MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 dc0806ab221c2c8e74e320c03c32c645fe6576bbf2a4989cb8817bacec95105d. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


SnakeKeylogger


Vendor detections: 16


Intelligence 16 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: dc0806ab221c2c8e74e320c03c32c645fe6576bbf2a4989cb8817bacec95105d
SHA3-384 hash: 983303155bb892f34e2f89b28cf77dd01b876cda5757c1d104de154f4f8895f9615e0e31c37ab36147cf4a2e47be0df7
SHA1 hash: f6f59bf99d6d8d355bf8bf867488f442481cdb76
MD5 hash: 9f8b2cf1b5026b2a9c3bc420cefba47e
humanhash: uncle-wyoming-alpha-ten
File name:PO.exe
Download: download sample
Signature SnakeKeylogger
Create hunting rule
File size:1'519'367 bytes
First seen:2023-05-05 11:22:33 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 12e12319f1029ec4f8fcbed7e82df162 (390 x DCRat, 52 x RedLineStealer, 51 x Formbook)
ssdeep 24576:wTbBv5rUDYysjJCDsJJDsXuE7ZPDKvMrBW4eNTygt90e+hoyaxlD:iB3ZJJDseE7MvMr8jygt+0D
Threatray 4'947 similar samples on MalwareBazaar
TLSH T17E6512027AD184F3C4762E325E65FB25AA38BC301FA88DCB77D52E1DAA311C096357E5
TrID 89.0% (.EXE) WinRAR Self Extracting archive (4.x-5.x) (265042/9/39)
3.5% (.EXE) Win64 Executable (generic) (10523/12/4)
2.2% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
1.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
1.5% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):PE icon
dhash icon e0d0d2d2b0a8f018 (8 x SnakeKeylogger, 1 x NerbianRAT, 1 x AgentTesla)
Reporter abuse_ch
Tags:exe SnakeKeylogger

Intelligence

File Origin
# of uploads :
1
# of downloads :
228
Origin country :
NL NL
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
PO.exe
Verdict:
Malicious activity
Analysis date:
2023-05-05 11:38:21 UTC
Tags:
snake keylogger trojan evasion
Link:
https://app.any.run/tasks/a4ef04c2-e0c2-4cbe-a77b-62b2f784fd50

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/386794/
Detection(s):
SecuriteInfo.com.Trojan.GenericKD.38920448.13962.7593.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Launching a process
Searching for the window
Creating a window
Сreating synchronization primitives
Searching for synchronization primitives
Creating a file
Enabling the 'hidden' option for recently created files
Creating a process from a recently created file
Sending a custom TCP request
Creating a file in the %temp% directory
DNS request
Sending an HTTP GET request
Reading critical registry keys
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Unauthorized injection to a recently created process
Unauthorized injection to a recently created process by context flags manipulation
Forced shutdown of a browser
Result
Malware family:
n/a
Score:
  6/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/82643/overview
Behaviour
MalwareBazaar
MeasuringTime
EvasionQueryPerformanceCounter
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
anti-vm autoit greyware keylogger overlay packed setupapi.dll shdocvw.dll shell32.dll wscript
Link:
https://www.filescan.io/uploads/6454e71902eb38e718e955e2/reports/fb70aab9-0499-42a8-a13e-a55c04ad8391/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_70%
Link:
https://www.hybrid-analysis.com/sample/dc0806ab221c2c8e74e320c03c32c645fe6576bbf2a4989cb8817bacec95105d
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Snake Keylogger
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/68380002-401d-41d0-880c-e20c51a731e3
Result
Threat name:
Snake Keylogger, StormKitty
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1227254
Signature
Allocates memory in foreign processes
Drops PE files with a suspicious file extension
Found malware configuration
Injects a PE file into a foreign processes
Malicious sample detected (through community Yara rule)
May check the online IP address of the machine
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic
Starts an encoded Visual Basic Script (VBE)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Uses the Telegram API (likely for C&C communication)
Writes to foreign memory regions
Yara detected AntiVM autoit script
Yara detected Generic Downloader
Yara detected Snake Keylogger
Yara detected StormKitty Stealer
Yara detected Telegram RAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 860223 Sample: PO.exe Startdate: 05/05/2023 Architecture: WINDOWS Score: 100 64 Snort IDS alert for network traffic 2->64 66 Found malware configuration 2->66 68 Malicious sample detected (through community Yara rule) 2->68 70 8 other signatures 2->70 8 PO.exe 37 2->8         started        12 bkcp.pif 2->12         started        14 bkcp.pif 1 2->14         started        16 bkcp.pif 2->16         started        process3 file4 36 C:\qrtr\bkcp.pif, PE32 8->36 dropped 78 Drops PE files with a suspicious file extension 8->78 80 Starts an encoded Visual Basic Script (VBE) 8->80 18 wscript.exe 1 8->18         started        82 Writes to foreign memory regions 12->82 84 Allocates memory in foreign processes 12->84 86 Injects a PE file into a foreign processes 12->86 20 RegSvcs.exe 12->20         started        24 RegSvcs.exe 2 14->24         started        26 RegSvcs.exe 16->26         started        signatures5 process6 dnsIp7 28 bkcp.pif 1 3 18->28         started        46 api.telegram.org 20->46 54 2 other IPs or domains 20->54 72 Tries to steal Mail credentials (via file / registry access) 20->72 74 Tries to harvest and steal browser information (history, passwords, etc) 20->74 48 158.101.44.242, 49761, 49960, 80 ORACLE-BMC-31898US United States 24->48 50 checkip.dyndns.org 24->50 56 2 other IPs or domains 24->56 52 checkip.dyndns.org 26->52 58 2 other IPs or domains 26->58 signatures8 76 Uses the Telegram API (likely for C&C communication) 46->76 process9 file10 38 C:\Users\user\AppData\Local\...\RegSvcs.exe, PE32 28->38 dropped 88 Multi AV Scanner detection for dropped file 28->88 90 Writes to foreign memory regions 28->90 92 Allocates memory in foreign processes 28->92 94 Injects a PE file into a foreign processes 28->94 32 RegSvcs.exe 15 2 28->32         started        signatures11 process12 dnsIp13 40 checkip.dyndns.com 132.226.247.73, 49696, 49955, 80 UTMEMUS United States 32->40 42 checkip.dyndns.org 32->42 44 api.telegram.org 149.154.167.220, 443, 49697, 49698 TELEGRAMRU United Kingdom 32->44 60 May check the online IP address of the machine 32->60 62 Tries to steal Mail credentials (via file / registry access) 32->62 signatures14
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/dc0806ab221c2c8e74e320c03c32c645fe6576bbf2a4989cb8817bacec95105d/
Threat name:
Win32.Trojan.Woreflint
Create hunting rule
Status:
Malicious
First seen:
2023-05-03 02:40:46 UTC
File Type:
PE (Exe)
Extracted files:
315
AV detection:
20 of 37 (54.05%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=3qeankzcdqwi45hdedadymwgix7gk5v36ksjrhfyqf52z3evcboq._file
Verdict:
malicious
Similar samples:
050ff72362dbca4fcf4aab3117d7215c3f66f6c271f0f03955e75e3083fb6bb1
SnakeKeylogger
4e62540930b121dc5eb404032401ac2b37cd86b591e14c4404610a2e59f06b6d
SnakeKeylogger
66fc3723780e346e20f615a78c74f9252e2b95eda2141d7158666b2b94eae303
SnakeKeylogger
b8e476dcba0bdaf21e70dbad37d600ee95679afc0827aed027d8441a12068e59
SnakeKeylogger
b8f2e3ecf35e329a28c78ee2dac2f766e41d1768cd204e7bf4588535b92ad981
SnakeKeylogger
bf15bf7ad5e678a40cca28a50fbe8a4f4aa8b86f3480820d8c0178db3107cb15
SnakeKeylogger
bf36b9ac0998d56e00d4fa60997ba6105f5d9ace84c3e5949fe036d0315d9019
SnakeKeylogger
cc138ced1fbc3fd146c76a8ab520bc6e436b84a4cd26542e8d75ae57c435511d
SnakeKeylogger
e5576bd4af80125cef4bbaf71b357486fde975fce56ff17c782644933d542828
SnakeKeylogger
ee79d711f50c08fc3f58d643b0974e2030d5f6f0479a5e000eaef3940f099636
SnakeKeylogger
+ 4'937 additional samples on MalwareBazaar
Result
Malware family:
stormkitty
Create hunting rule
Score:
  10/10
Tags:
family:snakekeylogger family:stormkitty collection keylogger persistence spyware stealer
Link:
https://tria.ge/reports/230505-ng577ahg52/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Enumerates physical storage devices
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Adds Run key to start application
Looks up external IP address via web service
Checks computer location settings
Executes dropped EXE
Loads dropped DLL
Reads user/profile data of web browsers
Snake Keylogger
Snake Keylogger payload
StormKitty
StormKitty payload
Malware Config
C2 Extraction:
https://api.telegram.org/bot6102267622:AAFFZ_GvUj4OisNxsdlwZ5OHZVEfanDQBf0/sendMessage?chat_id=6107719374
Unpacked files
SH256 hash:
8c413cc835e7af67e4c2ec90c8d62511e5701b79587f8b64463e8dca137a4448
MD5 hash:
25a0a07bc3c64e118ae5a2523145d2b9
SHA1 hash:
c2a005d0f9b8653f73ec640ee4a8dfc5cb905f22
Link:
https://www.unpac.me/results/46c8a5eb-b630-46c7-b7dc-0508b9736e60/
SH256 hash:
3601fd192edd63314617880907f09e83a9b94b8be6bf1854727a9b527961fb43
MD5 hash:
1ff2b9f2eb968a4e8f05b6165d9e22c7
SHA1 hash:
a92d0112ee021042ef7dec0212f6beb08ff7f0a2
Detections:
snake_keylogger
Create hunting rule
Link:
https://www.unpac.me/results/46c8a5eb-b630-46c7-b7dc-0508b9736e60/
SH256 hash:
dc0806ab221c2c8e74e320c03c32c645fe6576bbf2a4989cb8817bacec95105d
MD5 hash:
9f8b2cf1b5026b2a9c3bc420cefba47e
SHA1 hash:
f6f59bf99d6d8d355bf8bf867488f442481cdb76
Link:
https://www.unpac.me/results/46c8a5eb-b630-46c7-b7dc-0508b9736e60/
Malware family:
SnakeKeylogger
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/dc0806ab221c/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/dc0806ab221c2c8e74e320c03c32c645fe6576bbf2a4989cb8817bacec95105d

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pdb_YARAify
Create hunting rule
Author:@wowabiy314
Description:PDB
Rule name:sfx_pdb
Create hunting rule
Author:@razvialex
Description:Detect interesting files containing sfx with pdb paths.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

SnakeKeylogger

Executable exe dc0806ab221c2c8e74e320c03c32c645fe6576bbf2a4989cb8817bacec95105d

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/386794/

Comments