MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 c387b91dd56a4b66da4582e26ebc0c5a473e37251fb44650fc62d6d4749d5c8c. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


SnakeKeylogger


Vendor detections: 16


Intelligence 16 IOCs YARA 5 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: c387b91dd56a4b66da4582e26ebc0c5a473e37251fb44650fc62d6d4749d5c8c
SHA3-384 hash: 89a3a011ee807b6f197c2c8cd7a5b7a37f6e2c9a4ead9e58e10d7a7f4ac7ec13786b84262b8841ef4977acf0446b65c4
SHA1 hash: 29858e377f52ba70fad5d3f24c30e2264d96ea96
MD5 hash: 1a2030277b88a72feac4f57f6514494a
humanhash: king-lithium-summer-orange
File name:hesaphareketi-01.exe
Download: download sample
Signature SnakeKeylogger
Create hunting rule
File size:884'736 bytes
First seen:2024-10-03 07:09:41 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'648 x AgentTesla, 19'452 x Formbook, 12'201 x SnakeKeylogger)
ssdeep 12288:zTvI+u/WO2QaanbotSUN3o7ifGY4+wZy2jifuNHXSRcEgPKxIYzsT:3vIFSYgp32872lWWtSBgmIYzs
Threatray 4'492 similar samples on MalwareBazaar
TLSH T195159CC076386B05D97947B19539DDB083B1292AB029F6D60CCAFBFB35A87135A08F47
TrID 71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.2% (.EXE) Win64 Executable (generic) (10523/12/4)
6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.3% (.EXE) Win32 Executable (generic) (4504/4/1)
2.0% (.ICL) Windows Icons Library (generic) (2059/9)
Magika pebin
Reporter abuse_ch
Tags:exe geo SnakeKeylogger TUR

Intelligence

File Origin
# of uploads :
1
# of downloads :
368
Origin country :
NL NL
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
hesaphareketi-01.exe
Verdict:
Malicious activity
Analysis date:
2024-10-02 10:00:10 UTC
Tags:
evasion snake keylogger telegram smtp exfiltration
Link:
https://app.any.run/tasks/63789e34-633a-4571-bdfd-2ce1ab77fb96

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Verdict:
Malicious
Score:
99.1%
Link:
https://cyber-fortress.com/docs/result/index.php?id=66fe9376780a9b632d229f9e
Tags:
Powershell Spawn Msil
Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Creating a window
Сreating synchronization primitives
Creating a process with a hidden window
Unauthorized injection to a recently created process
Restart of the analyzed sample
Creating a file
DNS request
Connection attempt
Sending an HTTP GET request
Sending a custom TCP request
Reading critical registry keys
Stealing user critical data
Adding an exclusion to Microsoft Defender
Forced shutdown of a browser
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
packed
Link:
https://www.filescan.io/uploads/66fe435188188863f38e1d92/reports/005ddf8f-6fae-460b-a3e0-f8c474e74064/overview
Verdict:
Malicious
Labled as:
Malware
Link:
https://www.hybrid-analysis.com/sample/c387b91dd56a4b66da4582e26ebc0c5a473e37251fb44650fc62d6d4749d5c8c
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Snake Keylogger
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/384e6d75-5aea-46cc-8899-94300353664c
Result
Threat name:
Snake Keylogger, VIP Keylogger
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1524785
Signature
.NET source code contains potential unpacker
Adds a directory exclusion to Windows Defender
AI detected suspicious sample
Antivirus detection for URL or domain
Found malware configuration
Injects a PE file into a foreign processes
Loading BitLocker PowerShell Module
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Tries to detect the country of the analysis system (by using the IP)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Uses the Telegram API (likely for C&C communication)
Yara detected AntiVM3
Yara detected Generic Downloader
Yara detected Snake Keylogger
Yara detected Telegram RAT
Yara detected VIP Keylogger
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1524785 Sample: hesaphareketi-01.exe Startdate: 03/10/2024 Architecture: WINDOWS Score: 100 24 reallyfreegeoip.org 2->24 26 api.telegram.org 2->26 28 3 other IPs or domains 2->28 36 Found malware configuration 2->36 38 Malicious sample detected (through community Yara rule) 2->38 40 Antivirus detection for URL or domain 2->40 46 10 other signatures 2->46 8 hesaphareketi-01.exe 4 2->8         started        signatures3 42 Tries to detect the country of the analysis system (by using the IP) 24->42 44 Uses the Telegram API (likely for C&C communication) 26->44 process4 file5 22 C:\Users\user\...\hesaphareketi-01.exe.log, ASCII 8->22 dropped 48 Adds a directory exclusion to Windows Defender 8->48 50 Injects a PE file into a foreign processes 8->50 12 hesaphareketi-01.exe 15 2 8->12         started        16 powershell.exe 23 8->16         started        signatures6 process7 dnsIp8 30 api.telegram.org 149.154.167.220, 443, 49732 TELEGRAMRU United Kingdom 12->30 32 mail.obaambalaj.com.tr 77.245.159.27, 49733, 49734, 587 NIOBEBILISIMHIZMETLERITR Turkey 12->32 34 2 other IPs or domains 12->34 52 Tries to steal Mail credentials (via file / registry access) 12->52 54 Tries to harvest and steal browser information (history, passwords, etc) 12->54 56 Loading BitLocker PowerShell Module 16->56 18 WmiPrvSE.exe 16->18         started        20 conhost.exe 16->20         started        signatures9 process10
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/c387b91dd56a4b66da4582e26ebc0c5a473e37251fb44650fc62d6d4749d5c8c
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/c387b91dd56a4b66da4582e26ebc0c5a473e37251fb44650fc62d6d4749d5c8c/
Threat name:
ByteCode-MSIL.Spyware.Snakekeylogger
Create hunting rule
Status:
Malicious
First seen:
2024-10-02 07:21:12 UTC
AV detection:
18 of 24 (75.00%)
Threat level:
  2/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=yod3shovnjfwnwsfqlrg5pamljdt4nzfd62emuh4mllni5e5lsga._file
Verdict:
malicious
Label(s):
vipkeylogger
Create hunting rule
unknown_loader_037
Create hunting rule
Similar samples:
51b79481d9e411146f4d43f1c3028b71c020ebd3ebb2e0eaeddc03a7ca0c1106
SnakeKeylogger
72d2fcb709a2bf07214901ffa2b9aea792ee4fc4ff646646bfa02ddb8e775d7e
SnakeKeylogger
9ddb1517c8f989f56454c6a8ebc28ed1431d4751cb44164aada2885a65af45b0
SnakeKeylogger
be2b337b492d73d7a55401d8a3d70ef961a3b023e6c182bad9607627a0a6d38d
SnakeKeylogger
fb297a323336c9b72d07b82486fd647efbef26232f5bd90d47a4526615f6ac55
SnakeKeylogger
+ 4'482 additional samples on MalwareBazaar
Result
Malware family:
vipkeylogger
Create hunting rule
Score:
  10/10
Tags:
family:vipkeylogger collection discovery execution keylogger spyware stealer
Link:
https://tria.ge/reports/241003-hzdm1avbkf/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Browser Information Discovery
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Looks up external IP address via web service
Checks computer location settings
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Command and Scripting Interpreter: PowerShell
VIPKeylogger
Verdict:
Malicious
Tags:
snake_keylogger
YARA:
n/a
Link:
https://app.threat.zone/submission/d5eb3d01-e0ce-483e-977c-c3eb93b056a8
Unpacked files
SH256 hash:
4039e01d1063aab40b0c94d3ae4e7e315aa59542fe7afb3402e076ddd7fe561f
MD5 hash:
0c50373fbc1a4cee8316cf8ae64ea39b
SHA1 hash:
ef0cb4decd90881de3c4482409f6227e536e3458
Detections:
win_404keylogger_g1
Create hunting rule
MAL_Envrial_Jan18_1
Create hunting rule
Link:
https://www.unpac.me/results/2be392be-a5c6-4f89-a9d6-cdb7985198c5/
SH256 hash:
17561b053058fe8a34ca5f14af87d137106e691ae1c40a872d99421f69aa8f57
MD5 hash:
da1c244283a701f8be75eaa8c01a0cf3
SHA1 hash:
c57c5afa757b9a1832f9c04c11454e76acdeb36b
Detections:
SUSP_OBF_NET_ConfuserEx_Name_Pattern_Jan24
Create hunting rule
SUSP_OBF_NET_Reactor_Indicators_Jan24
Create hunting rule
Link:
https://www.unpac.me/results/2be392be-a5c6-4f89-a9d6-cdb7985198c5/
SH256 hash:
d2174ddc2b6341b898b939fa0661d2a1cd8d485f5237427331f0d889672fbe7e
MD5 hash:
221f891053c35a694d7b442b7909d086
SHA1 hash:
81cb6829a184bae91927dc8b57744e895355b281
Detections:
SUSP_OBF_NET_ConfuserEx_Name_Pattern_Jan24
Create hunting rule
Link:
https://www.unpac.me/results/2be392be-a5c6-4f89-a9d6-cdb7985198c5/
Parent samples :
509070cd30eb4cb05c29fe8cb222166c1c7db0f6084ea5b91e37bac79c14ac30
7ef4c75ee4a5f3b7f2ac44323d9ba15bcd24f5d0b9e3e04dc330dc6cde421b7c
97fb0388618e3d977b390696f4ca19e38f0e706d70a40726bab9ed8dcdcd036c
6b8c990c92c37f014fc93efd79c6fbb3a22e8da7961e9333644bfeac353a2ae2
49a6d4dde10788e5000df6a0fad4be9ab17567fd1314b64c3d7be0257adcbc65
72edec1131f38fb1e1753c90814de040ecf70515a270a1f1d3481c9194f6b949
9ca5a71321522f47140b36e5f1983cff7455dd124caa231d97df29cd654c6893
85e703636c2e5c837b37714c02a838dca4f2ac440d45c0bedfbf56b8e01c4820
c7ee9124f10a69564f9f096cc641aaf1c005a5270c8b62781ab71ced91a941d2
5ea66e4e338b5ded7b00ad1575010d7c1149341323a646069f3b00a518f300d5
c89c37f0b5dc89251da6c37aa8e1071c43d52c80fd2326f1e6de8dcd5eaf0dfc
c6ae41874ccd5d6c3e6da49cae6d0a0e8eee20e7037896b38f1e4523dd9543c8
08d86feee2707af5c57b4ffa8663c0e447c7425c39a103906cf15eae7cf1df9d
a433aa981a5cbfd5fae678c523b088d034f61f57dcb61232fbaba73657867b36
2095af004e76f0cf7243b68e868eeb3b9c8c157d632aa785a87a93addf3b75fc
9bcc5591013f066f47701388e95202aa53483c1b73321eecedafd30de2eb381e
822e06191849b35415693155a46edff39c41db14f3dce949120456c1b7b55892
79bcad797129c0be508de0fe7b0462b1aaffbafa74a4e7019a4561deb674f4bd
0dfe79bf85e9cfcbcd5ffa2cb21370eaf78d80d27ae4b4b0c5087afad5c6ebb8
156b1cea1a2f649e332be482047de3d368f5f7b7e93eb4821692ada17a69fc75
b31cbc6ec2eb2b790c422f0f960bb1436106d92958703cb005ccdef38887e310
c01d1b77062d28f497480aac1c2ad019d88b9f12a8db4405065cd2a9f3086191
362207c53645346df6f36cf3f7792e5fc4655895b35a6e3477e218e0e0007be9
3e26ebdfbd46dadcbf46c199970362689fa6ca0e0abb65ec703ca21d08b7269f
3279f79164633c0881c50971c98ca39bc9367111410f77582700468f2c0e3dd1
38f275624c634801c164c2c8f3294cbeea49b47e8e8d83bda53a0bc8aa7f7106
1897d47010a97079de62b957827fbecbdb4690ead4a51417fa6f1dccfc19f6c5
ece8d193afdcc6ec2c024e2441f7c0ce25801143573cacf71cf059de9a337275
b92304c2e680f54345fa77f77b0c507f93d05d43547e819d2ebf53a31e48ac97
f25dc80bfc742a0e8091d216ecbc033d93e71d43b31bbefb3ec9ef6cfc637cee
810430cb80a2b4d0cfb713a72dcb40c148f5494ae06b904ebe019e8f61b79d63
1cbf1a11cb59b7a4135093c3e6b11be6b81ba57fb30707de145a1d41506760a6
6841176c0e46732c3886f7908a5adf77a6d6ce1327268a9fcb7f2c0262132e41
d55b00b7cb5305371e1cc170179e7025cc517b810e57992adab16893b410985e
12af745dd8353b25857dc4bd3d3282f21c960ab55d3dece7e62d7a10a9aae810
60712b6d9bb023934b8d27fc6f54b3543a5ebfcd229cd1c4cb8f8dbaec08dc99
520fe428b0afdaf20673224c5004c004ab1d1dfd492cc54a37e362af8a844005
8f49d498d3ed3ff8f66d7f22a4ab6b7747e2e799662ee75b2019304e5dbc6dde
884c0261a0c4ff07790fa549a0dc1d752bd97ef3e0635536193c585a291a7281
368305c8a62f4edc3ab1b94d1242e5438b7d7c14a6c65f7beb4aad32b1984821
c387b91dd56a4b66da4582e26ebc0c5a473e37251fb44650fc62d6d4749d5c8c
27ff307b514230b2363e2284e1d57df50bc8a59b5cf8c732dc32d5587d472c64
407df9654a54792ee72730f5dae8bd303d7d92a24a5fe0a5bc83f634bab7a235
8b528f3a173e7e40394c21bb0cfa0304ef12b58ab185de1da8e4b4e5231eee8a
afef519b2380d9483a1b51eaccf235593140a75641e5a469d130f2d48ffd5268
a327355ae6e99929d1303a762ea8a936d8e4884f45d683de08dba6882c1c016d
ddad2801522370c2ca5c4ec41663b36a88ef6be171867f23f084c0fa6ecb1055
5a227bf354dbad129be8c6e1b82eca5bbe6f27587a522fd5fa9e30bdd61b8618
02abb1d01386d7d7ffd8debc2c0fb09baebb82d88b8f758e4de3f0deaaecfbf9
65b4919d036f5dc3a1dfe9b62510ed4e578a87dccf862df6fbb8524894c2965d
a77754ef6de4a61024e443178b88e50be8b1994f87b323ed7fa5f2f197acdab4
780354ea81fa066b085767d98d878a9b891f7febea281d2e09577b424a6ab47d
b9f4537fa4b470f09cc62c1c706004604498c9405e638712eb4f2ea6a6b1876d
4ed81a9a25e52a99d76805b081679cfe3628756be4bda6a47e365506c7df3a0c
3376b495c19dc3e179dfb2ef072a362c2d26ed59b06266dd7dbf080a80a005f6
0ad205b2d883bca56250246f308228379c27f6114d8b740014deeef53b3412bb
01ab4d20ae687b065b10fdf3f3243a46a320dcec4b3a9a8e0cafcc0878aa1800
bf4ab91b352744a5ac16ef96f4c25405b993ded0aeaed9c09efbddab513877b9
b1fb20d5857d1ca65dbacd6cb100dc2d7da8eb7ce54d4faeebafb2bbb212beca
03b5cfab3f0ffdf96e415006004be9a0c05e6365e1d5834984cfd5cea9df85fe
3d4bfc47bd88ef39e0780482a1b0fde1cd85772ddce25d9905d88d48b5b96a4a
e407720bcc7f5845bb9cf84c1c1209ef6e2afd339518359f86944c5f6e019b09
e7fc9e51d81f4b40dca80a3d83ca54a03120566b6dd6f76e0299546ac178f633
20f9d4cf5cd85fa7cf0d58b55409f75f9af0b952d3b573bffdd21966d9a3f396
SH256 hash:
c387b91dd56a4b66da4582e26ebc0c5a473e37251fb44650fc62d6d4749d5c8c
MD5 hash:
1a2030277b88a72feac4f57f6514494a
SHA1 hash:
29858e377f52ba70fad5d3f24c30e2264d96ea96
Link:
https://www.unpac.me/results/2be392be-a5c6-4f89-a9d6-cdb7985198c5/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/c387b91dd56a4b66da4582e26ebc0c5a473e37251fb44650fc62d6d4749d5c8c

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:AgentTesla_DIFF_Common_Strings_01
Create hunting rule
Author:schmidtsz
Description:Identify partial Agent Tesla strings
Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_DLL_CHARACTERISTICSMissing dll Security Characteristics (HIGH_ENTROPY_VA)high

Comments