MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 e51a6391514210d971a76cec2a5b8773344c36a57a2a850a678f3974abd5dc81. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


SnakeKeylogger


Vendor detections: 15


Intelligence 15 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: e51a6391514210d971a76cec2a5b8773344c36a57a2a850a678f3974abd5dc81
SHA3-384 hash: 5358e6696aa788e0b4fc53bb0b43c1114084176a4013ebfd554211b2c01948f56d2ec7c688187157c622a2c866e2e78b
SHA1 hash: 31e32e48c93fccb29a8cfb178b6635ee860393b5
MD5 hash: cc5c14558ff9d8483a19da5e06ac10f1
humanhash: sweet-stairway-don-massachusetts
File name:Vessel Details.exe
Download: download sample
Signature SnakeKeylogger
Create hunting rule
File size:832'512 bytes
First seen:2023-05-10 07:42:13 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'740 x AgentTesla, 19'597 x Formbook, 12'241 x SnakeKeylogger)
ssdeep 12288:w3lqK5MSTLxzKRHoqZfOtIyyjGUwJ8qOsGPojIDPrIklVThZuRI+U2+Abg2:w3IK5MSTLxhIqIXjIluVTx+U2L
TLSH T122058C3C22DA5D22C71573FA8955C6E103396F106FABD22A22BE30CC8971BA3ED5554F
TrID 67.7% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
9.7% (.EXE) Win64 Executable (generic) (10523/12/4)
6.0% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
4.1% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):PE icon
dhash icon 9d9e1969696b0646 (9 x SnakeKeylogger, 8 x AgentTesla, 4 x Loki)
Reporter abuse_ch
Tags:exe SnakeKeylogger

Intelligence

File Origin
# of uploads :
1
# of downloads :
239
Origin country :
NL NL
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
Vessel Details.exe
Verdict:
Malicious activity
Analysis date:
2023-05-10 07:47:48 UTC
Tags:
snake keylogger trojan evasion
Link:
https://app.any.run/tasks/2a4ed5ee-b854-48b1-82c2-78b5a571a134

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Snake
Create hunting rule
Link:
https://www.capesandbox.com/analysis/388055/
Detection(s):
Sanesecurity.Malware.28872.BadIN4.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Creating a window
Launching a process
Creating a process with a hidden window
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
barys comodo lokibot packed
Link:
https://www.filescan.io/uploads/645b4b08b664422b69d61b59/reports/a6e98b0e-13ca-4d13-adb8-5c774e14ab5d/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_100%
Link:
https://www.hybrid-analysis.com/sample/e51a6391514210d971a76cec2a5b8773344c36a57a2a850a678f3974abd5dc81
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Snake Keylogger
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/82951556-decd-4c3c-a1e3-aef781dca8d8
Result
Threat name:
Snake Keylogger, StormKitty
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1229876
Signature
.NET source code contains method to dynamically call methods (often used by packers)
Adds a directory exclusion to Windows Defender
Found malware configuration
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
May check the online IP address of the machine
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Scheduled temp file as task from temp location
Snort IDS alert for network traffic
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected Generic Downloader
Yara detected Snake Keylogger
Yara detected StormKitty Stealer
Yara detected Telegram RAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 862859 Sample: Vessel_Details.exe Startdate: 10/05/2023 Architecture: WINDOWS Score: 100 54 Snort IDS alert for network traffic 2->54 56 Found malware configuration 2->56 58 Malicious sample detected (through community Yara rule) 2->58 60 8 other signatures 2->60 7 Vessel_Details.exe 7 2->7         started        11 rSHkBCFcbeyr.exe 5 2->11         started        process3 file4 34 C:\Users\user\AppData\...\rSHkBCFcbeyr.exe, PE32 7->34 dropped 36 C:\Users\...\rSHkBCFcbeyr.exe:Zone.Identifier, ASCII 7->36 dropped 38 C:\Users\user\AppData\Local\...\tmp6BEE.tmp, XML 7->38 dropped 40 C:\Users\user\...\Vessel_Details.exe.log, ASCII 7->40 dropped 62 May check the online IP address of the machine 7->62 64 Uses schtasks.exe or at.exe to add and modify task schedules 7->64 66 Adds a directory exclusion to Windows Defender 7->66 13 Vessel_Details.exe 15 2 7->13         started        17 powershell.exe 21 7->17         started        19 schtasks.exe 1 7->19         started        68 Multi AV Scanner detection for dropped file 11->68 70 Machine Learning detection for dropped file 11->70 72 Injects a PE file into a foreign processes 11->72 21 rSHkBCFcbeyr.exe 11->21         started        23 schtasks.exe 1 11->23         started        signatures5 process6 dnsIp7 42 thenewsfortoday.com 50.87.151.248, 25, 49696, 49709 UNIFIEDLAYER-AS-1US United States 13->42 44 checkip.dyndns.com 193.122.130.0, 49695, 80 ORACLE-BMC-31898US United States 13->44 46 checkip.dyndns.org 13->46 74 Tries to steal Mail credentials (via file / registry access) 13->74 76 Tries to harvest and steal browser information (history, passwords, etc) 13->76 25 conhost.exe 17->25         started        27 conhost.exe 19->27         started        48 158.101.44.242, 49697, 80 ORACLE-BMC-31898US United States 21->48 50 checkip.dyndns.org 21->50 29 WerFault.exe 21->29         started        32 conhost.exe 23->32         started        signatures8 process9 dnsIp10 52 192.168.2.1 unknown unknown 29->52
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/e51a6391514210d971a76cec2a5b8773344c36a57a2a850a678f3974abd5dc81/
Threat name:
Win32.Trojan.Tnega
Create hunting rule
Status:
Malicious
First seen:
2023-05-10 03:42:15 UTC
File Type:
PE (.Net Exe)
Extracted files:
33
AV detection:
20 of 24 (83.33%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=4unghekriiins4nhntwcuw4hom2eynvfpivikcthr44xjk6v3saq._file
Verdict:
malicious
Result
Malware family:
stormkitty
Create hunting rule
Score:
  10/10
Tags:
family:snakekeylogger family:stormkitty collection keylogger spyware stealer
Link:
https://tria.ge/reports/230510-jj9wyagg2y/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Enumerates physical storage devices
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Looks up external IP address via web service
Checks computer location settings
Reads user/profile data of web browsers
Snake Keylogger
Snake Keylogger payload
StormKitty
StormKitty payload
Unpacked files
SH256 hash:
a18a0c7c458ea554a88a9252a49149491733d8d2b8c4123c41ca8ac790228793
MD5 hash:
a82b1c7c3c5bc0af95565c41eed70dc7
SHA1 hash:
8e77a14775254b8b9671e7e75f144ed027096633
Detections:
snake_keylogger
Create hunting rule
Link:
https://www.unpac.me/results/02d8203f-c862-4728-bfe8-61dd2ba04bc5/
Parent samples :
f79efc614f027353e325afc63ad28655b796e13a5862aa9dbe07978a2d9516a0
46a47f20c3eed9e71fd44ce1bbb288d3da1283f85ccc226679a030dde37f3c94
e51a6391514210d971a76cec2a5b8773344c36a57a2a850a678f3974abd5dc81
SH256 hash:
418a5b43b921c81611c8309bf3b24257bd0976dd3cfe9c5b959700366d30f4a0
MD5 hash:
9a4844841cf2e418faa397a0cd329fdd
SHA1 hash:
842b1f1808eb4b3388f9dddb60cda914d0417ecb
Link:
https://www.unpac.me/results/02d8203f-c862-4728-bfe8-61dd2ba04bc5/
SH256 hash:
7c92bae7171917faeca02aa519ac886f67a9a70708f94522c58fa125d87dab62
MD5 hash:
3e68768169ffdce52c0e681a23769138
SHA1 hash:
5b2772a4238fd7d73cf2cb061e25cc82c7c78d99
Link:
https://www.unpac.me/results/02d8203f-c862-4728-bfe8-61dd2ba04bc5/
SH256 hash:
5bf18333a936e0f430a0e52390060b2ea35d472bd88b1cf8299e6502e7365140
MD5 hash:
2bd1a8683a3c9993feab5f972368a5ae
SHA1 hash:
247eb4a1214e77f62e4746adae9cf31436257bdb
Link:
https://www.unpac.me/results/02d8203f-c862-4728-bfe8-61dd2ba04bc5/
SH256 hash:
b52c29ba9ef8996bdf721950d900db96f1befb9883eb38c2075528e60c7aabd4
MD5 hash:
7b6143d9d94c8b80d191b77d8b6d1ba2
SHA1 hash:
1c91704ff6da2a9dd8aaa2ff2d5a5f69a445f76b
Link:
https://www.unpac.me/results/02d8203f-c862-4728-bfe8-61dd2ba04bc5/
SH256 hash:
e51a6391514210d971a76cec2a5b8773344c36a57a2a850a678f3974abd5dc81
MD5 hash:
cc5c14558ff9d8483a19da5e06ac10f1
SHA1 hash:
31e32e48c93fccb29a8cfb178b6635ee860393b5
Link:
https://www.unpac.me/results/02d8203f-c862-4728-bfe8-61dd2ba04bc5/
Malware family:
SnakeKeylogger
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/e51a63915142/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Password Stealer
Score:
0.90
Link:
https://yomi.yoroi.company/submissions/e51a6391514210d971a76cec2a5b8773344c36a57a2a850a678f3974abd5dc81

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:BitcoinAddress
Create hunting rule
Author:Didier Stevens (@DidierStevens)
Description:Contains a valid Bitcoin address
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

SnakeKeylogger

Executable exe e51a6391514210d971a76cec2a5b8773344c36a57a2a850a678f3974abd5dc81

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/388055/

Comments