MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 bbeb2bc4ebccbf94ad87dd8f650d4b9e2b9dc65b0fe9e785a44a4f8e464b575e. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

SnakeKeylogger

Vendor detections: 15

Intelligence 15 IOCs YARA 2 File information Comments

SHA256 hash:	bbeb2bc4ebccbf94ad87dd8f650d4b9e2b9dc65b0fe9e785a44a4f8e464b575e
SHA3-384 hash:	d806fa34d9a552e0347a975356e44cb868a682c1ad9f30d0a54891337439648c1634211b73b9d75cd5889b12d5945941
SHA1 hash:	92321e98305af200088d2c2fb8cb1e814f4bcd6a
MD5 hash:	4324ea69e5ea45c825b3f851f762514f
humanhash:	princess-sierra-pip-comet
File name:	SecuriteInfo.com.Trojan.Olock.1.25940.17118
Download:	download sample
Signature	SnakeKeylogger Create hunting rule
File size:	720'896 bytes
First seen:	2023-01-10 03:27:36 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep	12288:0KIO7w4qE4iVV/r7VWCqS1Jc0qLXTIqyROZZ768j8gfzGY3:xIONqEZV/NWCX8fEqKOv7Kgfz
Threatray	11'508 similar samples on MalwareBazaar
TLSH	T1FAE4F12966F5E809F8BD62FA5211DA9403B06521C749D6DD0EE737CECAF8B2DC207253
TrID	71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13) 10.2% (.EXE) Win64 Executable (generic) (10523/12/4) 6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 4.3% (.EXE) Win32 Executable (generic) (4505/5/1) 2.0% (.ICL) Windows Icons Library (generic) (2059/9)
File icon (PE):
dhash icon	b1b1b17964989c06 (31 x SnakeKeylogger, 4 x AgentTesla, 3 x XWorm)
Reporter	SecuriteInfoCom
Tags:	exe SnakeKeylogger

Intelligence

File Origin

# of uploads :

# of downloads :

185

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

SecuriteInfo.com.Trojan.Olock.1.25940.17118

Verdict:

Malicious activity

Analysis date:

2023-01-10 03:28:40 UTC

Tags:

n/a

Link:

https://app.any.run/tasks/7e523e63-30e4-43cc-aa38-f96e8e80ae3d

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

Snake

Link:

https://www.capesandbox.com/analysis/351356/

Detection(s):

SecuriteInfo.com.Trojan.Olock.1.25940.17118.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

Sending a custom TCP request

Сreating synchronization primitives

Unauthorized injection to a recently created process

Creating a file

DNS request

Sending an HTTP GET request

Enabling the 'hidden' option for analyzed file

Launching a process

Creating a process with a hidden window

Moving of the original file

Verdict:

No Threat

Threat level:

2/10

Confidence:

100%

Tags:

packed

Link:

https://www.filescan.io/uploads/63bcdb47a70bef46551e133c/reports/ffaf9fe3-fe6f-443a-b293-6687ad62d990/overview

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Snake Keylogger

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/8992be68-f461-4078-bb7e-abbf62c74a34

Result

Threat name:

Snake Keylogger

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1148445

Signature

.NET source code contains potential unpacker

.NET source code references suspicious native API functions

Disables the Windows registry editor (regedit)

Disables the Windows task manager (taskmgr)

Disables Windows system restore

Injects a PE file into a foreign processes

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

May check the online IP address of the machine

Moves itself to temp directory

Snort IDS alert for network traffic

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to steal Mail credentials (via file / registry access)

Yara detected AntiVM3

Yara detected Generic Downloader

Yara detected Snake Keylogger

Yara detected Telegram RAT

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/bbeb2bc4ebccbf94ad87dd8f650d4b9e2b9dc65b0fe9e785a44a4f8e464b575e/

Threat name:

ByteCode-MSIL.Trojan.SnakeKeylogger

Status:

Malicious

First seen:

2023-01-10 03:28:08 UTC

File Type:

PE (.Net Exe)

Extracted files:

AV detection:

21 of 40 (52.50%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=xpvsxrhlzs7zjlmh3whwkdkltyvz3rs3b7u6pbnejjhy4rslk5pa._file

Verdict:

malicious

SnakeKeylogger

397be5bd6dd070eb7cb65a18294fbebc7d103d60de335ae146973e728e134f93

SnakeKeylogger

43dcd17aa2e97a45074d166854347fe25b59e384eb84ddc685092c21e1a4db1f

SnakeKeylogger

695e823587b2441ca95f76514ec7745ff78bf8dc5b3e153ca63e7d7a11d1a4f5

SnakeKeylogger

7db45a54b5f18064cdb02e35b051b9f1daf43c10dce1f95fdd16cba8ecd15bfd

SnakeKeylogger

bdc23c4c2ebd2e221f94c6a17ffe084493dbf86f206f55fe55641cb133b337ed

SnakeKeylogger

c22cdec62fd282220bfc2277df68b12839f84c5ec1f507e99598be1822038db8

SnakeKeylogger

c53982a042ba3b6bcdb766a0b174e92ac62ae9578ec4a25209c7bfea42a06880

SnakeKeylogger

+ 11'498 additional samples on MalwareBazaar

Result

Malware family:

snakekeylogger

Score:

10/10

Tags:

family:snakekeylogger collection evasion keylogger spyware stealer

Link:

https://tria.ge/reports/230110-d1bskseg2x/

Behaviour

Modifies registry key

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: RenamesItself

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

outlook_office_path

outlook_win_path

Suspicious use of SetThreadContext

Accesses Microsoft Outlook profiles

Looks up external IP address via web service

Reads data files stored by FTP clients

Reads user/profile data of local email clients

Reads user/profile data of web browsers

Disables RegEdit via registry modification

Disables Task Manager via registry modification

Snake Keylogger

Snake Keylogger payload

Malware Config

C2 Extraction:

https://api.telegram.org/bot5412042498:AAH4OVSAlB-9yvO0MxObTPVF8mPej6Ln4M4/sendMessage?chat_id=5573520537

Verdict:

Suspicious

Tags:

n/a

YARA:

n/a

Link:

https://app.threat.zone/submission/3d987dc8-2b48-4308-b44d-e8d7e4714523

Unpacked files

SH256 hash:

30f99742f9f5f7e941f28beeef66f774526209cfbcfb5328065e0c68b990f3c1

MD5 hash:

1e2f3fb4b9eae2bde9b5c250d558f095

SHA1 hash:

f30fe77b179ff7623308c6d8e6f03b6e090ce56e

Detections:

snake_keylogger

Link:

https://www.unpac.me/results/af2eb488-7a3a-472a-a1e9-17d8c995d464/

Parent samples :

bbeb2bc4ebccbf94ad87dd8f650d4b9e2b9dc65b0fe9e785a44a4f8e464b575e
2f77a0882a1faa6b040bb17d2bc63a5a154835d46adedd98339eba6599974655
64b9c66d1790f7f9a62366c7bbcd694941f39fa86077994f0d752f70c90f56b6
4fc2e821a7e7d72363cbc61a1fb1ed5a4cd1c06c09b3794b1ac24ef2fd73b4fd

SH256 hash:

c47e2d12442ecc8e285ac50096896d2f5c5e7eb0d6be54c211011e8c440e2c83

MD5 hash:

134c8597c51c3ceb44400bc003c60fa2

SHA1 hash:

7ca835dd55c7a84175c03c86d2892719e3d05092

Link:

https://www.unpac.me/results/af2eb488-7a3a-472a-a1e9-17d8c995d464/

SH256 hash:

81d62334d499ddc6338b79de96f9f1fd6435c934ca085c4b808362700a909d9b

MD5 hash:

5510a26e98970badceb866f3287f6b8c

SHA1 hash:

73686735480c1cabfa5b446ebb5678a0f9d8131b

Link:

https://www.unpac.me/results/af2eb488-7a3a-472a-a1e9-17d8c995d464/

SH256 hash:

f3dd40a5b297133c99c457952c894393a52c6d518c8f2c36c12223d4d14eef94

MD5 hash:

8125f07e51929838dad303df3a7d75cb

SHA1 hash:

232b3540943d252fd6edd4159becca48d68eebba

Link:

https://www.unpac.me/results/af2eb488-7a3a-472a-a1e9-17d8c995d464/

SH256 hash:

ff1b42ea7d56a37eae801adbddb7116f52a4664c0b41302736f522852edc2747

MD5 hash:

89ac57478044c57c7195943116a521e0

SHA1 hash:

1ff2bafeed795423e3538d810bda8e1e3fcdcfa5

Link:

https://www.unpac.me/results/af2eb488-7a3a-472a-a1e9-17d8c995d464/

SH256 hash:

bbeb2bc4ebccbf94ad87dd8f650d4b9e2b9dc65b0fe9e785a44a4f8e464b575e

MD5 hash:

4324ea69e5ea45c825b3f851f762514f

SHA1 hash:

92321e98305af200088d2c2fb8cb1e814f4bcd6a

Link:

https://www.unpac.me/results/af2eb488-7a3a-472a-a1e9-17d8c995d464/

Malware family:

SnakeKeylogger

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/bbeb2bc4ebcc/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Suspicious File

Score:

0.45

Link:

https://yomi.yoroi.company/submissions/bbeb2bc4ebccbf94ad87dd8f650d4b9e2b9dc65b0fe9e785a44a4f8e464b575e

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	pe_imphash Create hunting rule

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/351356/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample