MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 d17485bb71ac721677f1736c9bf1e5e7971d086e9abec4b74f5935a750160f1f. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


SnakeKeylogger


Vendor detections: 13


Intelligence 13 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: d17485bb71ac721677f1736c9bf1e5e7971d086e9abec4b74f5935a750160f1f
SHA3-384 hash: b85c093c1c4f71d9eeb0ae8a98bd11c648e24460c1a8b2af79ea587c3ac0e5e844f9c60b0b3b783303dd3d87fd1fd164
SHA1 hash: e7e0e2d2c28fe985a186cdc2eba629751d772d38
MD5 hash: 47b99ce0a9f8a391cb854f43e3d7ba4c
humanhash: carpet-washington-robin-spring
File name:cv.exe
Download: download sample
Signature SnakeKeylogger
Create hunting rule
File size:1'145'344 bytes
First seen:2023-03-14 13:36:40 UTC
Last seen:2023-03-15 23:05:15 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'666 x AgentTesla, 19'479 x Formbook, 12'209 x SnakeKeylogger)
ssdeep 24576:LqGnN7fkcqUnOL5V5UkIOgfBq4SZp9q4zC8CfACb8OYAa:acqIO+JSIh9f
Threatray 103 similar samples on MalwareBazaar
TLSH T18D359D0578D41AEAF77EDBF4C1E115EC03F26683900DEB2DCDC064DA1A247C36A5A9A7
TrID 63.0% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
11.2% (.SCR) Windows screen saver (13097/50/3)
9.0% (.EXE) Win64 Executable (generic) (10523/12/4)
5.6% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
3.8% (.EXE) Win32 Executable (generic) (4505/5/1)
Reporter cocaman
Tags:exe SnakeKeylogger

Intelligence

File Origin
# of uploads :
20
# of downloads :
228
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
cv.exe
Verdict:
Malicious activity
Analysis date:
2023-03-14 13:37:43 UTC
Tags:
snake keylogger trojan evasion
Link:
https://app.any.run/tasks/d1171301-9269-41f8-b765-a057e518627b

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/374239/
Detection(s):
Sanesecurity.Malware.28872.BadIN4.UNOFFICIAL
Create hunting rule

Sanesecurity.Rogue.0hr.20230314-0833.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Creating a window
Verdict:
Malicious
Threat level:
  10/10
Confidence:
86%
Tags:
packed
Link:
https://www.filescan.io/uploads/6410787f11c297931e54fe47/reports/2544e71b-635f-4964-93cf-764881677e82/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_100%
Link:
https://www.hybrid-analysis.com/sample/d17485bb71ac721677f1736c9bf1e5e7971d086e9abec4b74f5935a750160f1f
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Generic Malware
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/4733c608-da6b-41c3-b4e1-6f50774f2a32
Result
Threat name:
Snake Keylogger
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1193321
Signature
Adds a directory exclusion to Windows Defender
Injects a PE file into a foreign processes
Malicious sample detected (through community Yara rule)
May check the online IP address of the machine
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Scheduled temp file as task from temp location
Snort IDS alert for network traffic
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Mail credentials (via file / registry access)
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected Generic Downloader
Yara detected Snake Keylogger
Yara detected Telegram RAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 826222 Sample: cv.exe Startdate: 14/03/2023 Architecture: WINDOWS Score: 100 53 Snort IDS alert for network traffic 2->53 55 Malicious sample detected (through community Yara rule) 2->55 57 Sigma detected: Scheduled temp file as task from temp location 2->57 59 4 other signatures 2->59 7 cv.exe 7 2->7         started        11 eYEnELhtyGTi.exe 5 2->11         started        process3 file4 35 C:\Users\user\AppData\...\eYEnELhtyGTi.exe, PE32 7->35 dropped 37 C:\Users\...\eYEnELhtyGTi.exe:Zone.Identifier, ASCII 7->37 dropped 39 C:\Users\user\AppData\Local\...\tmp3B0A.tmp, XML 7->39 dropped 41 C:\Users\user\AppData\Local\...\cv.exe.log, ASCII 7->41 dropped 61 May check the online IP address of the machine 7->61 63 Uses schtasks.exe or at.exe to add and modify task schedules 7->63 65 Adds a directory exclusion to Windows Defender 7->65 13 cv.exe 15 2 7->13         started        17 powershell.exe 21 7->17         started        19 powershell.exe 21 7->19         started        21 schtasks.exe 1 7->21         started        67 Multi AV Scanner detection for dropped file 11->67 69 Injects a PE file into a foreign processes 11->69 23 eYEnELhtyGTi.exe 11->23         started        25 schtasks.exe 11->25         started        signatures5 process6 dnsIp7 43 checkip.dyndns.com 132.226.247.73, 49698, 80 UTMEMUS United States 13->43 45 checkip.dyndns.org 13->45 27 conhost.exe 17->27         started        29 conhost.exe 19->29         started        31 conhost.exe 21->31         started        47 193.122.6.168, 49699, 80 ORACLE-BMC-31898US United States 23->47 49 checkip.dyndns.org 23->49 51 192.168.2.1 unknown unknown 23->51 71 Tries to steal Mail credentials (via file / registry access) 23->71 73 Tries to harvest and steal ftp login credentials 23->73 75 Tries to harvest and steal browser information (history, passwords, etc) 23->75 33 conhost.exe 25->33         started        signatures8 process9
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/d17485bb71ac721677f1736c9bf1e5e7971d086e9abec4b74f5935a750160f1f/
Threat name:
ByteCode-MSIL.Trojan.SnakeKeylogger
Create hunting rule
Status:
Malicious
First seen:
2023-03-14 07:32:31 UTC
File Type:
PE (.Net Exe)
Extracted files:
7
AV detection:
20 of 39 (51.28%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=2f2ilo3rvrzbm57ronwjx4pf46lr2cdotk7mjn2ple22ouawb4pq._file
Verdict:
malicious
Similar samples:
33c9dd9b1af7884845cb6418f3c21e5274ae4879a036d209c48897534ae03efb
SnakeKeylogger
427551d4a93e3a0a611a5dd47ed64e062f1ca0db987afd28f2ccd86e3ea1c0ba
SnakeKeylogger
4a451953ec9d452554fe781f0b55d58ca64678df44a5f09f882cf101b45c5fb7
SnakeKeylogger
7ce06c4227d8b111e23ea4af903379bef4211205ff6a6a582aa7c74149ec8b47
SnakeKeylogger
91855c7204cf7b1a4a56e87b16e5cde14eb8aba073690ca817f2b937130135d6
SnakeKeylogger
ae1c76298164414736639b05b24e5c12078d7cffb85163b92cde019d943a62d5
SnakeKeylogger
bd17d2a96e1255eec252116dfbd6a855dc6106d8900068f7a6c72154ada19e3d
SnakeKeylogger
cdc48b0fdaf20b7077c226d4b31c9d4765c985e99b8f9eea2d01676bab786f3a
SnakeKeylogger
e6664291d17d4d53254f9f87f99ccf49c8369ca4e2d1dc9b9f8a22c734b15007
SnakeKeylogger
f2c53057334b62ee92c3c21f8b8f1f5dbacda5d79db75734abcd879c08a7c805
SnakeKeylogger
+ 93 additional samples on MalwareBazaar
Result
Malware family:
snakekeylogger
Create hunting rule
Score:
  10/10
Tags:
family:snakekeylogger collection keylogger spyware stealer
Link:
https://tria.ge/reports/230314-qwslrahe6v/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Enumerates physical storage devices
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Looks up external IP address via web service
Checks computer location settings
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Snake Keylogger
Snake Keylogger payload
Malware Config
C2 Extraction:
https://api.telegram.org/bot6276040448:AAFVY2EFkyW6FzH5nl8l6ODDRZhjrZ8yXj8/sendMessage?chat_id=1561389711
Unpacked files
SH256 hash:
f895769f0c0014c630ef6da430b0be49e09b2b09961e867f2e9c9b3c9a3366ad
MD5 hash:
c68abe610968557e2c047d9e4423f507
SHA1 hash:
9b1ec7249cd0671a65c5c8be3abc70d693ec6f20
Link:
https://www.unpac.me/results/6b147f84-e500-456e-aee6-ac26d4e74eec/
SH256 hash:
0e05d2155c9229b2ce9bf6cb585a587c91279e68781f45ffebfe4f2dca3f0749
MD5 hash:
73469f133bb5356a9776e387fe318422
SHA1 hash:
34c7f53ede9b452023f4a77e7123433cd7dbc5dd
Link:
https://www.unpac.me/results/6b147f84-e500-456e-aee6-ac26d4e74eec/
SH256 hash:
e386840537170219177c2bb3404f4c7bd9da1a2d53cdf2ae1e857c3b19628a29
MD5 hash:
d170ab8c03b9c37d5be449454db131d2
SHA1 hash:
2031b6754a65d21b47dd11a34fee86f048d6048d
Link:
https://www.unpac.me/results/6b147f84-e500-456e-aee6-ac26d4e74eec/
SH256 hash:
d17485bb71ac721677f1736c9bf1e5e7971d086e9abec4b74f5935a750160f1f
MD5 hash:
47b99ce0a9f8a391cb854f43e3d7ba4c
SHA1 hash:
e7e0e2d2c28fe985a186cdc2eba629751d772d38
Link:
https://www.unpac.me/results/6b147f84-e500-456e-aee6-ac26d4e74eec/
Malware family:
SnakeKeylogger
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/d17485bb71ac/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/d17485bb71ac721677f1736c9bf1e5e7971d086e9abec4b74f5935a750160f1f

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

SnakeKeylogger

gz 640bbe1e27734b3089dca9d24399438086c6055201a7f6ded0214e3a66302cd2

SnakeKeylogger

Executable exe d17485bb71ac721677f1736c9bf1e5e7971d086e9abec4b74f5935a750160f1f

(this sample)

  
Delivery method
Other
  
Dropped by
SHA256 640bbe1e27734b3089dca9d24399438086c6055201a7f6ded0214e3a66302cd2
Cape
Cape
https://www.capesandbox.com/analysis/374239/
  
Dropped by
MD5 7dc7c13720a3a00f6d610d9984ced3a3

Comments