MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 d0bbf51d9dc7100fb76b837b5e5ffe89b767351518e76a64fa2748463a1c89e6. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


SnakeKeylogger


Vendor detections: 15


Intelligence 15 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: d0bbf51d9dc7100fb76b837b5e5ffe89b767351518e76a64fa2748463a1c89e6
SHA3-384 hash: 86a49cef0c5da5aba9abaa40ed1e2e5b07b383ab0e86cafee8ec7b688efdf4551066c1054873b5d2091cb4e949e12bcb
SHA1 hash: 48ebffab2c9f9bc931bf513a1745b945f8637dd7
MD5 hash: a80295ae0157914a80e85dfa3f0042fc
humanhash: single-gee-alabama-nevada
File name:IV0MjHzypK9fepo.exe
Download: download sample
Signature SnakeKeylogger
Create hunting rule
File size:575'488 bytes
First seen:2023-05-11 18:30:32 UTC
Last seen:2023-05-13 22:52:33 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'740 x AgentTesla, 19'599 x Formbook, 12'241 x SnakeKeylogger)
ssdeep 6144:lYvasUHMHHpGbmK71TZQmLht4vaUIcW2JiIZxgUkfixGT+r2f2N1oYMG3whHIMsM:lqUHmmJZQYvxcWZIfgLKGT+qSoZTI
Threatray 1'088 similar samples on MalwareBazaar
TLSH T1B0C4CF84523BBFE1D9A417F0221038524B7DA11A75F8F0BC6D5BB8CAC89AB114BD4B77
TrID 71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.2% (.EXE) Win64 Executable (generic) (10523/12/4)
6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.3% (.EXE) Win32 Executable (generic) (4505/5/1)
2.0% (.ICL) Windows Icons Library (generic) (2059/9)
Reporter abuse_ch
Tags:exe SnakeKeylogger

Intelligence

File Origin
# of uploads :
2
# of downloads :
247
Origin country :
NL NL
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
IV0MjHzypK9fepo.exe
Verdict:
Malicious activity
Analysis date:
2023-05-11 18:39:32 UTC
Tags:
snake
Link:
https://app.any.run/tasks/cc4a37ab-99ea-4f94-9d77-c4e0213340fa

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Snake
Create hunting rule
Link:
https://www.capesandbox.com/analysis/388476/
Detection(s):
Sanesecurity.Malware.28872.BadIN4.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Creating a window
Сreating synchronization primitives
Launching a process
Creating a process with a hidden window
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
barys comodo lokibot packed
Link:
https://www.filescan.io/uploads/645d3473b87853d1e17b6605/reports/43339eba-dfc8-4839-a3c1-c4a463ba0f94/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_100%
Link:
https://www.hybrid-analysis.com/sample/d0bbf51d9dc7100fb76b837b5e5ffe89b767351518e76a64fa2748463a1c89e6
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Snake Keylogger
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/3a8138c8-705c-480b-82a1-cebaa39697bd
Result
Threat name:
Snake Keylogger, StormKitty
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1231176
Signature
.NET source code contains potential unpacker
Adds a directory exclusion to Windows Defender
Found malware configuration
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
May check the online IP address of the machine
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Scheduled temp file as task from temp location
Snort IDS alert for network traffic
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Uses schtasks.exe or at.exe to add and modify task schedules
Uses the Telegram API (likely for C&C communication)
Yara detected Generic Downloader
Yara detected Snake Keylogger
Yara detected StormKitty Stealer
Yara detected Telegram RAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 864158 Sample: IV0MjHzypK9fepo.exe Startdate: 11/05/2023 Architecture: WINDOWS Score: 100 47 Snort IDS alert for network traffic 2->47 49 Found malware configuration 2->49 51 Malicious sample detected (through community Yara rule) 2->51 53 9 other signatures 2->53 7 IV0MjHzypK9fepo.exe 7 2->7         started        11 LHLtHqNDt.exe 5 2->11         started        process3 file4 31 C:\Users\user\AppData\Roaming\LHLtHqNDt.exe, PE32 7->31 dropped 33 C:\Users\...\LHLtHqNDt.exe:Zone.Identifier, ASCII 7->33 dropped 35 C:\Users\user\AppData\Local\...\tmp6465.tmp, XML 7->35 dropped 37 C:\Users\user\...\IV0MjHzypK9fepo.exe.log, ASCII 7->37 dropped 55 May check the online IP address of the machine 7->55 57 Uses schtasks.exe or at.exe to add and modify task schedules 7->57 59 Adds a directory exclusion to Windows Defender 7->59 13 IV0MjHzypK9fepo.exe 15 2 7->13         started        17 powershell.exe 21 7->17         started        19 schtasks.exe 1 7->19         started        61 Multi AV Scanner detection for dropped file 11->61 63 Machine Learning detection for dropped file 11->63 65 Injects a PE file into a foreign processes 11->65 21 LHLtHqNDt.exe 2 11->21         started        23 schtasks.exe 1 11->23         started        signatures5 process6 dnsIp7 39 checkip.dyndns.com 158.101.44.242, 49704, 49706, 80 ORACLE-BMC-31898US United States 13->39 41 checkip.dyndns.org 13->41 43 api.telegram.org 149.154.167.220, 443, 49705, 49707 TELEGRAMRU United Kingdom 13->43 25 conhost.exe 17->25         started        27 conhost.exe 19->27         started        45 checkip.dyndns.org 21->45 67 Tries to steal Mail credentials (via file / registry access) 21->67 69 Tries to harvest and steal browser information (history, passwords, etc) 21->69 29 conhost.exe 23->29         started        signatures8 process9
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/d0bbf51d9dc7100fb76b837b5e5ffe89b767351518e76a64fa2748463a1c89e6/
Threat name:
Win32.Trojan.Pwsx
Create hunting rule
Status:
Malicious
First seen:
2023-05-11 10:47:38 UTC
AV detection:
9 of 36 (25.00%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=2c57khm5y4ia7n3lqn5v4x76rg3wonivddtwuzh2e5eemoq4rhta._file
Verdict:
malicious
Similar samples:
167ea427613672844817e73ce587a325bbce315affd1636c249249cecbada4b4
SnakeKeylogger
2062e48bd178d835beb3c39a878ea0da87aae5a4a34e3322a12bc3e9e96bf52d
SnakeKeylogger
307f012f74f209e4b8371400455ee296585a6d6a0d4c2195df2186ecaf0acd79
SnakeKeylogger
3298c3e6f25b777c9f772fb1d5123472df0b1046000598d9ed00bd369a56124d
SnakeKeylogger
43b2d95b4ca603f5007a2d5a389b02d19df2103077146ba3aef9fbd82f2e0770
SnakeKeylogger
58dda17dafc74dd89d83c27483ef35cd298a205d543bb7d1e8305d231705277b
SnakeKeylogger
a1fc12e0b11dc727c1e4f58da908d512b2ea1fb69cc317e024390440807d62eb
SnakeKeylogger
bf7d050627a7bf67ad74bed6cf159d30c88423a1c0ef53f9fdc80b6977e79d9e
SnakeKeylogger
c31db24097d178763ff2da3d555e3dba2ad6e2d055c9f22e1a3a0a9f28784162
SnakeKeylogger
f9abc71a65beed84b344ec4ca11b2d242a9fba725fa5c12db5ad8152bd551826
SnakeKeylogger
+ 1'078 additional samples on MalwareBazaar
Result
Malware family:
stormkitty
Create hunting rule
Score:
  10/10
Tags:
family:snakekeylogger family:stormkitty collection keylogger spyware stealer
Link:
https://tria.ge/reports/230511-w525fahb24/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Enumerates physical storage devices
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Looks up external IP address via web service
Checks computer location settings
Reads user/profile data of web browsers
Snake Keylogger
Snake Keylogger payload
StormKitty
StormKitty payload
Malware Config
C2 Extraction:
https://api.telegram.org/bot5905114115:AAEtJ13Y8sU1fQgR9KsdZZhYCIQmu7J2ahU/sendMessage?chat_id=5334267822
Unpacked files
SH256 hash:
3ab1dcc37e7c5c643bf41e9f0f81f816f24974fbddde95e2af52426e3374dd35
MD5 hash:
8a2c496875c0871aecc16aae768b323f
SHA1 hash:
f5423a32125c70b512de301c5616c7b75477e2e7
Link:
https://www.unpac.me/results/85b1abde-e617-4b4b-8554-bdae17baed52/
SH256 hash:
6759d7bcc9ed7e16e93bf1304246fd6541f46ba4a6752f3eadc98e6e1cd2fa7f
MD5 hash:
806070b2a0a24a92860ab0b699092e78
SHA1 hash:
c128e4b262cf52c344fdcab0c707b6ea6a8f6da8
Link:
https://www.unpac.me/results/85b1abde-e617-4b4b-8554-bdae17baed52/
SH256 hash:
37931bd35c9ccdcb30a808db46c927f6176cab368ae8e68aae172ad50324b633
MD5 hash:
8fc438758604a2110d54a7088a77d495
SHA1 hash:
b062bb208ed4b0d138260145f13217bff0d2f572
Detections:
snake_keylogger
Create hunting rule
Link:
https://www.unpac.me/results/85b1abde-e617-4b4b-8554-bdae17baed52/
Parent samples :
187e9a262dac093e04914b16b11f41adec97c3115f4a6b5e5cf1125d2be8eeca
f42c4d98da8786a899e87be1c19698325adfc6ecccddd17dc7a32c1da9a7f227
0981c7be951e32102a5ea4eac7862654a0979c95b486a491c567ddb2095c679f
a3e34d9df2e5ed18ecb2236c44428ecb068bf476767eb482e0812eeb761071fd
d0bbf51d9dc7100fb76b837b5e5ffe89b767351518e76a64fa2748463a1c89e6
5631b2c6aa5495d9756f92501442b809e0f004d9fe2c1d423ef8906ca912c69b
d6844e4d321d82b76bd2d9d6b66c6a8edfd695323a741481cddb426825cebc44
SH256 hash:
c96db3bc00b7ce29ee32687add431da310e8e9159b2a4cd4df71ed59346b8d06
MD5 hash:
b501c138173c5869fcfe3e5bfc0ea6eb
SHA1 hash:
301891c56d7856c7fcbfa9753526ec4c05bc1af1
Link:
https://www.unpac.me/results/85b1abde-e617-4b4b-8554-bdae17baed52/
SH256 hash:
b52c29ba9ef8996bdf721950d900db96f1befb9883eb38c2075528e60c7aabd4
MD5 hash:
7b6143d9d94c8b80d191b77d8b6d1ba2
SHA1 hash:
1c91704ff6da2a9dd8aaa2ff2d5a5f69a445f76b
Link:
https://www.unpac.me/results/85b1abde-e617-4b4b-8554-bdae17baed52/
SH256 hash:
d0bbf51d9dc7100fb76b837b5e5ffe89b767351518e76a64fa2748463a1c89e6
MD5 hash:
a80295ae0157914a80e85dfa3f0042fc
SHA1 hash:
48ebffab2c9f9bc931bf513a1745b945f8637dd7
Link:
https://www.unpac.me/results/85b1abde-e617-4b4b-8554-bdae17baed52/
Malware family:
SnakeKeylogger
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/d0bbf51d9dc7/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Password Stealer
Score:
0.90
Link:
https://yomi.yoroi.company/submissions/d0bbf51d9dc7100fb76b837b5e5ffe89b767351518e76a64fa2748463a1c89e6

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

SnakeKeylogger

Executable exe d0bbf51d9dc7100fb76b837b5e5ffe89b767351518e76a64fa2748463a1c89e6

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/388476/

Comments