MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 bb0aaf1837ae3d0e173b002d9e9611ec924e35d993b02b5e70c50ebd9c0b6332. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


SnakeKeylogger


Vendor detections: 17


Intelligence 17 IOCs YARA 11 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: bb0aaf1837ae3d0e173b002d9e9611ec924e35d993b02b5e70c50ebd9c0b6332
SHA3-384 hash: 7f0ff49e2644b50f75c75c35176cbebeba8a90bd62fcbb9baaf452f07873c59e878a3632f0e6bc621e66c283823a1f09
SHA1 hash: 7ce59a4d73e181821cfcb281b660ca69ae6c5436
MD5 hash: 793fc03d9e22666b08d756787e2c926f
humanhash: paris-white-iowa-saturn
File name:File8748928 spcl (1).exe
Download: download sample
Signature SnakeKeylogger
Create hunting rule
File size:623'728 bytes
First seen:2023-02-22 12:58:09 UTC
Last seen:2023-02-22 14:42:19 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 61259b55b8912888e90f516ca08dc514 (1'059 x Formbook, 741 x AgentTesla, 427 x GuLoader)
ssdeep 12288:vYOZfcORL0CaC5uleReURCSjLRuN14x94cXmZc1qtyLN6BbIZmfphkyEn8fO+I6u:vYOZNXVReUX38N14xpm+82N6BOmfLkRv
Threatray 126 similar samples on MalwareBazaar
TLSH T1F4D423006215C57BDEF1CBBB24AF231AAFCEDD06505A62472BA82F445C357A7874D3A2
TrID 47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
15.9% (.EXE) Win64 Executable (generic) (10523/12/4)
9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
7.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
6.8% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):PE icon
dhash icon b2a89c96a2cada72 (2'283 x Formbook, 981 x Loki, 803 x AgentTesla)
Reporter abuse_ch
Tags:exe SnakeKeylogger

Intelligence

File Origin
# of uploads :
2
# of downloads :
207
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
File8748928 spcl (1).exe
Verdict:
Malicious activity
Analysis date:
2023-02-22 12:59:40 UTC
Tags:
snake
Link:
https://app.any.run/tasks/02864c14-cc1a-4f80-8276-7b9ac724f129

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Snake
Create hunting rule
Link:
https://www.capesandbox.com/analysis/369038/
Detection(s):
Sanesecurity.Malware.28885.BadCo.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Creating a file in the %temp% directory
Creating a window
Creating a process from a recently created file
Creating a file in the %AppData% subdirectories
Сreating synchronization primitives
DNS request
Sending an HTTP GET request
Reading critical registry keys
Sending a custom TCP request
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Unauthorized injection to a recently created process
Unauthorized injection to a recently created process by context flags manipulation
Result
Malware family:
n/a
Score:
  5/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/72242/overview
Behaviour
MalwareBazaar
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
83%
Tags:
overlay packed shell32.dll
Link:
https://www.filescan.io/uploads/63f61197b53d126ad2642c82/reports/c07ded3b-b0a7-468f-91ab-e968c694f127/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_90%
Link:
https://www.hybrid-analysis.com/sample/bb0aaf1837ae3d0e173b002d9e9611ec924e35d993b02b5e70c50ebd9c0b6332
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Formbook
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/80ecb7a3-7660-4147-9e90-e42e441cd73a
Result
Threat name:
Snake Keylogger
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1180702
Signature
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Found evasive API chain (may stop execution after reading information in the PEB, e.g. number of processors)
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
May check the online IP address of the machine
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Mail credentials (via file / registry access)
Yara detected BrowserPasswordDump
Yara detected Generic Downloader
Yara detected Snake Keylogger
Yara detected Telegram RAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 813527 Sample: File8748928 spcl (1).exe Startdate: 22/02/2023 Architecture: WINDOWS Score: 100 49 Snort IDS alert for network traffic 2->49 51 Malicious sample detected (through community Yara rule) 2->51 53 Multi AV Scanner detection for submitted file 2->53 55 5 other signatures 2->55 7 File8748928 spcl (1).exe 19 2->7         started        10 mirnwgclu.exe 1 2->10         started        13 mirnwgclu.exe 1 2->13         started        process3 file4 33 C:\Users\user\AppData\Local\...\sjyzunhr.exe, PE32 7->33 dropped 15 sjyzunhr.exe 1 3 7->15         started        57 Multi AV Scanner detection for dropped file 10->57 19 WerFault.exe 10 10->19         started        21 conhost.exe 10->21         started        23 WerFault.exe 10 13->23         started        25 conhost.exe 13->25         started        signatures5 process6 file7 35 C:\Users\user\AppData\...\mirnwgclu.exe, PE32 15->35 dropped 41 Multi AV Scanner detection for dropped file 15->41 43 Detected unpacking (changes PE section rights) 15->43 45 Detected unpacking (overwrites its own PE header) 15->45 47 3 other signatures 15->47 27 sjyzunhr.exe 15 2 15->27         started        31 conhost.exe 15->31         started        signatures8 process9 dnsIp10 37 checkip.dyndns.com 193.122.6.168, 49691, 80 ORACLE-BMC-31898US United States 27->37 39 checkip.dyndns.org 27->39 59 Tries to steal Mail credentials (via file / registry access) 27->59 61 Tries to harvest and steal ftp login credentials 27->61 63 Tries to harvest and steal browser information (history, passwords, etc) 27->63 signatures11
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/bb0aaf1837ae3d0e173b002d9e9611ec924e35d993b02b5e70c50ebd9c0b6332/
Threat name:
Win32.Trojan.SnakeKeylogger
Create hunting rule
Status:
Malicious
First seen:
2023-02-22 12:59:08 UTC
File Type:
PE (Exe)
Extracted files:
3
AV detection:
20 of 25 (80.00%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=xmfk6gbxvy6q4fz3aawz5fqr5sje4nozsoycwxtqyuhl3halmmza._file
Verdict:
malicious
Similar samples:
3857fcbee4a5113f3be6d087d6c01d1b78383e1b5930b0549ec8bf78a8bb1fdb
SnakeKeylogger
3c767a0ad593b2c41a646cec0f17e12363e72ef2697eda72ae96313f899b9438
SnakeKeylogger
61c4f2646a200a57f063517c527d7336e77caaa27e83f382b66be014cdedb7f6
SnakeKeylogger
8f2561369ef2cb842b5de723de6ecd7db391f32391406ced8b10b184076c8ee9
SnakeKeylogger
99cf88c829d3c072a3ed4cdd282d9876f4bc32fa3ccfa12180910caa15ba351e
SnakeKeylogger
9d4bb6ad1ecf6354fa3839fc9ae30f458bfb8a4dc0c1b99ad024108113afa833
SnakeKeylogger
c64eedbbfb5e111089a3e0eab54f848da53dc1387b9c3a53653c534d198730fc
SnakeKeylogger
d47084cfbbfd58e7dadf1d197791721e39da4bc35b0632edcaf3d2e6e242ede0
SnakeKeylogger
f3de6a2726972446f95283d07213cc5970fbb815d84a3df97e0dccc8cffda298
SnakeKeylogger
+ 116 additional samples on MalwareBazaar
Result
Malware family:
snakekeylogger
Create hunting rule
Score:
  10/10
Tags:
family:snakekeylogger collection keylogger persistence spyware stealer
Link:
https://tria.ge/reports/230222-p73enabf55/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Enumerates physical storage devices
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Adds Run key to start application
Looks up external IP address via web service
Executes dropped EXE
Loads dropped DLL
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Snake Keylogger
Snake Keylogger payload
Unpacked files
SH256 hash:
e22e7f09d743e524d134f4b4bbf5f1eb5308a3edb954a40b8aa5e68c7b8cffd4
MD5 hash:
07e1f7163b7d8b6d80d83d1c819436ef
SHA1 hash:
ed7724c52e18b9810939327b803ca03837915836
Link:
https://www.unpac.me/results/43a14b6d-72a9-449b-8054-3bcb6641b514/
Parent samples :
1d16237ed75b507f03609ede9722fff429f9a7386c4c4408a9f47623d7a28b50
7154910c217ddc6b6d3726e066d688288efbcd8682a4ad90556fed2ce9009c69
c5dd4dced21baff9499dac6505a77527ac91dc0b0f187c20e9b960b46b3636b9
90dd02313886725b3ad19eaa0780f7189d49e8d1a334e51e5432027e2326c14f
SH256 hash:
da9e9e44444e68cdbfaa573e646ffbbaac5bdc5d7c0b922f719f2c1099233783
MD5 hash:
e26206b866ab62e9dede4908a8e4f67f
SHA1 hash:
351061c73f63f162d635eef2e210e800e2a9581a
Link:
https://www.unpac.me/results/43a14b6d-72a9-449b-8054-3bcb6641b514/
SH256 hash:
470357f3f3590d611bd8f54f88a4c81b3cc946028e211e1322ecb532f95e8335
MD5 hash:
673be2b85c125f6ea41ee48fb2449c22
SHA1 hash:
2326a83205319b9d67e55c105d7e364f9afb8424
Detections:
snake_keylogger
Create hunting rule
Link:
https://www.unpac.me/results/43a14b6d-72a9-449b-8054-3bcb6641b514/
SH256 hash:
6fc812a3affe511b8f471a23d52c69dd4144bfa24822129f0fafba9117d85725
MD5 hash:
8dfe6a14bcaf3e1b5c152cc45e674934
SHA1 hash:
11ff90583d3977f7a979f70d1c8a86d380be40b4
Detections:
snake_keylogger
Create hunting rule
Link:
https://www.unpac.me/results/43a14b6d-72a9-449b-8054-3bcb6641b514/
Parent samples :
bb0aaf1837ae3d0e173b002d9e9611ec924e35d993b02b5e70c50ebd9c0b6332
2cc5b915835368d59f7a46adb02593d468bfa0cd63eea856e9e4cd55b29f8afb
SH256 hash:
f86d826f188099bcdf782cd1053cf4a2141f2ade1761d515cf7ea66bc6f1be3e
MD5 hash:
8f520d2af439a9d236319c1d30be9085
SHA1 hash:
e64e94073c4f83818801dd3ee67ced1c44d39371
Link:
https://www.unpac.me/results/43a14b6d-72a9-449b-8054-3bcb6641b514/
SH256 hash:
bb0aaf1837ae3d0e173b002d9e9611ec924e35d993b02b5e70c50ebd9c0b6332
MD5 hash:
793fc03d9e22666b08d756787e2c926f
SHA1 hash:
7ce59a4d73e181821cfcb281b660ca69ae6c5436
Link:
https://www.unpac.me/results/43a14b6d-72a9-449b-8054-3bcb6641b514/
Malware family:
SnakeKeylogger
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/bb0aaf1837ae/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/bb0aaf1837ae3d0e173b002d9e9611ec924e35d993b02b5e70c50ebd9c0b6332

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:cobalt_strike_tmp01925d3f
Create hunting rule
Author:The DFIR Report
Description:files - file ~tmp01925d3f.exe
Reference:https://thedfirreport.com
Rule name:INDICATOR_SUSPICIOUS_Binary_References_Browsers
Create hunting rule
Author:ditekSHen
Description:Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers.
Rule name:INDICATOR_SUSPICIOUS_EXE_DotNetProcHook
Create hunting rule
Author:ditekSHen
Description:Detects executables with potential process hoocking
Rule name:INDICATOR_SUSPICIOUS_EXE_References_Messaging_Clients
Create hunting rule
Author:ditekSHen
Description:Detects executables referencing many email and collaboration clients. Observed in information stealers
Rule name:INDICATOR_SUSPICIOUS_EXE_TelegramChatBot
Create hunting rule
Author:ditekSHen
Description:Detects executables using Telegram Chat Bot
Rule name:MALWARE_Win_SnakeKeylogger
Create hunting rule
Author:ditekSHen
Description:Detects Snake Keylogger
Rule name:MAL_Envrial_Jan18_1
Create hunting rule
Author:Florian Roth (Nextron Systems)
Description:Detects Encrial credential stealer malware
Reference:https://twitter.com/malwrhunterteam/status/953313514629853184
Rule name:MAL_Envrial_Jan18_1_RID2D8C
Create hunting rule
Author:Florian Roth
Description:Detects Encrial credential stealer malware
Reference:https://twitter.com/malwrhunterteam/status/953313514629853184
Rule name:pe_imphash
Create hunting rule
Rule name:shellcode
Create hunting rule
Author:nex
Description:Matched shellcode byte patterns
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/369038/

Comments