MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 d26f10eaa0513aec677c5aa206d6f8165a311840264d33c2c21ca6a5fb1e59e6. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

SnakeKeylogger

Vendor detections: 14

Intelligence 14 IOCs YARA 11 File information Comments

SHA256 hash:	d26f10eaa0513aec677c5aa206d6f8165a311840264d33c2c21ca6a5fb1e59e6
SHA3-384 hash:	e7e03fdc5e68afbffc393d141598ba555291657dcfe3d3808c0c65f1fa4128a88f45557d9d69e8d14e4bcd5f0741b236
SHA1 hash:	f51aafc55d19536b20eee1b046fd06a4e40ba322
MD5 hash:	a0b4a1c89699a189931bb1b43fa8e1bd
humanhash:	hydrogen-texas-oven-may
File name:	SEVKİYAT BELGELERİ VE TİCARİ FATURA.exe
Download:	download sample
Signature	SnakeKeylogger Create hunting rule
File size:	1'010'176 bytes
First seen:	2023-05-31 11:47:40 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'740 x AgentTesla, 19'600 x Formbook, 12'241 x SnakeKeylogger)
ssdeep	12288:mfzAMTihh6xhZ6OrMHZ0RbPZoNgFI3q+HkSGKRpgTX7mR8qQHqPKuD:DMUgh8yS2PZ+g63hEpKREqFP
Threatray	2'007 similar samples on MalwareBazaar
TLSH	T16B257ED5F1A4889AEC6B09F1BD3A643024E7FE8C54A4810C569A7B2B75B3351309FE1F
TrID	69.7% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13) 10.0% (.EXE) Win64 Executable (generic) (10523/12/4) 6.2% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 4.2% (.EXE) Win32 Executable (generic) (4505/5/1) 1.9% (.EXE) Win16/32 Executable Delphi generic (2072/23)
File icon (PE):
dhash icon	eeacac8cb6e2ba86 (561 x SnakeKeylogger, 142 x AgentTesla, 40 x Formbook)
Reporter	abuse_ch
Tags:	exe SnakeKeylogger

Intelligence

File Origin

# of uploads :

# of downloads :

272

Origin country :

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

SEVKİYAT BELGELERİ VE TİCARİ FATURA.exe

Verdict:

No threats detected

Analysis date:

2023-05-31 11:49:58 UTC

Tags:

n/a

Link:

https://app.any.run/tasks/b564c778-2634-472a-b0ba-c31c0318e5a5

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

Snake

Link:

https://www.capesandbox.com/analysis/394076/

Detection(s):

SecuriteInfo.com.Variant.Strictor.275740.29371.13010.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Searching for the window

Creating a window

Sending a custom TCP request

Launching the default Windows debugger (dwwin.exe)

Verdict:

Suspicious

Threat level:

5/10

Confidence:

100%

Tags:

packed

Link:

https://www.filescan.io/uploads/647733f4e6cc9218e8eb7f97/reports/5120ee96-2f6b-429f-a724-eec866bdf1a2/overview

Verdict:

Malicious

Labled as:

Strictor.Generic

Link:

https://www.hybrid-analysis.com/sample/d26f10eaa0513aec677c5aa206d6f8165a311840264d33c2c21ca6a5fb1e59e6

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Snake Keylogger

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/69142577-bec5-4e48-afac-76063122e3ff

Result

Threat name:

Snake Keylogger

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1246055

Signature

.NET source code contains potential unpacker

Found malware configuration

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

May check the online IP address of the machine

Multi AV Scanner detection for submitted file

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to steal Mail credentials (via file / registry access)

Yara detected Generic Downloader

Yara detected Snake Keylogger

Yara detected Telegram RAT

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/d26f10eaa0513aec677c5aa206d6f8165a311840264d33c2c21ca6a5fb1e59e6/

Threat name:

ByteCode-MSIL.Trojan.Leonem

Status:

Malicious

First seen:

2023-05-31 11:48:06 UTC

File Type:

PE (.Net Exe)

Extracted files:

AV detection:

19 of 24 (79.17%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=2jxrb2vake5oyz34lkranvxyczndcgcaezgthqwcdstkl6y6lhta._file

Verdict:

malicious

SnakeKeylogger

4051cb962adc56da0c94bdb3b81fe0a0cf4d4b5fc0652289513a3691513bc0b8

SnakeKeylogger

564b04babf3a9e21e6b6b3f5a1c7ea624e5036052382afc1ba15e206b6308f6a

SnakeKeylogger

5e120295dbb1df0ffae200b49202256cc03f6f5414addf758a4c1b11d683774d

SnakeKeylogger

823a206dcc8e78823dd154d935da7c7ba7029b9b51adfa1caaaca282fc7df829

SnakeKeylogger

8615169ad317d762db6aac611781bbfa7f96e977e3fcf2e5385a952c8b3a3bca

SnakeKeylogger

a66fe6a02551d6fe4813f4d7d9d7b5afe13d9ed94983009132535ade72bdbabc

SnakeKeylogger

c9234000f8f576a39a7d2a957826094c1c0e37b141ef26ee2e8e36a62e09805a

SnakeKeylogger

eb70269bb8ef78bb7c44342ed5efac0d76df99207bf45e9f9739aad5b9cf9563

SnakeKeylogger

f9de572b6969fcde747af49c9b07b6851182eb62e53deeb7d792a4df485bf1c7

SnakeKeylogger

+ 1'997 additional samples on MalwareBazaar

Result

Malware family:

n/a

Score:

3/10

Tags:

n/a

Link:

https://tria.ge/reports/230531-nyfc4aeg24/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Program crash

Unpacked files

SH256 hash:

c440617e04a50ced73c8ab992cbe8d8954a3e41f21f046ee9d1f2a41ea9b416d

MD5 hash:

9390df6c9a6111978dee5414bc42eda6

SHA1 hash:

d3cb1c366b9e466afa93eb369838a04d30777795

Link:

https://www.unpac.me/results/41271961-9105-48fd-b3eb-f555b7235d0d/

SH256 hash:

b9b9f42febd7daaeda20e559b968c4fec518c30cf99d3f7cf22312caae0740d6

MD5 hash:

d4193486ab62e751ee686bf3f246b9d9

SHA1 hash:

8ab1663b90016428d096e255082aa74e38a86444

Link:

https://www.unpac.me/results/41271961-9105-48fd-b3eb-f555b7235d0d/

SH256 hash:

5013f231aac0b1ad66fd5ec6bbc96b5e52bbafcf44135eed7efb31df3b8051de

MD5 hash:

3c39d7e6c71b29e46c7212f4193cd358

SHA1 hash:

86013e15db7af2901183029d8aa94f214a0b28ed

Detections:

snake_keylogger

Link:

https://www.unpac.me/results/41271961-9105-48fd-b3eb-f555b7235d0d/

Parent samples :

778782d68c349fbb021a749f1370c2446c19cd3a64e7891c84c55ddf834f2e02
00330ca48a13a195fb80bcaba66fee393bba1821b65bd89cc1349687a99cfa55
86dcc7e6f6823b793907989be56679cbd0e40cf78353601b001548311be0434b
92b60c79c289dec73d2f96ea3923428531a57f03e06d957cb2fb8dbcf0eadfba
11d5f5ceb48ca7a34ddf39853c57a5128e4f5edb51b603a0ad775ed59b5024dd
1755a6d6a60e68fa8767edbc6071d2353ef42ca59b0908c0ad55b6b5d8c1289e
98ae109a9877c37dacd2b556a20c2b0f0e6b154aa256c0bb258be8e7f5bad0bc
8fb29a999e6c92b4511cff2615d6e518ebb42028ec49652ea76e1d8322166b17
773487046d018f6263a41e61d0387dbe6570096212418e29ea9de596d19ca08b
490a19b1bafe833ee7d47f627ffb8824fa39142c14378fb08ba1526d79cd2c3e
5d9bb423fe6b1cb4fa77edde15ac108d779750606fe6dc904c3190af91b4af75
d26f10eaa0513aec677c5aa206d6f8165a311840264d33c2c21ca6a5fb1e59e6

SH256 hash:

b845298489a78c7d66ba9e106de1606e64f9104b2fedc756ebe22275dbee8634

MD5 hash:

9e4440f3a14a5099078ddb26d3fef08d

SHA1 hash:

80c47af8fa3ccfabbb1ec79e7f7b03c19b337dbf

Link:

https://www.unpac.me/results/41271961-9105-48fd-b3eb-f555b7235d0d/

SH256 hash:

7747e30a4484309bf33abc1428754db8f1131a1e3218d53264a4b3ef0a324571

MD5 hash:

b98095df98845423936e2e3db1883212

SHA1 hash:

6ba3fce8dfc13d3047c035088bded5810875f926

Link:

https://www.unpac.me/results/41271961-9105-48fd-b3eb-f555b7235d0d/

SH256 hash:

d26f10eaa0513aec677c5aa206d6f8165a311840264d33c2c21ca6a5fb1e59e6

MD5 hash:

a0b4a1c89699a189931bb1b43fa8e1bd

SHA1 hash:

f51aafc55d19536b20eee1b046fd06a4e40ba322

Link:

https://www.unpac.me/results/41271961-9105-48fd-b3eb-f555b7235d0d/

Malware family:

SnakeKeylogger

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/d26f10eaa051/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Suspicious File

Score:

0.61

Link:

https://yomi.yoroi.company/submissions/d26f10eaa0513aec677c5aa206d6f8165a311840264d33c2c21ca6a5fb1e59e6

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	INDICATOR_SUSPICIOUS_Binary_References_Browsers Create hunting rule
Author:	ditekSHen
Description:	Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers.

Rule name:	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook Create hunting rule
Author:	ditekSHen
Description:	Detects executables with potential process hoocking

Rule name:	INDICATOR_SUSPICIOUS_EXE_References_Messaging_Clients Create hunting rule
Author:	ditekSHen
Description:	Detects executables referencing many email and collaboration clients. Observed in information stealers

Rule name:	INDICATOR_SUSPICIOUS_EXE_TelegramChatBot Create hunting rule
Author:	ditekSHen
Description:	Detects executables using Telegram Chat Bot

Rule name:	MALWARE_Win_SnakeKeylogger Create hunting rule
Author:	ditekSHen
Description:	Detects Snake Keylogger

Rule name:	MAL_Envrial_Jan18_1 Create hunting rule
Author:	Florian Roth (Nextron Systems)
Description:	Detects Encrial credential stealer malware
Reference:	https://twitter.com/malwrhunterteam/status/953313514629853184

Rule name:	MAL_Envrial_Jan18_1_RID2D8C Create hunting rule
Author:	Florian Roth
Description:	Detects Encrial credential stealer malware
Reference:	https://twitter.com/malwrhunterteam/status/953313514629853184

Rule name:	pe_imphash Create hunting rule

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

Rule name:	Windows_Trojan_SnakeKeylogger_af3faa65 Create hunting rule
Author:	Elastic Security

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

SnakeKeylogger

exe d26f10eaa0513aec677c5aa206d6f8165a311840264d33c2c21ca6a5fb1e59e6

(this sample)

Delivery method

Distributed via e-mail attachment

Cape

https://www.capesandbox.com/analysis/394076/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample