MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 ef634f411178f4e4b177515d80dd363158a73004da3229b07789d696d7c8dea8. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


SnakeKeylogger


Vendor detections: 13


Intelligence 13 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: ef634f411178f4e4b177515d80dd363158a73004da3229b07789d696d7c8dea8
SHA3-384 hash: 08f24ba6934b506d4837eb598980d7196184ddc1ddbc698ceefbf64af0de9455ebc4c1d98cd575f55c6834b43b5a65e1
SHA1 hash: 34f187b6af07aac2607199cd2ee93b14af226743
MD5 hash: a4a97351978c1166898fee27719ab01b
humanhash: xray-mockingbird-robert-sweet
File name:Kfndfdrf.exe
Download: download sample
Signature SnakeKeylogger
Create hunting rule
File size:806'912 bytes
First seen:2023-07-24 09:06:30 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
ssdeep 12288:DZy5Acbp9xYYCf2J0ZNLLneLzysJTHAi86cQzkIZXUS+gqRMeCBNU:qAUyj2SZJLneLGsGHIZX7p3eCBNU
Threatray 5'635 similar samples on MalwareBazaar
TLSH T177051703BA5B86B2DB8D13F6D19A0D168771C693335BD70B7A8E23A91803777BC84617
TrID 56.5% (.EXE) Win64 Executable (generic) (10523/12/4)
11.0% (.ICL) Windows Icons Library (generic) (2059/9)
10.9% (.EXE) OS/2 Executable (generic) (2029/13)
10.7% (.EXE) Generic Win/DOS Executable (2002/3)
10.7% (.EXE) DOS Executable Generic (2000/1)
File icon (PE):PE icon
dhash icon d290b4b6c2a6ba40 (3 x SnakeKeylogger)
Reporter abuse_ch
Tags:exe SnakeKeylogger

Intelligence

File Origin
# of uploads :
1
# of downloads :
292
Origin country :
NL NL
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
Kfndfdrf.exe
Verdict:
Malicious activity
Analysis date:
2023-07-24 09:09:15 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/444ec404-7456-4e2d-9d62-50692673e2d2

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/430637/
Detection(s):
SecuriteInfo.com.Win64.PWSX-gen.1388.17624.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Сreating synchronization primitives
DNS request
Sending a custom TCP request
Creating a file in the %AppData% directory
Launching a process
Creating a file
Sending an HTTP GET request
Reading critical registry keys
Creating a window
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Unauthorized injection to a system process
Forced shutdown of a browser
Gathering data
Verdict:
Malicious
Labled as:
Win/malicious_confidence_60%
Link:
https://www.hybrid-analysis.com/sample/ef634f411178f4e4b177515d80dd363158a73004da3229b07789d696d7c8dea8
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Snake Keylogger
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/20599d21-3d28-42eb-b39f-8ca50629abdd
Result
Threat name:
Snake Keylogger
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1278177
Signature
.NET source code contains potential unpacker
Found malware configuration
Injects a PE file into a foreign processes
Malicious sample detected (through community Yara rule)
May check the online IP address of the machine
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for submitted file
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Uses the Telegram API (likely for C&C communication)
Writes to foreign memory regions
Yara detected MSILDownloaderGeneric
Yara detected Snake Keylogger
Yara detected Telegram RAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 1278177 Sample: Kfndfdrf.exe Startdate: 24/07/2023 Architecture: WINDOWS Score: 100 39 Found malware configuration 2->39 41 Malicious sample detected (through community Yara rule) 2->41 43 Multi AV Scanner detection for submitted file 2->43 45 5 other signatures 2->45 6 Kfndfdrf.exe 15 5 2->6         started        11 Membjt.exe 14 2 2->11         started        13 Membjt.exe 2 2->13         started        process3 dnsIp4 23 cdn.discordapp.com 162.159.135.233, 443, 49701, 49707 CLOUDFLARENETUS United States 6->23 19 C:\Users\user\AppData\...\Kfndfdrf.exe.log, CSV 6->19 dropped 21 C:\Users\user\AppData\Roaming\Membjt.exe, PE32+ 6->21 dropped 47 Writes to foreign memory regions 6->47 49 Modifies the context of a thread in another process (thread injection) 6->49 51 Injects a PE file into a foreign processes 6->51 15 MSBuild.exe 14 2 6->15         started        25 162.159.130.233, 443, 49708 CLOUDFLARENETUS United States 13->25 file5 signatures6 process7 dnsIp8 27 checkip.dyndns.org 15->27 29 api.telegram.org 149.154.167.220, 443, 49706 TELEGRAMRU United Kingdom 15->29 31 checkip.dyndns.com 193.122.6.168, 49705, 80 ORACLE-BMC-31898US United States 15->31 33 May check the online IP address of the machine 15->33 35 Tries to steal Mail credentials (via file / registry access) 15->35 37 Tries to harvest and steal browser information (history, passwords, etc) 15->37 signatures9
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/ef634f411178f4e4b177515d80dd363158a73004da3229b07789d696d7c8dea8/
Threat name:
Win64.Trojan.Tnega
Create hunting rule
Status:
Malicious
First seen:
2023-07-24 07:28:53 UTC
File Type:
PE+ (.Net Exe)
Extracted files:
10
AV detection:
18 of 24 (75.00%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=55ru6qirpd2ojmlxkfoybxjwgfmkomae3izctmdxrhljnv6i32ua._file
Verdict:
malicious
Similar samples:
1e32754c58c05364d4948c25cb1a1bc6ca99e63353dd5980b52ba3d5cc02fd6c
SnakeKeylogger
32710d6d01f3d637eea39e90247dce8e2007bd9acb91c685713c7f0a1df5ed76
SnakeKeylogger
56b4be20e581a3fec3c1a1c48e0d3f54501e87baba88fd2eda735e9f9725ce81
SnakeKeylogger
5b58b0a97dac112b439fde1aa15dff60527dec77a0caa4d059e9b6121bb7db95
SnakeKeylogger
735d68ae6995dc7bf164853989cbe9b1bc3c1ee94802f78256e7c2e389fcfc04
SnakeKeylogger
73e288b96b3f5a85046fc0ad2d5864b65c01d1f673943f0b35179af4ce39eff5
SnakeKeylogger
85558abd2b8c7a64ebb96f8c5bdd4e18f93fdd3a9c124df63d4be671eee7871c
SnakeKeylogger
cacc7162b9c5dacdd807215b37e7a0325c8d98de656b5845dc69d4cc467b0ab7
SnakeKeylogger
+ 5'625 additional samples on MalwareBazaar
Result
Malware family:
snakekeylogger
Create hunting rule
Score:
  10/10
Tags:
family:snakekeylogger collection discovery keylogger persistence stealer
Link:
https://tria.ge/reports/230724-k3a3dscb52/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Adds Run key to start application
Looks up external IP address via web service
Creates a large amount of network flows
Snake Keylogger
Snake Keylogger payload
Malware Config
C2 Extraction:
https://api.telegram.org/bot6306936009:AAFTFaUDjiWcGYilKFcAPgZDb1vX2NLFZCM/sendMessage?chat_id=5716598986
Unpacked files
SH256 hash:
ef634f411178f4e4b177515d80dd363158a73004da3229b07789d696d7c8dea8
MD5 hash:
a4a97351978c1166898fee27719ab01b
SHA1 hash:
34f187b6af07aac2607199cd2ee93b14af226743
Link:
https://www.unpac.me/results/b3695a0e-00f0-4306-8d2e-113d9376d8f7/
Malware family:
SnakeKeylogger
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/ef634f411178/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/ef634f411178f4e4b177515d80dd363158a73004da3229b07789d696d7c8dea8

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

SnakeKeylogger

Executable exe ef634f411178f4e4b177515d80dd363158a73004da3229b07789d696d7c8dea8

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/430637/

Comments