MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 d2ed2fe66a89a05c02510dabf4360f8fe54f6f27e94ccd864c56beaf218229e3. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


SnakeKeylogger


Vendor detections: 15


Intelligence 15 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: d2ed2fe66a89a05c02510dabf4360f8fe54f6f27e94ccd864c56beaf218229e3
SHA3-384 hash: f0a39a43af052b76a2d32aad0ca940438808d28555c100b315de69a5571162fbd257d1e3d1498dba6fa6e79afe2581c5
SHA1 hash: 6b3b5aeccbc2b3d9db8e869913b05b86fdcfce9a
MD5 hash: 7f12a64357d9b1c5610facbaf69297c9
humanhash: utah-quiet-aspen-illinois
File name:ynrJ210n4wSkQ4A.exe
Download: download sample
Signature SnakeKeylogger
Create hunting rule
File size:705'536 bytes
First seen:2023-07-12 06:47:47 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'661 x AgentTesla, 19'474 x Formbook, 12'208 x SnakeKeylogger)
ssdeep 12288:OJ4ajp7tL+Nwl3cATDL5aMUKZYG9GwGqmPJ8XMj9boDpsuPb:Ap53nTf57v9GRq9MjWDOuPb
Threatray 274 similar samples on MalwareBazaar
TLSH T1E8E4F12671FB9B0AC5B9B3FE0554554837F8890C6A70F3184C8BA0F75976B8805A4FEB
TrID 63.0% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
11.2% (.SCR) Windows screen saver (13097/50/3)
9.0% (.EXE) Win64 Executable (generic) (10523/12/4)
5.6% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
3.8% (.EXE) Win32 Executable (generic) (4505/5/1)
Reporter abuse_ch
Tags:exe SnakeKeylogger

Intelligence

File Origin
# of uploads :
1
# of downloads :
266
Origin country :
NL NL
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
ynrJ210n4wSkQ4A.exe
Verdict:
Malicious activity
Analysis date:
2023-07-12 06:48:53 UTC
Tags:
evasion snake keylogger trojan
Link:
https://app.any.run/tasks/2e88282f-23b3-48f6-bb48-c0709a1b1156

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Snake
Create hunting rule
Link:
https://www.capesandbox.com/analysis/416430/
Detection(s):
SecuriteInfo.com.Variant.Lazy.360811.22123.26701.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Creating a window
Creating a process with a hidden window
Launching a process
Restart of the analyzed sample
Enabling the 'hidden' option for analyzed file
Adding an exclusion to Microsoft Defender
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
barys comodo lokibot packed
Link:
https://www.filescan.io/uploads/64ae4ca76e9f7019de9f7c06/reports/418a47df-55d2-4667-b59c-9f20ddd49cdc/overview
Verdict:
Malicious
Labled as:
Trojan.Generic
Link:
https://www.hybrid-analysis.com/sample/d2ed2fe66a89a05c02510dabf4360f8fe54f6f27e94ccd864c56beaf218229e3
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Snake Keylogger
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/bd364ced-279c-422a-9d04-1d61e8d4e588
Result
Threat name:
Snake Keylogger
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1271565
Signature
Adds a directory exclusion to Windows Defender
Found malware configuration
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
May check the online IP address of the machine
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Scheduled temp file as task from temp location
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected Generic Downloader
Yara detected Snake Keylogger
Yara detected Telegram RAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 1271565 Sample: ynrJ210n4wSkQ4A.exe Startdate: 12/07/2023 Architecture: WINDOWS Score: 100 51 Found malware configuration 2->51 53 Malicious sample detected (through community Yara rule) 2->53 55 Sigma detected: Scheduled temp file as task from temp location 2->55 57 5 other signatures 2->57 7 ynrJ210n4wSkQ4A.exe 7 2->7         started        11 konbHHAVNOyb.exe 5 2->11         started        process3 file4 35 C:\Users\user\AppData\...\konbHHAVNOyb.exe, PE32 7->35 dropped 37 C:\Users\...\konbHHAVNOyb.exe:Zone.Identifier, ASCII 7->37 dropped 39 C:\Users\user\AppData\Local\...\tmpF86E.tmp, XML 7->39 dropped 41 C:\Users\user\...\ynrJ210n4wSkQ4A.exe.log, ASCII 7->41 dropped 59 May check the online IP address of the machine 7->59 61 Uses schtasks.exe or at.exe to add and modify task schedules 7->61 63 Adds a directory exclusion to Windows Defender 7->63 65 Injects a PE file into a foreign processes 7->65 13 ynrJ210n4wSkQ4A.exe 15 2 7->13         started        17 powershell.exe 21 7->17         started        19 schtasks.exe 1 7->19         started        21 ynrJ210n4wSkQ4A.exe 7->21         started        67 Multi AV Scanner detection for dropped file 11->67 69 Machine Learning detection for dropped file 11->69 23 konbHHAVNOyb.exe 14 2 11->23         started        25 schtasks.exe 1 11->25         started        signatures5 process6 dnsIp7 43 checkip.dyndns.org 13->43 45 checkip.dyndns.com 193.122.130.0, 49697, 80 ORACLE-BMC-31898US United States 13->45 71 Tries to steal Mail credentials (via file / registry access) 13->71 73 Tries to harvest and steal browser information (history, passwords, etc) 13->73 27 conhost.exe 17->27         started        29 conhost.exe 19->29         started        47 checkip.dyndns.org 23->47 49 193.122.6.168, 49698, 80 ORACLE-BMC-31898US United States 23->49 31 WerFault.exe 23->31         started        33 conhost.exe 25->33         started        signatures8 process9
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/d2ed2fe66a89a05c02510dabf4360f8fe54f6f27e94ccd864c56beaf218229e3/
Threat name:
Win32.Trojan.Leonem
Create hunting rule
Status:
Malicious
First seen:
2023-07-12 06:48:07 UTC
File Type:
PE (.Net Exe)
Extracted files:
27
AV detection:
20 of 24 (83.33%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=2lws7ztkrgqfyasrbwv7inqpr7su63zh5fgm3bsmk27k6imcfhrq._file
Verdict:
malicious
Similar samples:
2c3d16e1c28e192249da7fc79bc4fc2ed1508610627e82ca96c50083f4e0d9ed
SnakeKeylogger
367fb0e0d122f5eabd8d344d27bd9f3aea9ed0959b5186e54ec18137a2854cc7
SnakeKeylogger
65acc93f4a502f7efbe10313ed41bc436425ebe172f3974883f0ecb6d2ecbf3c
SnakeKeylogger
71c93b4b1cef4f5c4f562ea58850fc63f945c4f7932f0d78d7912fbbf1fa1cee
SnakeKeylogger
9f8dd7a2f5e56970c9e6aa9af1c62b9d1d2ee03ca5dc33f9d6d376edd3bc0cdd
SnakeKeylogger
a771e432eb0dce654681e18c337cafbbedc875bd918198762933dd9d7d8772c7
SnakeKeylogger
db8e94d4e4064fce82dc25bf64aa58cdb05a06b23af3a0b7d396ec599c0df2bb
SnakeKeylogger
dc7f9c2cbc0466c884b6fcfa3430a74b2e582446e4560133495cabb5ce05c940
SnakeKeylogger
e5fe74a699fdee524980b0ccdfe82a6a98abd5c011ba909822455b831720b686
SnakeKeylogger
fbf09b46b7511113432fe9561eeb4294e04799f439d675c1c3a309b739fc2f7b
SnakeKeylogger
+ 264 additional samples on MalwareBazaar
Result
Malware family:
snakekeylogger
Create hunting rule
Score:
  10/10
Tags:
family:snakekeylogger collection keylogger spyware stealer
Link:
https://tria.ge/reports/230712-hkr7vacc44/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Enumerates physical storage devices
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Looks up external IP address via web service
Checks computer location settings
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Snake Keylogger
Snake Keylogger payload
Unpacked files
SH256 hash:
8022eb6a31ff09510ea4bc66e3a92f6f5ef5cd23412d10e12207e93ec38c3672
MD5 hash:
14ee8b8b7e47469317d1012f0898b111
SHA1 hash:
c6da4e2f1ab8c277129026648cbf97d8d6126245
Link:
https://www.unpac.me/results/e5f5dfa3-1cef-4d59-aaa9-755829218a2d/
SH256 hash:
862f3cd524b29fc5b6ced9cfc4d13756cb90d6c95ca50fd2438e2d5df44bbf05
MD5 hash:
8ade068b8a62b6173f1d3e07bf0a7e04
SHA1 hash:
b63b1dddf4358e8826dab84e4206137d41718592
Detections:
snake_keylogger
Create hunting rule
Link:
https://www.unpac.me/results/e5f5dfa3-1cef-4d59-aaa9-755829218a2d/
Parent samples :
6b9078cd23ba0a810bb971fde08fcbe3b4124c84846b7446ebaf7eac57da047b
db7f70227c9ba4a6977cbd919bf9aa2f611d2557b145e5a8d7f06d184dd9d5d3
d1e6c1aa5e9ba581f78bb0270c55f94dc5013f5d546ad2524efb6b005dce36e8
d2ed2fe66a89a05c02510dabf4360f8fe54f6f27e94ccd864c56beaf218229e3
14bc396bc52d43f2e370a4a65ad0b08012e48b0644ed66325848e0dafd195ce4
f6bdba555d1356168f7f1581949ab5ca8d6b20e9a6495e0cfcef8d3b129638a0
c92819a5b69535e455893801e3ceabc29f5659a213ff93d4891b36c8af740059
d757716097082fdcf35033613d1736f4cf02f07afb368b1381489ba8ebba3cb0
48edab5efefe889cc80214488317960772b2482e86a96e1ceac109287926179e
SH256 hash:
9d6c73e273a966a4ed1d93350392d965792ddf5ad201bfa28b8adcec2e344db5
MD5 hash:
adac60763fcfe4d5f4ad323046e79500
SHA1 hash:
9ced772a90ddec9fffde8c745225ad289f3f087e
Link:
https://www.unpac.me/results/e5f5dfa3-1cef-4d59-aaa9-755829218a2d/
SH256 hash:
c9f182735f3414224d1e0210b53126d31423318d6f5614f5469bf7bd65bf5402
MD5 hash:
dd3136dc81808763a40c8373b35a190d
SHA1 hash:
6d4e16d5d4c6acc9f9b5f934f639944f7f2d0500
Link:
https://www.unpac.me/results/e5f5dfa3-1cef-4d59-aaa9-755829218a2d/
SH256 hash:
d2ed2fe66a89a05c02510dabf4360f8fe54f6f27e94ccd864c56beaf218229e3
MD5 hash:
7f12a64357d9b1c5610facbaf69297c9
SHA1 hash:
6b3b5aeccbc2b3d9db8e869913b05b86fdcfce9a
Link:
https://www.unpac.me/results/e5f5dfa3-1cef-4d59-aaa9-755829218a2d/
Malware family:
SnakeKeylogger
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/d2ed2fe66a89/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

SnakeKeylogger

Executable exe d2ed2fe66a89a05c02510dabf4360f8fe54f6f27e94ccd864c56beaf218229e3

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/416430/

Comments