MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 ed70d26100b509a7b74ae7b12260c679a05a6bad291a5e40ef6a44a9fb3fdef7. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


SnakeKeylogger


Vendor detections: 13


Intelligence 13 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: ed70d26100b509a7b74ae7b12260c679a05a6bad291a5e40ef6a44a9fb3fdef7
SHA3-384 hash: df725e16ef17934ad3bf1ebaae6f2f91edfc69cc8e67cf751b6a88a7627c34aafd830709fcaa63c1748583142353bc89
SHA1 hash: c3cc3069def00c580afa04bf911d1b04a0204d4c
MD5 hash: 8ed06fbf3b32cf9527d6997156590190
humanhash: double-green-bakerloo-maryland
File name:Ziraat Bankas Swift Mesaj.pdf.exe
Download: download sample
Signature SnakeKeylogger
Create hunting rule
File size:755'957 bytes
First seen:2022-11-08 15:35:46 UTC
Last seen:2022-11-08 17:45:21 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 29b61e5a552b3a9bc00953de1c93be41 (174 x Formbook, 82 x AgentTesla, 81 x Loki)
ssdeep 12288:eferyoul/Zg6YuA3bIUE1FH4PJZhr3MKnkUqwSlJZRQbLv5BnPg5qC3hnuMd9A3+:emr1ul/zYuOboLHSfhDMKnkUTgZGLvbI
Threatray 339 similar samples on MalwareBazaar
TLSH T142F4234399A5E107FC8A4A3986665735DBE2CE87102F4E5F079CF76B67F7302A12201B
TrID 48.8% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
16.4% (.EXE) Win64 Executable (generic) (10523/12/4)
10.2% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
7.8% (.EXE) Win16 NE executable (generic) (5038/12/1)
7.0% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):PE icon
dhash icon e0e4a3a6a4b8b8a8 (37 x Formbook, 9 x AZORult, 9 x Loki)
Reporter abuse_ch
Tags:exe geo SnakeKeylogger TUR ZiraatBank

Intelligence

File Origin
# of uploads :
2
# of downloads :
171
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
Ziraat Bankas Swift Mesaj.pdf.exe
Verdict:
Malicious activity
Analysis date:
2022-11-08 15:46:13 UTC
Tags:
autoit
Link:
https://app.any.run/tasks/34e58e16-fd1a-4aff-8075-81543ff3bf28

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/330657/
Detection(s):
SecuriteInfo.com.W32.Trojan-Gypikon-based.DM2Ma.17386.12002.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Creating a file in the %temp% directory
Creating a process from a recently created file
Creating a window
Creating a file in the %AppData% subdirectories
Сreating synchronization primitives
Sending a custom TCP request
DNS request
Sending an HTTP GET request
Reading critical registry keys
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Unauthorized injection to a recently created process by context flags manipulation
Forced shutdown of a browser
Result
Malware family:
n/a
Score:
  5/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/50129/overview
Behaviour
MalwareBazaar
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
overlay packed shell32.dll
Link:
https://www.filescan.io/uploads/636a7768c0dbe6b5f9a4b46c/reports/d29a760b-eb13-49f1-990b-78f7fe522734/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/0f8e24a9-57e4-4ac4-8bcd-e39ec0816f39
Result
Threat name:
AgentTesla, Snake Keylogger
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1108430
Signature
.NET source code references suspicious native API functions
Detected unpacking (creates a PE file in dynamic memory)
Icon mismatch, binary includes an icon from a different legit application in order to fool users
Initial sample is a PE file and has a suspicious name
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
May check the online IP address of the machine
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Mail credentials (via file / registry access)
Uses an obfuscated file name to hide its real file extension (double extension)
Yara detected AgentTesla
Yara detected Generic Downloader
Yara detected Snake Keylogger
Yara detected Telegram RAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 741094 Sample: Ziraat Bankas Swift Mesaj.pdf.exe Startdate: 08/11/2022 Architecture: WINDOWS Score: 100 40 Snort IDS alert for network traffic 2->40 42 Malicious sample detected (through community Yara rule) 2->42 44 Icon mismatch, binary includes an icon from a different legit application in order to fool users 2->44 46 9 other signatures 2->46 7 Ziraat Bankas Swift Mesaj.pdf.exe 19 2->7         started        10 ijgufse.exe 2->10         started        process3 file4 24 C:\Users\user\AppData\Local\Temp\qthht.exe, PE32 7->24 dropped 12 qthht.exe 1 2 7->12         started        process5 file6 26 C:\Users\user\AppData\Roaming\...\ijgufse.exe, PE32 12->26 dropped 48 Detected unpacking (creates a PE file in dynamic memory) 12->48 50 May check the online IP address of the machine 12->50 52 Maps a DLL or memory area into another process 12->52 16 qthht.exe 15 2 12->16         started        20 qthht.exe 12->20         started        22 qthht.exe 12->22         started        signatures7 process8 dnsIp9 28 checkip.dyndns.com 193.122.6.168, 49715, 80 ORACLE-BMC-31898US United States 16->28 30 checkip.dyndns.org 16->30 32 2 other IPs or domains 16->32 34 Tries to steal Mail credentials (via file / registry access) 16->34 36 Tries to harvest and steal ftp login credentials 16->36 38 Tries to harvest and steal browser information (history, passwords, etc) 16->38 signatures10
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/ed70d26100b509a7b74ae7b12260c679a05a6bad291a5e40ef6a44a9fb3fdef7/
Threat name:
Win32.Spyware.SnakeLogger
Create hunting rule
Status:
Malicious
First seen:
2022-11-08 13:48:06 UTC
File Type:
PE (Exe)
Extracted files:
32
AV detection:
24 of 40 (60.00%)
Threat level:
  2/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=5vyneyiawue2pn2k46yseyggpgqfu25nfenf4qhpnjckt6z7333q._file
Verdict:
malicious
Similar samples:
16346ed15b2d60e072d99cd110e29c8bef43483b9f8a5f9246123750bc0073d6
SnakeKeylogger
26a21ee2a1eb48e763a15cfad8db92148168438b6d74decccc3439a29a4cb951
SnakeKeylogger
67dfdca1a2d42035d8ef9bde053531051793e2f13e30b8f1fe0a81fdd52e99fb
SnakeKeylogger
7e8cb2531d08a6c664969bcbecbdb946fd7e3088ee8a3b4dab805536bf026571
SnakeKeylogger
8c631258f16b062dbbc3c6de1c5d27b727e5c7375fdff993a252fdc98814376a
SnakeKeylogger
d731757d3bddc5f1c8c0430dff8bc434b4406d02b0e46916cf7a975a3f5db196
SnakeKeylogger
e15347eeeba6fb5f12440c9c2720d8055747cd973fde267d7e159f40efa62ab5
SnakeKeylogger
+ 329 additional samples on MalwareBazaar
Result
Malware family:
snakekeylogger
Create hunting rule
Score:
  10/10
Tags:
family:snakekeylogger keylogger persistence stealer
Link:
https://tria.ge/reports/221108-s1ydxaeba6/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Suspicious use of SetThreadContext
Adds Run key to start application
Looks up external IP address via web service
Loads dropped DLL
Executes dropped EXE
Snake Keylogger
Snake Keylogger payload
Unpacked files
SH256 hash:
7c95559c527cd378c584c04e28f5a342538a3744e0781f5a4046bf591e5e41f4
MD5 hash:
d4bde1ff4068508a437d0d9fb2eda94b
SHA1 hash:
7811ed8ca22e79fdee6e2ecff495c0f447b68c62
Detections:
snake_keylogger
Create hunting rule
Link:
https://www.unpac.me/results/6cbe84b2-c003-459a-a2a9-645f326721d8/
SH256 hash:
595f8e51fbe326d278c78011343470ce97f5d655ad657023a4ba5edc79006a4d
MD5 hash:
afd61ed83d724ee7e4459b7526109c2f
SHA1 hash:
458f66512e5ba13b3777266528767935fa57028e
Link:
https://www.unpac.me/results/6cbe84b2-c003-459a-a2a9-645f326721d8/
SH256 hash:
5902c3ea4bf5e23073f85742bb21f11d71e339c22e0b21915a59cd2bdc7700fc
MD5 hash:
74547dd16cf02a6759e26c20c655f9c5
SHA1 hash:
311e6586b081c6f52a3c67bd4a7deaebe8ac154e
Detections:
snake_keylogger
Create hunting rule
Link:
https://www.unpac.me/results/6cbe84b2-c003-459a-a2a9-645f326721d8/
SH256 hash:
ed70d26100b509a7b74ae7b12260c679a05a6bad291a5e40ef6a44a9fb3fdef7
MD5 hash:
8ed06fbf3b32cf9527d6997156590190
SHA1 hash:
c3cc3069def00c580afa04bf911d1b04a0204d4c
Link:
https://www.unpac.me/results/6cbe84b2-c003-459a-a2a9-645f326721d8/
Malware family:
SnakeKeylogger
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/ed70d26100b5/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/330657/

Comments