MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 d6280fbc63a14ec4318051d72ad20b7ca0c6391f752264aaac2ecd1685bf746c. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


SnakeKeylogger


Vendor detections: 12


Intelligence 12 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: d6280fbc63a14ec4318051d72ad20b7ca0c6391f752264aaac2ecd1685bf746c
SHA3-384 hash: a69e1b1daa04eff7b9eaaff743f028ad4374801fd7ef1becfe81843e1fc20b5479576d0b9a614029b49f4abc331653df
SHA1 hash: 0f100aa2ae75856eb849896c9cdf406b44dabfe0
MD5 hash: f2762469d21522cbbcb84ee027b358e8
humanhash: angel-red-tango-lithium
File name:f2762469d21522cbbcb84ee027b358e8.exe
Download: download sample
Signature SnakeKeylogger
Create hunting rule
File size:1'427'968 bytes
First seen:2023-01-19 12:18:44 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'740 x AgentTesla, 19'600 x Formbook, 12'241 x SnakeKeylogger)
ssdeep 24576:IkdpLKWY+Fn5vkR9YNTIAj3aWBwCV+8OZYyGsaUNZowoD6nV8qKoe:IkbLRr3kR9YNsY3aSJ+8cYyGsa+ZToOY
Threatray 4'843 similar samples on MalwareBazaar
TLSH T10F65CFCF28F048A9DE34057E02671155224D9C6EC768D93AE6C4BEB7FF9A74A0412F2D
TrID 71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.2% (.EXE) Win64 Executable (generic) (10523/12/4)
6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.3% (.EXE) Win32 Executable (generic) (4505/5/1)
2.0% (.ICL) Windows Icons Library (generic) (2059/9)
File icon (PE):PE icon
dhash icon f2909696969ef66e (42 x AgentTesla, 42 x SnakeKeylogger, 13 x Formbook)
Reporter abuse_ch
Tags:exe SnakeKeylogger

Intelligence

File Origin
# of uploads :
1
# of downloads :
175
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
f2762469d21522cbbcb84ee027b358e8.exe
Verdict:
Malicious activity
Analysis date:
2023-01-19 12:21:46 UTC
Tags:
evasion trojan snake
Link:
https://app.any.run/tasks/354e89b1-76c7-4f48-9a6c-10867cc07ffb

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/354463/
Detection(s):
Win.Trojan.Generic-9907631-0
Create hunting rule

Result
Verdict:
Clean
Maliciousness:

Behaviour
Searching for the window
Creating a window
Sending a custom TCP request
Сreating synchronization primitives
Launching a process
Creating a process with a hidden window
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
packed
Link:
https://www.filescan.io/uploads/63c9353bafdaca54d43966b9/reports/4ab6a18d-1385-4752-83e5-f8eddba99c27/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/ae34ae97-0956-42df-9f9d-4b5652b042ff
Result
Threat name:
Snake Keylogger, zgRAT
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1154603
Signature
.NET source code contains potential unpacker
.NET source code contains very large array initializations
.NET source code references suspicious native API functions
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Encrypted powershell cmdline option found
Icon mismatch, binary includes an icon from a different legit application in order to fool users
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
May check the online IP address of the machine
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Mail credentials (via file / registry access)
Yara detected BrowserPasswordDump
Yara detected Costura Assembly Loader
Yara detected Generic Downloader
Yara detected Snake Keylogger
Yara detected Telegram RAT
Yara detected zgRAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 787335 Sample: fP6jUIa8ww.exe Startdate: 19/01/2023 Architecture: WINDOWS Score: 100 39 Snort IDS alert for network traffic 2->39 41 Malicious sample detected (through community Yara rule) 2->41 43 Antivirus / Scanner detection for submitted sample 2->43 45 12 other signatures 2->45 7 fP6jUIa8ww.exe 1 7 2->7         started        11 Hgupwpx.exe 2 2->11         started        13 Hgupwpx.exe 2 2->13         started        process3 file4 23 C:\Users\user\AppData\Roaming\...\Hgupwpx.exe, PE32 7->23 dropped 25 C:\Users\user\...\Hgupwpx.exe:Zone.Identifier, ASCII 7->25 dropped 27 C:\Users\user\AppData\...\fP6jUIa8ww.exe.log, ASCII 7->27 dropped 47 May check the online IP address of the machine 7->47 49 Encrypted powershell cmdline option found 7->49 51 Injects a PE file into a foreign processes 7->51 15 fP6jUIa8ww.exe 15 2 7->15         started        19 powershell.exe 16 7->19         started        53 Antivirus detection for dropped file 11->53 55 Multi AV Scanner detection for dropped file 11->55 57 Machine Learning detection for dropped file 11->57 signatures5 process6 dnsIp7 29 checkip.dyndns.com 132.226.247.73, 49699, 80 UTMEMUS United States 15->29 31 checkip.dyndns.org 15->31 33 Tries to steal Mail credentials (via file / registry access) 15->33 35 Tries to harvest and steal ftp login credentials 15->35 37 Tries to harvest and steal browser information (history, passwords, etc) 15->37 21 conhost.exe 19->21         started        signatures8 process9
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/d6280fbc63a14ec4318051d72ad20b7ca0c6391f752264aaac2ecd1685bf746c/
Threat name:
ByteCode-MSIL.Trojan.Leonem
Create hunting rule
Status:
Malicious
First seen:
2023-01-13 16:42:56 UTC
File Type:
PE (.Net Exe)
Extracted files:
28
AV detection:
21 of 26 (80.77%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=2yua7pddufhmimmakhlsvuqlpsqmmoi7ourgjkvmf3grnbn7orwa._file
Verdict:
malicious
Similar samples:
079ebfc9684c2028587bd3cd09739b3bf0c8f5c672e25684ec672f7942ca07d0
SnakeKeylogger
11cc9b67323e0356700baf2912a772542687ecd29c2d32c3f20ec41d8ce6ae2a
SnakeKeylogger
63314e978f8b297d2cbf0585f648bda443fdfafceb666541b2a6bbc23f2cc812
SnakeKeylogger
6375d4e0dad1b1f461a4456cbefb8cef43175e2b4b0caa9780cc2a18de115a73
SnakeKeylogger
6c42b5cbbaa75f7b08f1a605a12ade3277c73669a06f334e94060312dab4755c
SnakeKeylogger
7a7cd3d74f4f1b893f6de65d0690bd3b1d636e669599e699069f5b74c51b35d7
SnakeKeylogger
c061fdbee9bcc8f7a144ebaa92026184cf60430b49b891539f42ec07f711acb6
SnakeKeylogger
d47665df3dbdb06b08f039f677ad84480a98336e929600666730982795c95f38
SnakeKeylogger
+ 4'833 additional samples on MalwareBazaar
Result
Malware family:
snakekeylogger
Create hunting rule
Score:
  10/10
Tags:
family:snakekeylogger collection keylogger persistence spyware stealer
Link:
https://tria.ge/reports/230119-pg6z6acg9t/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Enumerates physical storage devices
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Adds Run key to start application
Looks up external IP address via web service
Checks computer location settings
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Snake Keylogger
Snake Keylogger payload
Malware Config
C2 Extraction:
https://api.telegram.org/bot5656046645:AAFLvaPCHZH0qXICPkEdCEz47RjQBHLQ8NQ/sendMessage?chat_id=5647518390
Verdict:
Suspicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/9fc39409-2914-4375-9216-e7b80d4b52c2
Unpacked files
SH256 hash:
e22e7f09d743e524d134f4b4bbf5f1eb5308a3edb954a40b8aa5e68c7b8cffd4
MD5 hash:
07e1f7163b7d8b6d80d83d1c819436ef
SHA1 hash:
ed7724c52e18b9810939327b803ca03837915836
Link:
https://www.unpac.me/results/ca53ae9b-e927-4415-aed9-d34c63ae107d/
Parent samples :
1d16237ed75b507f03609ede9722fff429f9a7386c4c4408a9f47623d7a28b50
7154910c217ddc6b6d3726e066d688288efbcd8682a4ad90556fed2ce9009c69
c5dd4dced21baff9499dac6505a77527ac91dc0b0f187c20e9b960b46b3636b9
90dd02313886725b3ad19eaa0780f7189d49e8d1a334e51e5432027e2326c14f
SH256 hash:
0530d8d645f3ec6784168ca58d5840237bed36f09f883955d86a6439d9637a86
MD5 hash:
48717d6da624ccdcb1ce0e6c63bc08c3
SHA1 hash:
752906d8e5a7b7fb0ef4c4040b9fcdde55cffc40
Link:
https://www.unpac.me/results/ca53ae9b-e927-4415-aed9-d34c63ae107d/
SH256 hash:
b805041171f0c65741876477d755c71e8010bbd563b170da21adbf6f33ab58bc
MD5 hash:
a632b05c7bdda4da5e4e60d70223ea53
SHA1 hash:
facb21d645c48501e900c2e2e2541445faa7a586
Link:
https://www.unpac.me/results/ca53ae9b-e927-4415-aed9-d34c63ae107d/
SH256 hash:
ff8c24bce1eb009f0d5c47a09b96caf02726c285cea0d635082ad4da27e63d1b
MD5 hash:
9d6ec6072ee1814a4a01d1eb3fb67ba1
SHA1 hash:
d0b416de1c900b6bcb35dc182b2e8744f16c3289
Link:
https://www.unpac.me/results/ca53ae9b-e927-4415-aed9-d34c63ae107d/
SH256 hash:
f5ba7ed800c2c7c6f61cdfc82c9dc8370fa6cda19fdd18ce3054b3fb849d5a7f
MD5 hash:
5d5f4b1a7a0c4c362dc57842c57eb9be
SHA1 hash:
03a35cfb0de1d2975be5130dce605de88f03cff1
Link:
https://www.unpac.me/results/ca53ae9b-e927-4415-aed9-d34c63ae107d/
SH256 hash:
d6280fbc63a14ec4318051d72ad20b7ca0c6391f752264aaac2ecd1685bf746c
MD5 hash:
f2762469d21522cbbcb84ee027b358e8
SHA1 hash:
0f100aa2ae75856eb849896c9cdf406b44dabfe0
Link:
https://www.unpac.me/results/ca53ae9b-e927-4415-aed9-d34c63ae107d/
Malware family:
SnakeKeylogger
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/d6280fbc63a1/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
0.87
Link:
https://yomi.yoroi.company/submissions/d6280fbc63a14ec4318051d72ad20b7ca0c6391f752264aaac2ecd1685bf746c

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/354463/

Comments