MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 e977eaac22357b3abb6ffa980fe631719b661135af6a8fdf5e8ddd3bce6de641. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


SnakeKeylogger


Vendor detections: 16


Intelligence 16 IOCs YARA 17 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: e977eaac22357b3abb6ffa980fe631719b661135af6a8fdf5e8ddd3bce6de641
SHA3-384 hash: 7f4e4507b74560819772842d0375cf394a502cb042bf36a7013a5725fd65956f828182bc70cbc782148295c0cc17a8b0
SHA1 hash: f2bec4fd130199e6ea3ca566ccfc8a2bc7da0af5
MD5 hash: 53064607ec8935db6c6eae9c0e994975
humanhash: missouri-carbon-four-delaware
File name:SDEP034_S125081510410.pdf _fiyat teklif 20250828B.exe
Download: download sample
Signature SnakeKeylogger
Create hunting rule
File size:710'144 bytes
First seen:2025-08-19 05:30:17 UTC
Last seen:2025-08-19 06:33:12 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'648 x AgentTesla, 19'452 x Formbook, 12'201 x SnakeKeylogger)
ssdeep 12288:h1eW7dZIacVzFqRWg2NR/VaByOWTK7aHpxZCazRpjXBxLEs2540g/hu8+:PeWTPcLq0ZkBZAD2ArBxP2540shF
Threatray 2'614 similar samples on MalwareBazaar
TLSH T166E41216528ADA03C5521FF08D70D3B862689FDEB811E307DFF9ADEB3C367466284192
TrID 71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.2% (.EXE) Win64 Executable (generic) (10522/11/4)
6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.3% (.EXE) Win32 Executable (generic) (4504/4/1)
2.0% (.ICL) Windows Icons Library (generic) (2059/9)
Magika pebin
Reporter abuse_ch
Tags:exe geo SnakeKeylogger TUR

Intelligence

File Origin
# of uploads :
2
# of downloads :
66
Origin country :
SE SE
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
SDEP034_S125081510410.pdf _fiyat teklif 20250828B.exe
Verdict:
Malicious activity
Analysis date:
2025-08-19 06:14:16 UTC
Tags:
evasion snake keylogger netreactor telegram stealer smtp
Link:
https://app.any.run/tasks/7f7ef6f6-675f-4339-b23e-d73cd4f93acf

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/22063/
Verdict:
Malicious
Score:
92.5%
Link:
https://cyber-fortress.com/docs/result/index.php?id=68a40c308fd55a79c52922e8
Tags:
spawn shell micro spam
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Сreating synchronization primitives
Creating a process with a hidden window
Unauthorized injection to a recently created process
Restart of the analyzed sample
Creating a file
DNS request
Connection attempt
Sending an HTTP GET request
Sending a custom TCP request
Reading critical registry keys
Stealing user critical data
Adding an exclusion to Microsoft Defender
Forced shutdown of a browser
Verdict:
Malicious
Labled as:
Win/malicious_confidence_90%
Link:
https://www.hybrid-analysis.com/sample/e977eaac22357b3abb6ffa980fe631719b661135af6a8fdf5e8ddd3bce6de641
Malware family:
Snake Keylogger
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/8712a02c-79d1-4147-8489-7f6ae324cf02
Result
Threat name:
Snake Keylogger, VIP Keylogger
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1759926
Signature
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains potential unpacker
Adds a directory exclusion to Windows Defender
Found malware configuration
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Joe Sandbox ML detected suspicious sample
Loading BitLocker PowerShell Module
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Sample uses string decryption to hide its real strings
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Suricata IDS alerts for network traffic
Tries to detect the country of the analysis system (by using the IP)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Uses the Telegram API (likely for C&C communication)
Yara detected AntiVM3
Yara detected Snake Keylogger
Yara detected Telegram RAT
Yara detected VIP Keylogger
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1759926 Sample: SDEP034_S125081510410.pdf _... Startdate: 19/08/2025 Architecture: WINDOWS Score: 100 25 reallyfreegeoip.org 2->25 27 api.telegram.org 2->27 29 4 other IPs or domains 2->29 45 Suricata IDS alerts for network traffic 2->45 47 Found malware configuration 2->47 49 Malicious sample detected (through community Yara rule) 2->49 55 12 other signatures 2->55 8 SDEP034_S125081510410.pdf _fiyat teklif 20250828B.exe 4 2->8         started        12 svchost.exe 1 1 2->12         started        signatures3 51 Tries to detect the country of the analysis system (by using the IP) 25->51 53 Uses the Telegram API (likely for C&C communication) 27->53 process4 dnsIp5 23 SDEP034_S125081510...f 20250828B.exe.log, ASCII 8->23 dropped 57 Adds a directory exclusion to Windows Defender 8->57 59 Injects a PE file into a foreign processes 8->59 15 SDEP034_S125081510410.pdf _fiyat teklif 20250828B.exe 15 2 8->15         started        19 powershell.exe 23 8->19         started        31 127.0.0.1 unknown unknown 12->31 file6 signatures7 process8 dnsIp9 33 endermekanik.com 94.102.15.166, 49714, 587 NETINTERNETNetinternetBilisimTeknolojileriASTR Turkey 15->33 35 api.telegram.org 149.154.167.220, 443, 49708 TELEGRAMRU United Kingdom 15->35 37 2 other IPs or domains 15->37 39 Tries to steal Mail credentials (via file / registry access) 15->39 41 Tries to harvest and steal browser information (history, passwords, etc) 15->41 43 Loading BitLocker PowerShell Module 19->43 21 conhost.exe 19->21         started        signatures10 process11
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/e977eaac22357b3abb6ffa980fe631719b661135af6a8fdf5e8ddd3bce6de641
Gathering data
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/e977eaac22357b3abb6ffa980fe631719b661135af6a8fdf5e8ddd3bce6de641/
Threat name:
ByteCode-MSIL.Backdoor.FormBook
Create hunting rule
Status:
Malicious
First seen:
2025-08-18 10:50:32 UTC
File Type:
PE (.Net Exe)
Extracted files:
4
AV detection:
19 of 24 (79.17%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=5f36vlbcgv5tvo3p7kma7zrrognwmejvv5vi7x26rxotxttn4zaq._file
Verdict:
malicious
Label(s):
vipkeylogger
Create hunting rule
unc_loader_037
Create hunting rule
Similar samples:
6d39efcc099850406049865919398ff1e38b06ee4841a9fba76bff863583f520
SnakeKeylogger
9957870d8b4fb238246540cf95e7c1b0a3a5d1ddb4d94628c4d6c11be9c7503e
SnakeKeylogger
a239e5544a81a4b552f1ff3b273a60b04f527e940e39a7981c135f7088b9597d
SnakeKeylogger
bea5e2297d603061b7622f0a4203b9698b708564c38fd53307de832542b2c8e9
SnakeKeylogger
e9b41f0fbd640613e949417dfe2cc1835e4458e1c20c766b0331274da1f53c79
SnakeKeylogger
+ 2'604 additional samples on MalwareBazaar
Result
Malware family:
vipkeylogger
Create hunting rule
Score:
  10/10
Tags:
family:vipkeylogger collection defense_evasion discovery execution keylogger spyware stealer
Link:
https://tria.ge/reports/250819-f7nf3agn8x/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Browser Information Discovery
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Looks up external IP address via web service
Checks computer location settings
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Command and Scripting Interpreter: PowerShell
Modifies trusted root certificate store through registry
VIPKeylogger
Vipkeylogger family
Verdict:
Suspicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/a434fcad-fb77-45f3-9750-60cae2d494cb
Unpacked files
SH256 hash:
e977eaac22357b3abb6ffa980fe631719b661135af6a8fdf5e8ddd3bce6de641
MD5 hash:
53064607ec8935db6c6eae9c0e994975
SHA1 hash:
f2bec4fd130199e6ea3ca566ccfc8a2bc7da0af5
Link:
https://www.unpac.me/results/736096a6-87a1-468b-8831-8502f2f2cd53/
SH256 hash:
bec9eb852c03f6d7e779d9f9609737d5a2e8916c5205d87b4569abaef889c5cd
MD5 hash:
bd7d01798cab0b845700d523a050c53c
SHA1 hash:
89c369f81d70b1fa3d393d06f071580c62652b4f
Detections:
win_404keylogger_g1
Create hunting rule
MAL_Envrial_Jan18_1
Create hunting rule
INDICATOR_SUSPICIOUS_Binary_References_Browsers
Create hunting rule
INDICATOR_SUSPICIOUS_EXE_DotNetProcHook
Create hunting rule
INDICATOR_SUSPICIOUS_EXE_TelegramChatBot
Create hunting rule
Link:
https://www.unpac.me/results/736096a6-87a1-468b-8831-8502f2f2cd53/
Parent samples :
a6cc6e17a43fd18e44449df2bee44d53d4098817149e1d443a61777cf458611f
7e545a76c16dee6d24d3e86c6667c07bcd0f76064f232463b58fd4ec6d930090
1ff8756737194c817aa77be88799ec219c232d5c0e93fe4ab73c961500759055
0f8f4d5651684cb127cb4f921afda71d548b8a75c5976c8b0219586e4dc024d3
e2263780bc74e9300528646a608133f1b123def3ceb62d09c5086f32ae813e82
372210f4c6442c3236ed1b7dde082f60d169afc634d13e6953a86230e4fc06d2
f8f933f5cd77285961b3522a36e93bdca687fba229d327348e7ec940027ae80b
7ffbc8a42a1ad362989b7098ecad4392f1c2a18f49a294932946ab99ac54368a
a8cdfa7e2c10da2b86a2c1824415310726630037cdb268ff2a40763aa811b632
b3a0bb7276b0ecf1e99aa164ebafa0b9aaa7aa3c4db93f83b255e91f7d273dd9
30c5e0eb405f1b8a789dfb58b0a279293fd047dc53560698596d42514e4359a4
37dc8d3d4987e46bd8aea0be9a7de2fade3f8b4e2c5db5d498f6d20bc0d287f7
9c259077adbc15c9fce702a70ba80d6824b3f38b6c899d68f19ef516b442603c
a239e5544a81a4b552f1ff3b273a60b04f527e940e39a7981c135f7088b9597d
e977eaac22357b3abb6ffa980fe631719b661135af6a8fdf5e8ddd3bce6de641
898fa5e7ec65acee299dca750e5369836bd3453aad9e7d5fe5e6061ee24e35d3
9051c1be2c95d7e2e53fee0434385bc2c3561369a210a6698d3b2ac3240f34db
0f77b919d298fd05c180930f360b2cdc66b01987b5fbbbd27857592ef87aea69
2000e4e1a60a0d0e581af4d08b5b1c9cf12436cc8ef7c3f3821e93dec7c39a85
8a66d39f70c5e10e1cc7b7b108ac259281682ec4a09dbee9962e27ea4c5ad2b9
a41e95be482495af59de5e3d4ba9c298a93c2efedc25083de52c960cb64718bc
a649b5b04a26259cc8c92e558907389df2ddf89a2b2f8569ea51fbcc9c33b670
fa3763f9b9ad6d6b3abbc0f4cc9814797040f769e416cddc9c5ebc6788f564bd
4cf6adbd484317ea9575c236291b11a675a0b03246646df502ffc1623c9f3bed
9af23a04d5aaa31d148764d642922392d5d5dcb845fa1a4728afcd81cf46a87f
c64d63e024949488a1826759e838e3a7190d5cc5963423086443c1a7a7e9fce3
0f1a9c884b9d89178d285a19f86035fa2c24501eb4248f3adcd08a1dcb1753ba
bf81578fe213f6355d4e315cc23d1438b4f0b0f5f35ac3ba5814162fb0504d1e
e7b49b01463ba069ef6b17e39fea65f06882a23bcbf821e52c5ef357cee141c5
SH256 hash:
957e0a6c8effafe17b99720d6357a5e8029f52c117607b34e0f600ef12052a7b
MD5 hash:
c9f3d08f106285f8ef932adea1ef8942
SHA1 hash:
9cd9cd1ebea666d4ac998b6bb350b8bf3474cde8
Detections:
SUSP_OBF_NET_Reactor_Indicators_Jan24
Create hunting rule
Link:
https://www.unpac.me/results/736096a6-87a1-468b-8831-8502f2f2cd53/
Parent samples :
2297f5c874d2b7d185670c7877fa38922f2ccf5c593adffa9850188b63142584
bc8c43e5b2edd24663599d319b7c0b0f855504d66c6e26b122904781291a33a5
d89a76737ea433332fec51bc5662a0c87ed094e8dd6fcd9dd484377cc2ec5d88
afcb9a98287b5852b6fd25a60e9fdee42c3039054de5150e3a77e18944ec7c80
5dd5af1e3e58f87e05df02899150dba2b0f4de55f7ca8aca172d9a4a26b7266b
cc6de21ebaf5b1da25218987714320f9dcc9dd38acad71a9513a42323621a2ed
3052b8ccdf8f2b0e43ff460d0fa79e75fe741fcbb823fce9ba5d7db8203d0c3a
7f13aacf27f72555c75715896013a1cad6968603e8db181f775675786abbe45d
2366eb1c3c5a10b3782f7d6948cb6a3b43fb20e348bc9d1ac2e4a2e96b13075a
ea64b5ce174c5c197fdcb0cdd9c9371e941c3cebb1a990fdf069b596c02d411d
75346394a107950f00200cc98250dc265e7708d6833275bd0e4ce3645fd860ee
27d9bc341947a02d196c43a4ecc1ad5d0506e34b901fa8dd1d74be4eaa8753cf
96440b5ac7a820be9ce16faa820eac1cccd39b0154573326331f828bbfe96c17
030e28b8e4a701de5854149a82398d15c8dbd52ac7479883d085d52a1ba8fbb6
50c0d11e8f7153f1129643673ded00e74fe4cb9e929b0a97d9c5bcf983805e41
a172deb94ea7c05df19865326d5b50e5e2b594f32e9f417b8f5544e2cf98cbcc
b897296b26ad15c42b2194eb6c75fd5a2b91aede9e7b9606acb1ae2bbe3e269c
e9b41f0fbd640613e949417dfe2cc1835e4458e1c20c766b0331274da1f53c79
e6a4824d29cc701da1e29294c2a35d3446c859a63c08e0cbe014eddfc4b60b99
d18b33fc8e8aad80c50bc4ea73a9c77b60abbf18e6c41623edecb962d9eab3bd
a4e1ceb8458e0bca4119adb33ded5b1ef154f0ba69594b2079fbbcfb48cbe4ce
a430f5b9c6c4199bd7b9885f3435b0ac1bd6afdca74530a62c8afac41c9f4978
8c0cd5bdae1355f8bc7f7af9102fb77eb8b52e432cdbe17c27456be4af1082ab
c110e6c5421c2522028d14cede4792b8f093c8219e4d1bea1ffea7284aa495d8
633326457f86d0a12d3ff263f3a2f4f2d8325ef94fe3f20e6d74c3f1e72f6aa6
65efb49d06fdea64e43eeeae547c1fa7febd855ea9aa1e78536f62239117746a
ccf29345b53dd399ee1a1561e99871b2d29219682392e601002099df77c18709
88b838cc854132e243dc0e2d3ca34f49f0de3c96d5b2bf15b0901bed270702c1
3aab9854341050b969aa81bb5ba790767b3c50a4053368e90e70f9c68260473c
a239e5544a81a4b552f1ff3b273a60b04f527e940e39a7981c135f7088b9597d
b994e8cd9cfc2cd2151b70947c845e529bc13cc2a90b4f0633fbe1eea8d50783
bea5e2297d603061b7622f0a4203b9698b708564c38fd53307de832542b2c8e9
2859b17355ef33a6ea0a639ce6be65c279f63e446ceed134999619893667ee9a
9957870d8b4fb238246540cf95e7c1b0a3a5d1ddb4d94628c4d6c11be9c7503e
042d135796e15d95ea837efb356fea090375320e569d9dee4b88a5f1b82bcb63
2f4337e60d9fb98342035e3b6233af010cc1a6c8801b1a3b23a59b60025e680f
e40ed83719528313ef5d65bb1ab4db9226a5e3d7421863f3375d94243db78049
0cfce3e53dcdb056caf79f5cdb13fbe512e824945e5e1ee09b241cef476ff971
44d56ea314118afc4fa5fc409f4f1e4a8a232ff410de243c4fa14ada2365cae7
1dfeb104751544afbe70f792ef95535246eba683cdf47f21cb62038f8b5d86d6
e652137d75dc278b1867671a62661276100afd0e3f7d62ed07b6bc27e5a1277f
6ef10a2b79a761a18c6351d623cc52ef989a6ab06b37fdb07f5fb473b1c05c2b
f00ddfca55cd75dc518bbddafd3f5c7327916d430fb2575e3c87cf93ac5c2db8
2c35c24bdd434cf329bb45dce96e7499cdd231f182c9e679a01770fc006aac69
a7f7a2ba4874202dd3c17d81618c0f5f03421b13fe9b48a81f475025f97f2fd3
5885dbee75437bb8e608840aa4cebc3c81652b4998babf704ac5890718186d1e
aaa5b20a90d1f1755d39e6e228f8d4a4060d9da1451d9dd54a6e85fa2dd9ceef
26e7f73744ff89320d8e9c39760db8dc4f4e0865c1e18423d60926b3de522b47
07924634d6e74e7f4393526ff39fdc1b39bbc766cbd36df0ae2ef14ffa1e7727
e977eaac22357b3abb6ffa980fe631719b661135af6a8fdf5e8ddd3bce6de641
4c73f816972fa1cef7fa8c1d7cc9ca77e3e95e9c883942f159b3e041fe71ba0b
17776164a56b367dda9a0a376e10049105ee2bbf8f939e55c768e912557a6687
68dd97817032c05c6123e53bb7e4139e5c2d4895aaa343d4cff5ba2ab7f257b6
617bf6800d42409a74ae0539d3e3ffc412e6c4bb137c232159c3ca946bc0fcdd
b0be564eb26f9cf2f58ea450d43194f3a4fb7dd2ca16375e3ecbfd636e5e7c13
ca55a6a768df04b644890a40073018ca6938c836b316522f3ef9785eaa5d3589
5f9211510339c99b3b0dcf99aa5ed3ab7958bfb37117551c9eae256dec0cf181
078cabe3f98bbf49468d898d869cd8f58df0ff0a1bddd9d00524ac49dd04f3af
b35104d529e14b811a2295109a9500fd036a8ec4bb65936ab67068346c4a6b23
4620e415f8bcd713bdfbcba4e710e79c2e057d2e15dbbe2c3a39e8a229563038
877ce367ca9c8219fec30540624b7ffe9a57123d91d8346bd30d050a19afafb4
7d5718f94426596391dbe10e7158b7ac153b649e34b209e504098b697f7d5ed9
53823787f8cd69b1887e545c1130de4c77a6939fed24d2753634704ae6aa1c90
e54824f3c53758443e21d10af036b26e6ecf9dcfeb2179c459277325075c261c
fba7995cbf66a769e14608c6c1c499704f2fb7fbcbeae67407476e97f983b8fa
1140784c476e403857dbda36c5091358e6ba70b140a0d3ce438abff8f705d79c
602caaecd7dca945a17cbe1522c89c7e6cb52330d2865f77637652009271553c
23679efa5468f8e0e11d24d4a2e6408f13c5982664fc3025c6e3c2e8b34a4660
9aaec65c036d7b320fb31cbc73bff93e135eb2e8d3780c4a6dff2b4a5421ec9c
37f4c5e75ad2232303971fc700edc714e87e3b097399d12942929da2c93994b0
e69f506fb5549fac407a4e5e7c3400e73adfe40329a262771d7bae9a5ab1ba17
f038491715d1d1b55c9227612ccf55089b771bbcadcf053dbf2fc939715dfd9f
cd96ca7a5b5ea72b4c03e9b2363296307ea826dc504c2dd54df89c3aeae94d5d
14bedcf25ba0fa354fc7b8adf059130db692b7ccb54276bd43930f02aed4d9b6
593b2dd3e7a1806f5f97341c297792834c28f57fb95e33c4528c733a9fed4c73
2b8d8c6e96c86f8b79186d479e8a1b6f70c01db3668bc526f8bd62a825a68f49
96a0774fc25c036056be449766e6829678457f642381dbbd99525f4866e55f70
7369f1ecdd1305ca16ce7bf837f0fff74acde94cb2fa2a5b3dc9500c061f6077
b8d639465f33fa8d4dd8ed11a6c2d5e4ce849c4a8f4acb0fc6b6b030163c4eb2
d04cf401daa99d9633590e81aa8b4985b7de8193394d1422088ecd68ed933d2a
bd9e08075d83ae69399f6c11bbf50729cab0cff666754b1b015b26ca5030324d
bf5acaab38bf4dfdb4266f9b7605e04f7fb7790577ecffa586bd0dbc793ebee8
79f29e19a0a27f7619fd475614f372433b26c95e9f8c11c1622ec9cc3c16eca5
456ee8fa9e43318342e6258f90cf5a9f7e58e6ff2105a1716248125a73d42fe3
57b8d1f1afc63450aff6f6c4a3ac9af5c7f7e1ea8de0187987df2ce051cd2ea5
de98c233b168483faa99395c4308b612a4399b89b69aeacc4244045f05802b4f
04db52801a029ba84f762b0a3b67266db401976423b729bf13008de64758ab4b
ba8cc276a98e4822f672e7655d88829ce6b243cbf01e31cc4eb6c28544a9b86b
4af4bfe88694bf614e359708a724e3db08d3abd6abddba24ca10e82c4420d88a
14d544afc723fdbda5021743448b807968e5ba3a68310885e7aeb9f2b8cb8fa1
e054c2fc74e0788e698df9e69fed9d8fe975df61fe699281508e4a097e43c8d2
c0f5dd3cd5939bb1f1c392c49bd474bd5987c07010b2528f3fe29d8906bf0460
134bb1561e4210782481eff2ee97e71f70770f39e000d2c0318049947ba16da9
5240a9ff514c4c31fa548a21ef76f684efb7b62edb0b2db9cc5fbaa00e73b87b
2c0de5892bb8da11f6f34b06040050e3d4bed71fba0f7eb331845b34cbfb658e
a1c44bbae92cfe93be55c8fc0b950b96b238ef92fac6fed6f32157161d8cc573
a5a963a25476eff3698330300593c52d0ecfa83a868eb20ad11142bac47e9f27
67e03eb72e16a3c18d1b9479134dc821b280044c274d32b0dd1b431c67cd8b5f
3837602761789d5b258bbe4dbd66c19de4e60e3ec4809049d2f52269b948f079
cb790da32e10f49e2380dee82c875487e378e23175ef7f124f437a3ae4413ecf
dd7b6747eff9ecc3bc9da710f215953252224974824298ef8d77009bf9b0dbef
fea19e2a8ec0ae79fb6f25deec6ac647a53027ee3d4861be780daf205d49a718
9fec7314757f83b63eed9d9cbb0908d8d7291adf72e2f3fce4fe290afa9ece1a
05604b71c9fb599088d38ea5973add829af7c0a29d8434996dc6fb9ac93a58f4
53b1100f0b09af2d37c8df2bcd77aaf844c4424bf17d71854a5d14130881ba10
272fbf9d620d1c0f1b2a0bb224709516ec9e5d5874807588f363451f8a2df268
1608d1238888d30c34f6d72b2874de8fb543126eaa75973b1a75cba95094a973
87a78bd27eda1a7c573d260e007d7740032b102d7487b77048f23276f365e64f
SH256 hash:
6a0022b7e3527c4f09875aae8391ed61b5d75f4224caa3066d041a0102a412f5
MD5 hash:
23c6a2c3b8ea07d4e5ca4a60096a0f0e
SHA1 hash:
b3851288296206b701b1bf167cb7dd0617702f67
Detections:
SUSP_OBF_NET_ConfuserEx_Name_Pattern_Jan24
Create hunting rule
SUSP_OBF_NET_Reactor_Indicators_Jan24
Create hunting rule
Link:
https://www.unpac.me/results/736096a6-87a1-468b-8831-8502f2f2cd53/
Malware family:
zgRAT
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/e977eaac2235/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/e977eaac22357b3abb6ffa980fe631719b661135af6a8fdf5e8ddd3bce6de641

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:crime_snake_keylogger
Create hunting rule
Author:Rony (r0ny_123)
Description:Detects Snake keylogger payload
Rule name:DetectEncryptedVariants
Create hunting rule
Author:Zinyth
Description:Detects 'encrypted' in ASCII, Unicode, base64, or hex-encoded
Rule name:INDICATOR_SUSPICIOUS_Binary_References_Browsers
Create hunting rule
Author:ditekSHen
Description:Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers.
Rule name:INDICATOR_SUSPICIOUS_EXE_DotNetProcHook
Create hunting rule
Author:ditekSHen
Description:Detects executables with potential process hoocking
Rule name:INDICATOR_SUSPICIOUS_EXE_TelegramChatBot
Create hunting rule
Author:ditekSHen
Description:Detects executables using Telegram Chat Bot
Rule name:MAL_Envrial_Jan18_1
Create hunting rule
Author:Florian Roth (Nextron Systems)
Description:Detects Encrial credential stealer malware
Reference:https://twitter.com/malwrhunterteam/status/953313514629853184
Rule name:MAL_Envrial_Jan18_1_RID2D8C
Create hunting rule
Author:Florian Roth
Description:Detects Encrial credential stealer malware
Reference:https://twitter.com/malwrhunterteam/status/953313514629853184
Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:NETexecutableMicrosoft
Create hunting rule
Author:malware-lu
Rule name:pe_imphash
Create hunting rule
Rule name:RANSOMWARE
Create hunting rule
Author:ToroGuitar
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash
Rule name:Sus_CMD_Powershell_Usage
Create hunting rule
Author:XiAnzheng
Description:May Contain(Obfuscated or no) Powershell or CMD Command that can be abused by threat actor(can create FP)
Rule name:Sus_Obf_Enc_Spoof_Hide_PE
Create hunting rule
Author:XiAnzheng
Description:Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique(can create FP)
Rule name:telegram_bot_api
Create hunting rule
Author:rectifyq
Description:Detects file containing Telegram Bot API
Rule name:Windows_Trojan_SnakeKeylogger_af3faa65
Create hunting rule
Author:Elastic Security

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/22063/

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_DLL_CHARACTERISTICSMissing dll Security Characteristics (GUARD_CF)high

Comments