MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 bbfe7d997d95f5693051b2c6bb3cfe9150ea690329ac0c51131c0825358892bd. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


SnakeKeylogger


Vendor detections: 14


Intelligence 14 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: bbfe7d997d95f5693051b2c6bb3cfe9150ea690329ac0c51131c0825358892bd
SHA3-384 hash: dea12bf70f54be2ed9045325a8e4d9c2ccea2bf928170886d752a871ad67313255ccf1ef64b7922539cd309a182a9e5f
SHA1 hash: 834cbc1234e09775d6d4549ae6c4d2e3b48993ec
MD5 hash: 57866cacbb7df3fa371dd9590c0e4a9c
humanhash: stream-yellow-arizona-pizza
File name:quotation.7722164.pdf.exe
Download: download sample
Signature SnakeKeylogger
Create hunting rule
File size:808'448 bytes
First seen:2022-10-12 07:28:32 UTC
Last seen:2022-10-15 10:22:20 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'661 x AgentTesla, 19'471 x Formbook, 12'208 x SnakeKeylogger)
ssdeep 12288:wEp//7/aUQYbMDE6jKbl/+zVSyHBploNOkXy3NaI:T79DbMANGfHBQNOkX+B
Threatray 6'084 similar samples on MalwareBazaar
TLSH T16C05387A15965607E4293175C8C3E2F32AFB9D607061D2C79AD76F6FBC400BFA212386
TrID 72.5% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.4% (.EXE) Win64 Executable (generic) (10523/12/4)
6.5% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.4% (.EXE) Win32 Executable (generic) (4505/5/1)
2.0% (.EXE) OS/2 Executable (generic) (2029/13)
File icon (PE):PE icon
dhash icon 0c4c4a4c4cb4b4b4 (26 x SnakeKeylogger, 9 x Formbook, 5 x AgentTesla)
Reporter abuse_ch
Tags:exe SnakeKeylogger

Intelligence

File Origin
# of uploads :
2
# of downloads :
195
Origin country :
n/a
Vendor Threat Intelligence
Detection:
Snake
Create hunting rule
Link:
https://www.capesandbox.com/analysis/319234/
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a custom TCP request
Launching a process
Creating a process with a hidden window
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
packed
Link:
https://www.filescan.io/uploads/63466cc20d2bcf0ff9a26ca7/reports/103ec243-b952-4f9c-a085-1d00b14a9c52/overview
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Snake Keylogger
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/5583b2be-4059-4307-8800-7775ac2efcc8
Result
Threat name:
Snake Keylogger
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1089445
Signature
.NET source code contains potential unpacker
.NET source code references suspicious native API functions
Adds a directory exclusion to Windows Defender
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Initial sample is a PE file and has a suspicious name
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
May check the online IP address of the machine
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Scheduled temp file as task from temp location
Snort IDS alert for network traffic
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Mail credentials (via file / registry access)
Uses schtasks.exe or at.exe to add and modify task schedules
Uses the Telegram API (likely for C&C communication)
Yara detected AntiVM3
Yara detected Generic Downloader
Yara detected Snake Keylogger
Yara detected Telegram RAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 722044 Sample: quotation.7722164.pdf.exe Startdate: 13/10/2022 Architecture: WINDOWS Score: 100 55 Snort IDS alert for network traffic 2->55 57 Malicious sample detected (through community Yara rule) 2->57 59 Antivirus / Scanner detection for submitted sample 2->59 61 12 other signatures 2->61 7 vImrgjPRBTO.exe 5 2->7         started        10 quotation.7722164.pdf.exe 7 2->10         started        process3 file4 63 Antivirus detection for dropped file 7->63 65 Multi AV Scanner detection for dropped file 7->65 67 May check the online IP address of the machine 7->67 69 Machine Learning detection for dropped file 7->69 13 vImrgjPRBTO.exe 7->13         started        17 schtasks.exe 7->17         started        19 vImrgjPRBTO.exe 7->19         started        35 C:\Users\user\AppData\...\vImrgjPRBTO.exe, PE32 10->35 dropped 37 C:\Users\...\vImrgjPRBTO.exe:Zone.Identifier, ASCII 10->37 dropped 39 C:\Users\user\AppData\Local\...\tmpA22C.tmp, XML 10->39 dropped 41 C:\Users\...\quotation.7722164.pdf.exe.log, ASCII 10->41 dropped 71 Uses schtasks.exe or at.exe to add and modify task schedules 10->71 73 Adds a directory exclusion to Windows Defender 10->73 21 quotation.7722164.pdf.exe 15 2 10->21         started        23 powershell.exe 21 10->23         started        25 schtasks.exe 1 10->25         started        signatures5 process6 dnsIp7 43 132.226.247.73, 49721, 80 UTMEMUS United States 13->43 45 checkip.dyndns.org 13->45 47 api.telegram.org 149.154.167.220, 443, 49724 TELEGRAMRU United Kingdom 13->47 75 Tries to steal Mail credentials (via file / registry access) 13->75 77 Tries to harvest and steal ftp login credentials 13->77 79 Tries to harvest and steal browser information (history, passwords, etc) 13->79 27 conhost.exe 17->27         started        49 checkip.dyndns.com 193.122.130.0, 49717, 80 ORACLE-BMC-31898US United States 21->49 51 checkip.dyndns.org 21->51 53 192.168.2.1 unknown unknown 21->53 29 WerFault.exe 9 21->29         started        31 conhost.exe 23->31         started        33 conhost.exe 25->33         started        signatures8 process9
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/bbfe7d997d95f5693051b2c6bb3cfe9150ea690329ac0c51131c0825358892bd/
Threat name:
ByteCode-MSIL.Trojan.Snakekeylogger
Create hunting rule
Status:
Malicious
First seen:
2022-10-12 06:45:35 UTC
File Type:
PE (.Net Exe)
Extracted files:
21
AV detection:
22 of 26 (84.62%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=xp7h3gl5sx2wsmcrwldlwph6sfiou2idfgwayuitdqecknmisk6q._file
Verdict:
malicious
Similar samples:
1013c6bce8d8b6406be7f964a7f109eeb334fe3d5d4926892d0bf5344f4487c4
SnakeKeylogger
155a2f38ba648b7e598fbae00a45519290785cd1e6ea000851c388676b7626ef
SnakeKeylogger
43f3f0a3b7d6d55ab36beab272059f503f43426d0fb0007ed1a3221202c398a6
SnakeKeylogger
462cfabc375614908d94f806e3471327ba67f2660a89ebf7c7e76c3f0b102647
SnakeKeylogger
70c021052ad4b72188bf5d6c960e668524c7d538e9d30e4991269f7a5e79a566
SnakeKeylogger
98bd1ad6fbedd36a402e3f138a1589af7f460d8544273578d287dcc6796547b6
SnakeKeylogger
b3e11539b6fc679f1ab2feec2a9ad46e47ab6be724f4793d3bc705552f852b55
SnakeKeylogger
cfa0310c20af141220a0cfa1e5181f491d9d61613148fac11cb22b1ee98a96d6
SnakeKeylogger
+ 6'074 additional samples on MalwareBazaar
Result
Malware family:
snakekeylogger
Create hunting rule
Score:
  10/10
Tags:
family:snakekeylogger collection keylogger spyware stealer
Link:
https://tria.ge/reports/221012-ja8mhschbk/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Enumerates physical storage devices
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Looks up external IP address via web service
Checks computer location settings
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Snake Keylogger
Snake Keylogger payload
Malware Config
C2 Extraction:
https://api.telegram.org/bot5643064068:AAHUW-qjYqjmbklVdTKS8RtESPH3MP5FLbM/sendMessage?chat_id=5120307802
Verdict:
Suspicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/a1f9ae99-0391-422e-adba-af2672a12925
Unpacked files
SH256 hash:
161903f7d5633a0cdc5d416c229e1af16ad3f5a6d11dbe8d500aa9151a273f62
MD5 hash:
b460e7cd67e88a80f0b65f65d28b1c4c
SHA1 hash:
fef017687483cf2b5b9d5f8061b6f0645fdcf779
Link:
https://www.unpac.me/results/3e12b8ee-6951-4fcb-a08e-ee41572a49a0/
SH256 hash:
af7ac1171b44c9a949ad80bfaf05095048d0b74cfb527f66479e22f47d340110
MD5 hash:
f696dc0e00cb8f70799ac3fcaa5f9f6a
SHA1 hash:
cde2283de5b89639ea52f6388feef8f77efc63ce
Link:
https://www.unpac.me/results/3e12b8ee-6951-4fcb-a08e-ee41572a49a0/
SH256 hash:
19e200d82f998c6820338f26263c6c03875439a6a6ccef9b81c9c07b3b61e837
MD5 hash:
b9016c83729a63e58d906878b4a65150
SHA1 hash:
497049908c599185419986751e65a9a2a6663db9
Link:
https://www.unpac.me/results/3e12b8ee-6951-4fcb-a08e-ee41572a49a0/
SH256 hash:
dcefa1c5d47bc343aba988fa5ca89ce7a7205fe1da08ecef7b38af430cfbdf32
MD5 hash:
98885b940b039de81a869ceb8eab4e92
SHA1 hash:
436103c7e87cdd951891193e48c45689ea0b8784
Detections:
snake_keylogger
Create hunting rule
Link:
https://www.unpac.me/results/3e12b8ee-6951-4fcb-a08e-ee41572a49a0/
SH256 hash:
925bf6c9e0f745b957daef7400ec78df917f412feb7d5d0ca09ff7f5b31868aa
MD5 hash:
fa2f910faea0ee583ffba4155788b989
SHA1 hash:
30f306992c125f69dc0c7ce38c810ca83d25bada
Link:
https://www.unpac.me/results/3e12b8ee-6951-4fcb-a08e-ee41572a49a0/
SH256 hash:
bbfe7d997d95f5693051b2c6bb3cfe9150ea690329ac0c51131c0825358892bd
MD5 hash:
57866cacbb7df3fa371dd9590c0e4a9c
SHA1 hash:
834cbc1234e09775d6d4549ae6c4d2e3b48993ec
Link:
https://www.unpac.me/results/3e12b8ee-6951-4fcb-a08e-ee41572a49a0/
Malware family:
SnakeKeylogger
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/bbfe7d997d95/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/bbfe7d997d95f5693051b2c6bb3cfe9150ea690329ac0c51131c0825358892bd

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/319234/

Comments