MalwareBazaar Database
You are currently viewing the MalwareBazaar entry for SHA256 bb6c70d163e39d401e3f09be611d14b68d0a6f4d27c6628ee71e024ea3bd1e9d. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.
Database Entry
SnakeKeylogger
Vendor detections: 12
| SHA256 hash: | bb6c70d163e39d401e3f09be611d14b68d0a6f4d27c6628ee71e024ea3bd1e9d |
|---|---|
| SHA3-384 hash: | c77b4cefb266f159f5019a3808384248b2e88f5b979cdc7f4e2999f2b1de1132dfce4a500ce24d4ee287f49dfec20c16 |
| SHA1 hash: | b24517c9700db7c5d841b9ad73cef5cfdd2cda24 |
| MD5 hash: | 3ea848aeaf2264338898fbbaedf8aa85 |
| humanhash: | comet-fix-oscar-cola |
| File name: | MTO.exe |
| Download: | download sample |
| Signature | SnakeKeylogger |
| File size: | 590'323 bytes |
| First seen: | 2022-04-19 12:10:55 UTC |
| Last seen: | Never |
| File type: |  exe |
| MIME type: | application/x-dosexec |
| imphash | 56a78d55f3f7af51443e58e0ce2fb5f6 (720 x GuLoader, 451 x Formbook, 295 x Loki) |
| ssdeep | 12288:HNlH/yG6fuBBEAXgenm6V0gfbBS5Ui7j5LmQOCWPwpaM:HNlntBNX46fgN5vWoMM |
| Threatray | 2'958 similar samples on MalwareBazaar |
| TLSH | T139C423AB4474E4B2D5F6637204772F2309F6261F3ABD0327A7E49E0E2E22670D945786 |
| TrID | 48.8% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13) 16.4% (.EXE) Win64 Executable (generic) (10523/12/4) 10.2% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 7.8% (.EXE) Win16 NE executable (generic) (5038/12/1) 7.0% (.EXE) Win32 Executable (generic) (4505/5/1) |
| File icon (PE): |  |
| dhash icon | b2a89c96a2cada72 (2'283 x Formbook, 981 x Loki, 803 x AgentTesla) |
| Reporter |  lowmal3 |
| Tags: | exe SnakeKeylogger |
Intelligence
File Origin
# of uploads :
1
# of downloads :
260
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Detection(s):
Result
Verdict:
Malware
Maliciousness:
Behaviour
Creating a window
Creating a file in the %temp% directory
Creating a process from a recently created file
Сreating synchronization primitives
Searching for synchronization primitives
DNS request
Sending an HTTP GET request
Launching a process
Creating a file
Unauthorized injection to a recently created process
Unauthorized injection to a recently created process by context flags manipulation
Verdict:
Malicious
Threat level:
10/10
Confidence:
100%
Tags:
control.exe formbook overlay packed python shell32.dll
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Result
Threat name:
Snake Keylogger
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Signature
.NET source code references suspicious native API functions
Found evasive API chain (may stop execution after reading information in the PEB, e.g. number of processors)
Found malware configuration
Injects a PE file into a foreign processes
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
May check the online IP address of the machine
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Yara detected Snake Keylogger
Yara detected Telegram RAT
Behaviour
Behavior Graph:
Detection:
snakekeylogger
Threat name:
Win32.Trojan.FormBook
Status:
Malicious
First seen:
2022-04-19 09:41:43 UTC
File Type:
PE (Exe)
Extracted files:
3
AV detection:
29 of 41 (70.73%)
Threat level:
5/5
Detection(s):
Suspicious file
Verdict:
malicious
Similar samples:
+ 2'948 additional samples on MalwareBazaar
Result
Malware family:
snakekeylogger
Score:
10/10
Tags:
family:snakekeylogger collection keylogger spyware stealer
Behaviour
Checks processor information in registry
Enumerates system info in registry
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Enumerates physical storage devices
Drops file in Windows directory
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Looks up external IP address via web service
Loads dropped DLL
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Executes dropped EXE
Snake Keylogger
Snake Keylogger Payload
Unpacked files
SH256 hash:
880b1f61121ab6f6aae6c0cf597ead87f46891e7a2a596ebcfedd864de85beae
MD5 hash:
75301de33f914048e79f8cdb59caa70e
SHA1 hash:
52c33599c10c074e00c048d3d10269c89162fd87
SH256 hash:
cc44c8255c7a0b0abdf2ab8f864a210901101f56bb7ffd3b2bdec1b623a59cbf
MD5 hash:
8ce58406acfffe4f8e5361be7d548fea
SHA1 hash:
272b849c854d3ef0d18b2e23cf66d3d1c713cb97
SH256 hash:
4391f83d0570996747345d476ae53206ca9baea3112bc9c444131652e850e72d
MD5 hash:
512a3fa68ef745278a1b75553be8519c
SHA1 hash:
5c50cea86a0ea6ccf12d462931ddb932dd9f0ebf
SH256 hash:
bb6c70d163e39d401e3f09be611d14b68d0a6f4d27c6628ee71e024ea3bd1e9d
MD5 hash:
3ea848aeaf2264338898fbbaedf8aa85
SHA1 hash:
b24517c9700db7c5d841b9ad73cef5cfdd2cda24
Malware family:
SnakeKeylogger
Verdict:
Malicious
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
File information
The table below shows additional information about this malware sample such as delivery method and external references.
Malspam
Delivery method
Distributed via e-mail attachment
Comments
Login required
You need to login to in order to write a comment. Login with your abuse.ch account.