MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 ef0e235d8f6267b667679f5f610e45b1baf341225237830c06646c6d6198386f. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


SnakeKeylogger


Vendor detections: 12


Intelligence 12 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: ef0e235d8f6267b667679f5f610e45b1baf341225237830c06646c6d6198386f
SHA3-384 hash: 0e9d1dc5db2ddd7f637a0896183e409b70bf3e916acc66677ff4c4621848b8d1f5fa22aca473d904fcc7345eccbcc9e4
SHA1 hash: 6856b37ba4ecabf8c4babd2c849a9089c1491835
MD5 hash: 7c39b5959d91d8f212092ff96d013613
humanhash: oklahoma-hawaii-saturn-sodium
File name:1 Piece ISO-16Z 06B-1.exe
Download: download sample
Signature SnakeKeylogger
Create hunting rule
File size:940'544 bytes
First seen:2022-03-22 17:20:22 UTC
Last seen:2022-03-22 18:59:03 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 24576:+Jcoh8sDBI/yXWMOWVj3pBVPx50UzRJLCme1q4Y1PQ:+JcohrBIY5VrpPD0U/ylwY
Threatray 241 similar samples on MalwareBazaar
TLSH T1041523916AE89BB3DEB813719CA1634003FE98755A73CB6DCC0820CB56DE3449B467B3
Reporter abuse_ch
Tags:exe SnakeKeylogger

Intelligence

File Origin
# of uploads :
2
# of downloads :
184
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/254944/
Detection(s):
SecuriteInfo.com.Trojan.Siggen17.27266.8191.19602.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Creating a window
Sending a custom TCP request
Сreating synchronization primitives
Creating a file in the %AppData% directory
Enabling the 'hidden' option for recently created files
Adding an access-denied ACE
Creating a process from a recently created file
Creating a process with a hidden window
Launching a process
Launching the default Windows debugger (dwwin.exe)
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
obfuscated packed update.exe
Link:
https://www.filescan.io/uploads/623a058ab94fb38cb4d041eb/reports/ec5d4baf-0625-4e8b-b3b5-e863288a5c76/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
Snake Keylogger
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/962276
Signature
.NET source code contains potential unpacker
.NET source code references suspicious native API functions
Adds a directory exclusion to Windows Defender
Found malware configuration
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
May check the online IP address of the machine
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Suspicious Add Scheduled Task From User AppData Temp
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Mail credentials (via file / registry access)
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected AntiVM3
Yara detected Snake Keylogger
Yara detected Telegram RAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 594756 Sample: 1 Piece ISO-16Z 06B-1.exe Startdate: 23/03/2022 Architecture: WINDOWS Score: 100 39 Found malware configuration 2->39 41 Malicious sample detected (through community Yara rule) 2->41 43 Multi AV Scanner detection for dropped file 2->43 45 13 other signatures 2->45 7 1 Piece ISO-16Z 06B-1.exe 7 2->7         started        process3 file4 25 C:\Users\user\AppData\Roaming\PoDQpJNED.exe, PE32 7->25 dropped 27 C:\Users\...\PoDQpJNED.exe:Zone.Identifier, ASCII 7->27 dropped 29 C:\Users\user\AppData\Local\...\tmpBE14.tmp, XML 7->29 dropped 31 C:\Users\...\1 Piece ISO-16Z 06B-1.exe.log, ASCII 7->31 dropped 47 Adds a directory exclusion to Windows Defender 7->47 49 Injects a PE file into a foreign processes 7->49 11 1 Piece ISO-16Z 06B-1.exe 15 2 7->11         started        15 powershell.exe 24 7->15         started        17 schtasks.exe 1 7->17         started        19 1 Piece ISO-16Z 06B-1.exe 7->19         started        signatures5 process6 dnsIp7 33 floragumruk.com.tr 37.230.104.41, 49796, 587 AEROTEK-ASTR Turkey 11->33 35 mail.floragumruk.com.tr 11->35 37 3 other IPs or domains 11->37 51 Tries to steal Mail credentials (via file / registry access) 11->51 53 Tries to harvest and steal ftp login credentials 11->53 55 Tries to harvest and steal browser information (history, passwords, etc) 11->55 21 conhost.exe 15->21         started        23 conhost.exe 17->23         started        signatures8 process9
Detection:
snakekeylogger
Create hunting rule
Link:
https://mwdb.cert.pl/sample/ef0e235d8f6267b667679f5f610e45b1baf341225237830c06646c6d6198386f/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2022-03-22 10:42:08 UTC
File Type:
PE (.Net Exe)
Extracted files:
6
AV detection:
21 of 26 (80.77%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=54hcgxmpmjt3mz3ht5pwcdsfwg5pgqjcki3ygdagmrwg2ymyhbxq._file
Verdict:
malicious
Similar samples:
0c5d401cb457030a23fd5afe1ad88ab0ff4f1bdcad1d7307fefd614107daf0f9
SnakeKeylogger
20da9061d97a613081f164a4ace352121755f24a0e0c717d2791e03579daff53
SnakeKeylogger
3889644b588e323f70d1bdd1e91e7870701225bc67977922369b00cb1dbc862c
SnakeKeylogger
3e9c014ef2b5fe85fafc698f4b94d18a3f929c0c812157819afe49ed1ebd6d74
SnakeKeylogger
5ec6a0d19a4333966e28f063d24376c1e071ee0d4580e85153fd354ac239c8ab
SnakeKeylogger
7033c5725ca1167da50532cd257eaf95a6bf2d6be51a9c357ab145b189c7a23a
SnakeKeylogger
78761132bce1be8e7af9c4eafcfbd2fe5d656d3446d4f875d1a28f454c198721
SnakeKeylogger
c586cdae80de6a25dc94c91083dc6468b282767f522d49496f01d6e07e3b7ab0
SnakeKeylogger
fec5cf8ee4db0e8f6303ffbd0c0d2161c73560b1ee1543a74a5e3a87647175db
SnakeKeylogger
+ 231 additional samples on MalwareBazaar
Result
Malware family:
snakekeylogger
Create hunting rule
Score:
  10/10
Tags:
family:snakekeylogger collection keylogger spyware stealer
Link:
https://tria.ge/reports/220322-vw1pksgde3/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Enumerates physical storage devices
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Looks up external IP address via web service
Checks computer location settings
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Snake Keylogger
Snake Keylogger Payload
Unpacked files
SH256 hash:
e01b5174944ab046b7b3994a181b38a2c244b392e2196c29ca310a57cd80415b
MD5 hash:
573029773eaeae3624e8b3bae6bf33ef
SHA1 hash:
f7a7966926c5823874883a9163bcfce735e5b6d8
Link:
https://www.unpac.me/results/2073a3be-ae40-453a-a517-9fc7c42e1ca2/
SH256 hash:
a63d7104c29433a6a4d662822a1677c018fe250573732b13bdb51b2d81f12782
MD5 hash:
124a95c0f67727a6b820c5de79318245
SHA1 hash:
d25789bcd42f41502c8af434b30573994a6d3e95
Link:
https://www.unpac.me/results/2073a3be-ae40-453a-a517-9fc7c42e1ca2/
SH256 hash:
3dea9832eee17fd39fb30854e38311e8ab1252c2ebe48b06fc46a3a0b9447674
MD5 hash:
20136886a31158681b11de9d239881a2
SHA1 hash:
b4bfcc1aa8d1c1cdf441da2f252cfb3bab2d1a3c
Link:
https://www.unpac.me/results/2073a3be-ae40-453a-a517-9fc7c42e1ca2/
SH256 hash:
301642ff8826ac264d1a78b36237b5ece99cb31a2d9cecd04aafb3449679d94b
MD5 hash:
f08268ddb5c1236b947fe2864860fc98
SHA1 hash:
772410110fee00fc53939b94c2f64069fa824cf4
Link:
https://www.unpac.me/results/2073a3be-ae40-453a-a517-9fc7c42e1ca2/
SH256 hash:
ef0e235d8f6267b667679f5f610e45b1baf341225237830c06646c6d6198386f
MD5 hash:
7c39b5959d91d8f212092ff96d013613
SHA1 hash:
6856b37ba4ecabf8c4babd2c849a9089c1491835
Link:
https://www.unpac.me/results/2073a3be-ae40-453a-a517-9fc7c42e1ca2/
Malware family:
Phoenix
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/ef0e235d8f62/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/ef0e235d8f6267b667679f5f610e45b1baf341225237830c06646c6d6198386f

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/254944/

Comments