MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 be493996dade9c217151bd2f63fe9310d34ad997288d40de3fabdbdbf88cc450. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


SnakeKeylogger


Vendor detections: 14


Intelligence 14 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: be493996dade9c217151bd2f63fe9310d34ad997288d40de3fabdbdbf88cc450
SHA3-384 hash: 1d9909b3ad6f048cb15f9c63a17fb8651e3214c0b95fc1ca26c383eb9a7b1a5f32c17e0d5ece49bec29e9d1227da935e
SHA1 hash: 8a7bed64958921559c66806efa1d8869eee7993b
MD5 hash: 0ccf77a8618572e7db472deb75721667
humanhash: triple-paris-vermont-lactose
File name:Halkbank_Ekstre_20230321_080804_358439.pdf.exe
Download: download sample
Signature SnakeKeylogger
Create hunting rule
File size:667'136 bytes
First seen:2023-05-22 08:47:25 UTC
Last seen:2023-05-23 15:17:26 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 12288:UTux0YPX/NqPs0K2/tWqjHgGQr1eLwThtPjnr0tj+l/zdsqcmnTp8o+UXn0:UTlHPs0j8YA91hGRSpsqTTj/
Threatray 5'425 similar samples on MalwareBazaar
TLSH T190E4F1C017988D50E65A5EB95AB2E23443793CA1EF17870E68E46C8F7C66F823B017D7
TrID 71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.2% (.EXE) Win64 Executable (generic) (10523/12/4)
6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.3% (.EXE) Win32 Executable (generic) (4505/5/1)
2.0% (.ICL) Windows Icons Library (generic) (2059/9)
File icon (PE):PE icon
dhash icon 224472b2a0c04280 (13 x AgentTesla, 10 x Formbook, 8 x Loki)
Reporter abuse_ch
Tags:exe geo Halkbank SnakeKeylogger TUR

Intelligence

File Origin
# of uploads :
3
# of downloads :
250
Origin country :
NL NL
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
Halkbank_Ekstre_20230321_080804_358439.pdf.exe
Verdict:
Malicious activity
Analysis date:
2023-05-22 09:04:36 UTC
Tags:
snake keylogger trojan evasion
Link:
https://app.any.run/tasks/c7137446-4519-4427-844e-084990bd06c5

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection(s):
SecuriteInfo.com.Trojan.PackedNET.2037.28235.31666.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Creating a window
Unauthorized injection to a recently created process
Creating a file
Сreating synchronization primitives
DNS request
Sending an HTTP GET request
Reading critical registry keys
Forced shutdown of a browser
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
packed
Link:
https://www.filescan.io/uploads/646b2c435c0e83bc226afb92/reports/0eca6622-eb02-4463-ab3b-2bd6dbf4e5ed/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_100%
Link:
https://www.hybrid-analysis.com/sample/be493996dade9c217151bd2f63fe9310d34ad997288d40de3fabdbdbf88cc450
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Snake Keylogger
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/0d7d9783-fdd7-4fcb-9cb8-6042e70afa5b
Result
Threat name:
Snake Keylogger
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1239456
Signature
.NET source code contains potential unpacker
Found malware configuration
Initial sample is a PE file and has a suspicious name
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
May check the online IP address of the machine
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Mail credentials (via file / registry access)
Uses an obfuscated file name to hide its real file extension (double extension)
Yara detected Generic Downloader
Yara detected Snake Keylogger
Yara detected Telegram RAT
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/be493996dade9c217151bd2f63fe9310d34ad997288d40de3fabdbdbf88cc450/
Threat name:
ByteCode-MSIL.Spyware.Snakelogger
Create hunting rule
Status:
Malicious
First seen:
2023-05-22 05:41:51 UTC
File Type:
PE (.Net Exe)
Extracted files:
10
AV detection:
19 of 23 (82.61%)
Threat level:
  2/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=xzettfw232occ4krxuxwh7utcdjuvwmxfcgubxr7vpn5x6emyria._file
Verdict:
malicious
Similar samples:
0143b411f3c0c02a845fa45cca9fd02df3da4334ad748fd119759f877c1e7ef2
SnakeKeylogger
39284637e45691feb034477cb6d51b662892a17b883ce42cee8d8e2fcdda4817
SnakeKeylogger
606157eb85fa1f90ad5b6def0cbddc1445298156aecb9da21bcc925e6cd7638c
SnakeKeylogger
95a4f31cf9b3c1876798edc24aa9323d84e35a3c6d0fccbdde059e4062e50f78
SnakeKeylogger
f2919d54bbf74198eb4bf4c43f7cbd394acff9af2e57f7b7ba9e59fd6a57f79c
SnakeKeylogger
+ 5'415 additional samples on MalwareBazaar
Result
Malware family:
snakekeylogger
Create hunting rule
Score:
  10/10
Tags:
family:snakekeylogger collection keylogger spyware stealer
Link:
https://tria.ge/reports/230522-kqe6kshh7t/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Looks up external IP address via web service
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Snake Keylogger
Snake Keylogger payload
Malware Config
C2 Extraction:
https://api.telegram.org/bot5253212199:AAG-02qWN77aEjxlYTZ-WAZ7WOi_I4kCde8/sendMessage?chat_id=2128925974
Unpacked files
SH256 hash:
57ca1cdc6e6355f3ca922fc11b347236446cd8f4b5df47fb1caf1983d95ec658
MD5 hash:
15716af9b2b0c2b2c1f918b55fed4feb
SHA1 hash:
d8a23a41bac49b2860d3697228b3d8c3ae6d4042
Link:
https://www.unpac.me/results/6788345a-41f3-428e-8bbf-31246e212164/
SH256 hash:
4c7ce432433fc3a8b0a33d558e0041d3f1c222224c5e61f33104d990a534c7a4
MD5 hash:
e8d756b4e2de5a67446e0b1b80e1bb99
SHA1 hash:
b664448f87ac044a16706d35e5d76538ba79508a
Link:
https://www.unpac.me/results/6788345a-41f3-428e-8bbf-31246e212164/
SH256 hash:
3e5d2231b74c89862b08154d767a5531a294d25ca35c10474beac8d5a9581f0a
MD5 hash:
2884799b024984c4fcc5e1b8ef2175df
SHA1 hash:
951f061240f65654d19737f1b5e4ac6493081ac4
Link:
https://www.unpac.me/results/6788345a-41f3-428e-8bbf-31246e212164/
SH256 hash:
111d42a9ca0390c2da005690b74bb547c3be811e025ad02127706871ffd608be
MD5 hash:
393d6c4ee5dd62ecf2f0c487ccfba75c
SHA1 hash:
7573b43e8e51c4d671ee6f3851bd0cd98898ca95
Detections:
snake_keylogger
Create hunting rule
Link:
https://www.unpac.me/results/6788345a-41f3-428e-8bbf-31246e212164/
Parent samples :
061ee3375dc3333d8c4266e773535e516206935d4f7dbbc3f0319d253840213d
840841b31d3ffecc2d05b7860a327ec585c142e25067fdfee90f67993bb9cce8
27d87225d2c5b22a531d89640b5346d988177a8d46b41e7977430dd8e095b20e
fc9a557c699b548774bbff4390c60fe2c9779b12dae6ff89860590e44e52f35c
8fd22f3a7bd250cdc73b4b603c085906d19f8a55b0767465bccbf7c3a5df7e81
0bcf67c52f7b210cc7a7bb304e66d221f49363e7e9e75d21f7eeab8355669e2f
dfd9c8d686cd930eb4057a2066b45cfd81d614d00f1d04aca07df18c22b96dc5
b239f9dd0c75dd4d7fa96c4c16aa35e159dc1832f5e86b2178201d353ae40f42
e25b10c6982c5ec2ede4ea1b0b0355f2ad69ebe9c5a423042e6e9c5365644f32
76f5705ac3ded6e48d0fd4106aeee4ff29c928db64475405af07c49456c4a98c
8ec589783ee99df7f41c722cd5e082a377a24d8e0f26121ade720132e09a574e
0e642ba6a80400a3687939384dbbc0a993b5ad11dbc7bccd6a0b00f091878463
01a61878fb688719bbd35d4788d8443d850e878e087d6b4949b31753089cad40
ecadf3a82456432d82fb7e6ce72761aa85253bff9e17d6ae25566132620a280c
6bef1889e2124e776aad61e98ab354d9067b25fef573bd67563d691e01ff4169
bb7ae35b61a135ad6315c7bb85c66bf7346d1c1d031bdd1053fa7c82ebd2c1ca
a1f4604ea58dce5c513639a0929b6e130783a85873bec08ab0e5b061736dd086
c1aa3e19aaa042198af892f216f9f32bc506249c499ac2a31e71f012fce68f97
4f250e4c6d12fc351a9e0cfae8036b78a88c409e6c6c88a45aa6b659d8c4901e
307f012f74f209e4b8371400455ee296585a6d6a0d4c2195df2186ecaf0acd79
fb8564efb19ac7b2777934eeff430c908f3a3e4989ccffcfe0b82453ac222c8f
38a380b0ef5633beef842aabfa59f857cf9286a3e068987864d00b975d7e3253
f0f7717c93fa1fc099bb73da00989d8e75f24047779c1c54e74db9c21db6b3d8
1250f968f4c4db1b73b64223fcb95958b3c324afb330daf88d9379d2cdaeb2ce
be493996dade9c217151bd2f63fe9310d34ad997288d40de3fabdbdbf88cc450
4a517e9b6f85668c242fb3c74f397839a428ce95aca4f95872ee73149cfc3c29
31261a3dd67894580c9377da5cfd7f25e02cbded114c4c73ebd14941c911805a
ab08bdbb5cee3c7c6fe2d7de4c8b7c383316fe7e7dd467f6dfa81dfbe443680b
e82b399e5ef3f95bfaf96d675eb290b35980e7cb2d07aff724a5b67ad4d3cef1
SH256 hash:
583abe7cf9d23804de162b72368fe4aaf1f81333f565a2aee706e6db681e76db
MD5 hash:
49b45e53d1213c6cdc56b3b9ea6f9881
SHA1 hash:
18adc138dc57765c6e0f43d2241b1a5c8e2ae483
Link:
https://www.unpac.me/results/6788345a-41f3-428e-8bbf-31246e212164/
SH256 hash:
be493996dade9c217151bd2f63fe9310d34ad997288d40de3fabdbdbf88cc450
MD5 hash:
0ccf77a8618572e7db472deb75721667
SHA1 hash:
8a7bed64958921559c66806efa1d8869eee7993b
Link:
https://www.unpac.me/results/6788345a-41f3-428e-8bbf-31246e212164/
Malware family:
SnakeKeylogger
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/be493996dade/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.61
Link:
https://yomi.yoroi.company/submissions/be493996dade9c217151bd2f63fe9310d34ad997288d40de3fabdbdbf88cc450

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

SnakeKeylogger

Executable exe be493996dade9c217151bd2f63fe9310d34ad997288d40de3fabdbdbf88cc450

(this sample)

  
Delivery method
Distributed via e-mail attachment

Comments