MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 efb08159fc8bb0195a322e721bc09d5bd80b5451c946b22473d1023d3f00c760. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

SnakeKeylogger
Vendor detections: 11



SHA256 hash: efb08159fc8bb0195a322e721bc09d5bd80b5451c946b22473d1023d3f00c760
SHA3-384 hash: 1b104b211b836902a524afe8627f304bf9713c52ddcd737c11b3dbf933e75155c6f27388cd716dd35f9cf7f01aafedda
SHA1 hash: 923b85a00c2d4d27e10972e88e9093c7f107f9a7
MD5 hash: 27ac8e4b9d0e618f17bf79f07eca1b38
humanhash: happy-cold-south-angel
File name: Foreign_Bank Account Details.exe
Signature: SnakeKeylogger
File size: 729'600 bytes
First seen: 2022-10-18 11:05:42 UTC
Last seen: 2022-10-24 07:21:07 UTC
File type: Executable exe
MIME type: application/x-dosexec
imphash: f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'462 x Formbook, 12'204 x SnakeKeylogger)
ssdeep: 12288:gFy0EQYg6sDJap4SEHPNrUBrXZYu0l64orXGM2TmYE3XxUJNk:R0EQtNAS5N4rYu0l6v0i3XxGk
Threatray: 4'831 similar samples on MalwareBazaar
TLSH: T106F438E94352DE02CBAC413D8A6080834EF49E539699E5BEBFB5B4C3CDB8A5803D1375
TrID: 72.5% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
      10.4% (.EXE) Win64 Executable (generic) (10523/12/4)
      6.5% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
      4.4% (.EXE) Win32 Executable (generic) (4505/5/1)
      2.0% (.EXE) OS/2 Executable (generic) (2029/13)
dhash icon: c2cacaa2d2c6c6d2 (4 x SnakeKeylogger, 2 x AgentTesla)
Reporter: abuse_ch
Tags: exe SnakeKeylogger

Intelligence

File Origin
# of uploads: 3
# of downloads: 216
Origin country: n/a
Vendor Threat Intelligence

Result
Verdict: Malware
Behaviour:
Creating a window
Creating synchronization primitives
Searching for the window
Creating a file in the %AppData% directory
Creating a file in the %temp% directory
Launching a process
Creating a process with a hidden window
Unauthorized injection to a recently created process
Creating a file
DNS request
Sending an HTTP GET request
Reading critical registry keys
Blocking the Windows Defender launch
Enabling autorun by creating a file
Forced shutdown of a browser
Verdict: Suspicious
Threat level: 5/10
Confidence: 100%
Tags: packed
Result
Verdict: UNKNOWN
Details: Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name: Snake Keylogger
Detection: malicious
Classification: troj.spyw.evad
Score: 100 / 100
Signature:
.NET source code references suspicious native API functions
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
May check the online IP address of the machine
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Scheduled temp file as task from temp location
Snort IDS alert for network traffic
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Mail credentials (via file / registry access)
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected AntiVM3
Yara detected Generic Downloader
Yara detected Snake Keylogger
Yara detected Telegram RAT
Behaviour
Behavior Graph:
Behavior Graph ID: 725513
Sample: Foreign_Bank Account Details.exe
Startdate: 18/10/2022
Architecture: WINDOWS
Score: 100
Top-level signatures: Snort IDS alert for network traffic; Malicious sample detected (through community Yara rule); Sigma detected: Scheduled temp file as task from temp location; 10 other signatures
Process tree (node numbers from the graph):
  Foreign_Bank Account Details.exe (10), started from the root
    dropped: C:\Users\user\AppData\Roaming\KzdeNr.exe (PE32)
    dropped: C:\Users\user\AppData\Local\...\tmp4B36.tmp (XML)
    dropped: C:\...\Foreign_Bank Account Details.exe.log (ASCII)
    signature: Injects a PE file into a foreign processes
    started: Foreign_Bank Account Details.exe (19), schtasks.exe (21), Foreign_Bank Account Details.exe (23), 2 other processes
      Foreign_Bank Account Details.exe (19): DNS checkip.dyndns.org; connects to checkip.dyndns.com 132.226.8.169, port 80 (UTMEMUS, United States)
      schtasks.exe (21): started conhost.exe (29)
  KzdeNr.exe (7), started from the root
    signatures: Multi AV Scanner detection for dropped file; May check the online IP address of the machine; Machine Learning detection for dropped file
    started: KzdeNr.exe (13), schtasks.exe (17)
      KzdeNr.exe (13): DNS checkip.dyndns.org; connects to 193.122.130.0, port 80 (ORACLE-BMC-31898US, United States)
        signatures: Tries to steal Mail credentials (via file / registry access); Tries to harvest and steal ftp login credentials; Tries to harvest and steal browser information (history, passwords, etc)
      schtasks.exe (17): started conhost.exe (27)
Threat name: ByteCode-MSIL.Trojan.SnakeKeylogger
Status: Malicious
First seen: 2022-10-18 07:18:53 UTC
File Type: PE (.Net Exe)
Extracted files: 39
AV detection: 23 of 26 (88.46%)
Threat level: 5/5
Result
Malware family: snakekeylogger
Score: 10/10
Tags: family:snakekeylogger collection keylogger spyware stealer
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Enumerates physical storage devices
Program crash
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Looks up external IP address via web service
Checks computer location settings
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Snake Keylogger
Snake Keylogger payload
Malware Config
C2 Extraction: https://api.telegram.org/bot1644755040:AAGRTnph6BdO8-t1bJaOyVu9aeuJErmisqs/sendMessage?chat_id=1637651323
Verdict: Suspicious
Tags: n/a
YARA: n/a
Unpacked files
SHA256 hash: adf5132844797507cbb4e1ee8bbb22d9b4ec6db0712be4883223787db7a48022
MD5 hash: 86282acd13ba09bb961607f49b7ab868
SHA1 hash: 7fa70b4b2df403c5c00f25d4bc1e212123639739
Detections: snake_keylogger
Parent samples:
SHA256 hash: 4f80ddfe49b270f801ab44aa899153bbe2a0fb93abed0f9fc992f74ff6ab4fde
MD5 hash: f4ba8570299eabf8fe2d02cc1dc0606a
SHA1 hash: 5d7add32313074f5a1e9b4ab379298dee8b6217e

SHA256 hash: 219ae3c96dfcdafd16e6ec990a2110f5b28a4768e6d447b6ca37db49490bebac
MD5 hash: 885d1eaf3bf1be9824a30a653def2338
SHA1 hash: 501864f0d24054b6879f63b5d16564a6a29535c8

SHA256 hash: efb08159fc8bb0195a322e721bc09d5bd80b5451c946b22473d1023d3f00c760
MD5 hash: 27ac8e4b9d0e618f17bf79f07eca1b38
SHA1 hash: 923b85a00c2d4d27e10972e88e9093c7f107f9a7
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: pe_imphash

Rule name: Skystars_Malware_Imphash
Author: Skystars LightDefender
Description: imphash

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Malspam
SnakeKeylogger
Executable exe efb08159fc8bb0195a322e721bc09d5bd80b5451c946b22473d1023d3f00c760 (this sample)

Delivery method: Distributed via e-mail attachment
