MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 d6ddfb183079fd5ea960c75022874f71bd25f9586c748ab9cec41e39e437e725. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


SnakeKeylogger


Vendor detections: 15


Intelligence 15 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: d6ddfb183079fd5ea960c75022874f71bd25f9586c748ab9cec41e39e437e725
SHA3-384 hash: 3e62893cfc0db2e94ec493154173bc6c34b8580aefc31f4e7c6bee0f98f5ca381d2e3ffa0eb2e4ab86a6c5c88f5c19ce
SHA1 hash: c827b614a0e95f9ead947d97291a6368a62f9791
MD5 hash: d481a532e22968d775d129ff5bf6b044
humanhash: alanine-sierra-batman-eighteen
File name:hjXFi8NFTRyUspx.exe
Download: download sample
Signature SnakeKeylogger
Create hunting rule
File size:716'288 bytes
First seen:2023-03-15 15:15:14 UTC
Last seen:2023-03-15 16:56:23 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'740 x AgentTesla, 19'600 x Formbook, 12'241 x SnakeKeylogger)
ssdeep 12288:WCUeOet2sXD4vov9bdg6WH/Pav1iX51x8Cl0hJ99l0Sdh8HkYlwJGRTw:WCtOYTUor5WHLpfr+1l0ST8OJT
Threatray 49 similar samples on MalwareBazaar
TLSH T138E4020CB6695276C52F767B96A52D9C8339EE15CB21E63E1DC4A4330DF27C8E842C87
TrID 71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.2% (.EXE) Win64 Executable (generic) (10523/12/4)
6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.3% (.EXE) Win32 Executable (generic) (4505/5/1)
2.0% (.ICL) Windows Icons Library (generic) (2059/9)
Reporter abuse_ch
Tags:exe SnakeKeylogger

Intelligence

File Origin
# of uploads :
2
# of downloads :
214
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
hjXFi8NFTRyUspx.exe
Verdict:
Malicious activity
Analysis date:
2023-03-15 15:16:35 UTC
Tags:
snake keylogger trojan evasion
Link:
https://app.any.run/tasks/8dd5bb7b-b6b8-4192-a1a3-1685673e9d8f

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Snake
Create hunting rule
Link:
https://www.capesandbox.com/analysis/374564/
Detection(s):
SecuriteInfo.com.Trojan.PackedNET.1889.10320.27322.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Launching a process
Creating a process with a hidden window
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
packed
Link:
https://www.filescan.io/uploads/6411e135589154fc977db637/reports/6e09f833-4615-4924-915c-bc9e949744b9/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_100%
Link:
https://www.hybrid-analysis.com/sample/d6ddfb183079fd5ea960c75022874f71bd25f9586c748ab9cec41e39e437e725
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Generic Malware
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/8166e2db-9287-4f3e-88e5-07e77b914697
Result
Threat name:
Snake Keylogger
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1194427
Signature
Adds a directory exclusion to Windows Defender
Allocates memory in foreign processes
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
May check the online IP address of the machine
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Scheduled temp file as task from temp location
Snort IDS alert for network traffic
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Mail credentials (via file / registry access)
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Yara detected Generic Downloader
Yara detected Snake Keylogger
Yara detected Telegram RAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 827336 Sample: hjXFi8NFTRyUspx.exe Startdate: 15/03/2023 Architecture: WINDOWS Score: 100 51 Snort IDS alert for network traffic 2->51 53 Malicious sample detected (through community Yara rule) 2->53 55 Sigma detected: Scheduled temp file as task from temp location 2->55 57 5 other signatures 2->57 7 hjXFi8NFTRyUspx.exe 7 2->7         started        11 pGnxfTwNhIldl.exe 5 2->11         started        process3 file4 33 C:\Users\user\AppData\...\pGnxfTwNhIldl.exe, PE32 7->33 dropped 35 C:\...\pGnxfTwNhIldl.exe:Zone.Identifier, ASCII 7->35 dropped 37 C:\Users\user\AppData\Local\...\tmp53A1.tmp, XML 7->37 dropped 39 C:\Users\user\...\hjXFi8NFTRyUspx.exe.log, ASCII 7->39 dropped 59 Uses schtasks.exe or at.exe to add and modify task schedules 7->59 61 Writes to foreign memory regions 7->61 63 Allocates memory in foreign processes 7->63 65 Adds a directory exclusion to Windows Defender 7->65 13 MSBuild.exe 15 2 7->13         started        17 powershell.exe 21 7->17         started        19 schtasks.exe 1 7->19         started        67 Multi AV Scanner detection for dropped file 11->67 69 Machine Learning detection for dropped file 11->69 71 Injects a PE file into a foreign processes 11->71 21 MSBuild.exe 2 11->21         started        23 schtasks.exe 1 11->23         started        25 MSBuild.exe 11->25         started        signatures5 process6 dnsIp7 41 checkip.dyndns.com 193.122.6.168, 49701, 80 ORACLE-BMC-31898US United States 13->41 43 checkip.dyndns.org 13->43 45 192.168.2.1 unknown unknown 13->45 73 May check the online IP address of the machine 13->73 27 conhost.exe 17->27         started        29 conhost.exe 19->29         started        47 132.226.8.169, 49702, 80 UTMEMUS United States 21->47 49 checkip.dyndns.org 21->49 75 Tries to steal Mail credentials (via file / registry access) 21->75 77 Tries to harvest and steal ftp login credentials 21->77 79 Tries to harvest and steal browser information (history, passwords, etc) 21->79 31 conhost.exe 23->31         started        signatures8 process9
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/d6ddfb183079fd5ea960c75022874f71bd25f9586c748ab9cec41e39e437e725/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2023-03-15 12:48:41 UTC
File Type:
PE (.Net Exe)
Extracted files:
12
AV detection:
19 of 24 (79.17%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=23o7wgbqph6v5klay5icfb2pog6sl6kynr2ivoooyqpdtzbx44sq._file
Verdict:
malicious
Similar samples:
10b51c1b01c212fb397f492f3df0ca4a5847e2350d6df9f58ca50442f9e594b4
SnakeKeylogger
10c31b0a152c71ab736a8b867e081dfcbebaf8b9e00e342e10d06fe9cc5c0ab1
SnakeKeylogger
4c0851b9e5781595ccbbb892a8dcb6b6904974d412dac559de97a687fbb2a64d
SnakeKeylogger
534c9a9fa4838e6f01ba0efc8bb323c0d5d09095d7c0f95a0c70bb69473250eb
SnakeKeylogger
59849ade722e0ac68e1105fb13ad623c8cf5b5e44fe325e5239f470195bfe7f9
SnakeKeylogger
5bfbf751176aa59b055cae2a1b3abeba1c2c5560902faec2d6b646e7fc22b085
SnakeKeylogger
5d2841d221d5f4b73591f9972ece12a9382fb40146caa6e8691eba12ae138049
SnakeKeylogger
896363cb6c5505b48615777ce409a415de259e7277888afc1bceae8afbf3b03c
SnakeKeylogger
8ab1910d7f3de293954247ef8f06fc69669c9049735fef3e324935c925ec19ca
SnakeKeylogger
+ 39 additional samples on MalwareBazaar
Result
Malware family:
snakekeylogger
Create hunting rule
Score:
  10/10
Tags:
family:snakekeylogger collection keylogger stealer
Link:
https://tria.ge/reports/230315-snfy4aga4s/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Enumerates physical storage devices
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Looks up external IP address via web service
Checks computer location settings
Snake Keylogger
Snake Keylogger payload
Malware Config
C2 Extraction:
https://api.telegram.org/bot5850516910:AAGFrVyywXI7npTHbZn_GIq2nguuXg2t7Lc/sendMessage?chat_id=5716598986
Unpacked files
SH256 hash:
43517c239a85ac4ffe2c634c6f193a949099c4e81b09a7cc19e9fa4b355024fe
MD5 hash:
c4abc2c4b4a0a28d7c2a60ce9ea53d8b
SHA1 hash:
d36ae169a3b047ae8585cf9798c7abedcb747b5d
Link:
https://www.unpac.me/results/c2d5d060-979a-4a47-8776-b5554ad72af5/
SH256 hash:
d06df7395d561e198f9b7c5481567116ff2e4c2e84437c018d2a2c8ea6c4ca37
MD5 hash:
0fb6061f7d37424fb9e6d0e76b019c19
SHA1 hash:
98a64bf7b459f032d6ec5793003bf61b5ae1dd74
Link:
https://www.unpac.me/results/c2d5d060-979a-4a47-8776-b5554ad72af5/
Parent samples :
495607b1aef01bf7dfb64b5cb16a8fc0f161c2923627d71c69de97328f8eca3f
2434aa78b46a3afc98fa6e888c3eb56278ba52b0ff800e7e875af9c2e7f9011a
SH256 hash:
f16f432ec9ace1671617ecc7e065e5799a6ff3144c15f395b3010e714c380c18
MD5 hash:
a4d3ba235532cb71f793eaccc4811b4e
SHA1 hash:
896a4f7f7bb263ca909cee371ac7d1d11e235e89
Detections:
snake_keylogger
Create hunting rule
Link:
https://www.unpac.me/results/c2d5d060-979a-4a47-8776-b5554ad72af5/
Parent samples :
d6ddfb183079fd5ea960c75022874f71bd25f9586c748ab9cec41e39e437e725
22b3c8355218fd0218d45ac51ac53e1322b54674e19bb8d428d8937e246dbb2a
6ad28bfd77cf1575d9eb0da15c7ab9fa54f509a4733f9f05677a224243c6ddac
b3ef6a767f98d2e81a8761a794096f44942de8897d4f4565cb23da396140f0a0
9d9bfc4da819b3ea290f62b6c1d104a4bd61503d2a7f6951389e5b8047dc08b9
e2c40dfbb54a5fe183a97cb7be58ee20969e9f0f7744df829f2b02619fc529e2
1cdc9031e10db3f5dc4f931fac2c91e3ff73f75a4182888ef445f280f91c1dff
871c9c0e18ace8f981b24671bb9da121bc7bfea7704c4a0f9d672021a0567ed5
15696d741a180dacb5b3bb87cad566b4f2ffca1df0a6673d03f9b40c71ea4def
ea138d2457b49cccaf16cef8ff2a7479ed5e5207081c5d7ced0a2a3049dcdc16
b97c6335f3e28fb25346720785352929884243a545e2a4ec10abd2f6448ad176
fd6a88c61e8b5b68f3f70d8aab48dabdfc21d96d81f823647d310ccbe1fd968a
4e1584f1e68d554e1b17baaffffa392e3a5fc6e68ebb2a3325e54cd77fa96e17
964e54faf21fc7ab2cfcac2cd859efc48acfe17cbfc22bf2ca6fcec8741a0402
SH256 hash:
900604b97bcdc423a6fe8980412c5bf39b3ac913fb202c07a3f1ede1125b9669
MD5 hash:
773d5adce2fd0ea58436d150256d54f0
SHA1 hash:
1986e82ef0cd50febd6de65121132cac6d328844
Link:
https://www.unpac.me/results/c2d5d060-979a-4a47-8776-b5554ad72af5/
SH256 hash:
e05bc57939893ce32405731a9193fc6001122f66335dd3a37a109eda57be0b36
MD5 hash:
c78475d3e3c8621c8e3c0c4bcbee7839
SHA1 hash:
01ad2b06c9d70060a3affa865a504988996b3b28
Link:
https://www.unpac.me/results/c2d5d060-979a-4a47-8776-b5554ad72af5/
SH256 hash:
d6ddfb183079fd5ea960c75022874f71bd25f9586c748ab9cec41e39e437e725
MD5 hash:
d481a532e22968d775d129ff5bf6b044
SHA1 hash:
c827b614a0e95f9ead947d97291a6368a62f9791
Link:
https://www.unpac.me/results/c2d5d060-979a-4a47-8776-b5554ad72af5/
Malware family:
SnakeKeylogger
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/d6ddfb183079/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/d6ddfb183079fd5ea960c75022874f71bd25f9586c748ab9cec41e39e437e725

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/374564/

Comments