MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 dedbcf045daad50ab0606d57e2f071a0375333dbdda6e6f197e8c028809f5ba3. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


SnakeKeylogger


Vendor detections: 14


Intelligence 14 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: dedbcf045daad50ab0606d57e2f071a0375333dbdda6e6f197e8c028809f5ba3
SHA3-384 hash: c763706474518bbcf6f00cd9c88187e6c2f200883551132d2590ae8523e4995cb32097a0610ceed154de3c6eba758119
SHA1 hash: 358b31fc8d61d893c1019d9bc9ec77002702f622
MD5 hash: dd72cfb4b607b1e54d22b3255899e2ac
humanhash: undress-cold-timing-kentucky
File name:Signed.PO100627.exe
Download: download sample
Signature SnakeKeylogger
Create hunting rule
File size:594'944 bytes
First seen:2023-04-21 15:33:40 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 6144:1MdfWo0AfOr0Rl6PYOuH8Os++3nA2ujzjjI1QIWh5Ls6XzO6Ez4T8sSvXOAuAl0j:WFWnzuIb3920WfBX3EDXnuvL6FutFDz
Threatray 663 similar samples on MalwareBazaar
TLSH T184C4E071509E8680E01FCFB164BCFCB2173174F3E9D9C934076A9590CE9BF546D89A8A
TrID 71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.2% (.EXE) Win64 Executable (generic) (10523/12/4)
6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.3% (.EXE) Win32 Executable (generic) (4505/5/1)
2.0% (.ICL) Windows Icons Library (generic) (2059/9)
File icon (PE):PE icon
dhash icon e29c2c74d4d4d4aa (4 x AgentTesla, 3 x Loki, 2 x SnakeKeylogger)
Reporter abuse_ch
Tags:exe SnakeKeylogger

Intelligence

File Origin
# of uploads :
1
# of downloads :
271
Origin country :
NL NL
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
Signed.PO100627.exe
Verdict:
Malicious activity
Analysis date:
2023-04-21 15:35:45 UTC
Tags:
snake keylogger trojan evasion
Link:
https://app.any.run/tasks/27b21834-add5-4940-a5e9-047ab2f3c06e

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Snake
Create hunting rule
Link:
https://www.capesandbox.com/analysis/383981/
Detection(s):
Sanesecurity.Malware.28872.BadIN4.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Creating a window
Sending a custom TCP request
Launching a process
Creating a process with a hidden window
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
packed
Link:
https://www.filescan.io/uploads/6442aced7ee5da80cfdfff0a/reports/16c6909d-3c64-4850-8f96-b95dbbeb090e/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_100%
Link:
https://www.hybrid-analysis.com/sample/dedbcf045daad50ab0606d57e2f071a0375333dbdda6e6f197e8c028809f5ba3
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Snake Keylogger
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/f67775d7-3a44-41c3-8018-0722099002fd
Result
Threat name:
Snake Keylogger, StormKitty
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1218833
Signature
.NET source code contains potential unpacker
Adds a directory exclusion to Windows Defender
Found malware configuration
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
May check the online IP address of the machine
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Scheduled temp file as task from temp location
Snort IDS alert for network traffic
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected Generic Downloader
Yara detected Snake Keylogger
Yara detected StormKitty Stealer
Yara detected Telegram RAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 851777 Sample: Signed.PO100627.exe Startdate: 21/04/2023 Architecture: WINDOWS Score: 100 51 Snort IDS alert for network traffic 2->51 53 Found malware configuration 2->53 55 Malicious sample detected (through community Yara rule) 2->55 57 8 other signatures 2->57 7 Signed.PO100627.exe 7 2->7         started        11 dUZZZTnIa.exe 5 2->11         started        process3 file4 33 C:\Users\user\AppData\Roaming\dUZZZTnIa.exe, PE32 7->33 dropped 35 C:\Users\...\dUZZZTnIa.exe:Zone.Identifier, ASCII 7->35 dropped 37 C:\Users\user\AppData\Local\...\tmp7729.tmp, XML 7->37 dropped 39 C:\Users\user\...\Signed.PO100627.exe.log, CSV 7->39 dropped 59 May check the online IP address of the machine 7->59 61 Uses schtasks.exe or at.exe to add and modify task schedules 7->61 63 Adds a directory exclusion to Windows Defender 7->63 13 Signed.PO100627.exe 15 2 7->13         started        17 powershell.exe 21 7->17         started        19 schtasks.exe 1 7->19         started        65 Multi AV Scanner detection for dropped file 11->65 67 Machine Learning detection for dropped file 11->67 21 dUZZZTnIa.exe 14 2 11->21         started        23 schtasks.exe 1 11->23         started        25 dUZZZTnIa.exe 11->25         started        signatures5 process6 dnsIp7 41 checkip.dyndns.com 193.122.130.0, 49699, 80 ORACLE-BMC-31898US United States 13->41 43 mail.kumarmulay.com 103.228.50.196, 25, 49700, 49702 BALASAINET-ASBalasaiNetPvtLtdIN India 13->43 45 checkip.dyndns.org 13->45 27 conhost.exe 17->27         started        29 conhost.exe 19->29         started        47 132.226.8.169, 49701, 80 UTMEMUS United States 21->47 49 checkip.dyndns.org 21->49 69 Tries to steal Mail credentials (via file / registry access) 21->69 71 Tries to harvest and steal browser information (history, passwords, etc) 21->71 31 conhost.exe 23->31         started        signatures8 process9
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/dedbcf045daad50ab0606d57e2f071a0375333dbdda6e6f197e8c028809f5ba3/
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=33n46bc5vlkqvmdanvl6f4drua3vgm633wton4mx5dacrae7lorq._file
Verdict:
malicious
Similar samples:
0fdc5a8bd9026a352ad7c986e4c690f7a85924235ef648a2a313f12f9ea885d5
SnakeKeylogger
1863faaafba4ed1cb5e13451aab6ccc864569bd65c7f01e58da3c66f2f0bafb5
SnakeKeylogger
297bcb98149a7029793c38e7827aba52e746e97a1a0fa85ac80a7b97bbc247f0
SnakeKeylogger
3248ccab4616fda6d7f433604e974798682af135e98b742afff13a29af08ac94
SnakeKeylogger
504a27b4efe9db79bb0ac1fd1a3258d6b94c7989e4b4b892e587e40d6dd4dd02
SnakeKeylogger
55fd1b3c7d2846e3877b9dc4cc5b78a89415ed66335d93c5bdf6fee4309832ef
SnakeKeylogger
9107f64250adc3683e50d7fca6b41e9f7875136ef7d78200b5756e154e0c2602
SnakeKeylogger
b8e476dcba0bdaf21e70dbad37d600ee95679afc0827aed027d8441a12068e59
SnakeKeylogger
c3c06ec6b0c6170345c9e643279523d70b6af46324a33752be3ccabeb17554cb
SnakeKeylogger
f44bc5440ea740d4aa104363157abba31e781936400873d4ac4736506c0b0246
SnakeKeylogger
+ 653 additional samples on MalwareBazaar
Result
Malware family:
stormkitty
Create hunting rule
Score:
  10/10
Tags:
family:snakekeylogger family:stormkitty collection keylogger spyware stealer
Link:
https://tria.ge/reports/230421-szsr2aac9y/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Enumerates physical storage devices
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Looks up external IP address via web service
Checks computer location settings
Reads user/profile data of web browsers
Snake Keylogger
Snake Keylogger payload
StormKitty
StormKitty payload
Unpacked files
SH256 hash:
686d7a0f616c32c209dbc486d15fc72b99246a22a7063f31bef14cf3dbefc608
MD5 hash:
db1b60e5ba59ba71e3206ff672d10a01
SHA1 hash:
f605cd33fbf3159bc77452cbd78e7f8b4159e65b
Link:
https://www.unpac.me/results/93ab46b1-33cb-44fe-8024-83a3a3b45538/
SH256 hash:
21f0154b51a09767f94922b81f5fcd15cf4a6390ab7314e40d0e17b2dcdfe6ba
MD5 hash:
c926563698de3a89ad20474c85122f73
SHA1 hash:
ed1a3b2527ace111e6f39880c7ee3965f301330d
Link:
https://www.unpac.me/results/93ab46b1-33cb-44fe-8024-83a3a3b45538/
SH256 hash:
aad3d4bea32e05d420e976dc3c088adc3ef7de310f1518cb78215caa24621af4
MD5 hash:
07e3095fdcc3b883a2200528aa5041a0
SHA1 hash:
b83a3df51b86566ff09700df7b5cad6149f99f25
Link:
https://www.unpac.me/results/93ab46b1-33cb-44fe-8024-83a3a3b45538/
SH256 hash:
b31c959d802bdc3da4ad71bfbdb13564c4b3402b7154ffb4bd42832425108690
MD5 hash:
8e47fded75c6062bac361340eda7d3d3
SHA1 hash:
8f1a7d7a74a5e0f9fa497f1558c199a58f8b4735
Detections:
snake_keylogger
Create hunting rule
Link:
https://www.unpac.me/results/93ab46b1-33cb-44fe-8024-83a3a3b45538/
Parent samples :
f2880cca891b77df9616dcad027fbba4e2e3425a5c0e3a91ee4a6035572053e2
9107f64250adc3683e50d7fca6b41e9f7875136ef7d78200b5756e154e0c2602
dedbcf045daad50ab0606d57e2f071a0375333dbdda6e6f197e8c028809f5ba3
0072635a2bda42343af1afb62d86f500d931498337411f7fbbb0a850a3e386db
SH256 hash:
f48590b501fb74c0895c5f6ce35deaef533365aec2a9e4aa94af18dde5e05966
MD5 hash:
25b828414b7d74e7c79495b00a908fbb
SHA1 hash:
13031e536ebb7b06323ac7633fc972af4b2d42ac
Link:
https://www.unpac.me/results/93ab46b1-33cb-44fe-8024-83a3a3b45538/
SH256 hash:
dedbcf045daad50ab0606d57e2f071a0375333dbdda6e6f197e8c028809f5ba3
MD5 hash:
dd72cfb4b607b1e54d22b3255899e2ac
SHA1 hash:
358b31fc8d61d893c1019d9bc9ec77002702f622
Link:
https://www.unpac.me/results/93ab46b1-33cb-44fe-8024-83a3a3b45538/
Malware family:
SnakeKeylogger
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/dedbcf045daa/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/dedbcf045daad50ab0606d57e2f071a0375333dbdda6e6f197e8c028809f5ba3

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

SnakeKeylogger

Executable exe dedbcf045daad50ab0606d57e2f071a0375333dbdda6e6f197e8c028809f5ba3

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/383981/

Comments