MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 bdf329c1001b540fffb7ad110b6cf460a89c3408fbd62b15e7c55d8cdb55380e. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


SnakeKeylogger


Vendor detections: 13


Intelligence 13 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: bdf329c1001b540fffb7ad110b6cf460a89c3408fbd62b15e7c55d8cdb55380e
SHA3-384 hash: db120a613badaddfdd1c2a52d9271237182f376b395a0d5d359ed04065113e85e85ba7a4f5bd4facbb9106d53175999e
SHA1 hash: 47288c7b56bf798ab620f8e1c7d2d952f0a6cd3c
MD5 hash: d26e9a9ca834081f9decb5cdb0c10065
humanhash: undress-april-bulldog-football
File name:vbc.exe
Download: download sample
Signature SnakeKeylogger
Create hunting rule
File size:753'664 bytes
First seen:2023-03-22 13:44:27 UTC
Last seen:2023-03-22 20:29:29 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'205 x SnakeKeylogger)
ssdeep 6144:4tk1AtYVa8jW4VUKz0VvDMj6HffXKmT1NidpqXTg6MXCmWxZ+m4FHNcLHuD9aIFL:hj4bMmHVTIpiM6MXCmY+mIch33qvt1C
Threatray 171 similar samples on MalwareBazaar
TLSH T16CF40206B2E6CB65C15D5BB9A4E25D2003BB6F932A33F3056DC430E92B377E50B45A87
TrID 67.7% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
9.7% (.EXE) Win64 Executable (generic) (10523/12/4)
6.0% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
4.1% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):PE icon
dhash icon d6c3c1f98c8edef2 (12 x AgentTesla, 5 x SnakeKeylogger, 1 x RemcosRAT)
Reporter James_inthe_box
Tags:exe SnakeKeylogger

Intelligence

File Origin
# of uploads :
2
# of downloads :
238
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
vbc.exe
Verdict:
Malicious activity
Analysis date:
2023-03-22 13:47:56 UTC
Tags:
snake keylogger trojan evasion
Link:
https://app.any.run/tasks/8523836a-2b76-4132-9ab9-50bc8397c85c

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/376472/
Detection(s):
Sanesecurity.Malware.28872.BadIN4.UNOFFICIAL
Create hunting rule

Result
Verdict:
Clean
Maliciousness:

Behaviour
Creating a window
Sending a custom TCP request
Launching a process
Creating a process with a hidden window
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
packed strictor
Link:
https://www.filescan.io/uploads/641b065fb236355850d76101/reports/9d63983a-2eda-4a83-81a7-bc0bc4ae9d4e/overview
Verdict:
Malicious
Labled as:
Strictor.Generic
Link:
https://www.hybrid-analysis.com/sample/bdf329c1001b540fffb7ad110b6cf460a89c3408fbd62b15e7c55d8cdb55380e
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Snake Keylogger
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/f5647c59-a3dc-4b89-b873-a96a0eb697d5
Result
Threat name:
Snake Keylogger
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1199395
Signature
.NET source code contains potential unpacker
Adds a directory exclusion to Windows Defender
Injects a PE file into a foreign processes
Malicious sample detected (through community Yara rule)
May check the online IP address of the machine
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Scheduled temp file as task from temp location
Snort IDS alert for network traffic
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Mail credentials (via file / registry access)
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected Generic Downloader
Yara detected Snake Keylogger
Yara detected Telegram RAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 832300 Sample: vbc.exe Startdate: 22/03/2023 Architecture: WINDOWS Score: 100 51 Snort IDS alert for network traffic 2->51 53 Malicious sample detected (through community Yara rule) 2->53 55 Sigma detected: Scheduled temp file as task from temp location 2->55 57 5 other signatures 2->57 7 vbc.exe 7 2->7         started        11 BdCFbREZbnTf.exe 5 2->11         started        process3 file4 35 C:\Users\user\AppData\...\BdCFbREZbnTf.exe, PE32 7->35 dropped 37 C:\Users\...\BdCFbREZbnTf.exe:Zone.Identifier, ASCII 7->37 dropped 39 C:\Users\user\AppData\Local\...\tmp4913.tmp, XML 7->39 dropped 41 C:\Users\user\AppData\Local\...\vbc.exe.log, ASCII 7->41 dropped 59 May check the online IP address of the machine 7->59 61 Uses schtasks.exe or at.exe to add and modify task schedules 7->61 63 Adds a directory exclusion to Windows Defender 7->63 13 vbc.exe 15 2 7->13         started        17 powershell.exe 21 7->17         started        19 schtasks.exe 1 7->19         started        27 4 other processes 7->27 65 Multi AV Scanner detection for dropped file 11->65 67 Injects a PE file into a foreign processes 11->67 21 BdCFbREZbnTf.exe 2 11->21         started        23 schtasks.exe 1 11->23         started        25 BdCFbREZbnTf.exe 11->25         started        signatures5 process6 dnsIp7 43 checkip.dyndns.com 158.101.44.242, 49695, 80 ORACLE-BMC-31898US United States 13->43 45 checkip.dyndns.org 13->45 29 conhost.exe 17->29         started        31 conhost.exe 19->31         started        47 132.226.8.169, 49696, 80 UTMEMUS United States 21->47 49 checkip.dyndns.org 21->49 69 Tries to steal Mail credentials (via file / registry access) 21->69 71 Tries to harvest and steal ftp login credentials 21->71 73 Tries to harvest and steal browser information (history, passwords, etc) 21->73 33 conhost.exe 23->33         started        signatures8 process9
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/bdf329c1001b540fffb7ad110b6cf460a89c3408fbd62b15e7c55d8cdb55380e/
Threat name:
ByteCode-MSIL.Trojan.RemLoader
Create hunting rule
Status:
Malicious
First seen:
2023-03-22 13:43:28 UTC
File Type:
PE (.Net Exe)
Extracted files:
20
AV detection:
14 of 24 (58.33%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=xxzstqiadnka775xvuiqw3humcujynai7plcwfphyvoyzw2vhaha._file
Verdict:
malicious
Similar samples:
0355a54d6aae27829f3e33aa8fce6dee0310802ae4e5a842bd7fe25fe1a6274a
SnakeKeylogger
2102d9af8a4655fa6da49edf860ee6a2c96db569ba88c330d51f941b28e22369
SnakeKeylogger
3cacd0691978243f04148ce39e057d9eb18f569515ec32ea49f58b6a11a58313
SnakeKeylogger
3fd2b3c66c8673586d4573c3cd434c65be4e4eae0fad1ee19989ad6e94408109
SnakeKeylogger
571a662f9f434bfede9e6c79294bfd87fa23e7f93918e4824590b961f5b10d85
SnakeKeylogger
5b8ea5f56d68898aaebc5f302bdc6d61a708456ebc2188c675d5b64038d4dd9d
SnakeKeylogger
a95ec8327b950ca7895addb70ef50f2e28bbb982a1fd706015bb3f35ef476257
SnakeKeylogger
ac6d957336c039f000748fa1491549e9416005c224eea1cf089aab0d91b10844
SnakeKeylogger
b153cca3bac87165e94ba9851a895ee316e0b9876795c1216388715a01b45674
SnakeKeylogger
cfee0fb48134e7fecf10d360e537299729b365a47e813c89aebbd167467cd35b
SnakeKeylogger
+ 161 additional samples on MalwareBazaar
Result
Malware family:
snakekeylogger
Create hunting rule
Score:
  10/10
Tags:
family:snakekeylogger collection keylogger spyware stealer
Link:
https://tria.ge/reports/230322-q2dd1sha96/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Enumerates physical storage devices
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Looks up external IP address via web service
Checks computer location settings
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Uses the VBS compiler for execution
Snake Keylogger
Snake Keylogger payload
Unpacked files
SH256 hash:
e5f7c2a3fa16cb6ff3433bff0820339b58d2be6560fd63fcd643d6b1c521de98
MD5 hash:
e135531d9e675da3d2655f421c317c2c
SHA1 hash:
ae330d410eeaa2e195f015cb225ffb3a4980fadf
Link:
https://www.unpac.me/results/8889cff6-b291-454d-83d9-aec83a82bab4/
SH256 hash:
d06df7395d561e198f9b7c5481567116ff2e4c2e84437c018d2a2c8ea6c4ca37
MD5 hash:
0fb6061f7d37424fb9e6d0e76b019c19
SHA1 hash:
98a64bf7b459f032d6ec5793003bf61b5ae1dd74
Link:
https://www.unpac.me/results/8889cff6-b291-454d-83d9-aec83a82bab4/
Parent samples :
495607b1aef01bf7dfb64b5cb16a8fc0f161c2923627d71c69de97328f8eca3f
2434aa78b46a3afc98fa6e888c3eb56278ba52b0ff800e7e875af9c2e7f9011a
SH256 hash:
7b96249b96961628cfe81e6ebcc8e067eb72e79495969c37a8f73ccf0bc3e99f
MD5 hash:
752e1672d6e5175559f221bde3841893
SHA1 hash:
7800ccee0f2031b388c02e453f1a9e43014020c6
Detections:
snake_keylogger
Create hunting rule
Link:
https://www.unpac.me/results/8889cff6-b291-454d-83d9-aec83a82bab4/
Parent samples :
26b651e58c2f3327e4bb8f994047e77bb3c4a9a9b821ffa3d6e5c61ddfc6408e
bdf329c1001b540fffb7ad110b6cf460a89c3408fbd62b15e7c55d8cdb55380e
SH256 hash:
f27d590cb6167fa1231e278c47ab1b3b74218b71debc56bc89197e1d427ba1ef
MD5 hash:
b4e1f620292d88061141a9ba48a1ecbb
SHA1 hash:
5732a2c713af05b6cb7e2c8b28c27c79f1a0ec9e
Link:
https://www.unpac.me/results/8889cff6-b291-454d-83d9-aec83a82bab4/
SH256 hash:
ffb04f61540537d5133104842da30a1a2030d763040c69c3163e3dceef39885a
MD5 hash:
b0cb4418ae8f91cdc4444107e2af936d
SHA1 hash:
4d2134492c1352641fdb5a1032b3bb3f87117409
Link:
https://www.unpac.me/results/8889cff6-b291-454d-83d9-aec83a82bab4/
SH256 hash:
bdf329c1001b540fffb7ad110b6cf460a89c3408fbd62b15e7c55d8cdb55380e
MD5 hash:
d26e9a9ca834081f9decb5cdb0c10065
SHA1 hash:
47288c7b56bf798ab620f8e1c7d2d952f0a6cd3c
Link:
https://www.unpac.me/results/8889cff6-b291-454d-83d9-aec83a82bab4/
Malware family:
SnakeKeylogger
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/bdf329c1001b/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

  
Delivery method
Other
Cape
Cape
https://www.capesandbox.com/analysis/376472/
  
URLhaus
https://urlhaus.abuse.ch/url/2581157/

Comments