MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 be60fe1356a96d21cb257e80f85cd5b48ab376b827809f1fe63b23a7eddabca7. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


SnakeKeylogger


Vendor detections: 12


Intelligence 12 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: be60fe1356a96d21cb257e80f85cd5b48ab376b827809f1fe63b23a7eddabca7
SHA3-384 hash: 513c51fce2baf8fd4189c2cf33981bfe22c9f69f6b55360fe28375e3ccf90473e5e998b1c6810168bab7099b76f9c8a4
SHA1 hash: 1a8564d058cfecad514e6894caecb80b6067826c
MD5 hash: 9fa3249acbf5c1f64cd48b7922550cc4
humanhash: magnesium-stream-spaghetti-lake
File name:9fa3249acbf5c1f64cd48b7922550cc4.exe
Download: download sample
Signature SnakeKeylogger
Create hunting rule
File size:804'864 bytes
First seen:2022-10-12 15:09:55 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 12288:LMp/ggTzXZvwhxDl5ObrLgI58IN8AUU+670BzNDlYLX2SvgkX:KF4DDO7nleU+6OpDyz2SvgkX
Threatray 3'074 similar samples on MalwareBazaar
TLSH T14E0538BA12924607E8193175C8C7D2F32AFB6D607061D1C79AD76F6FBC440BFA612386
TrID 71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.2% (.EXE) Win64 Executable (generic) (10523/12/4)
6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.3% (.EXE) Win32 Executable (generic) (4505/5/1)
2.0% (.EXE) Win16/32 Executable Delphi generic (2072/23)
File icon (PE):PE icon
dhash icon 0c4c4a4c4cb4b4b4 (26 x SnakeKeylogger, 9 x Formbook, 5 x AgentTesla)
Reporter abuse_ch
Tags:exe SnakeKeylogger

Intelligence

File Origin
# of uploads :
1
# of downloads :
193
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/319432/
Detection(s):
SecuriteInfo.com.Trojan.Inject4.45026.15874.22140.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Creating a window
Creating a file in the %AppData% directory
Enabling the 'hidden' option for recently created files
Adding an access-denied ACE
Сreating synchronization primitives
Creating a process from a recently created file
Creating a process with a hidden window
Creating a file in the %temp% directory
Launching a process
Unauthorized injection to a recently created process
Enabling autorun by creating a file
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
packed
Link:
https://www.filescan.io/uploads/6346d8cc0d2bcf0ff9a28746/reports/e9fc8257-e6fa-4997-8f32-906ff6294da2/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/ee79983e-5be1-4420-a268-61294b0c0de0
Result
Threat name:
Snake Keylogger
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1088958
Signature
.NET source code contains potential unpacker
.NET source code references suspicious native API functions
Adds a directory exclusion to Windows Defender
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
May check the online IP address of the machine
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Scheduled temp file as task from temp location
Snort IDS alert for network traffic
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Mail credentials (via file / registry access)
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected AntiVM3
Yara detected Generic Downloader
Yara detected Snake Keylogger
Yara detected Telegram RAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 721559 Sample: JgBtvp0NxM.exe Startdate: 12/10/2022 Architecture: WINDOWS Score: 100 49 Snort IDS alert for network traffic 2->49 51 Malicious sample detected (through community Yara rule) 2->51 53 Sigma detected: Scheduled temp file as task from temp location 2->53 55 9 other signatures 2->55 7 JgBtvp0NxM.exe 7 2->7         started        11 kWdKmWrYbdhCa.exe 5 2->11         started        process3 file4 33 C:\Users\user\AppData\...\kWdKmWrYbdhCa.exe, PE32 7->33 dropped 35 C:\...\kWdKmWrYbdhCa.exe:Zone.Identifier, ASCII 7->35 dropped 37 C:\Users\user\AppData\Local\...\tmpC686.tmp, XML 7->37 dropped 39 C:\Users\user\AppData\...\JgBtvp0NxM.exe.log, ASCII 7->39 dropped 57 May check the online IP address of the machine 7->57 59 Uses schtasks.exe or at.exe to add and modify task schedules 7->59 61 Adds a directory exclusion to Windows Defender 7->61 13 JgBtvp0NxM.exe 15 2 7->13         started        17 powershell.exe 19 7->17         started        19 schtasks.exe 1 7->19         started        21 JgBtvp0NxM.exe 7->21         started        63 Multi AV Scanner detection for dropped file 11->63 65 Machine Learning detection for dropped file 11->65 67 Injects a PE file into a foreign processes 11->67 23 kWdKmWrYbdhCa.exe 14 2 11->23         started        25 schtasks.exe 1 11->25         started        signatures5 process6 dnsIp7 41 checkip.dyndns.com 158.101.44.242, 49702, 80 ORACLE-BMC-31898US United States 13->41 43 checkip.dyndns.org 13->43 27 conhost.exe 17->27         started        29 conhost.exe 19->29         started        45 193.122.130.0, 49703, 80 ORACLE-BMC-31898US United States 23->45 47 checkip.dyndns.org 23->47 69 Tries to steal Mail credentials (via file / registry access) 23->69 71 Tries to harvest and steal ftp login credentials 23->71 73 Tries to harvest and steal browser information (history, passwords, etc) 23->73 31 conhost.exe 25->31         started        signatures8 process9
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/be60fe1356a96d21cb257e80f85cd5b48ab376b827809f1fe63b23a7eddabca7/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2022-10-12 04:31:29 UTC
File Type:
PE (.Net Exe)
Extracted files:
21
AV detection:
22 of 42 (52.38%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=xzqp4e2wvfwsdszfp2apqxgvwsflg5vye6aj6h7ghmr2p3o2xstq._file
Verdict:
malicious
Similar samples:
3322f0adecd7f6e55f7d22ff1b6601eb7818285e21f96e0102a24a87c92d347a
SnakeKeylogger
68869812f8a2684414348ecc16579fb740a8bfc179957641ee2c39db6ad271d1
SnakeKeylogger
a06e29202c62a82a9b16220854210aabb48c2cdbd6c63db226e68338346c860b
SnakeKeylogger
ad97db9a2ec2dffd87a00d37fe369244c206e0502721425b3d0b4636b89ad3aa
SnakeKeylogger
bbfe7d997d95f5693051b2c6bb3cfe9150ea690329ac0c51131c0825358892bd
SnakeKeylogger
c3a1c0ffbbba5b50ca8f4785ea21363cb4674b335574b95aee73953a932e8944
SnakeKeylogger
ddbc8012d2d452db94873a384b977cf40fd991abb9826487e8fc5ed94c72328f
SnakeKeylogger
deac8ad34ff6f59a3ccdb8161f7aff94cdb9780d74201f77142c34bccf0fcd18
SnakeKeylogger
e15b4c36878dd4b68d7875fd502d4259a53ab0e0d7b800df5fcbcdee3d9e9db4
SnakeKeylogger
+ 3'064 additional samples on MalwareBazaar
Result
Malware family:
snakekeylogger
Create hunting rule
Score:
  10/10
Tags:
family:snakekeylogger collection keylogger spyware stealer
Link:
https://tria.ge/reports/221012-sj14gaggd4/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Enumerates physical storage devices
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Looks up external IP address via web service
Checks computer location settings
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Snake Keylogger
Snake Keylogger payload
Malware Config
C2 Extraction:
https://api.telegram.org/bot5336386315:AAFr4275liluBmKq3DdynSzdvBY-y98fXrU/sendMessage?chat_id=1736922894
Verdict:
Suspicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/f191ff33-7f1f-4b85-8385-fe15ce8f95bd
Unpacked files
SH256 hash:
af7ac1171b44c9a949ad80bfaf05095048d0b74cfb527f66479e22f47d340110
MD5 hash:
f696dc0e00cb8f70799ac3fcaa5f9f6a
SHA1 hash:
cde2283de5b89639ea52f6388feef8f77efc63ce
Link:
https://www.unpac.me/results/8ec1a28c-fa0f-4e86-b292-3ce7905b5eb4/
SH256 hash:
9c492a87a0cd057c961a21d1843d6d0fd41fde6fd7ef22c7bbc1649d937f2811
MD5 hash:
f15902a9e908d1b8446cb7492e92cf5a
SHA1 hash:
b02e74e203e8b05dab8855f4c9cc95f43a085b99
Link:
https://www.unpac.me/results/8ec1a28c-fa0f-4e86-b292-3ce7905b5eb4/
SH256 hash:
70dfa4c873605ab0fcdcb62be2a970da110535280d8dc88261edbe1ed2865307
MD5 hash:
d5b0f8aff064b3e828421b48efccd312
SHA1 hash:
724f4bc7ab4e08c45562748b739c8f7496a5ad8f
Link:
https://www.unpac.me/results/8ec1a28c-fa0f-4e86-b292-3ce7905b5eb4/
SH256 hash:
d01b05299811f0a742430eacf71660cd9cd6f2f66a44e554108db0c567b399e2
MD5 hash:
36039b3c6d6226ab433a3fd44fa1f0f8
SHA1 hash:
655966f7fa21409970257da2c8ec272fcc65cfcc
Link:
https://www.unpac.me/results/8ec1a28c-fa0f-4e86-b292-3ce7905b5eb4/
SH256 hash:
6985e0faffcd0a51af5911046a6cafd9765bb0815c8d4cc3baa359f84bea2508
MD5 hash:
f907da5ebc69b850aef014f8de240108
SHA1 hash:
281f63015e01f33456eef8bd53293291de54509c
Detections:
snake_keylogger
Create hunting rule
Link:
https://www.unpac.me/results/8ec1a28c-fa0f-4e86-b292-3ce7905b5eb4/
Parent samples :
d40f32f81438c0c6bad28f8b8b08ebb452871640a691cb879ea1a4220b452017
be60fe1356a96d21cb257e80f85cd5b48ab376b827809f1fe63b23a7eddabca7
SH256 hash:
be60fe1356a96d21cb257e80f85cd5b48ab376b827809f1fe63b23a7eddabca7
MD5 hash:
9fa3249acbf5c1f64cd48b7922550cc4
SHA1 hash:
1a8564d058cfecad514e6894caecb80b6067826c
Link:
https://www.unpac.me/results/8ec1a28c-fa0f-4e86-b292-3ce7905b5eb4/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/be60fe1356a96d21cb257e80f85cd5b48ab376b827809f1fe63b23a7eddabca7

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

SnakeKeylogger

Executable exe be60fe1356a96d21cb257e80f85cd5b48ab376b827809f1fe63b23a7eddabca7

(this sample)

Cape
Cape
https://www.capesandbox.com/analysis/319432/
  
URLhaus
https://urlhaus.abuse.ch/url/2359955/
  
Delivery method
Distributed via web download

Comments