MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 b98df0093f704af1aca50d1aea978288d7a038823013706c7ce5a06072121e06. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

SnakeKeylogger

Vendor detections: 17

SHA256 hash: b98df0093f704af1aca50d1aea978288d7a038823013706c7ce5a06072121e06
SHA3-384 hash: 80572b51b2bfe262ad70f4dbb8cca1b72d751ea19228f58a6a94795f66b2cbff63c3da23adf0ce9c7d6795046e418a3a
SHA1 hash: fa0ded7146ba901c43d7879851fe7e8ec4f47605
MD5 hash: 7f055858f49c1b6e7209731dd3eef0d2
humanhash: echo-jersey-west-carolina
File name: b98df0093f704af1aca50d1aea978288d7a038823013706c7ce5a06072121e06
Signature: SnakeKeylogger
File size: 803'840 bytes
First seen: 2025-06-06 13:23:13 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: f34d5f2d4577ed6d9ceec516c1f5a744 (48'647 x AgentTesla, 19'451 x Formbook, 12'201 x SnakeKeylogger)
ssdeep: 12288:t2mFqer3Y7LTLOgf4jSLNpuj0aP0TYL12IhXiqHwcFxl3mib3Cdjbcw6ObUevByS:t2mbryL4jSL3utPpLjRP3rdmA0u8pFV
Threatray: 1'093 similar samples on MalwareBazaar
TLSH: T1C60502241798C905C4AA3F706971E2BC07B96EC9E902DB53AFF47CE77C263021D5A396
TrID: 71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
      10.2% (.EXE) Win64 Executable (generic) (10522/11/4)
      6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
      4.3% (.EXE) Win32 Executable (generic) (4504/4/1)
      2.0% (.ICL) Windows Icons Library (generic) (2059/9)
Magika: pebin
Reporter: adrian__luca
Tags: exe, SnakeKeylogger
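The imphash line above is worth a closer look before using it as a pivot: it is shared by tens of thousands of unrelated AgentTesla, Formbook and SnakeKeylogger samples, which is what you expect of a .NET executable, since its native import table holds a single CLR bootstrap import and nothing family-specific. The following script is an added example (not MalwareBazaar's or pefile's code) that reimplements the imphash algorithm over an import list and shows why every .NET EXE collides; the native import table is constructed for contrast and does not come from any real sample.

```python
"""Import hash (imphash) reimplemented as an added example; import lists are constructed."""
import hashlib
from typing import Iterable, List, Tuple, Union

Import = Tuple[str, Union[str, int]]   # (DLL name, function name or ordinal number)


def imphash(imports: Iterable[Import]) -> str:
    """Compute the imphash of an import table.

    Algorithm as popularised by Mandiant and implemented in pefile: for every
    imported symbol take the DLL name lower-cased with a .dll/.ocx/.sys
    extension stripped, append "." and the lower-cased function name (or
    "ordN" for an import by ordinal), join all entries with "," in
    import-table order, and MD5 the result. pefile additionally maps ordinals
    of a few well-known DLLs (ws2_32, oleaut32) back to names; that lookup
    table is omitted here.
    """
    parts: List[str] = []
    for dll, func in imports:
        dll = dll.lower()
        for ext in (".dll", ".ocx", ".sys"):
            if dll.endswith(ext):
                dll = dll[: -len(ext)]
                break
        name = f"ord{func}" if isinstance(func, int) else func.lower()
        parts.append(f"{dll}.{name}")
    return hashlib.md5(",".join(parts).encode("ascii")).hexdigest()


# A .NET EXE's native import table contains exactly one entry, the CLR entry
# stub, so every .NET EXE shares one imphash regardless of what the managed
# code does. That is why the hash above spans unrelated malware families.
DOTNET_EXE_IMPORTS: List[Import] = [("mscoree.dll", "_CorExeMain")]

# Constructed native import table (not taken from any real sample) for contrast.
NATIVE_IMPORTS: List[Import] = [
    ("KERNEL32.dll", "CreateFileW"),
    ("KERNEL32.dll", "WriteProcessMemory"),
    ("ADVAPI32.dll", "RegSetValueExW"),
    ("WS2_32.dll", 23),
]


def is_generic_dotnet_imphash(value: str) -> bool:
    """True when an imphash is the one every .NET EXE carries, i.e. useless for pivoting."""
    return value.lower() == imphash(DOTNET_EXE_IMPORTS)


if __name__ == "__main__":
    print("dotnet exe imphash:", imphash(DOTNET_EXE_IMPORTS))
    print("native imphash    :", imphash(NATIVE_IMPORTS))
    print("pivotable?        :", not is_generic_dotnet_imphash(imphash(DOTNET_EXE_IMPORTS)))
```

For .NET samples like this one, pivot on the TLSH, ssdeep or the unpacked-file hashes listed further down instead; the imphash only tells you "this is a .NET EXE".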

Intelligence


File Origin
Uploads: 1
Downloads: 395
Origin country: HU
Vendor Threat Intelligence

Malware family: n/a
ID: 1
File name: b98df0093f704af1aca50d1aea978288d7a038823013706c7ce5a06072121e06
Verdict: Malicious activity
Analysis date: 2025-06-06 14:00:23 UTC
Tags: snake keylogger evasion netreactor telegram stealer ims-api generic
Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Verdict: Malicious
Score: 99.1%
Tags: krypt agent msil

Result
Verdict: Malware
Maliciousness:
Behaviour
Searching for the window
Creating synchronization primitives
Searching for synchronization primitives
Creating a window
Creating a process with a hidden window
Creating a file in the %AppData% directory
Enabling the 'hidden' option for recently created files
Adding an access-denied ACE
Creating a file in the %temp% directory
Launching a process
Unauthorized injection to a recently created process
Restart of the analyzed sample
Creating a file
DNS request
Connection attempt
Sending an HTTP GET request
Sending a custom TCP request
Reading critical registry keys
Adding an exclusion to Microsoft Defender
Enabling autorun by creating a file
Forced shutdown of a browser
Result
Verdict: MALICIOUS
Details: Windows PE Executable. Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family: Snake Keylogger
Verdict: Malicious

Result
Threat name: PureLog Stealer, Snake Keylogger, VIP Keylogger
Detection: malicious
Classification: troj.spyw.evad
Score: 100 / 100
Signature
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains potential unpacker
Adds a directory exclusion to Windows Defender
Found malware configuration
Joe Sandbox ML detected suspicious sample
Loading BitLocker PowerShell Module
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sample uses string decryption to hide its real strings
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Sigma detected: Scheduled temp file as task from temp location
Suricata IDS alerts for network traffic
Tries to detect the country of the analysis system (by using the IP)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Uses schtasks.exe or at.exe to add and modify task schedules
Uses the Telegram API (likely for C&C communication)
Uses threadpools to delay analysis
Yara detected AntiVM3
Yara detected PureLog Stealer
Yara detected Snake Keylogger
Yara detected Telegram RAT
Yara detected VIP Keylogger
Behaviour
Behavior Graph (ID 1708242): sample YsOoHmJZii.exe, start date 06/06/2025, architecture WINDOWS, score 100
Signatures on the root node: Suricata IDS alerts for network traffic; Found malware configuration; Malicious sample detected (through community Yara rule); 12 other signatures
Contacted hosts: reallyfreegeoip.org; api.telegram.org; 2 other IPs or domains
Process tree:
  YsOoHmJZii.exe (started)
    Signatures: Uses schtasks.exe or at.exe to add and modify task schedules; Adds a directory exclusion to Windows Defender; Uses threadpools to delay analysis
    Dropped: C:\Users\user\AppData\...\nvuPIxwyBHr.exe (PE32); C:\Users\...\nvuPIxwyBHr.exe:Zone.Identifier (ASCII); C:\Users\user\AppData\Local\...\tmp67B4.tmp (XML); C:\Users\user\AppData\...\YsOoHmJZii.exe.log (ASCII)
    powershell.exe (started)
      Signature: Loading BitLocker PowerShell Module
      conhost.exe (started)
      WmiPrvSE.exe (started)
    YsOoHmJZii.exe (started, second instance)
      Network: checkip.dyndns.com 132.226.247.73 (ports 49721, 49723, 49725; UTMEMUS, United States); api.telegram.org 149.154.167.220 (ports 443, 49741, 49755; TELEGRAMRU, United Kingdom); reallyfreegeoip.org 104.21.32.1 (ports 443, 49722, 49724; CLOUDFLARENETUS, United States)
      Signatures: Tries to detect the country of the analysis system (by using the IP) [reallyfreegeoip.org]; Uses the Telegram API (likely for C&C communication) [api.telegram.org]
    powershell.exe (started)
      conhost.exe (started)
    schtasks.exe (started)
      conhost.exe (started)
  nvuPIxwyBHr.exe (started)
    Signature: Multi AV Scanner detection for dropped file
    nvuPIxwyBHr.exe (started, second instance)
      Signatures: Tries to steal Mail credentials (via file / registry access); Tries to harvest and steal browser information (history, passwords, etc)
    schtasks.exe (started)
      conhost.exe (started)
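Three of the sandbox observations above are directly detectable from endpoint telemetry: the Defender exclusion added through a base64-encoded PowerShell command (the "Powershell Base64 Encoded MpPreference Cmdlet" Sigma hit), the persistence task imported from a .tmp XML in the temp directory (the "Scheduled temp file as task from temp location" hit), and the public-IP lookup followed by Telegram API traffic from the same process. The script below is an added example, not vendor or Sigma code: it implements those three rules and runs them over constructed events shaped like Sysmon process-creation and DNS-query records. The event schema, PIDs, timestamps, task name and command lines are assumptions made for the demonstration; the file name tmp67B4.tmp, the host names and the dropped-file name are the ones reported above. Unlike the upstream Sigma rule, which matches pre-computed base64 fragments of the cmdlet name, this version decodes the -EncodedCommand payload and inspects the script, which also catches encodings at other alignments.

```python
"""Detections for the behaviours reported above, run over constructed telemetry (added example)."""
import base64
import re
from typing import Dict, List, Optional, Tuple

# -EncodedCommand takes base64 of UTF-16LE text. powershell.exe also accepts any
# unambiguous prefix of the switch; only the common spellings are matched here.
ENC_FLAG_RE = re.compile(r"(?:^|\s)-e(?:c|nc(?:odedcommand)?)?\s+([A-Za-z0-9+/=]{16,})", re.I)
MP_PREF_RE = re.compile(r"\b(?:Add|Set)-MpPreference\b.*?-Exclusion(?:Path|Process|Extension)", re.I | re.S)
TASK_XML_RE = re.compile(r"/(?:create|change)\b.*?/xml\s+\"?([^\"\s]+)", re.I)
TEMP_TMP_RE = re.compile(r"\\AppData\\Local\\Temp\\[^\\]+\.tmp$", re.I)
GEOIP_HOSTS = {"checkip.dyndns.com", "reallyfreegeoip.org"}   # from the sandbox report above
EXFIL_HOSTS = {"api.telegram.org"}

Event = Dict[str, object]   # assumed schema: type, ts, pid, image/cmdline or query


def decode_encoded_command(cmdline: str) -> Optional[str]:
    """Return the decoded -EncodedCommand script, or None if absent or not valid base64/UTF-16LE."""
    m = ENC_FLAG_RE.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def rule_encoded_mppreference(e: Event) -> bool:
    """Defender exclusion added via an encoded PowerShell command line."""
    if e["type"] != "process" or not str(e["image"]).lower().endswith("powershell.exe"):
        return False
    decoded = decode_encoded_command(str(e["cmdline"]))
    return bool(decoded and MP_PREF_RE.search(decoded))


def rule_scheduled_task_from_temp(e: Event) -> bool:
    """schtasks importing a task definition from a .tmp file under %LOCALAPPDATA%\\Temp."""
    if e["type"] != "process" or not str(e["image"]).lower().endswith("schtasks.exe"):
        return False
    m = TASK_XML_RE.search(str(e["cmdline"]))
    return bool(m and TEMP_TMP_RE.search(m.group(1)))


def rule_geoip_then_telegram(events: List[Event], window_s: int = 300) -> List[int]:
    """PIDs that resolved a public-IP/geo service and the Telegram API within the window.
    Either host alone is common in benign software; the pair from one process is the signal."""
    first: Dict[int, Dict[str, Optional[int]]] = {}
    for e in events:
        if e["type"] != "dns":
            continue
        pid, host, ts = int(e["pid"]), str(e["query"]).lower(), int(e["ts"])
        seen = first.setdefault(pid, {"geo": None, "tg": None})
        if host in GEOIP_HOSTS and seen["geo"] is None:
            seen["geo"] = ts
        if host in EXFIL_HOSTS and seen["tg"] is None:
            seen["tg"] = ts
    return [pid for pid, s in first.items()
            if s["geo"] is not None and s["tg"] is not None and abs(s["tg"] - s["geo"]) <= window_s]


def run_detections(events: List[Event]) -> List[Tuple[str, int]]:
    """Evaluate all rules; returns (rule name, pid) pairs in event order, correlation rule last."""
    alerts: List[Tuple[str, int]] = []
    for e in events:
        if rule_encoded_mppreference(e):
            alerts.append(("powershell_encoded_mppreference", int(e["pid"])))
        if rule_scheduled_task_from_temp(e):
            alerts.append(("scheduled_task_from_temp", int(e["pid"])))
    alerts += [("geoip_then_telegram", pid) for pid in rule_geoip_then_telegram(events)]
    return alerts


def encode_ps(script: str) -> str:
    """Encode a script the way powershell.exe -EncodedCommand expects (base64 of UTF-16LE)."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
# Constructed telemetry: PIDs, timestamps, task name and command lines are invented.
SAMPLE_EVENTS: List[Event] = [
    {"type": "process", "ts": 100, "pid": 4120, "image": PS,
     "cmdline": "powershell.exe -NoProfile -enc "
                + encode_ps(r'Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming"')},
    {"type": "process", "ts": 101, "pid": 4188, "image": r"C:\Windows\System32\schtasks.exe",
     "cmdline": r'schtasks.exe /Create /TN "nvuPIxwyBHr" /XML "C:\Users\user\AppData\Local\Temp\tmp67B4.tmp"'},
    {"type": "process", "ts": 102, "pid": 4200, "image": PS,          # benign encoded command
     "cmdline": "powershell.exe -enc " + encode_ps("Get-Date")},
    {"type": "dns", "ts": 110, "pid": 4300, "query": "checkip.dyndns.com"},
    {"type": "dns", "ts": 112, "pid": 4300, "query": "reallyfreegeoip.org"},
    {"type": "dns", "ts": 140, "pid": 4300, "query": "api.telegram.org"},
    {"type": "dns", "ts": 150, "pid": 5000, "query": "api.telegram.org"},   # lone Telegram lookup
]

if __name__ == "__main__":
    for name, pid in run_detections(SAMPLE_EVENTS):
        print(f"{name}: pid {pid}")
```

The benign encoded command (PID 4200) and the lone Telegram lookup (PID 5000) are there on purpose: the first shows that encoded PowerShell by itself is not the alert condition, the second that Telegram traffic is only interesting once the same process has first asked an external service for its public IP, which is the reconnaissance step the sandbox flagged.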
Threat name: ByteCode-MSIL.Trojan.AgentTesla
Status: Malicious
First seen: 2025-05-20 14:23:55 UTC
File Type: PE (.Net Exe)
Extracted files: 5
AV detection: 20 of 24 (83.33%)
Threat level: 5/5

Result
Malware family: vipkeylogger
Score: 10/10
Tags: family:vipkeylogger collection discovery execution keylogger spyware stealer
Behaviour
Scheduled Task/Job: Scheduled Task
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Browser Information Discovery
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Looks up external IP address via web service
Checks computer location settings
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Command and Scripting Interpreter: PowerShell
VIPKeylogger
Vipkeylogger family
Unpacked files
SHA256 hash: d27669acdb5b3975bd9b3a4099d85ac0e0361b6d1389273759354cd5e5a8587e
MD5 hash: 20f25c09bab2633790332e25d0cd6b90
SHA1 hash: 458cfd7dc1fdc63b329f5f361a87acad3593da4f
Detections: SUSP_OBF_NET_Reactor_Indicators_Jan24
Parent samples:
5300d530719dedb6a72a1cdc2f7f1bcee476b089ecdf61efabdffa563cb7f677
dc7ce5b3cf200b892d1c189340459cedba99d3a7d37a4aeb9060330e30957ed8
be535ca266042b0e45a33715f5a1b7a3639cc18a445a6e6bd7cf967bc6cb588f
64e521b1aaa4bd2be8a49cb4e0072f41fc01511111bc8ebae05b47db97597282
f2cf2e30e5adbd28df56d9b640ac94dc8fcf6ff6cecc04502af5664e3afe82a0
bd9d4a2d5627b27b2e43afd37b07ce6c6b2d64a7017def2020c2c1434eae1a2a
a1b6fa9e588243668944849e127e349c783fc334dea9c2bdddcece2ff34dd7f7
5aca8a1675535db0ecee6e6c9253eae33a1729644097f882648e0eabdbb9d07a
5538bf66572560a066e4187d013e458a2af4323a7a5de87ff87968765e466ab4
2c0b6ae87cb80705150f9b3bf019a9033d5e841b8256397e8af4c162d0fae5a4
df898007e1517349ff3254eee2650fc870569478eaba486d3dff939e07fda9c7
9515b697030a6361fee15cb76079d448d0a754ce2552ab74fc690a73f5b602f9
c001d7f3f3ef024395493979bfa740429035bbb41b2586be826a0323c1ced030
e81120da828bfc636cb5cadb20a4e5418bfd3c66b8211a30510d686c8bb02bc5
7b62e2e0e51bc3923d80d98a074afdc84c8435c602f7d419c785d1907252312d
0fa26e0e12d79f68c5c3bccb9cb814fcbc6bb9ca50d05fe5cead8869db88887c
98eff3a2a7ca393f91baea68e96e2747cdfe01d3cdd8c3025f4d3467f0b3dacc
fe8482db209db0df28466076fae6bb2dec09aa8d4dea74e083d0aa2ff7d943fd
4ae05d2bba8d46d53a9c5bcce0471849b959c7fda03f461dcd33cb972683fbd6
95b82aa50dc25b6d67b4c4368411e8f82bdf1352b830e57e5899ab1cd427a1d2
c86d7196fef21b7e20ec36b6cad6d24629f975f3bf7b7bc1d0d9c6a269d23400
d29951ed6ca3422a3ae5e2290a755571354f8d17ba3512a3b64275386ab08c6d
ca58ead25fcf95690d903e455bf82ea743c5b899204f4c8b96b9837b62557e6f
a39ada8e971d67fb725632144587cfebcbd96da06f29ae39d69214f7a5d79234
a6c286bfeda980d98802ccdc481d8e0d22ef3d3a302cf6febbc206069a64f821
27cc7ce2c2328a5082ce11cc27fcc2240c48e013423269b12fca82d5797e4d1b
5ea0fc5f67e7259de6a90c985727e2758e5ab65536d23eac0561b328477f1c80
13cbede450e1c06e03ef174fd85e1007d4a8bc0b039fb37c99176a8aa73c229e
c6e7f1dfe1147b82aa1a3f872cbfa81183d777911edc6a4623255b7db6cf0d86
6cbb096deab1c0c40f9f1fdbe309833b82a00da407bd2bd515194c68a8b82127
90de8c395fd4b0a2c0cfcebff04f087535c025bb838fef8c3f20b734e2334f52
3e8619539b467a07851e0bb29967dfc08938a2a99f0617ba732c04a2468a2ded
3c831d32919d82c5b30e3bbe158dff4d2090803e5553248eabdedd95dd085736
e69d7fa2b55a9c5b632015c4cbc2551b1109e99f7773f4fe7def0aa8a91eca11
b3d2f41b5704729a419d9e83bfa59a94ed5169ab4f54d03145683a8d7dbd9d9a
3d0b896f48f03df06736eb64f46fea7e163fd750a01c232a0484e7ce302777f1
3961987dda53c630bbff8bca5d0ed8b6dae39c77a448aafda0a67c2db173e8c8
960e9c3e54dad1225bdbdf547efe031e0b45d5ecb7cff888a93001174161bfdc
cdb1354002555ada87956b8f0969543e171e7e5299002b2d2f55006c86dac026
d505aeb609922a84eee0643174d65e2bd43b1d11d70cca975f401f7900d5c267
63b75ca07d4c9bccc01f641a0521139b30fbda1ce268a8db0b98d03c751a0bab
8c4a4b649c366c2d0f1e0d8fdf1b656e0211f3f85e3514dc0fe1beb55badf5ec
1d1f82425838d2a940335c24e7c3e1abd269f413886818cf6448765b9a7b95c5
0aba07d01429aed2703c4045ef036dcad9b7f93ab2eb9f8f416f940934fa970b
0504c370ae5534a38818114100bc4c1a320931e320b2fd729e36ff58b875c546
a91cb8f0964b26c9063a3c3ced42a52ef548599b077d1f4a569f41877320c60b
5db250fb2ab758b4a3eaefe43070c2bf4be8ccd1fef3094b537ca602327220e7
6496f9016e966f55155171cc1518eb36ef88255adbb7f878dc2da2f87105c781
cbaf21eca02826ae4c3a6b7e4771a0d35b95e68faca9da32ba9dc0206e6ad174
8a93ef79c8277df11cb0ddcbd599d91628b51c4e1e2ae1b3a6577455d099f068
a6efa39536c28ce7c13801e1dd750d1e2a355a9fbf5b6f8ec234df50d8e93927
7183c81fac07b1c9a8ecc1690834e6a43e139a4cfd456713e62ed1804e1c19f9
c7ff164c5514d4163a06d218d458bdd52190a8d9d9f74a03f5d169570684a2d7
dc3c5b7993046434bbbe259da9c49a95022e7c3a32bd859485dc47217f57fe4f
280a6134113df4030679a57174accffb38dcbbe4263c149b1464fb3ef6eac0c8
051e5a94a6c94d57cf8231fbc78a1e33ae444bbeba7ffeccaaf1f0549a8e7e90
348d96514ff4a0006e2209eaa1e6e07cef0f28dfacec3aa4e69741a8b9637db6
617a4e7ecf0aa360735368ced0894f2c6676931888e3dc9b8a9400c3d1fe6cf4
b1f74a3da6549a5a2f17264da736756d47be4f4d815248815825cb5f997f9091
479eca3c180a3a97910bbea2cccd959fec8a3ec0419f4475e389dbc6b0dfbb91
68a1b863890521eff813bfb64d5b951e54a881b3d4474dea78cd72a24825f79f
63e9c56ece51abcf78da3653ed4b03355f36982fdca931043a4bcfca7caf145e
4c1ef22eb44128c908b57c9a8d5cd8755360a1ffab38372571d2db570852e3ea
5b5f9ff4df3c30e75660a3b1a87df600a738bf8ed4f6aba3b2f947bd029de864
f23224ea557cf148c03d5a2bea56890775022a159bc51792a8566bfabe65aa69
a87d275ebd05d10612525aa2cc02e4d54a2a77727e32e63ea5e3e10fe0c906f9
2a0c0c4c8709b5cc6f1043c4ad67c0dfcc96304c85f445e2c61a94fd14a1d688
bb2a41c1af77ec24270822faf43681073d9d9ddb6011265130c5c9af91d68356
eb157afe45c88449ca1a85887d33e8ee0c479a943abb96f89843a399bf1afc9e
ec018c564b8e7cdf15fe86dd50da2a8bd0ff20ca78948e89a31220eb8312f4a9
3bf577746fd479f9a7b91d7731999f2a3a2b8b8c6687f0df3d214dc1a871a5bd
3a323ce49e543bc089f489f3148b3d2c55b65bf210083830cb144cd15fed499c
b8a32448db879eb7ed511462a39d1e3116b02c3479a0ee04924a6cb9b8a167f1
7108d6a322392785eabb6327078ba9d4f9025a3a31c8f53e1253654d482a1655
a44fd93d26afd4ff2cf9d2bc47b5ec6eb123d69ec7824fb5e1ff097b6b5ec1cd
b2649a80ffb6315161f9b79bf651c31eb950d82ef77083aa3c03367c485851e4
c98d82d45df5d5a8ced124ef90869c7259a40f333d05f00fad4ce784569690bf
73f172c85028274de1decad7c80280cf39068e3437696b0750a0a0cb6894612e
16e98f38ce60581b593580dd757e715ae01e5127bfc357d10848542852ab8a5e
78e4582e6f6efb9def82e467566458cf71b8a150f7d6ee2ec5d5a6f4b828b8d9
9c4dc3b1c2f30fe23b0c7474d4f031baa894bab164bed065d72368d03aaebe80
cc198cc6d2e8efa770bba7b238fc2a25e425dedefb6387ba57674e9df10470b2
0c7ae10f72c07314a0f572acbc889401fd63af29f88dbdbcc30012ed4fc841aa
ba553640d08259f9cc3c8a3d118fb445ce452e6f50c0f36b91e51009eb2e8f8f
c6732e706f9a2046e8bc17f5874e62369124e3eaafb3985164dc62ef288ab0db
3e10b4ceecbc52eb03e9b82a300ac1015e319f29fe3bf055b1ac762c7ce9b9ce
bdb7b7cd3368224c457242baf24c2235e60d077f13741363c2307f1fbccfe5ff
b98df0093f704af1aca50d1aea978288d7a038823013706c7ce5a06072121e06
ffeb6132a9b624f6cc5ed5eb0c4819fb50658d966741d7774f2af530a400e699
e9dfb235c43655fc7f5ca74800a2c61218953b1f8e8d537cf4b435a9d1ac3d06
1909a38fd79f2a646233e19288ee195167336c4afc266c0c852476af1df931a9
9b80a8c7bd762d18e429725dc2520d7526b71d89593b49139ea7432170480648
e2f0b9dd0b78dd0a118d56c3606ba1643e1b4f63e7286bee0bb4f37f62266e40
c66005d3c7cd89f90c4280c7e99d6cacb96519fe21e3bdf72fd4c9223a27f8d5
768c64556f7e99ef482f6667d36082b5d88e42627d3961e2a1c6d50f6261954a
14c1b644e15f38f65b958fa200c9e40c1012b506022acb628613a6cc82c6bbac
d622c6e2e12e98681dd35ba906d735f0b60c178bfbcc806316bcad0efa7795fc
44e5228cfda6b52b192d2cdbce315ff517d43a087fb4bdde35b33ab197244bc6
9f727554346a304f9f045faa9349376067ba77a67cb072c10e7eeab246f24912
ecc0fb5ac93d82276ede030c7dfb846bfb345e631303224a238e782f1f37bbea
647ec8952063d8eec38013263de81895915cd407644c3ad0ac299d6e0f8b92de
2fead9e82b6b80508b3277e3d42a6a2c6a840fa4d307515ebda7364ef66185c6
6924b42d5d4d864ab365ec7b61078283e1fa5baa7f1ede0be94e2230eb060a77
a31db956d519b61be6c114ffd0bc069f72023e4eb332b783b13f2236107bef9c
4af6e14b66a0133a768976c94a605fc9fe21bc9f4f2928821e360ead69fdbb59
83ead02d86f49c956f10aa4f5c6f5d2d8aa5d46c12a82bbaf5d82c0390ba3044
53a9b2a14405c08c826397d20cf2946376fb576a8d251d9358676b925dd09825
ca14309813d292e3856252b6f4722ad9557f83c78b682ebf4781d31d38dee5f5
568f2488fb16b814b7b9a935a103e84df90f57f172a064f0dc34c25c73061f63
f654b98ea2e66b9f5ea9966f3da47442d3d4d71d3ed14a1a909f9cc4631b40dd
0ebfd6beeae72ae9f0a77968d90714146f353a32642c957a4b6774a57dadf287
7cc82c5d9605714ea18ef8dde14682831c53fbb8ae9c4ac09de2bd97d71f025e
0fb73562c769bfc935a2bfcc89f5c749f30212d6125b1ade665ff19bf5279bbd
8303a238f47b067289c1d0464e7d1c576288b0cc62dc43e7f563506804d4e5ba
1b90fa962c8b4ae6410c30cdd4af285caa2ed2381541572cf61a8cb20bfb36ce
0e9f2b852a6a060d1a741443659edeeed4a787f0b64f29a4cb6e5ea78d8d2a23
765d7485fb6cc4f939dd400802dfc6416f9e3ca1cf64ea9fcad08b97d2f206f8
46820e1a1693cd1fe29d27e442d488e6f7b6b9c422bfb4df76f18472488f1554
9313c29e84753f2904ac18f2e066b83ee91fca205aa6822ac90f89dd99b8805a
ac3262aee85b44738f7274ad207272a5da88060813a3c61284addf5f8ec7a767
6e73b55524c54eff5ebf588a7a964b1242047703d1a23ec6a83278470c5b3b74
701675ab87965d75ffac1446792e2504288377fee593bbf0aa3a3dd5d0aab031
c3287e8fd9e29c8818bbc9d162989d7d42095f7703c084162fa89a750218660b
a1fdcf3ccbf0d0f72ec62d632ed0cd750f58aa2c99c9eefc53133a7142f52d5a
527702a449a96ccd0ea26f5891680429057e866a18568edd43d3e705e01a336e
e39b8e8e04cf05907dd3bac8c172e0c2e3b06f169fea9a52e0e414e3dd0c5942
676d3c0fe0073ed133dfe2e2f0563d16e388b9b46ca436ecc580b7c07dc9b842
7afa072ab9f7d5260d1ed990ecce3e9e5f029c299ab4356f927af55d22051d3d
f73fab97f18b4700229b7eb9ded13c97fc99145057b1c6abc58f80272e3e21f7
2f064bf632c0821d2e798a66f51364fec30cd5c7d88367eefe1fe310c61e1671
1d99ccab2f2e70d66f2cdff40ed6fe6b638be63b9465fb2bb0790ad19c30e7d2
5f0c1e6643531444cada92f54702c1f60894484cce980f70132f04f753a398f9
9efaf32c5a406442430af9d14f3a4a85715de8b0f24d3f01753e145ae0db84b7
793a7f75c0979fea7f27ab5fd968416c19b1d8fd8d285b4b73dc67a850c26ff9
dcf87640a659f4dfa0ce7bbe7edd97090d02286262664ca581f18c954f96272d
f4e01d4d9834914db9621a06d4d567b48274ba1a30aeb0b12ddb8e7f39bcad44
1651a7b68f3468fdd53cc4f61e652491e4eb9ede675eb10b728a8e96e00a9581
5be644bc72d42d2b65547a369515bddcea970999ab0946a3e968311a365de425
38d76806484020d16c7e5113221089624e3b7917251bc5cc8224885563eb2a7b
1c4eecc941d8ecdf577063e731a5f506fa23fb951a7f34dad50768e0b6503008
8d9e4cdc23217573230ac18c77993958b28794bec8d2ab4acbb624030d50faad
4408732364104503053b4e5b48a431792fe8f4ecff83d073b93c0cf067ce6219
9c2d96d79e1975f6bc7ec20fdc8e7b57f4a8a8747ce5158d12b3ec4a6c7e63a8
7f3d5c371b6c14ed1010d3a130371974fa58c28dddef241429af3395dde56c9b
dc55c5c1535fdf16c7e36ac490fde1fbe20bdda6fe4994559246772cd03ac4f1
35f474f7310edb04f7fa82b60f56f4008ba725662628206dfc656a98c017601b
c9e8e3c92669d9191e42e90d879f53b9386636d8ad0fb2178d1d318bc241d662
584c4ffa608653ad21fdfe0ed4208b82aa762e01dd79d761889e0f7d645c4c5b
d735ac4882c834ba0a6f321dc6a2ea620a2916e85275266ca5e593af2132a2f0
4fe3d56a5cb89bdf31145b7ce1c17f22d8d1616dd491fdf1462bf623ca8b3a10
a8c91a43ab6ee2de15fe46e35a211b3c1c8e7ae4a1c4c28131618944ba8dab64
03e19460e77b9a239ad58dd9683cf49f3c79e485f90aa04f569e7e40a1924898
6a0acc5498eb90bd314b5148feb8ea698763b847ff5e6c62afb1eb361a386ea7
0df0feb6d8f0322c3bd6d7c1ecd0e7042b03bb16edff78acb7569e76821a1b36
0740c327a3fcd947256f351fba7b164d90b162fdfa873cb8041436a2c41e99d2
93f03eb8822d0770e3079b835a7d06c4685e9b489bd0aea32a416ad50e81ebc2
c11c368b82c5705b3d768ebbdc5d61415961233fa06ec08d915ebb240ff0c663
75d436daf3a4884c7ac1e12650cc105232a2778f769028e50a837ef14034ddab
ee8cea3c0570686d2ad7f38269d0d25e43cd9627be5c063aa7405ef86c679e23
b0dd31d246f2137e1315e3d93d1479e34b23fe9d2546b8afe4ed94cc6a30c879
5467ed9d9ca270411cd5fc7d60bf02dfc593d72f7b5673779787c0c0d8961b41
SHA256 hash: 65a0da0a10aeb91badad3d964e242ddd01f717bb128fe2330a821bc32ac8ca2b
MD5 hash: c42c5587569023bf36f3b6db1a5f337c
SHA1 hash: bfbdfca22903376f88cca854a91df07c2f46e4df
Detections: SUSP_OBF_NET_ConfuserEx_Name_Pattern_Jan24, SUSP_OBF_NET_Reactor_Indicators_Jan24

SHA256 hash: 11502c1288018456f526571ab2f17c81a88d07abc3255c0d7fe072c58dc45c8d
MD5 hash: f818c45e3a56392149c0daeb81793fac
SHA1 hash: e8ddbdd43c6315da2b6cd869f6f0e4a73cdcb6af
Detections: win_404keylogger_g1, MAL_Envrial_Jan18_1, INDICATOR_SUSPICIOUS_Binary_References_Browsers, INDICATOR_SUSPICIOUS_EXE_DotNetProcHook, INDICATOR_SUSPICIOUS_EXE_TelegramChatBot

SHA256 hash: b98df0093f704af1aca50d1aea978288d7a038823013706c7ce5a06072121e06
MD5 hash: 7f055858f49c1b6e7209731dd3eef0d2
SHA1 hash: fa0ded7146ba901c43d7879851fe7e8ec4f47605

Please note that we are no longer able to provide a coverage score for VirusTotal.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. These are matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are displayed.

Rule name: crime_snake_keylogger
Author: Rony (r0ny_123)
Description: Detects Snake keylogger payload

Rule name: INDICATOR_SUSPICIOUS_Binary_References_Browsers
Author: ditekSHen
Description: Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers.

Rule name: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook
Author: ditekSHen
Description: Detects executables with potential process hooking

Rule name: INDICATOR_SUSPICIOUS_EXE_TelegramChatBot
Author: ditekSHen
Description: Detects executables using Telegram Chat Bot

Rule name: MAL_Envrial_Jan18_1
Author: Florian Roth (Nextron Systems)
Description: Detects Encrial credential stealer malware
Reference: https://twitter.com/malwrhunterteam/status/953313514629853184

Rule name: MAL_Envrial_Jan18_1_RID2D8C
Author: Florian Roth
Description: Detects Encrial credential stealer malware
Reference: https://twitter.com/malwrhunterteam/status/953313514629853184

Rule name: NET
Author: malware-lu

Rule name: NETexecutableMicrosoft
Author: malware-lu

Rule name: pe_imphash

Rule name: RANSOMWARE
Author: ToroGuitar

Rule name: Skystars_Malware_Imphash
Author: Skystars LightDefender
Description: imphash

Rule name: Sus_Obf_Enc_Spoof_Hide_PE
Author: XiAnzheng
Description: Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique (can create FP)

Rule name: telegram_bot_api
Author: rectifyq
Description: Detects file containing Telegram Bot API

Rule name: Windows_Trojan_SnakeKeylogger_af3faa65
Author: Elastic Security

File information


The table below shows additional information about this malware sample such as delivery method and external references.

BLint


The following table provides more information about this file using BLint. BLint is a binary linter that checks the security properties and capabilities of executables.

Findings
ID | Title | Severity
CHECK_AUTHENTICODE | Missing Authenticode | high
CHECK_DLL_CHARACTERISTICS | Missing dll Security Characteristics (HIGH_ENTROPY_VA) | high
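Both findings come straight from the PE headers: Authenticode presence is the size of the security data directory (index 4) in the optional header, and HIGH_ENTROPY_VA is bit 0x0020 of DllCharacteristics at offset 70 of the optional header. The script below is an added example, not BLint's code (BLint's exact checks may differ); it reads those fields without any PE library and reports the same two findings, plus the CLR directory (index 14) that tells you the file is .NET, which matches the TrID and file-type results above. The header-only images it builds for the demonstration are constructed and not loadable; point it at a real file with a path argument.

```python
"""Reproduce the two BLint findings above from raw PE headers (added example; sample images are constructed)."""
import struct
from typing import Dict, List, Tuple

IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA = 0x0020   # linker /HIGHENTROPYVA, 64-bit ASLR
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE = 0x0040       # ASLR
IMAGE_DLLCHARACTERISTICS_NX_COMPAT = 0x0100          # DEP
IMAGE_DIRECTORY_ENTRY_SECURITY = 4                   # Authenticode signature blob (file offset, size)
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR = 14            # CLR (.NET) header


def pe_security_props(data: bytes) -> Dict[str, object]:
    """Parse the DOS, COFF and optional headers and report the properties BLint flagged."""
    if data[:2] != b"MZ":
        raise ValueError("no MZ signature")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("no PE signature")
    coff = e_lfanew + 4
    opt = coff + 20                                   # the COFF header is 20 bytes
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic == 0x10B:
        pe32plus, nrva_off = False, 92                # PE32: NumberOfRvaAndSizes at 92
    elif magic == 0x20B:
        pe32plus, nrva_off = True, 108                # PE32+: at 108
    else:
        raise ValueError(f"unknown optional header magic {magic:#x}")
    dllchar = struct.unpack_from("<H", data, opt + 70)[0]   # same offset in both formats
    nrva = struct.unpack_from("<I", data, opt + nrva_off)[0]
    dirs = opt + nrva_off + 4

    def directory(index: int) -> Tuple[int, int]:
        if index >= nrva:                             # a truncated directory table means "absent"
            return 0, 0
        return struct.unpack_from("<II", data, dirs + index * 8)

    _, sec_size = directory(IMAGE_DIRECTORY_ENTRY_SECURITY)
    _, clr_size = directory(IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR)

    findings: List[str] = []
    if sec_size == 0:
        findings.append("CHECK_AUTHENTICODE: no security directory (unsigned)")
    if not dllchar & IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA:
        # The flag only takes effect for 64-bit images, but its absence still
        # shows the image was not linked with /HIGHENTROPYVA.
        findings.append("CHECK_DLL_CHARACTERISTICS: HIGH_ENTROPY_VA not set")
    return {
        "pe32plus": pe32plus,
        "is_dotnet": clr_size != 0,
        "signed": sec_size != 0,
        "aslr": bool(dllchar & IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE),
        "dep": bool(dllchar & IMAGE_DLLCHARACTERISTICS_NX_COMPAT),
        "high_entropy_va": bool(dllchar & IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA),
        "findings": findings,
    }


def build_minimal_pe(dllchar: int, signed: bool, dotnet: bool, pe32plus: bool = True) -> bytes:
    """Constructed header-only image: enough for the parser above, not a loadable file."""
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)             # e_lfanew: PE signature right after the DOS header
    opt_size = 240 if pe32plus else 224               # optional header with all 16 data directories
    coff = struct.pack("<HHIIIHH", 0x8664 if pe32plus else 0x14C, 0, 0, 0, 0, opt_size, 0x0002)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x20B if pe32plus else 0x10B)
    struct.pack_into("<H", opt, 70, dllchar)
    nrva_off = 108 if pe32plus else 92
    struct.pack_into("<I", opt, nrva_off, 16)
    dirs = nrva_off + 4
    if signed:                                        # placeholder offset/size of a WIN_CERTIFICATE
        struct.pack_into("<II", opt, dirs + IMAGE_DIRECTORY_ENTRY_SECURITY * 8, 0x1000, 0x200)
    if dotnet:                                        # placeholder RVA/size of the CLR header
        struct.pack_into("<II", opt, dirs + IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR * 8, 0x2000, 0x48)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt)


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        with open(sys.argv[1], "rb") as fh:
            data = fh.read()
    else:   # unsigned 32-bit .NET image without HIGH_ENTROPY_VA, the shape BLint reported above
        data = build_minimal_pe(0x0140, signed=False, dotnet=True, pe32plus=False)
    for key, value in pe_security_props(data).items():
        print(f"{key}: {value}")
```

A non-empty security directory only means a signature blob is attached; it says nothing about whether the signature verifies or who signed it, so a "signed" result still needs signtool verify or Get-AuthenticodeSignature before it counts for anything. Conversely, an unsigned binary is the norm for this kind of commodity stealer and is a weak signal on its own; it is the combination with the behaviours above that matters.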

Comments