MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 ef23c59e01d4ead9ddaf93012c303e5eaf45cb469b2adb64e3e2f950edda0172. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


SnakeKeylogger


Vendor detections: 16


Intelligence 16 IOCs YARA 12 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: ef23c59e01d4ead9ddaf93012c303e5eaf45cb469b2adb64e3e2f950edda0172
SHA3-384 hash: a7dd36ec7bd09c796bae981dfce402b0f9caff68962e7f4fe99264b45b6a8b92faad9982a97f79fab2adec35a56f36e3
SHA1 hash: b8930c3d6821375da085422e2cfbe0a30e1000c9
MD5 hash: cdefe2f6e98e11a790dbf7e5f5c627d9
humanhash: kilo-nineteen-jersey-vermont
File name:SxiT40WAvUwfKxF.exe
Download: download sample
Signature SnakeKeylogger
Create hunting rule
File size:676'864 bytes
First seen:2023-05-05 11:26:16 UTC
Last seen:2023-05-13 22:57:49 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'740 x AgentTesla, 19'600 x Formbook, 12'241 x SnakeKeylogger)
ssdeep 12288:2lU7tpVGMjBKY2Vi/0582aqZoWzZ4P5+x7yMgv:2U7dGuBhf2anoyR+EMg
Threatray 5'366 similar samples on MalwareBazaar
TLSH T126E4E15533B9BBA1DCE583F8720CE5015F706C20A3B9F7E88DCBE0D89158B19E6506A7
TrID 63.0% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
11.2% (.SCR) Windows screen saver (13097/50/3)
9.0% (.EXE) Win64 Executable (generic) (10523/12/4)
5.6% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
3.8% (.EXE) Win32 Executable (generic) (4505/5/1)
Reporter abuse_ch
Tags:exe SnakeKeylogger

Intelligence

File Origin
# of uploads :
3
# of downloads :
229
Origin country :
NL NL
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
SxiT40WAvUwfKxF.exe
Verdict:
Malicious activity
Analysis date:
2023-05-05 11:34:56 UTC
Tags:
snake keylogger trojan evasion
Link:
https://app.any.run/tasks/02040202-537f-4cde-9c81-2925c332658e

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Snake
Create hunting rule
Link:
https://www.capesandbox.com/analysis/386814/
Detection(s):
SecuriteInfo.com.Variant.Barys.351838.8683.9788.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a custom TCP request
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
formbook packed
Link:
https://www.filescan.io/uploads/6454e808eb65188ee4ceb205/reports/fe1eb833-66c7-47bb-bd0a-fc054d383dd4/overview
Verdict:
Malicious
Labled as:
Barys.Generic
Link:
https://www.hybrid-analysis.com/sample/ef23c59e01d4ead9ddaf93012c303e5eaf45cb469b2adb64e3e2f950edda0172
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Snake Keylogger
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/66b013e8-e143-4530-9fff-fd9a823ddc7d
Result
Threat name:
Snake Keylogger
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1227230
Signature
.NET source code contains potential unpacker
Found malware configuration
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
May check the online IP address of the machine
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic
Yara detected Generic Downloader
Yara detected Snake Keylogger
Yara detected Telegram RAT
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/ef23c59e01d4ead9ddaf93012c303e5eaf45cb469b2adb64e3e2f950edda0172/
Threat name:
Win32.Trojan.Barys
Create hunting rule
Status:
Malicious
First seen:
2023-05-05 11:27:07 UTC
File Type:
PE (.Net Exe)
Extracted files:
11
AV detection:
14 of 37 (37.84%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=54r4lhqb2tvntxnpsmasymb6l2xuls2gtmvnwzhd4l4vb3o2afza._file
Verdict:
malicious
Similar samples:
0143b411f3c0c02a845fa45cca9fd02df3da4334ad748fd119759f877c1e7ef2
SnakeKeylogger
08e04faa04ed269f7378476ccf3296ef3ed403817ca6ec26277a4d4fe82bce3e
SnakeKeylogger
37060f2c77a3ef9365f60835a9a3c2e7f524095952a18bb805c6acbbd6388cd6
SnakeKeylogger
39284637e45691feb034477cb6d51b662892a17b883ce42cee8d8e2fcdda4817
SnakeKeylogger
606157eb85fa1f90ad5b6def0cbddc1445298156aecb9da21bcc925e6cd7638c
SnakeKeylogger
b33a98ce498846037fd68b2055d835464a1350c9c067e250689a2be1f17dc987
SnakeKeylogger
d3277817e3f5dd9265d3797ceb8db5316f75c7f708f9ba2186d8380c7a6530c1
SnakeKeylogger
+ 5'356 additional samples on MalwareBazaar
Result
Malware family:
snakekeylogger
Create hunting rule
Score:
  10/10
Tags:
family:snakekeylogger collection keylogger spyware stealer
Link:
https://tria.ge/reports/230505-nkgn1ahg87/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Looks up external IP address via web service
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Snake Keylogger
Snake Keylogger payload
Malware Config
C2 Extraction:
https://api.telegram.org/bot5869797424:AAFj7jfdzfUw1CCCNzehFXiYeFWrzxnHnAs/sendMessage?chat_id=1715191138
Unpacked files
SH256 hash:
f4e9cc47225d19f05fe05b7e80dda21d7850f5344b8aa4bbabf11722979dc822
MD5 hash:
1df230e78af5084c086a977cb35bb2e8
SHA1 hash:
f6144903d5bfab0e095c3753eb07a0789cbeb156
Detections:
snake_keylogger
Create hunting rule
Link:
https://www.unpac.me/results/b4bb1f46-61fd-4c47-8d50-a8078f5c4744/
Parent samples :
105564f796b71e908a08ce7cdac01b5e441569cc03cf14293f7e482790ad51dd
790f8d85765401dc539584fc2075b326e306982adc99010f06637a769bb9443e
ef23c59e01d4ead9ddaf93012c303e5eaf45cb469b2adb64e3e2f950edda0172
823a206dcc8e78823dd154d935da7c7ba7029b9b51adfa1caaaca282fc7df829
c74b241653dd2fbda789f9198ab86773d71603ff64cce3356a4cbbd7f01ce2a4
afd8c936337691ea9b680f253002d428ca216c2056dcf3009ecb566f1e67395c
78875bd0e64072dd764f4de0b576eb4f9bba96db457422699986e9542bde530b
7ade52d9d7e7aa377a7855a6effe236cebdccf32661cbf1329ea4da9951f2df7
80a3bcecad3c5b6fe13c41124af786341400fec9cec151490d7861a3fc83be75
ac18f1cbdf0303e840e4da9594405257df6300374d748956c8378b07181c6129
SH256 hash:
a991063ed1f1cdafc8b985068c97a575a4c9b8d31f96dea80f6d10e722fad555
MD5 hash:
38fcbb7f24fe8affd971287f975d5cf8
SHA1 hash:
f059ad5502da7cc592c1d6bae165dae0e1807b8f
Link:
https://www.unpac.me/results/b4bb1f46-61fd-4c47-8d50-a8078f5c4744/
SH256 hash:
21f0154b51a09767f94922b81f5fcd15cf4a6390ab7314e40d0e17b2dcdfe6ba
MD5 hash:
c926563698de3a89ad20474c85122f73
SHA1 hash:
ed1a3b2527ace111e6f39880c7ee3965f301330d
Link:
https://www.unpac.me/results/b4bb1f46-61fd-4c47-8d50-a8078f5c4744/
SH256 hash:
280001013946838a651abbdee890fa4a4d49c382b7b5e78b7805caef036304e2
MD5 hash:
d4b6893a5512534104c6c7403be60897
SHA1 hash:
d4b51c3e4cafb3b146435a4e2e21bb5ddf15956d
Link:
https://www.unpac.me/results/b4bb1f46-61fd-4c47-8d50-a8078f5c4744/
SH256 hash:
3973256b76e9ee75074d91b7838757610bb7bf10699766cdea8a887ef3f94611
MD5 hash:
ac74fe139ebcedb209d62c363af71487
SHA1 hash:
ace67e6415fb563169f442018d3c42e19aebf507
Link:
https://www.unpac.me/results/b4bb1f46-61fd-4c47-8d50-a8078f5c4744/
SH256 hash:
ef23c59e01d4ead9ddaf93012c303e5eaf45cb469b2adb64e3e2f950edda0172
MD5 hash:
cdefe2f6e98e11a790dbf7e5f5c627d9
SHA1 hash:
b8930c3d6821375da085422e2cfbe0a30e1000c9
Link:
https://www.unpac.me/results/b4bb1f46-61fd-4c47-8d50-a8078f5c4744/
Malware family:
SnakeKeylogger
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/ef23c59e01d4/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Password Stealer
Score:
0.90
Link:
https://yomi.yoroi.company/submissions/ef23c59e01d4ead9ddaf93012c303e5eaf45cb469b2adb64e3e2f950edda0172

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:BitcoinAddress
Create hunting rule
Author:Didier Stevens (@DidierStevens)
Description:Contains a valid Bitcoin address
Rule name:INDICATOR_SUSPICIOUS_Binary_References_Browsers
Create hunting rule
Author:ditekSHen
Description:Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers.
Rule name:INDICATOR_SUSPICIOUS_EXE_DotNetProcHook
Create hunting rule
Author:ditekSHen
Description:Detects executables with potential process hoocking
Rule name:INDICATOR_SUSPICIOUS_EXE_References_Messaging_Clients
Create hunting rule
Author:ditekSHen
Description:Detects executables referencing many email and collaboration clients. Observed in information stealers
Rule name:INDICATOR_SUSPICIOUS_EXE_TelegramChatBot
Create hunting rule
Author:ditekSHen
Description:Detects executables using Telegram Chat Bot
Rule name:MALWARE_Win_SnakeKeylogger
Create hunting rule
Author:ditekSHen
Description:Detects Snake Keylogger
Rule name:MAL_Envrial_Jan18_1
Create hunting rule
Author:Florian Roth (Nextron Systems)
Description:Detects Encrial credential stealer malware
Reference:https://twitter.com/malwrhunterteam/status/953313514629853184
Rule name:MAL_Envrial_Jan18_1_RID2D8C
Create hunting rule
Author:Florian Roth
Description:Detects Encrial credential stealer malware
Reference:https://twitter.com/malwrhunterteam/status/953313514629853184
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash
Rule name:Windows_Trojan_SnakeKeylogger_af3faa65
Create hunting rule
Author:Elastic Security

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

SnakeKeylogger

Executable exe ef23c59e01d4ead9ddaf93012c303e5eaf45cb469b2adb64e3e2f950edda0172

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/386814/

Comments