.dyndns.org 19->45 27 conhost.exe 21->27         started        29 conhost.exe 23->29         started        signatures8 process9
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/b6ccf763bb38649f95ffb2bc6311ecf8d6cca7b6488d76a545b3c584192918ea/
Threat name:
ByteCode-MSIL.Spyware.SnakeLogger
Create hunting rule
Status:
Malicious
First seen:
2023-02-27 14:06:01 UTC
File Type:
PE (.Net Exe)
Extracted files:
13
AV detection:
20 of 25 (80.00%)
Threat level:
  2/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=w3gpoy53hbsj7fp7wk6ggepm7dlmzj5wjcgxnjkfwpcyigjjddva._file
Verdict:
malicious
Similar samples:
0e971d7a08790f5b5a54e074c3b343985ab403cd0665c2580d0e7d0c4e463163
SnakeKeylogger
27c76711661cf48d0dd9745cc6c389901f87c38bf7a899eed3e4134afbdb6686
SnakeKeylogger
49783e573a0077bd788eb30488faca31c9b6ed231ba0d418538b10651cf0e780
SnakeKeylogger
4e5713ceec170e84cae9279b5c89afd51938b5352e7f393e2bd5490cc9d5a470
SnakeKeylogger
6d4eead03f27551a1c48b4da0e274a7d889002e673b578a5782122fa11eb21dc
SnakeKeylogger
6e21c799f14d0104ee3fc1f6142aab3b1cd8b00260c3a8100386a0f44405b967
SnakeKeylogger
8d31760b4b183db7fbb1cce9c5dab77e264c27484eb49193c6ebd0cc1deeaccf
SnakeKeylogger
e35243e69e01391bd0e35adeb074f6e2dcfc28226d149543f4e1c891ca58bfa9
SnakeKeylogger
e7534a0a853b8f9adac6cdf14f130c09c955b913726507f28a18c1e6700820aa
SnakeKeylogger
fc8c6d3dafa922ac0493c26e96e337563b1beaa46e1725ed1799ac5a46ceabcd
SnakeKeylogger
+ 280 additional samples on MalwareBazaar
Result
Malware family:
snakekeylogger
Create hunting rule
Score:
  10/10
Tags:
family:snakekeylogger collection keylogger spyware stealer
Link:
https://tria.ge/reports/230227-tp8aeaed92/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Enumerates physical storage devices
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Looks up external IP address via web service
Checks computer location settings
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Snake Keylogger
Snake Keylogger payload
Malware Config
C2 Extraction:
https://api.telegram.org/bot6166695280:AAFYAmHtNxka4VVDE564YnB1MkmT68AnzXY/sendMessage?chat_id=5981442240
Unpacked files
SH256 hash:
6813830c55360f19c3e07af19636ba482d19ac867faae1c2dc735b07c89bd04c
MD5 hash:
2a1618c4896024738da7b7b883889b91
SHA1 hash:
f4068ebd7b3920146197a858865c68178fed4104
Link:
https://www.unpac.me/results/2cb39975-5634-4e42-8dd1-5e6a10e86d8b/
SH256 hash:
9b6f784ba7a2a79eaaf2663bffb7673efb314595d9eacc96f061d3a22990b718
MD5 hash:
f673a146bfbd1d0b3dc6cc23b75d9b8f
SHA1 hash:
8cd9f487d25aad32182150824dbef5d2c3566e75
Detections:
snake_keylogger
Create hunting rule
Link:
https://www.unpac.me/results/2cb39975-5634-4e42-8dd1-5e6a10e86d8b/
Parent samples :
4f523193ac9b23eee38414ec05142a0c0a75a8ff2511e74466b83dbd91f4f2e9
8e395be3af871eb7fdb84251645d3dde84ad4f292cba86558ee5a460492c9d5c
c901b86e7d9f3cd9b9c50533d67b0e95ab1bb154aa7d817b40af99b528d3dc58
c498eacc7854b7f3a2e47bda26774db27b72de28922232b4c789e0abf5d92835
03f5d841cf7d05300ddc081bfcc79ae321dd9e78cea0300234f54b475d847acd
092d252847b5c7d38f15bf70a993d2593bb200791fbea4e4f83586786ddc04ba
3015cb36bd43f649d4f6047cc5c9766d52cc8d7f9c6cdcefda0ca8059cba53ff
b3b88519f1491b7853455a033d91d12ed1b8186d15bd29203b8d0b24b89c0c52
fb77f5d41e15baf9dc0f4e2901c4a6fede55afd967e4b650d8603fe0123c7c3f
49783e573a0077bd788eb30488faca31c9b6ed231ba0d418538b10651cf0e780
b6ccf763bb38649f95ffb2bc6311ecf8d6cca7b6488d76a545b3c584192918ea
SH256 hash:
8617cea503c2a3961120a9c503d853bc21d38d1fca7143d6b1ef4f388bc5cec7
MD5 hash:
7f225c69df031bf0560aed3847a1221a
SHA1 hash:
4d5f3ccdb2c6015d2b2a73326c0f32b173af2819
Link:
https://www.unpac.me/results/2cb39975-5634-4e42-8dd1-5e6a10e86d8b/
SH256 hash:
fde82c6dd7b71027b6162bd13dfeac8c39de0682f51e136270a450467bf5e6d6
MD5 hash:
c3c3bfbe0bb2332ae28184950dc15484
SHA1 hash:
44c729ec14ad1d94d5f7594121fcf50b57726328
Link:
https://www.unpac.me/results/2cb39975-5634-4e42-8dd1-5e6a10e86d8b/
SH256 hash:
219a6c7ea5bb974cc9fdf265d13d843e6ba83f2a1ec07744d4b9ca3a6ca90f38
MD5 hash:
88dd74207f3882979e21e26bf33a0e9c
SHA1 hash:
02a2db1bcbdb700f16c730a45d6ca62f805af8d4
Link:
https://www.unpac.me/results/2cb39975-5634-4e42-8dd1-5e6a10e86d8b/
SH256 hash:
b6ccf763bb38649f95ffb2bc6311ecf8d6cca7b6488d76a545b3c584192918ea
MD5 hash:
3dd6925ace1a6d42b4834cd829f4d9a5
SHA1 hash:
6369618c52a51f7ad14c14acf95e81ba2f33bbc6
Link:
https://www.unpac.me/results/2cb39975-5634-4e42-8dd1-5e6a10e86d8b/
Malware family:
SnakeKeylogger
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/b6ccf763bb38/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/b6ccf763bb38649f95ffb2bc6311ecf8d6cca7b6488d76a545b3c584192918ea

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Comments