MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 cd92588be4cea6be89d28bd8cc79c00387bc3a19ec2c5ced8e43280e58874bd1. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


SnakeKeylogger


Vendor detections: 15


Intelligence 15 IOCs YARA 4 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: cd92588be4cea6be89d28bd8cc79c00387bc3a19ec2c5ced8e43280e58874bd1
SHA3-384 hash: 263f3615b01d9fa645a69dc76e728108227a1daec85cbb88d3bb5b255f7662e6fda69e6cf755a662e4b497057787cdd6
SHA1 hash: c3b2f22323fb23bde6a56016f2a4d957be0a43e1
MD5 hash: 6c360b467b3541ec14d605a84c1bb298
humanhash: sad-low-jersey-pennsylvania
File name:Halkbank_Ekstre_20230414_081600_094247.PDF.exe
Download: download sample
Signature SnakeKeylogger
Create hunting rule
File size:487'424 bytes
First seen:2023-04-14 05:41:05 UTC
Last seen:2023-04-16 10:39:20 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'657 x AgentTesla, 19'469 x Formbook, 12'208 x SnakeKeylogger)
ssdeep 6144:zRJJxBpFvZhO6ynEqnp1cfn6RAFJiXMVzm0jTINg1SXgWgVHG2Tdd9aLNTXB:zhZyVAf62uXMBaFgrRTT9a9
Threatray 80 similar samples on MalwareBazaar
TLSH T12EA4123772D41A3BD75D63FA0A21A90343B2442AAA71D1DD5DD901FC6AF3B904E32E93
TrID 63.0% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
11.2% (.SCR) Windows screen saver (13097/50/3)
9.0% (.EXE) Win64 Executable (generic) (10523/12/4)
5.6% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
3.8% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):PE icon
dhash icon 0000c4c4e4c47000 (17 x AgentTesla, 7 x SnakeKeylogger, 6 x Loki)
Reporter abuse_ch
Tags:exe geo Halkbank SnakeKeylogger TUR

Intelligence

File Origin
# of uploads :
2
# of downloads :
235
Origin country :
NL NL
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
Halkbank_Ekstre_20230414_081600_094247.PDF.exe
Verdict:
Malicious activity
Analysis date:
2023-04-14 05:44:32 UTC
Tags:
snake keylogger trojan evasion
Link:
https://app.any.run/tasks/57172dc4-ab1f-4769-bea7-ac55be08810c

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/382126/
Detection(s):
Sanesecurity.Malware.28872.BadIN4.UNOFFICIAL
Create hunting rule

Win.Trojan.EmbeddedDotNetBinary-9940868-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Сreating synchronization primitives
Launching a process
Creating a process with a hidden window
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
clipbanker comodo darkkomet packed remcos
Link:
https://www.filescan.io/uploads/6438e7abb4ec50bace602057/reports/830bd808-2cfb-4022-b6ac-3d34ee6042ac/overview
Verdict:
Malicious
Labled as:
Trojan.Generic
Link:
https://www.hybrid-analysis.com/sample/cd92588be4cea6be89d28bd8cc79c00387bc3a19ec2c5ced8e43280e58874bd1
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Snake Keylogger
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/752db946-abfe-4e7b-9932-756ca2f1aa0e
Result
Threat name:
Snake Keylogger
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1213635
Signature
.NET source code contains potential unpacker
Adds a directory exclusion to Windows Defender
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Found malware configuration
Initial sample is a PE file and has a suspicious name
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
May check the online IP address of the machine
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Scheduled temp file as task from temp location
Snort IDS alert for network traffic
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Mail credentials (via file / registry access)
Uses an obfuscated file name to hide its real file extension (double extension)
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected Generic Downloader
Yara detected Snake Keylogger
Yara detected Telegram RAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 846563 Sample: Halkbank_Ekstre_20230414_08... Startdate: 14/04/2023 Architecture: WINDOWS Score: 100 40 checkip.dyndns.org 2->40 42 checkip.dyndns.com 2->42 54 Snort IDS alert for network traffic 2->54 56 Found malware configuration 2->56 58 Malicious sample detected (through community Yara rule) 2->58 60 11 other signatures 2->60 8 Halkbank_Ekstre_20230414_081600_094247.PDF.exe 7 2->8         started        12 SxSttwJNiITe.exe 5 2->12         started        signatures3 process4 file5 32 C:\Users\user\AppData\...\SxSttwJNiITe.exe, PE32 8->32 dropped 34 C:\Users\...\SxSttwJNiITe.exe:Zone.Identifier, ASCII 8->34 dropped 36 C:\Users\user\AppData\Local\...\tmp327D.tmp, XML 8->36 dropped 38 Halkbank_Ekstre_20..._094247.PDF.exe.log, ASCII 8->38 dropped 62 May check the online IP address of the machine 8->62 64 Uses schtasks.exe or at.exe to add and modify task schedules 8->64 66 Adds a directory exclusion to Windows Defender 8->66 14 Halkbank_Ekstre_20230414_081600_094247.PDF.exe 15 2 8->14         started        18 powershell.exe 21 8->18         started        20 schtasks.exe 1 8->20         started        68 Antivirus detection for dropped file 12->68 70 Multi AV Scanner detection for dropped file 12->70 72 Machine Learning detection for dropped file 12->72 22 SxSttwJNiITe.exe 2 12->22         started        24 schtasks.exe 1 12->24         started        signatures6 process7 dnsIp8 44 checkip.dyndns.com 193.122.130.0, 49699, 80 ORACLE-BMC-31898US United States 14->44 46 checkip.dyndns.org 14->46 48 192.168.2.1 unknown unknown 14->48 26 conhost.exe 18->26         started        28 conhost.exe 20->28         started        50 132.226.8.169, 49700, 80 UTMEMUS United States 22->50 52 checkip.dyndns.org 22->52 74 Tries to steal Mail credentials (via file / registry access) 22->74 76 Tries to harvest and steal ftp login credentials 22->76 78 Tries to harvest and steal browser information (history, passwords, etc) 22->78 30 conhost.exe 24->30         started        signatures9 process10
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/cd92588be4cea6be89d28bd8cc79c00387bc3a19ec2c5ced8e43280e58874bd1/
Threat name:
Win32.Trojan.Leonem
Create hunting rule
Status:
Malicious
First seen:
2023-04-13 01:49:40 UTC
File Type:
PE (.Net Exe)
Extracted files:
14
AV detection:
19 of 24 (79.17%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=zwjfrc7ez2tl5cosrpmmy6oaaod3yoqz5qwfz3moimua4wehjpiq._file
Verdict:
malicious
Similar samples:
099dfc4278cbcfc8c1e84bd46bde0b5ddbdc86b20d95b8ba6b98b66b4436a345
SnakeKeylogger
22966ba42f0a0adda0c87caa3aa1b8b9fcc8537081b2a6c2791df3b37a4ca5cf
SnakeKeylogger
66b54ac951afcaae39c61d837f9f38543e164f8fa93e1479fb458e8e445f7e59
SnakeKeylogger
84faedff54ca269a6704eaabe8406e9b282d668713d853ea02c356968953d1ff
SnakeKeylogger
8a03b8808de5dc90141e961a89350e8e50ad3f8410ec4e2d5b4fa64cfc310519
SnakeKeylogger
a8fe73642ab1caf476e2b0f547261adf305a85f6b25776393e543a7a6a15511d
SnakeKeylogger
c65c1eef6d3baaae27776338e327dd6a93bf40c40925a3a82587a2378b7446ec
SnakeKeylogger
d7008c06acb178629eef3b665c729b7b13eb8c3c3713369cf71dd754572d731d
SnakeKeylogger
f5a8212add9f9bfbc85f6337d2194ca9aa66bd3c12830c8ebe7d7ff60934d5ad
SnakeKeylogger
f86378105b4028797386149c63ced3dfb596164326381b99257b49ae61d90db9
SnakeKeylogger
+ 70 additional samples on MalwareBazaar
Result
Malware family:
snakekeylogger
Create hunting rule
Score:
  10/10
Tags:
family:snakekeylogger collection keylogger spyware stealer
Link:
https://tria.ge/reports/230414-gd1d7shh3t/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Enumerates physical storage devices
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Looks up external IP address via web service
Checks computer location settings
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Snake Keylogger
Snake Keylogger payload
Malware Config
C2 Extraction:
https://api.telegram.org/bot5972904963:AAH_L0Z1BaWpBDyPhmUAMb5yVXWF00k11jk/sendMessage?chat_id=5334267822
Unpacked files
SH256 hash:
40c050c20d957d26b932faf690f9c2933a194aa6607220103ec798f46ac03403
MD5 hash:
c768bac25fc6f0551a11310e7caba8d5
SHA1 hash:
95f9195e959fb48277c95d1dd1c97a4edff7cb3a
Link:
https://www.unpac.me/results/330d548d-22c4-41fd-8e21-5cdcc6859925/
SH256 hash:
e07ef0f30baec5f76fb2420ee8a38b40bae2925b05b78b5d3ddbd9408be246fc
MD5 hash:
e51ee4a3f36fd69442b909b6bda9610e
SHA1 hash:
6cc2d7d58fdd8b8e0b121da2833909b41ac062b5
Link:
https://www.unpac.me/results/330d548d-22c4-41fd-8e21-5cdcc6859925/
SH256 hash:
bc92c956d457e23d316e3a96117bcd751f173315f091ef4652f681c4e70c3c6b
MD5 hash:
89b1afd50ea42b6c30173aa150bbb2f1
SHA1 hash:
3437516adfaba3700a38ba223cc5883147b63b02
Detections:
snake_keylogger
Create hunting rule
Link:
https://www.unpac.me/results/330d548d-22c4-41fd-8e21-5cdcc6859925/
Parent samples :
052b8200781ad3e1a2a457c191190517f42c6e6d32aaebed469e4f04ef91a084
2e506d4171255bed1d192868eddc5760a4ca24c6f0bf05287c9f7d42d3481641
9db2dbd0a7e07b2b791bd864069c0d8bd94a43f41fee3bcb5164d5e4321ca29a
200e8cd66316a2b90a7e08b9f7997064198617243d3d9e477b4e474caa4dcf89
069fdfe3f720161acc0845785533ce607d29b6fe26d6ea66e3d7d1e4eba09703
0b20f075554102a9edd27184296555170d7ca610d540c47126bb02b94aadb7de
f80686e2d4265e07d5693ba67db39f0956e420de32e78012d2735d8bde358ce1
197bbf64b3138631374f548f8ceac43752764cb6039c5e89cc2dcdbdc05a5c66
04896af781081e872566fd5fa00b502ee5cef7093f4ce51a499a19434125bd07
3e04c2123d904dbc6332c6ac903d9653a48659ec979b879be232200639aa4431
c797f8d906b11b9f81a74dfa440db2d996c3d171dbe4f860cb552745b0d3144c
caf38468bb4c88ceeb6d81e15d5f14a10d1717d0aaa94078d464d5b20c3d8df4
4ab558181de9bd2dd00dc75eb66840c18c9243c62d72ee90d4e037d9be472721
9ce6334520ddf82976f7a4b77620e56e6504e1f1c5f871d8f46d277e1ed7ebed
0355a54d6aae27829f3e33aa8fce6dee0310802ae4e5a842bd7fe25fe1a6274a
8669e8779f88d44fb2a4bb15f313813540826f1019433bec3b466c2227406854
cd92588be4cea6be89d28bd8cc79c00387bc3a19ec2c5ced8e43280e58874bd1
4ab6d78c4846a801d11c6263585e0154d8e610fcdaeb123ef91c819cc7c76cd4
cd465f7792e59bbed490c66d9c3d47a5da49abe8839aa21810b3844ecbc5863c
SH256 hash:
f074b2c09142fa55caae482b5ec6ba350fda0ac62329bb825d61f21e2e7059a1
MD5 hash:
567bbf43aac601560b1def4a872d4089
SHA1 hash:
21dfc6e6ecf39c9c23927c114ca911559ca4593e
Link:
https://www.unpac.me/results/330d548d-22c4-41fd-8e21-5cdcc6859925/
SH256 hash:
7ec71bb7e2ac30bc651ac590b03108ff60ec294daf890a2ac22355edbe518670
MD5 hash:
bd408c5ae9dab38f464053956f762953
SHA1 hash:
07672ca547efb5263c29a3b1efa9b9e83a36d022
Link:
https://www.unpac.me/results/330d548d-22c4-41fd-8e21-5cdcc6859925/
SH256 hash:
cd92588be4cea6be89d28bd8cc79c00387bc3a19ec2c5ced8e43280e58874bd1
MD5 hash:
6c360b467b3541ec14d605a84c1bb298
SHA1 hash:
c3b2f22323fb23bde6a56016f2a4d957be0a43e1
Link:
https://www.unpac.me/results/330d548d-22c4-41fd-8e21-5cdcc6859925/
Malware family:
SnakeKeylogger
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/cd92588be4ce/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/cd92588be4cea6be89d28bd8cc79c00387bc3a19ec2c5ced8e43280e58874bd1

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Dotnet_Hidden_Executables_Detect
Create hunting rule
Author:Mehmet Ali Kerimoglu (@CYB3RMX)
Description:This rule detects hidden PE file presence.
Reference:https://github.com/CYB3RMX/Qu1cksc0pe
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash
Rule name:SUSP_Reverse_DOS_header
Create hunting rule
Author:SECUINFRA Falcon Team
Description:Detects an reversed DOS header

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

SnakeKeylogger

Executable exe cd92588be4cea6be89d28bd8cc79c00387bc3a19ec2c5ced8e43280e58874bd1

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/382126/

Comments