MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 e52973881cf78615a9aaf045974fed4b5381b743e609c85f8c4ab06f536eb5e1. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


SnakeKeylogger


Vendor detections: 11


Intelligence 11 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: e52973881cf78615a9aaf045974fed4b5381b743e609c85f8c4ab06f536eb5e1
SHA3-384 hash: 20884c724cd12412707a16dd99e4e3646417f5744617ab0cfc0394f15bd2285b8c58821218c8996596db59a7a1262d36
SHA1 hash: 9d950bb108b703edb2636d93559f477bd4885c7f
MD5 hash: e114a64352092d6217d10f54ff42ca3d
humanhash: freddie-six-hot-kentucky
File name:seven.hta
Download: download sample
Signature SnakeKeylogger
Create hunting rule
File size:84'875 bytes
First seen:2024-08-15 13:36:23 UTC
Last seen:Never
File type:HTML Application (hta) hta
MIME type:text/html
ssdeep 96:Ea7ANeOwBNeOEXXXdETYwNeOLWNeO6SKKJPHhNeOfjT:EaqeOwPeOC9FGeOIeOzPeOrT
TLSH T104832099DC319DDE87A49F87B8FD66EC316D136BD7553E88B26F3182DC60B0060C2926
Reporter James_inthe_box
Tags:hta SnakeKeylogger

Intelligence

File Origin
# of uploads :
1
# of downloads :
125
Origin country :
US US
Vendor Threat Intelligence
Detection(s):
SecuriteInfo.com.JS.Obfus-95.UNOFFICIAL
Create hunting rule

Verdict:
Malicious
Score:
92.5%
Link:
https://cyber-fortress.com/docs/result/index.php?id=66be047faa5b40be0aa041e8
Tags:
Discovery Execution Exploit Generic Network Stealth Trojan
Result
Verdict:
Malicious
File Type:
HTA File - Malicious
Link:
https://app.docguard.net/e52973881cf78615a9aaf045974fed4b5381b743e609c85f8c4ab06f536eb5e1/results/dashboard
Behaviour
BlacklistAPI detected
Verdict:
Unknown
Threat level:
  10/10
Confidence:
100%
Link:
https://www.filescan.io/uploads/66be047e32f6d05ff3cd7ca9/reports/d798cbc5-0ecf-4558-8c04-4a239cce32a8/overview
Verdict:
Malicious
Labled as:
VBS.Asthma.2.2D1DE298
Link:
https://www.hybrid-analysis.com/sample/e52973881cf78615a9aaf045974fed4b5381b743e609c85f8c4ab06f536eb5e1
Result
Verdict:
MALICIOUS
Details
Base64 Encoded URL
Detected an ANSI or UNICODE http:// or https:// base64 encoded URL prefix.
Result
Threat name:
Cobalt Strike, PureLog Stealer, Snake Ke
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.expl.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1493359
Signature
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains potential unpacker
Adds a directory exclusion to Windows Defender
AI detected suspicious sample
Detected Cobalt Strike Beacon
Found malware configuration
Injects a PE file into a foreign processes
Loading BitLocker PowerShell Module
Machine Learning detection for dropped file
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
PowerShell case anomaly found
Powershell drops PE file
Sigma detected: Dot net compiler compiles file from suspicious location
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Sigma detected: Scheduled temp file as task from temp location
Sigma detected: Suspicious MSHTA Child Process
Suricata IDS alerts for network traffic
Suspicious command line found
Suspicious powershell command line found
Tries to detect the country of the analysis system (by using the IP)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected AntiVM3
Yara detected Generic Downloader
Yara detected Powershell decode and execute
Yara detected PureLog Stealer
Yara detected Snake Keylogger
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1493359 Sample: seven.hta Startdate: 15/08/2024 Architecture: WINDOWS Score: 100 71 reallyfreegeoip.org 2->71 73 checkip.dyndns.org 2->73 75 checkip.dyndns.com 2->75 95 Multi AV Scanner detection for domain / URL 2->95 97 Suricata IDS alerts for network traffic 2->97 99 Found malware configuration 2->99 103 16 other signatures 2->103 11 mshta.exe 1 2->11         started        14 OKmzKrla.exe 2->14         started        signatures3 101 Tries to detect the country of the analysis system (by using the IP) 71->101 process4 signatures5 113 Suspicious command line found 11->113 115 PowerShell case anomaly found 11->115 16 cmd.exe 1 11->16         started        117 Multi AV Scanner detection for dropped file 14->117 119 Machine Learning detection for dropped file 14->119 121 Injects a PE file into a foreign processes 14->121 19 OKmzKrla.exe 14->19         started        21 schtasks.exe 14->21         started        23 OKmzKrla.exe 14->23         started        process6 signatures7 85 Detected Cobalt Strike Beacon 16->85 87 Suspicious powershell command line found 16->87 89 PowerShell case anomaly found 16->89 25 powershell.exe 45 16->25         started        30 conhost.exe 16->30         started        91 Tries to steal Mail credentials (via file / registry access) 19->91 93 Tries to harvest and steal browser information (history, passwords, etc) 19->93 32 conhost.exe 21->32         started        process8 dnsIp9 79 192.3.176.138, 49704, 80 AS-COLOCROSSINGUS United States 25->79 65 C:\Users\user\AppData\Roaming\asusns.exe, PE32 25->65 dropped 67 C:\Users\user\AppData\Local\...\asusns[1].exe, PE32 25->67 dropped 69 C:\Users\user\AppData\...\xztpyuop.cmdline, Unicode 25->69 dropped 123 Loading BitLocker PowerShell Module 25->123 125 Powershell drops PE file 25->125 34 asusns.exe 6 25->34         started        38 csc.exe 3 25->38         started        40 svchost.exe 1 1 25->40         started        file10 signatures11 process12 dnsIp13 59 C:\Users\user\AppData\Roaming\OKmzKrla.exe, PE32 34->59 dropped 61 C:\Users\user\AppData\Local\...\tmp98F7.tmp, XML 34->61 dropped 105 Multi AV Scanner detection for dropped file 34->105 107 Detected Cobalt Strike Beacon 34->107 109 Machine Learning detection for dropped file 34->109 111 2 other signatures 34->111 43 asusns.exe 34->43         started        47 powershell.exe 23 34->47         started        49 schtasks.exe 34->49         started        63 C:\Users\user\AppData\Local\...\xztpyuop.dll, PE32 38->63 dropped 51 cvtres.exe 1 38->51         started        77 127.0.0.1 unknown unknown 40->77 file14 signatures15 process16 dnsIp17 81 reallyfreegeoip.org 188.114.97.3, 443, 49709, 49711 CLOUDFLARENETUS European Union 43->81 83 checkip.dyndns.com 193.122.130.0, 49708, 49713, 49715 ORACLE-BMC-31898US United States 43->83 127 Tries to steal Mail credentials (via file / registry access) 43->127 129 Loading BitLocker PowerShell Module 47->129 53 conhost.exe 47->53         started        55 WmiPrvSE.exe 47->55         started        57 conhost.exe 49->57         started        signatures18 process19
Score:
100%
Verdict:
Malware
File Type:
SCRIPT
Link:
https://malprob.io/report/e52973881cf78615a9aaf045974fed4b5381b743e609c85f8c4ab06f536eb5e1
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/e52973881cf78615a9aaf045974fed4b5381b743e609c85f8c4ab06f536eb5e1/
Threat name:
Script-WScript.Trojan.SnakeKeylogger
Create hunting rule
Status:
Malicious
First seen:
2024-08-15 13:08:10 UTC
File Type:
Text
AV detection:
8 of 24 (33.33%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=4uuxhca466dblknk6bczot7njnjydn2d4ye4qx4mjkyg6u3owxqq._file
Result
Malware family:
snakekeylogger
Create hunting rule
Score:
  10/10
Tags:
family:snakekeylogger collection credential_access defense_evasion discovery execution keylogger spyware stealer
Link:
https://tria.ge/reports/240815-qwsxhsyenp/
Behaviour
Modifies Internet Explorer settings
Scheduled Task/Job: Scheduled Task
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Looks up external IP address via web service
Checks computer location settings
Executes dropped EXE
Loads dropped DLL
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Blocklisted process makes network request
Command and Scripting Interpreter: PowerShell
Downloads MZ/PE file
Evasion via Device Credential Deployment
Credentials from Password Stores: Credentials from Web Browsers
Snake Keylogger
Snake Keylogger payload
Malware family:
SnakeKeylogger
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/e52973881cf7/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Legit
Score:
0.00
Link:
https://yomi.yoroi.company/submissions/e52973881cf78615a9aaf045974fed4b5381b743e609c85f8c4ab06f536eb5e1

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

SnakeKeylogger

HTML Application (hta) hta e52973881cf78615a9aaf045974fed4b5381b743e609c85f8c4ab06f536eb5e1

(this sample)

  
Delivery method
Distributed via e-mail attachment

Comments