MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 c1aa3e19aaa042198af892f216f9f32bc506249c499ac2a31e71f012fce68f97. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

SnakeKeylogger

Vendor detections: 17

Intelligence 17 IOCs YARA 4 File information Comments

SHA256 hash:	c1aa3e19aaa042198af892f216f9f32bc506249c499ac2a31e71f012fce68f97
SHA3-384 hash:	e21cfaffc74f12226d3e13094d72ae04eeddb0f4b6cb3f4b20181696bc9e3e1825dc5bdc9fa352bcef06200bc358e799
SHA1 hash:	3ef82bbbd285b5d77e23ce28013757ecf7ff4383
MD5 hash:	69204d26fa0531e62112e92de0d6c1ad
humanhash:	butter-charlie-sixteen-mobile
File name:	Halkbank_Ekstre_20230321_080804_358439.pdf.exe
Download:	download sample
Signature	SnakeKeylogger Create hunting rule
File size:	1'754'624 bytes
First seen:	2023-04-04 16:38:02 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	332f7ce65ead0adfb3d35147033aabe9 (82 x XRed, 18 x SnakeKeylogger, 7 x DarkComet)
ssdeep	24576:DnsJ39LyjbJkQFMhmC+6GD9R12zVZ97i9DIDenEigyaOI9wU6cOM+b:DnsHyjtk2MYC5GDbAR37QDIDeTxRF
Threatray	460 similar samples on MalwareBazaar
TLSH	T19385B026F1D170BBC22317398C96E372542FFFC11E24A98DAAF41D9FAA7F6441819193
TrID	92.9% (.EXE) Win32 Executable Borland Delphi 7 (664796/42/58) 1.9% (.EXE) Win32 Executable Delphi generic (14182/79/4) 1.4% (.EXE) Win64 Executable (generic) (10523/12/4) 1.3% (.EXE) DOS Borland compiled Executable (generic) (10000/1/2) 0.6% (.EXE) Win32 Executable (generic) (4505/5/1)
dhash icon	e863eae6b696c6ee (2 x AsyncRAT, 2 x SnakeKeylogger, 2 x Neshta)
Reporter	Anonymous
Tags:	exe SnakeKeylogger

Intelligence

File Origin

# of uploads :

# of downloads :

275

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

Halkbank_Ekstre_20230321_080804_358439.pdf.exe

Verdict:

Malicious activity

Analysis date:

2023-04-04 16:40:08 UTC

Tags:

snake keylogger trojan evasion

Link:

https://app.any.run/tasks/661d2ffa-a446-4d7c-af89-859e8bc51ef4

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

Snake

Link:

https://www.capesandbox.com/analysis/380104/

Detection(s):

SecuriteInfo.com.MSIL.Kryptik.WZA.UNOFFICIAL

Sanesecurity.Malware.28872.BadIN4.UNOFFICIAL

PUA.Win.Packer.D1s1g-5

PUA.Win.Packer.D1s1g-1

PUA.Win.Packer.D1s1g-2

Win.Trojan.Emotet-9850453-0

Win.Trojan.Generic-9936029-0

Win.Malware.Delf-6899401-0

Result

Verdict:

Malware

Maliciousness:

Behaviour

Searching for the window

Сreating synchronization primitives

Creating a window

Searching for synchronization primitives

Creating a file

Enabling the 'hidden' option for recently created files

Creating a process from a recently created file

Moving a recently created file

Creating a file in the %temp% directory

Moving a file to the %temp% directory

Modifying an executable file

DNS request

Sending an HTTP GET request

Sending a UDP request

Setting browser functions hooks

Unauthorized injection to a recently created process

Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch

Query of malicious DNS domain

Infecting executable files

Result

Malware family:

n/a

Score:

5/10

Tags:

n/a

Link:

https://dragonfly.certego.net/analysis/76535/overview

Behaviour

MalwareBazaar

CheckCmdLine

Verdict:

Malicious

Threat level:

10/10

Confidence:

86%

Tags:

autorun cmd.exe darkkomet emotet evasive fingerprint greyware hacktool keylogger macros macros-on-close macros-on-open packed shell32.dll virus

Link:

https://www.filescan.io/uploads/642c526d497fb6f23efd5b86/reports/43da70b0-d690-46c4-aae8-f8cd8eea2f94/overview

Verdict:

Malicious

Labled as:

Win/malicious_confidence_100%

Link:

https://www.hybrid-analysis.com/sample/c1aa3e19aaa042198af892f216f9f32bc506249c499ac2a31e71f012fce68f97

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Snake Keylogger

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/fac16cc6-2288-4b57-9a85-52672e24e50e

Result

Threat name:

Snake Keylogger

Detection:

malicious

Classification:

expl.evad.troj.spyw

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1208211

Signature

.NET source code contains potential unpacker

Antivirus / Scanner detection for submitted sample

Antivirus detection for dropped file

Document contains an embedded VBA macro with suspicious strings

Document contains an embedded VBA with functions possibly related to ADO stream file operations

Document contains an embedded VBA with functions possibly related to HTTP operations

Document contains an embedded VBA with functions possibly related to WSH operations (process, registry, environment, or keystrokes)

Drops PE files to the document folder of the user

Initial sample is a PE file and has a suspicious name

Injects a PE file into a foreign processes

Machine Learning detection for dropped file

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

May check the online IP address of the machine

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Snort IDS alert for network traffic

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to steal Mail credentials (via file / registry access)

Uses an obfuscated file name to hide its real file extension (double extension)

Uses dynamic DNS services

Yara detected Generic Downloader

Yara detected Snake Keylogger

Yara detected Telegram RAT

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/c1aa3e19aaa042198af892f216f9f32bc506249c499ac2a31e71f012fce68f97/

Threat name:

Win32.Virus.Napwhich

Status:

Malicious

First seen:

2023-03-29 12:10:29 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

34 of 37 (91.89%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=ygvd4gnkubbbtcxyslzbn6ptfpcqmje4jgnmfiy6ohybf7hgr6lq._file

Verdict:

malicious

SnakeKeylogger

6bef1889e2124e776aad61e98ab354d9067b25fef573bd67563d691e01ff4169

SnakeKeylogger

98f57a58e8c04c7905cd96329487ea551f61ec1265d991f502fe7413254def12

SnakeKeylogger

a49f6e00c0468e074fa2204a7862c22aa3b934af4f2bb281c55d8bb65da67e44

SnakeKeylogger

cf3d069794498e9ee621651afdc6823dd2b076789af668f296f7ff9a233d1c3d

SnakeKeylogger

dc89fb6fea674bafdb5f7945ece7ba57090647996caee4fd06e7f2a4c20fe4ea

SnakeKeylogger

e09eaaa707261756f322c8d5b12af0a09c575ffbdd7bf19b895cab4982b7f68a

SnakeKeylogger

fe2a7fbf5eceff4507690ba13c38817f4ecfa6cbc376ad8829ee121797a866ac

SnakeKeylogger

+ 450 additional samples on MalwareBazaar

Result

Malware family:

snakekeylogger

Score:

10/10

Tags:

family:snakekeylogger collection keylogger persistence spyware stealer

Link:

https://tria.ge/reports/230404-t5dezaae3z/

Behaviour

Checks processor information in registry

Enumerates system info in registry

Modifies registry class

Suspicious behavior: AddClipboardFormatListener

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

outlook_office_path

outlook_win_path

Enumerates physical storage devices

Suspicious use of SetThreadContext

Accesses Microsoft Outlook profiles

Adds Run key to start application

Looks up external IP address via web service

Checks computer location settings

Executes dropped EXE

Loads dropped DLL

Reads data files stored by FTP clients

Reads user/profile data of local email clients

Reads user/profile data of web browsers

Snake Keylogger

Snake Keylogger payload

Malware Config

C2 Extraction:

https://api.telegram.org/bot5253212199:AAG-02qWN77aEjxlYTZ-WAZ7WOi_I4kCde8/sendMessage?chat_id=2128925974

Unpacked files

SH256 hash:

b4b190818a658f0b64f5aa6d39e901e9d731bf1f58fa072b4c73120a96489bdb

MD5 hash:

3c6f8b2e78f5ebf58c4f170b30c04607

SHA1 hash:

c0ee09a1a9d1c673ad7eadabab7de44ebe0ff765

Link:

https://www.unpac.me/results/8c4379d4-0665-4e78-9c85-503f872dfe19/

SH256 hash:

d06df7395d561e198f9b7c5481567116ff2e4c2e84437c018d2a2c8ea6c4ca37

MD5 hash:

0fb6061f7d37424fb9e6d0e76b019c19

SHA1 hash:

98a64bf7b459f032d6ec5793003bf61b5ae1dd74

Link:

https://www.unpac.me/results/8c4379d4-0665-4e78-9c85-503f872dfe19/

Parent samples :

495607b1aef01bf7dfb64b5cb16a8fc0f161c2923627d71c69de97328f8eca3f
2434aa78b46a3afc98fa6e888c3eb56278ba52b0ff800e7e875af9c2e7f9011a

SH256 hash:

111d42a9ca0390c2da005690b74bb547c3be811e025ad02127706871ffd608be

MD5 hash:

393d6c4ee5dd62ecf2f0c487ccfba75c

SHA1 hash:

7573b43e8e51c4d671ee6f3851bd0cd98898ca95

Detections:

snake_keylogger

Link:

https://www.unpac.me/results/8c4379d4-0665-4e78-9c85-503f872dfe19/

Parent samples :

061ee3375dc3333d8c4266e773535e516206935d4f7dbbc3f0319d253840213d
840841b31d3ffecc2d05b7860a327ec585c142e25067fdfee90f67993bb9cce8
27d87225d2c5b22a531d89640b5346d988177a8d46b41e7977430dd8e095b20e
fc9a557c699b548774bbff4390c60fe2c9779b12dae6ff89860590e44e52f35c
8fd22f3a7bd250cdc73b4b603c085906d19f8a55b0767465bccbf7c3a5df7e81
0bcf67c52f7b210cc7a7bb304e66d221f49363e7e9e75d21f7eeab8355669e2f
dfd9c8d686cd930eb4057a2066b45cfd81d614d00f1d04aca07df18c22b96dc5
b239f9dd0c75dd4d7fa96c4c16aa35e159dc1832f5e86b2178201d353ae40f42
e25b10c6982c5ec2ede4ea1b0b0355f2ad69ebe9c5a423042e6e9c5365644f32
76f5705ac3ded6e48d0fd4106aeee4ff29c928db64475405af07c49456c4a98c
8ec589783ee99df7f41c722cd5e082a377a24d8e0f26121ade720132e09a574e
0e642ba6a80400a3687939384dbbc0a993b5ad11dbc7bccd6a0b00f091878463
01a61878fb688719bbd35d4788d8443d850e878e087d6b4949b31753089cad40
ecadf3a82456432d82fb7e6ce72761aa85253bff9e17d6ae25566132620a280c
6bef1889e2124e776aad61e98ab354d9067b25fef573bd67563d691e01ff4169
bb7ae35b61a135ad6315c7bb85c66bf7346d1c1d031bdd1053fa7c82ebd2c1ca
a1f4604ea58dce5c513639a0929b6e130783a85873bec08ab0e5b061736dd086
c1aa3e19aaa042198af892f216f9f32bc506249c499ac2a31e71f012fce68f97
4f250e4c6d12fc351a9e0cfae8036b78a88c409e6c6c88a45aa6b659d8c4901e
307f012f74f209e4b8371400455ee296585a6d6a0d4c2195df2186ecaf0acd79
fb8564efb19ac7b2777934eeff430c908f3a3e4989ccffcfe0b82453ac222c8f
38a380b0ef5633beef842aabfa59f857cf9286a3e068987864d00b975d7e3253
f0f7717c93fa1fc099bb73da00989d8e75f24047779c1c54e74db9c21db6b3d8
1250f968f4c4db1b73b64223fcb95958b3c324afb330daf88d9379d2cdaeb2ce
be493996dade9c217151bd2f63fe9310d34ad997288d40de3fabdbdbf88cc450
4a517e9b6f85668c242fb3c74f397839a428ce95aca4f95872ee73149cfc3c29
31261a3dd67894580c9377da5cfd7f25e02cbded114c4c73ebd14941c911805a
ab08bdbb5cee3c7c6fe2d7de4c8b7c383316fe7e7dd467f6dfa81dfbe443680b
e82b399e5ef3f95bfaf96d675eb290b35980e7cb2d07aff724a5b67ad4d3cef1

SH256 hash:

3553d8a37635f6a6379ebe830aceb3c40d003f11110dae469f5d1d499c2518ae

MD5 hash:

1f21014104a7c6b2bdb7a3f4c2420654

SHA1 hash:

71c478b4973de62d2a89e01afdb1f1c9d4818ca2

Link:

https://www.unpac.me/results/8c4379d4-0665-4e78-9c85-503f872dfe19/

SH256 hash:

f90962c9c8968ad1798bad551a4a533b87246ce2d7cec82da5f3427ca6822cec

MD5 hash:

7fc01eb3c5329b60900a412b1e64c28f

SHA1 hash:

16dd2ca3f29a39a02de940b14bccd7619fcd01c2

Link:

https://www.unpac.me/results/8c4379d4-0665-4e78-9c85-503f872dfe19/

SH256 hash:

6bef1889e2124e776aad61e98ab354d9067b25fef573bd67563d691e01ff4169

MD5 hash:

2c750c6bb2c221d51f9306b887d21b64

SHA1 hash:

9bb56fdb10ed22275e134de634c95daa7aa03035

Link:

https://www.unpac.me/results/8c4379d4-0665-4e78-9c85-503f872dfe19/

SH256 hash:

c1aa3e19aaa042198af892f216f9f32bc506249c499ac2a31e71f012fce68f97

MD5 hash:

69204d26fa0531e62112e92de0d6c1ad

SHA1 hash:

3ef82bbbd285b5d77e23ce28013757ecf7ff4383

Link:

https://www.unpac.me/results/8c4379d4-0665-4e78-9c85-503f872dfe19/

Malware family:

SnakeKeylogger

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/c1aa3e19aaa0/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Emotet

Score:

0.90

Link:

https://yomi.yoroi.company/submissions/c1aa3e19aaa042198af892f216f9f32bc506249c499ac2a31e71f012fce68f97

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	shellcode Create hunting rule
Author:	nex
Description:	Matched shellcode byte patterns

Rule name:	Suspicious_Macro_Presence Create hunting rule
Author:	Mehmet Ali Kerimoglu (CYB3RMX)
Description:	This rule detects common malicious/suspicious implementations.

Rule name:	vbaproject_bin Create hunting rule
Author:	CD_R0M_
Description:	{76 62 61 50 72 6f 6a 65 63 74 2e 62 69 6e} is hex for vbaproject.bin. Macros are often used by threat actors. Work in progress - Ran out of time

Rule name:	yara_template Create hunting rule

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

SnakeKeylogger

exe c1aa3e19aaa042198af892f216f9f32bc506249c499ac2a31e71f012fce68f97

(this sample)

Dropped by

snakekeylogger

Delivery method

Distributed via e-mail attachment

Cape

https://www.capesandbox.com/analysis/380104/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample