MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 de0cb6ebdb3de731c768933ecd33f4adf12ae6667113ca68e49538bd644cd32c. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


SnakeKeylogger


Vendor detections: 14


Intelligence 14 IOCs YARA 4 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: de0cb6ebdb3de731c768933ecd33f4adf12ae6667113ca68e49538bd644cd32c
SHA3-384 hash: da1237219f143cd3f7010062281987b3de599368ad4fafafa8513c47ef28943381149f0130dd5dcb4ab752d4bd938643
SHA1 hash: 27ebfc2576551267db98b26b70ab47cce0d351ac
MD5 hash: 59fe13a8377c30271d44777e396b6bd5
humanhash: salami-orange-nine-cat
File name:de0cb6ebdb3de731c768933ecd33f4adf12ae6667113ca68e49538bd644cd32c
Download: download sample
Signature SnakeKeylogger
Create hunting rule
File size:599'552 bytes
First seen:2024-10-16 10:56:44 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'462 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 12288:tnC8t19OthcGsWjeHCGvQmG7hf6b7Z2z1B9jmE:fShqWjeHTQKfE
TLSH T1A5D4F1689609F103CDAD57B85BA1F5B4276C1EEFB502E2175FD8BDEB7976B100808183
TrID 71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.2% (.EXE) Win64 Executable (generic) (10522/11/4)
6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.3% (.EXE) Win32 Executable (generic) (4504/4/1)
2.0% (.ICL) Windows Icons Library (generic) (2059/9)
Magika pebin
File icon (PE):PE icon
dhash icon e0c4a2a2a4acbcd8 (11 x Formbook, 7 x SnakeKeylogger, 6 x RemcosRAT)
Reporter JAMESWT_WT
Tags:D3Lab exe sender--pncala-com SnakeKeylogger Spam-ITA

Intelligence

File Origin
# of uploads :
1
# of downloads :
394
Origin country :
IT IT
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
de0cb6ebdb3de731c768933ecd33f4adf12ae6667113ca68e49538bd644cd32c
Verdict:
Malicious activity
Analysis date:
2024-10-16 11:30:01 UTC
Tags:
evasion snake keylogger smtp
Link:
https://app.any.run/tasks/373c9d62-9204-424f-8a4b-19e78c0b2014

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection(s):
SecuriteInfo.com.Trojan.PackedNET.3073.30961.28058.UNOFFICIAL
Create hunting rule

Verdict:
Malicious
Score:
99.1%
Link:
https://cyber-fortress.com/docs/result/index.php?id=670f9c001d4ef219fa634ea9
Tags:
Powershell Snake Spam
Verdict:
Malicious
Labled as:
Trojan.Generic
Link:
https://www.hybrid-analysis.com/sample/de0cb6ebdb3de731c768933ecd33f4adf12ae6667113ca68e49538bd644cd32c
Malware family:
Snake Keylogger
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/cfa582a9-1f03-4899-8fd9-bf21a10c604e
Result
Threat name:
Snake Keylogger
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1534982
Signature
.NET source code contains potential unpacker
Adds a directory exclusion to Windows Defender
AI detected suspicious sample
Found malware configuration
Loading BitLocker PowerShell Module
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Moves itself to temp directory
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Capture Wi-Fi password
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Sigma detected: Scheduled temp file as task from temp location
Suricata IDS alerts for network traffic
Tries to detect the country of the analysis system (by using the IP)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal WLAN passwords
Tries to steal Mail credentials (via file / registry access)
Uses netsh to modify the Windows network and firewall settings
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected AntiVM3
Yara detected Generic Downloader
Yara detected Snake Keylogger
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1534982 Sample: ACGH8aovg0.exe Startdate: 16/10/2024 Architecture: WINDOWS Score: 100 49 reallyfreegeoip.org 2->49 51 pncala.com 2->51 53 4 other IPs or domains 2->53 71 Suricata IDS alerts for network traffic 2->71 73 Found malware configuration 2->73 75 Malicious sample detected (through community Yara rule) 2->75 79 10 other signatures 2->79 9 ACGH8aovg0.exe 7 2->9         started        13 uSYikBvofLR.exe 5 2->13         started        signatures3 77 Tries to detect the country of the analysis system (by using the IP) 49->77 process4 file5 41 C:\Users\user\AppData\...\uSYikBvofLR.exe, PE32 9->41 dropped 43 C:\Users\...\uSYikBvofLR.exe:Zone.Identifier, ASCII 9->43 dropped 45 C:\Users\user\AppData\Local\...\tmpA81D.tmp, XML 9->45 dropped 47 C:\Users\user\AppData\...\ACGH8aovg0.exe.log, ASCII 9->47 dropped 81 Uses schtasks.exe or at.exe to add and modify task schedules 9->81 83 Uses netsh to modify the Windows network and firewall settings 9->83 85 Adds a directory exclusion to Windows Defender 9->85 87 Tries to harvest and steal WLAN passwords 9->87 15 ACGH8aovg0.exe 15 13 9->15         started        19 powershell.exe 23 9->19         started        21 schtasks.exe 1 9->21         started        89 Multi AV Scanner detection for dropped file 13->89 91 Machine Learning detection for dropped file 13->91 23 schtasks.exe 13->23         started        25 uSYikBvofLR.exe 13->25         started        signatures6 process7 dnsIp8 55 pncala.com 206.222.19.218, 52046, 52060, 52061 ENET-2US United States 15->55 57 reallyfreegeoip.org 188.114.97.3, 443, 49708, 49709 CLOUDFLARENETUS European Union 15->57 59 checkip.dyndns.com 132.226.247.73, 49707, 49710, 49714 UTMEMUS United States 15->59 61 Moves itself to temp directory 15->61 63 Tries to steal Mail credentials (via file / registry access) 15->63 65 Tries to harvest and steal browser information (history, passwords, etc) 15->65 67 Tries to harvest and steal WLAN passwords 15->67 27 netsh.exe 15->27         started        69 Loading BitLocker PowerShell Module 19->69 29 conhost.exe 19->29         started        31 WmiPrvSE.exe 19->31         started        33 conhost.exe 21->33         started        35 conhost.exe 23->35         started        37 WerFault.exe 25->37         started        signatures9 process10 process11 39 conhost.exe 27->39         started       
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/de0cb6ebdb3de731c768933ecd33f4adf12ae6667113ca68e49538bd644cd32c
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/de0cb6ebdb3de731c768933ecd33f4adf12ae6667113ca68e49538bd644cd32c/
Threat name:
ByteCode-MSIL.Trojan.Remcos
Create hunting rule
Status:
Malicious
First seen:
2024-10-09 04:09:53 UTC
File Type:
PE (.Net Exe)
Extracted files:
7
AV detection:
19 of 24 (79.17%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=3ygln263hxttdr3ism7m2m7uvxysvztgoej4u2hesu4l2zcm2mwa._file
Verdict:
malicious
Label(s):
404keylogger
Create hunting rule
snakekeylogger
Create hunting rule
unknown_loader_037
Create hunting rule
Similar samples:
error
SnakeKeylogger
Result
Malware family:
snakekeylogger
Create hunting rule
Score:
  10/10
Tags:
family:snakekeylogger collection discovery execution keylogger persistence privilege_escalation spyware stealer
Link:
https://tria.ge/reports/241016-m19jaazdnm/
Behaviour
Scheduled Task/Job: Scheduled Task
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: RenamesItself
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Enumerates physical storage devices
Event Triggered Execution: Netsh Helper DLL
System Location Discovery: System Language Discovery
System Network Configuration Discovery: Wi-Fi Discovery
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Looks up external IP address via web service
Checks computer location settings
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Command and Scripting Interpreter: PowerShell
Snake Keylogger
Snake Keylogger payload
Verdict:
Malicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/d5e72953-3e10-424e-9045-e42a9411504d
Unpacked files
SH256 hash:
072a047bd4191df9bf3840d3fca15a92dcc9138caadd55a898bca7231c7280c4
MD5 hash:
93899a803c1c347a14845ede9cfa2db1
SHA1 hash:
62e39bb385cf84741ca19a1c93ecab16751537ee
Detections:
snake_keylogger
Create hunting rule
win_404keylogger_g1
Create hunting rule
MAL_Envrial_Jan18_1
Create hunting rule
MALWARE_Win_SnakeKeylogger
Create hunting rule
INDICATOR_SUSPICIOUS_Binary_References_Browsers
Create hunting rule
INDICATOR_SUSPICIOUS_EXE_DotNetProcHook
Create hunting rule
Link:
https://www.unpac.me/results/9be4b6d2-2861-4f16-82ba-7d7e23c23bac/
SH256 hash:
6bf294c9ec3feb47c757ebf032a60d51be054fa8a0cc2d7e7ead3726b01bcf53
MD5 hash:
430dfa6ef09db4c88df04dca42cccfab
SHA1 hash:
0d62f452f2149bbf1666b88ae05e0ac6ba75b98d
Detections:
SUSP_OBF_NET_ConfuserEx_Name_Pattern_Jan24
Create hunting rule
SUSP_OBF_NET_Reactor_Indicators_Jan24
Create hunting rule
Link:
https://www.unpac.me/results/9be4b6d2-2861-4f16-82ba-7d7e23c23bac/
SH256 hash:
682c261fcd08c676ef231f46eac1c054c8df17522846b9e4adbafb62e8482dab
MD5 hash:
5a6cead6de3340dd9e0b16d599e5d1f5
SHA1 hash:
00e25f93284ff0d2493c6df3a596891d0848399e
Link:
https://www.unpac.me/results/9be4b6d2-2861-4f16-82ba-7d7e23c23bac/
SH256 hash:
de0cb6ebdb3de731c768933ecd33f4adf12ae6667113ca68e49538bd644cd32c
MD5 hash:
59fe13a8377c30271d44777e396b6bd5
SHA1 hash:
27ebfc2576551267db98b26b70ab47cce0d351ac
Link:
https://www.unpac.me/results/9be4b6d2-2861-4f16-82ba-7d7e23c23bac/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/de0cb6ebdb3de731c768933ecd33f4adf12ae6667113ca68e49538bd644cd32c

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_DLL_CHARACTERISTICSMissing dll Security Characteristics (HIGH_ENTROPY_VA)high

Comments