MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 eb129d9324fffc4f901285201177387057e3d6c8f34e93aab8b08eee5b44dcb9. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


SnakeKeylogger


Vendor detections: 12


Intelligence 12 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: eb129d9324fffc4f901285201177387057e3d6c8f34e93aab8b08eee5b44dcb9
SHA3-384 hash: 4f814d2a2acd8d1d6a041b94e5f37d3e81f8c12e0a7daf11b40f2d2385d3f9ee5175260065a3af3acfa943f8b0418340
SHA1 hash: 1a9b020fe2e21e9ab341643c8f9e96bd8a5da095
MD5 hash: fdc10b0a79f5e2d47f81c4f81ad4ac07
humanhash: november-arkansas-cup-batman
File name:dekontMPS20231003.exe
Download: download sample
Signature SnakeKeylogger
Create hunting rule
File size:430'080 bytes
First seen:2023-10-03 18:19:09 UTC
Last seen:2023-10-03 18:38:40 UTC
File type:Executable exe
MIME type:application/x-dosexec
ssdeep 12288:vQ/VsmwXLT+jUl+cQMFY523fXbfqfc/3ubyMN:4/VsdXLKjUl+cQMFYU3fXbf2c/3J
Threatray 13 similar samples on MalwareBazaar
TLSH T18F946A047F4B6643C1AE177F9081144897B1D8116BEEFB0F9C4677F85A67302EB0AA9B
TrID 56.5% (.EXE) Win64 Executable (generic) (10523/12/4)
11.0% (.ICL) Windows Icons Library (generic) (2059/9)
10.9% (.EXE) OS/2 Executable (generic) (2029/13)
10.7% (.EXE) Generic Win/DOS Executable (2002/3)
10.7% (.EXE) DOS Executable Generic (2000/1)
File icon (PE):PE icon
dhash icon 7c6c746cf0f0f0c8 (1 x SnakeKeylogger)
Reporter abuse_ch
Tags:exe geo SnakeKeylogger TUR

Intelligence

File Origin
# of uploads :
2
# of downloads :
296
Origin country :
NL NL
Vendor Threat Intelligence
Detection(s):
SecuriteInfo.com.Win64.KeyloggerX-gen.18606.7170.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Сreating synchronization primitives
DNS request
Sending a custom TCP request
Creating a file in the %AppData% directory
Unauthorized injection to a recently created process
Restart of the analyzed sample
Creating a file
Sending an HTTP GET request
Reading critical registry keys
Creating a window
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Forced shutdown of a browser
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
packed
Link:
https://www.filescan.io/uploads/651c5b5640343f27c671634c/reports/1b63a85e-14d1-4790-a626-496ada0fd4fa/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_60%
Link:
https://www.hybrid-analysis.com/sample/eb129d9324fffc4f901285201177387057e3d6c8f34e93aab8b08eee5b44dcb9
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Suspicious
Link:
https://analyze.intezer.com/analyses/73e2bbd0-7b6a-4fc2-8b8e-fbae0c3555a9
Result
Threat name:
Snake Keylogger
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1318960
Signature
.NET source code contains potential unpacker
.NET source code contains very large array initializations
Found malware configuration
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
May check the online IP address of the machine
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Uses the Telegram API (likely for C&C communication)
Yara detected Costura Assembly Loader
Yara detected Generic Downloader
Yara detected Snake Keylogger
Yara detected Telegram RAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 1318960 Sample: dekontMPS20231003.exe Startdate: 03/10/2023 Architecture: WINDOWS Score: 100 47 Found malware configuration 2->47 49 Malicious sample detected (through community Yara rule) 2->49 51 Multi AV Scanner detection for submitted file 2->51 53 8 other signatures 2->53 6 Igyvmega.exe 14 5 2->6         started        10 dekontMPS20231003.exe 15 5 2->10         started        13 Igyvmega.exe 4 2->13         started        process3 dnsIp4 55 Multi AV Scanner detection for dropped file 6->55 57 May check the online IP address of the machine 6->57 59 Machine Learning detection for dropped file 6->59 15 Igyvmega.exe 6->15         started        25 cdn.discordapp.com 162.159.135.233, 443, 49772, 49821 CLOUDFLARENETUS United States 10->25 23 C:\Users\user\AppData\Roaming\Igyvmega.exe, PE32+ 10->23 dropped 61 Tries to detect sandboxes and other dynamic analysis tools (process name or module or function) 10->61 63 Modifies the context of a thread in another process (thread injection) 10->63 65 Injects a PE file into a foreign processes 10->65 19 dekontMPS20231003.exe 2 10->19         started        27 162.159.129.233, 443, 49823 CLOUDFLARENETUS United States 13->27 21 Igyvmega.exe 13->21         started        file5 signatures6 process7 dnsIp8 29 checkip.dyndns.org 15->29 31 193.122.6.168, 49827, 80 ORACLE-BMC-31898US United States 15->31 33 checkip.dyndns.org 19->33 35 api.telegram.org 149.154.167.220, 443, 49811, 49828 TELEGRAMRU United Kingdom 19->35 37 checkip.dyndns.com 158.101.44.242, 49803, 80 ORACLE-BMC-31898US United States 19->37 39 checkip.dyndns.org 21->39 41 132.226.8.169, 49829, 80 UTMEMUS United States 21->41 43 Tries to steal Mail credentials (via file / registry access) 21->43 45 Tries to harvest and steal browser information (history, passwords, etc) 21->45 signatures9
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/eb129d9324fffc4f901285201177387057e3d6c8f34e93aab8b08eee5b44dcb9/
Threat name:
ByteCode-MSIL.Trojan.Nekark
Create hunting rule
Status:
Malicious
First seen:
2023-10-03 12:08:26 UTC
File Type:
PE+ (.Net Exe)
Extracted files:
26
AV detection:
15 of 36 (41.67%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=5mjj3eze776e7easquqbc5zyobl6hvwi6nhjhkvywcho4w2e3s4q._file
Verdict:
malicious
Similar samples:
007cfdd9d19a225b749811f15daee02016824bfd2fbb63934ff4df18ed59eeff
SnakeKeylogger
50fab7e7c50e5cded050887693996292a8e546064e8e69c8826ca8f8f7b03242
SnakeKeylogger
55d62602fbaca82ec54e520aa021690a91a0d5d1f6783747a4a2a97f282231c3
SnakeKeylogger
5b58b0a97dac112b439fde1aa15dff60527dec77a0caa4d059e9b6121bb7db95
SnakeKeylogger
6490e5498bf6ca3c0b3cb40d581e019e8c4135fd8bc49580c30160f6b02450c6
SnakeKeylogger
65c423ef88f86b07c5429ab4ebc8c89b7d6c39a032e8b7465f7b84bac91d3da9
SnakeKeylogger
790b64a5860a5069fedcb660efdffce2b5ab2195086100a6079697b662f0c198
SnakeKeylogger
b9d4088106a3a557fb5d909c8c5b921971704d7b764306ee4190cefd9b8d89b0
SnakeKeylogger
eafdaa03650a22399281102a25abc8b5dcb3de2388bb13db78c94215f7fe1716
SnakeKeylogger
+ 3 additional samples on MalwareBazaar
Result
Malware family:
snakekeylogger
Create hunting rule
Score:
  10/10
Tags:
family:snakekeylogger collection keylogger persistence spyware stealer
Link:
https://tria.ge/reports/231003-wyrp5agf88/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Adds Run key to start application
Looks up external IP address via web service
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Snake Keylogger
Snake Keylogger payload
Malware Config
C2 Extraction:
https://api.telegram.org/bot6559576673:AAE6veQ5mMCrHEUknXuYdCi8fCjm4p3sg-0/sendMessage?chat_id=1467583453
Unpacked files
SH256 hash:
eb129d9324fffc4f901285201177387057e3d6c8f34e93aab8b08eee5b44dcb9
MD5 hash:
fdc10b0a79f5e2d47f81c4f81ad4ac07
SHA1 hash:
1a9b020fe2e21e9ab341643c8f9e96bd8a5da095
Link:
https://www.unpac.me/results/4a6611c8-f9c4-473b-bbcc-0eaf33f84d62/
Malware family:
SnakeKeylogger
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/eb129d9324ff/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/eb129d9324fffc4f901285201177387057e3d6c8f34e93aab8b08eee5b44dcb9

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:NET
Create hunting rule
Author:malware-lu

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

SnakeKeylogger

Executable exe eb129d9324fffc4f901285201177387057e3d6c8f34e93aab8b08eee5b44dcb9

(this sample)

  
Delivery method
Distributed via e-mail attachment

Comments