MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 de9f6c2d1c5290b7b9fb54e959dae7156cfd7005b1eb0299ea93e56e7883ca4b. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


SnakeKeylogger


Vendor detections: 15


Intelligence 15 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: de9f6c2d1c5290b7b9fb54e959dae7156cfd7005b1eb0299ea93e56e7883ca4b
SHA3-384 hash: d5c447f6a2efc74f4d7538deae6170a86e350c7037a09ee9641987b8576c8a47494ad90bf1593a853f01d92958fecf3d
SHA1 hash: 55cd546626f2e334a0ce2cde158ae5ddffb12836
MD5 hash: 693c67ec2c061754dfccdea800ba29fd
humanhash: jersey-missouri-charlie-mexico
File name:Halkbank_Ekstre_20220315_1583843832.pdf.exe
Download: download sample
Signature SnakeKeylogger
Create hunting rule
File size:795'136 bytes
First seen:2022-03-15 12:07:45 UTC
Last seen:2022-03-15 13:51:26 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'741 x AgentTesla, 19'604 x Formbook, 12'242 x SnakeKeylogger)
ssdeep 12288:PgOmskwOEocE55VxEcp393xWznh+yCApzbwos5BSqUQGpLke7Uv1K:IOmHwOlEQBxbyjpz0F7SqUQGTUv
Threatray 1'849 similar samples on MalwareBazaar
TLSH T10F05010AB3F49F83F4B6E7FA8425160843B6B129560DE3584ED630DB14B7F009BA5B5B
Reporter GovCERT_CH
Tags:exe SnakeKeylogger

Intelligence

File Origin
# of uploads :
2
# of downloads :
211
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
snakekeylogger
Create hunting rule
ID:
1
File name:
Halkbank_Ekstre_20220315_1583843832.pdf.exe
Verdict:
Malicious activity
Analysis date:
2022-03-15 12:10:55 UTC
Tags:
evasion trojan snakekeylogger keylogger
Link:
https://app.any.run/tasks/af82241b-9bda-47e4-9d35-8a881b8338de

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Snake
Create hunting rule
Link:
https://www.capesandbox.com/analysis/250743/
Detection(s):
SecuriteInfo.com.Trojan.Siggen17.25660.28953.11267.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Сreating synchronization primitives
Creating a file in the %AppData% directory
Enabling the 'hidden' option for recently created files
Adding an access-denied ACE
Creating a process from a recently created file
Creating a process with a hidden window
Creating a file in the %temp% directory
Launching a process
Unauthorized injection to a recently created process
Creating a file
Enabling autorun by creating a file
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
fareit obfuscated packed
Link:
https://www.filescan.io/uploads/623081ab0cd58dbd929e5f73/reports/a084dd5e-5c35-4437-a8c3-256364468b79/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Snake Keylogger
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/949f9abe-e171-4300-bfd5-cf4fbc1e6949
Result
Threat name:
Snake Keylogger
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/956963
Signature
.NET source code contains potential unpacker
.NET source code references suspicious native API functions
Adds a directory exclusion to Windows Defender
Found malware configuration
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
May check the online IP address of the machine
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Suspicious Add Scheduled Task From User AppData Temp
Sigma detected: Suspicious Double Extension
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Mail credentials (via file / registry access)
Uses an obfuscated file name to hide its real file extension (double extension)
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected AntiVM3
Yara detected Snake Keylogger
Yara detected Telegram RAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 589441 Sample: Halkbank_Ekstre_20220315_15... Startdate: 15/03/2022 Architecture: WINDOWS Score: 100 39 Found malware configuration 2->39 41 Malicious sample detected (through community Yara rule) 2->41 43 Multi AV Scanner detection for dropped file 2->43 45 13 other signatures 2->45 7 Halkbank_Ekstre_20220315_1583843832.pdf.exe 7 2->7         started        process3 file4 25 C:\Users\user\AppData\Roaming\bFGxywDtG.exe, PE32 7->25 dropped 27 C:\Users\...\bFGxywDtG.exe:Zone.Identifier, ASCII 7->27 dropped 29 C:\Users\user\AppData\Local\...\tmpE869.tmp, XML 7->29 dropped 31 Halkbank_Ekstre_20...3843832.pdf.exe.log, ASCII 7->31 dropped 47 May check the online IP address of the machine 7->47 49 Uses schtasks.exe or at.exe to add and modify task schedules 7->49 51 Adds a directory exclusion to Windows Defender 7->51 53 Injects a PE file into a foreign processes 7->53 11 Halkbank_Ekstre_20220315_1583843832.pdf.exe 15 4 7->11         started        15 powershell.exe 25 7->15         started        17 schtasks.exe 1 7->17         started        19 Halkbank_Ekstre_20220315_1583843832.pdf.exe 7->19         started        signatures5 process6 dnsIp7 33 mail.celkonsan.com 37.230.104.41, 49788, 49794, 49795 AEROTEK-ASTR Turkey 11->33 35 checkip.dyndns.org 11->35 37 2 other IPs or domains 11->37 55 Tries to steal Mail credentials (via file / registry access) 11->55 57 Tries to harvest and steal ftp login credentials 11->57 59 Tries to harvest and steal browser information (history, passwords, etc) 11->59 21 conhost.exe 15->21         started        23 conhost.exe 17->23         started        signatures8 process9
Detection:
snakekeylogger
Create hunting rule
Link:
https://mwdb.cert.pl/sample/de9f6c2d1c5290b7b9fb54e959dae7156cfd7005b1eb0299ea93e56e7883ca4b/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2022-03-15 11:55:32 UTC
File Type:
PE (.Net Exe)
Extracted files:
15
AV detection:
23 of 27 (85.19%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=32pwyli4kkilpop3ktuvtwxhcvwp24afwhvqfgpkspsw46edzjfq._file
Verdict:
malicious
Similar samples:
13a20e11cd5a555f254458a08800d84b16cbc42871e9b26baef8b5e8ec958557
SnakeKeylogger
2a5530ab57193bdd66809775e99678ec6be6053af364e731aeae2fb9baabbf32
SnakeKeylogger
3fee0d32925b8e8b2525e9b697ef141fe0635570ad42cc8b9fd0819913983db8
SnakeKeylogger
a9189b815c696214f9c7297e0ee9d6ecfff9bcf7e7064651dc3d64522d922b8d
SnakeKeylogger
bcbf8a906dcee1a2cf55c638b4fd5c815d93b764bc88038210edfd7cb635ac69
SnakeKeylogger
c9e41839229f9f0212302fabb622b307341d9094b6f6c348b166b858012f296e
SnakeKeylogger
f13f9e43f10104b7502bb7359d9d4f6bef97495af69be9f7b895730af56ca89e
SnakeKeylogger
+ 1'839 additional samples on MalwareBazaar
Result
Malware family:
snakekeylogger
Create hunting rule
Score:
  10/10
Tags:
family:snakekeylogger collection keylogger spyware stealer
Link:
https://tria.ge/reports/220315-pawkvachdk/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Enumerates physical storage devices
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Looks up external IP address via web service
Checks computer location settings
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Snake Keylogger
Snake Keylogger Payload
Unpacked files
SH256 hash:
b8c7606ad9554ebe0828675a68325c0d8ed799215f2a4e6c6d8c29caa93d4fa2
MD5 hash:
302099799002c4d1acc7c45dabe4a2c5
SHA1 hash:
f218d7669105fe64cac1afc7a1514b9b65594915
Link:
https://www.unpac.me/results/33f3c07d-e16c-45fb-b3c1-562db8b44549/
SH256 hash:
b3f1690e05dff72c79f5e592641c3b620ddee87ec9f45474bd73835be871185a
MD5 hash:
1a302883114cef7749c7178789c5a2e8
SHA1 hash:
f00af6376b12b1ccbfe8272c4cc93c5dfcd0f945
Link:
https://www.unpac.me/results/33f3c07d-e16c-45fb-b3c1-562db8b44549/
SH256 hash:
4ffb59b76867dc3ee5df8b1476a82043c8bbfa9679aa90a2e4b937292b3722b8
MD5 hash:
fc6d91ff314356715f5c76ba61240c9f
SHA1 hash:
aac8291f9af1c2e18b8302550ee4d1c96120949a
Link:
https://www.unpac.me/results/33f3c07d-e16c-45fb-b3c1-562db8b44549/
SH256 hash:
b62c959adbbe2b44e4ce93151f554b1aacf2e4f90b816795abdb0e656a6a5280
MD5 hash:
d661c0cc39d9eefa13a1ec91c4020a9d
SHA1 hash:
4ef58eeb94c01d7553c1be3d57be4bc1ba67aa36
Link:
https://www.unpac.me/results/33f3c07d-e16c-45fb-b3c1-562db8b44549/
SH256 hash:
de9f6c2d1c5290b7b9fb54e959dae7156cfd7005b1eb0299ea93e56e7883ca4b
MD5 hash:
693c67ec2c061754dfccdea800ba29fd
SHA1 hash:
55cd546626f2e334a0ce2cde158ae5ddffb12836
Link:
https://www.unpac.me/results/33f3c07d-e16c-45fb-b3c1-562db8b44549/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/de9f6c2d1c5290b7b9fb54e959dae7156cfd7005b1eb0299ea93e56e7883ca4b

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

SnakeKeylogger

Executable exe de9f6c2d1c5290b7b9fb54e959dae7156cfd7005b1eb0299ea93e56e7883ca4b

(this sample)

  
Dropped by
snakekeylogger
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/250743/

Comments