MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 ecf8001bb2dbf404d6377d13b97acd585932f7972386f8b3e3ded211877c0d62. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


SnakeKeylogger


Vendor detections: 14


Intelligence 14 IOCs YARA 11 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: ecf8001bb2dbf404d6377d13b97acd585932f7972386f8b3e3ded211877c0d62
SHA3-384 hash: 1f2c26544018a8b54c619fd441d47ab6304762e4c1d3cd485886609a59b8fa0da3ef692c1bb20342147ad1476ff2bb11
SHA1 hash: de9010c10393eee358ef477738a47cc4c52a60f4
MD5 hash: 6335171da476638eee04501aaaabd50f
humanhash: music-tango-uncle-jig
File name:PU Request Form Hardware.exe
Download: download sample
Signature SnakeKeylogger
Create hunting rule
File size:792'576 bytes
First seen:2023-03-23 14:48:25 UTC
Last seen:2023-03-23 18:48:03 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'653 x AgentTesla, 19'464 x Formbook, 12'205 x SnakeKeylogger)
ssdeep 24576:48Qe2UZGT1JyrXc421iAhzLWKNyrb2eSkN:JQepZcMcpLWwgT
Threatray 4'795 similar samples on MalwareBazaar
TLSH T10FF4DF04BD7A0D73F8DAE7B41160533A0364BBA25062E6898EFA68993CCFF6305D155F
TrID 63.0% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
11.2% (.SCR) Windows screen saver (13097/50/3)
9.0% (.EXE) Win64 Executable (generic) (10523/12/4)
5.6% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
3.8% (.EXE) Win32 Executable (generic) (4505/5/1)
Reporter abuse_ch
Tags:exe SnakeKeylogger

Intelligence

File Origin
# of uploads :
2
# of downloads :
220
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
PU Request Form Hardware.exe
Verdict:
Malicious activity
Analysis date:
2023-03-23 14:59:03 UTC
Tags:
snake keylogger trojan evasion
Link:
https://app.any.run/tasks/8a92bbde-01ea-48c1-9a41-1a7538c02635

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Snake
Create hunting rule
Link:
https://www.capesandbox.com/analysis/376869/
Detection(s):
Sanesecurity.Malware.28872.BadIN4.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a custom TCP request
Launching a process
Creating a process with a hidden window
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
floxif packed threat virus
Link:
https://www.filescan.io/uploads/641c66e4009023b71dc2851c/reports/137b3899-03e8-4877-97d1-c16fc6d2afbe/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_90%
Link:
https://www.hybrid-analysis.com/sample/ecf8001bb2dbf404d6377d13b97acd585932f7972386f8b3e3ded211877c0d62
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Snake Keylogger
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/cf6b2af5-1491-4b3d-912a-04fe352f3fe8
Result
Threat name:
Snake Keylogger
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1200654
Signature
.NET source code contains potential unpacker
Adds a directory exclusion to Windows Defender
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
May check the online IP address of the machine
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Scheduled temp file as task from temp location
Snort IDS alert for network traffic
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Mail credentials (via file / registry access)
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected Generic Downloader
Yara detected Snake Keylogger
Yara detected Telegram RAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 833561 Sample: PU_Request_Form_Hardware.exe Startdate: 23/03/2023 Architecture: WINDOWS Score: 100 42 checkip.dyndns.org 2->42 44 checkip.dyndns.com 2->44 56 Snort IDS alert for network traffic 2->56 58 Malicious sample detected (through community Yara rule) 2->58 60 Sigma detected: Scheduled temp file as task from temp location 2->60 62 7 other signatures 2->62 8 PU_Request_Form_Hardware.exe 7 2->8         started        12 bLRDTSqpVEj.exe 5 2->12         started        signatures3 process4 file5 34 C:\Users\user\AppData\...\bLRDTSqpVEj.exe, PE32 8->34 dropped 36 C:\Users\...\bLRDTSqpVEj.exe:Zone.Identifier, ASCII 8->36 dropped 38 C:\Users\user\AppData\Local\...\tmp5BDE.tmp, XML 8->38 dropped 40 C:\Users\...\PU_Request_Form_Hardware.exe.log, ASCII 8->40 dropped 64 May check the online IP address of the machine 8->64 66 Uses schtasks.exe or at.exe to add and modify task schedules 8->66 68 Adds a directory exclusion to Windows Defender 8->68 14 PU_Request_Form_Hardware.exe 15 2 8->14         started        18 powershell.exe 21 8->18         started        20 schtasks.exe 1 8->20         started        22 PU_Request_Form_Hardware.exe 8->22         started        70 Multi AV Scanner detection for dropped file 12->70 72 Machine Learning detection for dropped file 12->72 74 Injects a PE file into a foreign processes 12->74 24 bLRDTSqpVEj.exe 14 2 12->24         started        26 schtasks.exe 1 12->26         started        signatures6 process7 dnsIp8 46 checkip.dyndns.com 193.122.6.168, 49699, 80 ORACLE-BMC-31898US United States 14->46 48 checkip.dyndns.org 14->48 50 192.168.2.1 unknown unknown 14->50 28 conhost.exe 18->28         started        30 conhost.exe 20->30         started        52 193.122.130.0, 49700, 80 ORACLE-BMC-31898US United States 24->52 54 checkip.dyndns.org 24->54 76 Tries to steal Mail credentials (via file / registry access) 24->76 78 Tries to harvest and steal ftp login credentials 24->78 80 Tries to harvest and steal browser information (history, passwords, etc) 24->80 32 conhost.exe 26->32         started        signatures9 process10
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/ecf8001bb2dbf404d6377d13b97acd585932f7972386f8b3e3ded211877c0d62/
Threat name:
Win32.Trojan.Leonem
Create hunting rule
Status:
Malicious
First seen:
2023-03-23 14:49:11 UTC
File Type:
PE (.Net Exe)
Extracted files:
10
AV detection:
18 of 24 (75.00%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=5t4aag5s3p2ajvrxpuj3s6wnlbmtf54xeodprm7d33jbdb34bvra._file
Verdict:
malicious
Similar samples:
31f26627d71b58fe5accc2077b600f8b7f25a8cdc75b4a538207c170d6275590
SnakeKeylogger
3a5c0b17747016230e623adf8adb30348549d3f7a90c708ff36d79f76f97c07b
SnakeKeylogger
61a349777acbeb0e99b96e08642c2967da2d60a65f2ca511461e642129462c5b
SnakeKeylogger
659d786131454bee09b1cf35abfbec971dd4d3bed16b34805332be4ddd33202b
SnakeKeylogger
66579846dd9c447d5af0d729c9cb00dd9703f784e9b08a10fc54a1d841ab28a8
SnakeKeylogger
8b1b5fea910a93b2ac0a5a245e21796e1cda2bf180e665419ca369d167775552
SnakeKeylogger
e52bcbeaffe46a94b7dec2d73f1560e80c30061ddb845dcc50b57a3d2d9f7f65
SnakeKeylogger
f9e09542f11fe29c6598025e604cca4e09b2ae75738e40fd143bc7b13f93b1e9
SnakeKeylogger
+ 4'785 additional samples on MalwareBazaar
Result
Malware family:
snakekeylogger
Create hunting rule
Score:
  10/10
Tags:
family:snakekeylogger collection keylogger spyware stealer
Link:
https://tria.ge/reports/230323-r61wjsgd43/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Enumerates physical storage devices
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Looks up external IP address via web service
Checks computer location settings
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Snake Keylogger
Snake Keylogger payload
Unpacked files
SH256 hash:
d06df7395d561e198f9b7c5481567116ff2e4c2e84437c018d2a2c8ea6c4ca37
MD5 hash:
0fb6061f7d37424fb9e6d0e76b019c19
SHA1 hash:
98a64bf7b459f032d6ec5793003bf61b5ae1dd74
Link:
https://www.unpac.me/results/4f49359a-090a-4bc3-bb0e-9d6f777aae81/
Parent samples :
495607b1aef01bf7dfb64b5cb16a8fc0f161c2923627d71c69de97328f8eca3f
2434aa78b46a3afc98fa6e888c3eb56278ba52b0ff800e7e875af9c2e7f9011a
SH256 hash:
cde0d3400cd787fce5d1b95fa52908d64831430cc90dafddbaa79ae0d03bb3d0
MD5 hash:
06a5bc1d3143bcac174d81c5ffc09def
SHA1 hash:
650fb4549fb98ee4c7be5e03bf670241e6339cd0
Link:
https://www.unpac.me/results/4f49359a-090a-4bc3-bb0e-9d6f777aae81/
SH256 hash:
87e525e6ad692baba19915afdce75519dfbcc01a4a1b329f38c9fe128d8917f3
MD5 hash:
0ab687365807c3c075c4064ed1625814
SHA1 hash:
2492ddcadccedaafbe6e6ab55f27d1009d8d4122
Link:
https://www.unpac.me/results/4f49359a-090a-4bc3-bb0e-9d6f777aae81/
SH256 hash:
b6e5e66fb1623c9f27965fa42810d5088485eba7105171f68180f9dd6731b55f
MD5 hash:
ee8d47615787e4d793cd0843d69deb19
SHA1 hash:
0e7c65d8ffe986e68cc008024c168ef7e96297f0
Detections:
snake_keylogger
Create hunting rule
Link:
https://www.unpac.me/results/4f49359a-090a-4bc3-bb0e-9d6f777aae81/
Parent samples :
385b0dc759da9aa986880e3652447db19686c359b11b27efac77200c2e48544f
67768864f24ba7a78e166bdc7e88eda674c67728645be4126b19202118bfdd07
cc252929bc3564bcf17ef0df09801dfff3f8d6b8e71d00b449a920ac2380596a
2b781ae6ff39d255f2e608de9ac6519a7644df12f13f574aa8caafa0123927a3
2f723e39cf2fcb28e858a0002e6945fe0e7266e16ec272fe9c9deb1b49309a57
31f26627d71b58fe5accc2077b600f8b7f25a8cdc75b4a538207c170d6275590
e52bcbeaffe46a94b7dec2d73f1560e80c30061ddb845dcc50b57a3d2d9f7f65
221e4f5c1f12b340bde3be53c3ab9bdbf4940b4d9d22aa5a451a06a06572c171
ecf8001bb2dbf404d6377d13b97acd585932f7972386f8b3e3ded211877c0d62
SH256 hash:
099bcf542a82cf30bd69e9c47e7afd704cbae21f05ba041e4418271abdb0730f
MD5 hash:
70235aef6dc8a5015558193139fabebc
SHA1 hash:
023e4eeac7da56533c697e3cc78ac5381b62857f
Link:
https://www.unpac.me/results/4f49359a-090a-4bc3-bb0e-9d6f777aae81/
SH256 hash:
ecf8001bb2dbf404d6377d13b97acd585932f7972386f8b3e3ded211877c0d62
MD5 hash:
6335171da476638eee04501aaaabd50f
SHA1 hash:
de9010c10393eee358ef477738a47cc4c52a60f4
Link:
https://www.unpac.me/results/4f49359a-090a-4bc3-bb0e-9d6f777aae81/
Malware family:
SnakeKeylogger
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/ecf8001bb2db/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_SUSPICIOUS_Binary_References_Browsers
Create hunting rule
Author:ditekSHen
Description:Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers.
Rule name:INDICATOR_SUSPICIOUS_EXE_DotNetProcHook
Create hunting rule
Author:ditekSHen
Description:Detects executables with potential process hoocking
Rule name:INDICATOR_SUSPICIOUS_EXE_References_Messaging_Clients
Create hunting rule
Author:ditekSHen
Description:Detects executables referencing many email and collaboration clients. Observed in information stealers
Rule name:INDICATOR_SUSPICIOUS_EXE_TelegramChatBot
Create hunting rule
Author:ditekSHen
Description:Detects executables using Telegram Chat Bot
Rule name:MALWARE_Win_SnakeKeylogger
Create hunting rule
Author:ditekSHen
Description:Detects Snake Keylogger
Rule name:MAL_Envrial_Jan18_1
Create hunting rule
Author:Florian Roth (Nextron Systems)
Description:Detects Encrial credential stealer malware
Reference:https://twitter.com/malwrhunterteam/status/953313514629853184
Rule name:MAL_Envrial_Jan18_1_RID2D8C
Create hunting rule
Author:Florian Roth
Description:Detects Encrial credential stealer malware
Reference:https://twitter.com/malwrhunterteam/status/953313514629853184
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash
Rule name:Windows_Trojan_SnakeKeylogger_af3faa65
Create hunting rule
Author:Elastic Security

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

SnakeKeylogger

Executable exe ecf8001bb2dbf404d6377d13b97acd585932f7972386f8b3e3ded211877c0d62

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/376869/

Comments