MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 c6ac1c3f1bc5b2f6534a96581600cfa8e253cff1bdba23ea9fd3001cec389b9b. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

SnakeKeylogger

Vendor detections: 8

Intelligence 8 IOCs YARA 5 File information Comments

SHA256 hash:	c6ac1c3f1bc5b2f6534a96581600cfa8e253cff1bdba23ea9fd3001cec389b9b
SHA3-384 hash:	d8f38c299143dbc9935bf558499da9584e990658ebfdf158c7c868cd1aa1f2b124d6afb68c5517e87a0f4a937d1fa5d2
SHA1 hash:	6247d18fd981778e341a32292846632703e77da1
MD5 hash:	95a7eee2e62c2a37f84362ef5ed0f98c
humanhash:	stairway-oranges-failed-mars
File name:	ggeeeloggercrypted.exe.vir
Download:	download sample
Signature	SnakeKeylogger Create hunting rule
File size:	145'408 bytes
First seen:	2022-06-23 18:13:42 UTC
Last seen:	2022-06-24 07:44:10 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'666 x AgentTesla, 19'479 x Formbook, 12'209 x SnakeKeylogger)
ssdeep	384:99xU6PLEJtpMN39Bz9LF/6AGQ3CutZrj1ABa:9DzzZF/Ja
TLSH	T18AE3FC0679DAB168F7F32EB7416715C0857FF4E27DF189DC8214494A8982B01EAFAB13
TrID	64.2% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13) 11.5% (.SCR) Windows screen saver (13101/52/3) 9.2% (.EXE) Win64 Executable (generic) (10523/12/4) 5.7% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 3.9% (.EXE) Win32 Executable (generic) (4505/5/1)
Reporter	KdssSupport
Tags:	dropped exe SnakeKeylogger

Intelligence

File Origin

# of uploads :

# of downloads :

218

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

5B1D0906D714F97D1C1EBC32888A9DE2F2746170

Verdict:

Malicious activity

Analysis date:

2022-06-23 17:08:22 UTC

Tags:

trojan loader

Link:

https://app.any.run/tasks/f7daba3b-e160-4ae9-829f-4172b842e896

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/282709/

Result

Verdict:

Clean

Maliciousness:

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Link:

https://www.filescan.io/uploads/62b4ada9924ee6692339511e/reports/10a4cbbe-f902-4082-a1be-b8bc0bc3e46e/overview

Result

Verdict:

UNKNOWN

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/66473f59-570e-4146-bdd2-781f3b845940

Result

Threat name:

Unknown

Detection:

malicious

Classification:

n/a

Score:

52 / 100

Link:

https://www.joesandbox.com/analysis/1018821

Signature

Machine Learning detection for sample

Multi AV Scanner detection for submitted file

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/c6ac1c3f1bc5b2f6534a96581600cfa8e253cff1bdba23ea9fd3001cec389b9b/

Threat name:

ByteCode-MSIL.Trojan.Generic

Status:

Suspicious

First seen:

2022-06-23 18:14:06 UTC

File Type:

PE (.Net Exe)

Extracted files:

AV detection:

8 of 26 (30.77%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=y2wbypy3ywzpmu2kszmbmagpvdrfht7rxw5ch2u72mabz3bytonq._file

Result

Malware family:

snakekeylogger

Score:

10/10

Tags:

family:snakekeylogger collection keylogger stealer suricata

Link:

https://tria.ge/reports/220623-wvax7seeej/

Behaviour

Modifies registry class

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

outlook_office_path

outlook_win_path

Enumerates physical storage devices

Suspicious use of SetThreadContext

Accesses Microsoft Outlook profiles

Looks up external IP address via web service

Checks computer location settings

Drops startup file

Blocklisted process makes network request

Snake Keylogger

Snake Keylogger Payload

suricata: ET MALWARE Powershell commands sent B64 1

Malware Config

C2 Extraction:

https://api.telegram.org/bot5321688653:AAEI2yqGrOA_-sRZ3xaqutrexraSgFa0AnA/sendMessage?chat_id=5048077662

Dropper Extraction:

https://firebasestorage.googleapis.com/v0/b/testeee-d23ed.appspot.com/o/17-06-2022%20Dll%2F18-06-2022.txt?alt=media&token=f889385b-d605-470d-afa6-2a30fe4a1d9d

Unpacked files

SH256 hash:

c6ac1c3f1bc5b2f6534a96581600cfa8e253cff1bdba23ea9fd3001cec389b9b

MD5 hash:

95a7eee2e62c2a37f84362ef5ed0f98c

SHA1 hash:

6247d18fd981778e341a32292846632703e77da1

Link:

https://www.unpac.me/results/88aa5e0e-9ec2-4a4b-b717-2d06a3ed0c37/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/c6ac1c3f1bc5b2f6534a96581600cfa8e253cff1bdba23ea9fd3001cec389b9b

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	DROPPER_njrat_VBS Create hunting rule
Author:	SECUINFRA Falcon Team
Reference:	https://bazaar.abuse.ch/sample/daea0b5dfcc3e20b75292df60fe5f0e16a40735254485ff6cc7884697a007c0d/

Rule name:	pdb_YARAify Create hunting rule
Author:	@wowabiy314
Description:	PDB

Rule name:	pe_imphash Create hunting rule

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

Rule name:	SUSP_VBS_Wscript_Shell Create hunting rule
Author:	SECUINFRA Falcon Team
Description:	Detects the definition of 'Wscript.Shell' which is often used by Malware, FPs are possible and commmon