MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 c6b830eb57c4bad87392f58857a37691511be8dab6cc595ce0052f6f6ee421a0. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


SnakeKeylogger


Vendor detections: 11


Intelligence 11 IOCs YARA 11 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: c6b830eb57c4bad87392f58857a37691511be8dab6cc595ce0052f6f6ee421a0
SHA3-384 hash: 0a61c1831a94dc411f3efaee07393875211aa36fd23403f12b810bbce22253a6cb075765cd7b8baceb455ab754b26d8d
SHA1 hash: 19106dfc549edb17b15d1fbcb003e7456eefbdaa
MD5 hash: 9edd5780b1dad39eb1079757bc6e0f63
humanhash: glucose-mobile-april-pennsylvania
File name:45350005419_20220615_11034374_HesapOzeti.exe
Download: download sample
Signature SnakeKeylogger
Create hunting rule
File size:884'736 bytes
First seen:2022-06-15 18:15:07 UTC
Last seen:2022-06-15 18:55:55 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'740 x AgentTesla, 19'600 x Formbook, 12'241 x SnakeKeylogger)
ssdeep 12288:Qe/p+ietdtY4fBOlxVfZ2AqTo1XMDTPbLZ5R5:Qgetd245OlTMZD7bnb
Threatray 5'873 similar samples on MalwareBazaar
TLSH T162154DC2F151CC96E96B0AB2DD6B543016F3BE8D94A4C10D66DA771A26B3352209FF0F
TrID 72.5% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.4% (.EXE) Win64 Executable (generic) (10523/12/4)
6.5% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.4% (.EXE) Win32 Executable (generic) (4505/5/1)
2.0% (.EXE) OS/2 Executable (generic) (2029/13)
File icon (PE):PE icon
dhash icon eeacac8cb6e2ba86 (561 x SnakeKeylogger, 142 x AgentTesla, 40 x Formbook)
Reporter abuse_ch
Tags:exe geo SnakeKeylogger TUR

Intelligence

File Origin
# of uploads :
2
# of downloads :
224
Origin country :
n/a
Vendor Threat Intelligence
Detection:
Snake
Create hunting rule
Link:
https://www.capesandbox.com/analysis/280267/
Detection(s):
SecuriteInfo.com.Trojan.GenericKD.50452114.22835.26243.UNOFFICIAL
Create hunting rule

Result
Verdict:
Clean
Maliciousness:

Behaviour
Creating a window
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
packed
Link:
https://www.filescan.io/uploads/62aa21e9473553ed319260a2/reports/7faa813e-edc4-440c-9db0-42d6118d2922/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Formbook
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/9fd01cb7-7bbd-4f5c-8c62-c9d348f0dc3f
Result
Threat name:
Snake Keylogger
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1013901
Signature
.NET source code references suspicious native API functions
Injects a PE file into a foreign processes
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
May check the online IP address of the machine
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Mail credentials (via file / registry access)
Yara detected AntiVM3
Yara detected Generic Downloader
Yara detected Snake Keylogger
Yara detected Telegram RAT
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/c6b830eb57c4bad87392f58857a37691511be8dab6cc595ce0052f6f6ee421a0/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2022-06-15 09:03:23 UTC
File Type:
PE (.Net Exe)
Extracted files:
30
AV detection:
19 of 26 (73.08%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=y24db22xys5nq44s6wefpi3wsfirx2g2w3gfsxhaauxw63xeegqa._file
Verdict:
malicious
Similar samples:
075d1ac0887f0028c537e2b45c1d1686d26e18464792ca65b374a4ac82261d93
SnakeKeylogger
181fd7b53768803803f237233c783ff3d8182f4e6560d0de84e7e342082d62c3
SnakeKeylogger
1abbde2370c16b13df70225a0c251790f64f3ba70067a30e959360da730eccae
SnakeKeylogger
2e0bcd0644f82dbd6f7bc920b54bf6b4a621ac938a18d35695776f44ae6bccd0
SnakeKeylogger
347fa0ad9e11712fe0628c2454141d6fec8e995acbe7fe7461e6dbf94f2838ce
SnakeKeylogger
4f7d1f1df60c29fe9eff2e75f317a316c9ddc9afe569624a466670cf396b8d61
SnakeKeylogger
b48c018d252b5974a13a65c6b67856d4f2059a90499f65037a63324e4a42001c
SnakeKeylogger
bfc2cfdeb6732fd82c5013684c3760c545b2e0a90aca8c36b3bb9049424d8f73
SnakeKeylogger
+ 5'863 additional samples on MalwareBazaar
Result
Malware family:
snakekeylogger
Create hunting rule
Score:
  10/10
Tags:
family:snakekeylogger collection keylogger spyware stealer
Link:
https://tria.ge/reports/220615-wwfvvaddf6/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Looks up external IP address via web service
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Snake Keylogger
Snake Keylogger Payload
Malware Config
C2 Extraction:
https://api.telegram.org/bot5166529015:AAHmXMIWF4K9IarF05CZj5gCu_oVRj3zFHc/sendMessage?chat_id=5170122971
Unpacked files
SH256 hash:
5e95b92999dc337f367d2c8e91e68daadbcdfc537d2d11fa2612ce68a58e8d04
MD5 hash:
e3df2dd40f0ce5dcd593a52653983ca4
SHA1 hash:
d7d895a35867dc41c8a03ab5ec3aa4e38e1a08a3
Link:
https://www.unpac.me/results/aebf6b08-9695-4e5c-b38a-57b9245f2fda/
SH256 hash:
23ebed8ff1f6bbc93df436e7fafcbd0580751b8b628761342b9bc8a96790a9a0
MD5 hash:
d53e3ef9fae38384b9cfbd817bd75865
SHA1 hash:
af3bf205ad4b51615901128d50cb10988496e565
Link:
https://www.unpac.me/results/aebf6b08-9695-4e5c-b38a-57b9245f2fda/
Parent samples :
c5d0d97ecceb4b96d309f6ae3c27cbc2b6326837765322bd84b49d8dd30078ac
fccbc2322ff9606c918673a07b68c7638c0ae6bee46a8eeba60da6715a92a1a7
9eba2f0df8e90e0471810be36a3aae12bfbc808d226ffec823927e18d429753b
7ce5acb0ec259e4f3f3aef6a8da98c0bfdb0e34918076c88c5f9a462214bc687
689df11e9923fd90bf15c3aa52a813befe084d46c3f66a5105c5a9661b24971a
SH256 hash:
06cffcbf7f95618ed68c1aaedaf93683356062a678ba172cb3f4d0ba6d963229
MD5 hash:
517f7a080b0bd89954bd9f5fe53dd991
SHA1 hash:
9b2c595fe6a14508c6894bb629936ce707e20ea7
Link:
https://www.unpac.me/results/aebf6b08-9695-4e5c-b38a-57b9245f2fda/
SH256 hash:
d9cc8a632725ba8eec614225ee35d5d02924d9bece9d906a81bc00eba9628b6a
MD5 hash:
9a577cea566f540cdac819a62a227bc0
SHA1 hash:
8a29667b31d4d5ff9c4fe13d94bbe058d536847d
Link:
https://www.unpac.me/results/aebf6b08-9695-4e5c-b38a-57b9245f2fda/
SH256 hash:
c6b830eb57c4bad87392f58857a37691511be8dab6cc595ce0052f6f6ee421a0
MD5 hash:
9edd5780b1dad39eb1079757bc6e0f63
SHA1 hash:
19106dfc549edb17b15d1fbcb003e7456eefbdaa
Link:
https://www.unpac.me/results/aebf6b08-9695-4e5c-b38a-57b9245f2fda/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.65
Link:
https://yomi.yoroi.company/submissions/c6b830eb57c4bad87392f58857a37691511be8dab6cc595ce0052f6f6ee421a0

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:exploit_any_poppopret
Create hunting rule
Author:Jeff White [karttoon@gmail.com] @noottrak
Description:Identify POP -> POP -> RET opcodes for quick ROP Gadget creation in target binaries.
Rule name:INDICATOR_SUSPICIOUS_Binary_References_Browsers
Create hunting rule
Author:ditekSHen
Description:Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers.
Rule name:INDICATOR_SUSPICIOUS_EXE_DotNetProcHook
Create hunting rule
Author:ditekSHen
Description:Detects executables with potential process hoocking
Rule name:INDICATOR_SUSPICIOUS_EXE_References_Messaging_Clients
Create hunting rule
Author:ditekSHen
Description:Detects executables referencing many email and collaboration clients. Observed in information stealers
Rule name:INDICATOR_SUSPICIOUS_EXE_TelegramChatBot
Create hunting rule
Author:ditekSHen
Description:Detects executables using Telegram Chat Bot
Rule name:MALWARE_Win_SnakeKeylogger
Create hunting rule
Author:ditekSHen
Description:Detects Snake Keylogger
Rule name:MAL_Envrial_Jan18_1
Create hunting rule
Author:Florian Roth
Description:Detects Encrial credential stealer malware
Reference:https://twitter.com/malwrhunterteam/status/953313514629853184
Rule name:MAL_Envrial_Jan18_1_RID2D8C
Create hunting rule
Author:Florian Roth
Description:Detects Encrial credential stealer malware
Reference:https://twitter.com/malwrhunterteam/status/953313514629853184
Rule name:MAL_Lokibot_Stealer
Create hunting rule
Description:Detects Lokibot Stealer Variants
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/280267/

Comments