MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 f0dde862dd7e9ed610faa451e843eb51a05e9708fa8fd3605d267f811ba9e268. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


SnakeKeylogger


Vendor detections: 11


Intelligence 11 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: f0dde862dd7e9ed610faa451e843eb51a05e9708fa8fd3605d267f811ba9e268
SHA3-384 hash: 20427c287ad600ccfb82fa51d3058175fe8baf72032a5a749ebdf491281dca2208ef1eff67fbf9c7a8485eea2bb63f4d
SHA1 hash: 62994a49f11b489d3c9128a3217e148261b5a89d
MD5 hash: e9de908f8df5f4352f5a22f0eadfe623
humanhash: four-autumn-oregon-rugby
File name:vbc.exe
Download: download sample
Signature SnakeKeylogger
Create hunting rule
File size:645'632 bytes
First seen:2022-08-12 13:49:18 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'665 x AgentTesla, 19'479 x Formbook, 12'208 x SnakeKeylogger)
ssdeep 12288:AsJPDvpc++I2iNWRG6OJnkqPb0AemXQSvOJBxN7yDT/0:dJPzpSI10RmnrQXmE
Threatray 6'645 similar samples on MalwareBazaar
TLSH T148D4C0EFA758001FCD608B76D94C917A4FE8DC223422DDEFBEA37875A5202AD641DD12
TrID 64.2% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
11.5% (.SCR) Windows screen saver (13101/52/3)
9.2% (.EXE) Win64 Executable (generic) (10523/12/4)
5.7% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
3.9% (.EXE) Win32 Executable (generic) (4505/5/1)
Reporter James_inthe_box
Tags:exe SnakeKeylogger

Intelligence

File Origin
# of uploads :
1
# of downloads :
368
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
Optical Quotation 20221208.xlsx
Verdict:
Malicious activity
Analysis date:
2022-08-12 09:34:38 UTC
Tags:
encrypted trojan opendir exploit CVE-2017-11882 loader
Link:
https://app.any.run/tasks/24deac91-83e5-4534-87e8-ae63018907b4

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/298236/
Detection(s):
SecuriteInfo.com.MSIL.Kryptik.WZA.UNOFFICIAL
Create hunting rule

Result
Verdict:
Clean
Maliciousness:

Behaviour
Searching for the window
Creating a window
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
packed
Link:
https://www.filescan.io/uploads/62f65b02080024921b6de077/reports/02f2a4ea-4bd8-4fea-b07a-bebd0e02dfa8/overview
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Snake Keylogger
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/e48e07c4-1d67-4cd6-9f56-72ff2c9f7d4f
Result
Threat name:
Snake Keylogger
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1050598
Signature
.NET source code contains potential unpacker
.NET source code references suspicious native API functions
Injects a PE file into a foreign processes
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
May check the online IP address of the machine
Snort IDS alert for network traffic
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Yara detected AntiVM3
Yara detected Generic Downloader
Yara detected Snake Keylogger
Yara detected Telegram RAT
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/f0dde862dd7e9ed610faa451e843eb51a05e9708fa8fd3605d267f811ba9e268/
Threat name:
ByteCode-MSIL.Trojan.NanoBot
Create hunting rule
Status:
Malicious
First seen:
2022-08-12 13:48:24 UTC
File Type:
PE (.Net Exe)
Extracted files:
39
AV detection:
17 of 26 (65.38%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=6do6qyw5p2pnmeh2uri6qq7lkgqf5fyi7kh5gyc5ez7ycg5j4jua._file
Verdict:
malicious
Similar samples:
15b8325df5457903aa6a8f86ddd64b7ea2fca232231e2e63044a1a0f9cc3f73b
SnakeKeylogger
218c08cec6f1611911718ce26eb572771eaf353c7cec7b2b32f11e1dad2c466d
SnakeKeylogger
62ae48d339e52a1b5be82e703025f2be10d6025f97fd784d40f2781d6ee886ec
SnakeKeylogger
a2bb808321745ce0239b5a84c78a801644d903ce8a6ab87193337aaf2d01fc31
SnakeKeylogger
f6f9f7b0dda34e762db1c1d5362ad44638246bc1ff5832789177869d0e393203
SnakeKeylogger
fec53b388671f2f82fd8c743a3695f432037caffe5f2e04ea77c206809efd048
SnakeKeylogger
+ 6'635 additional samples on MalwareBazaar
Result
Malware family:
snakekeylogger
Create hunting rule
Score:
  10/10
Tags:
family:snakekeylogger collection keylogger spyware stealer
Link:
https://tria.ge/reports/220812-q489gagbe9/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Looks up external IP address via web service
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Uses the VBS compiler for execution
Snake Keylogger
Snake Keylogger payload
Unpacked files
SH256 hash:
18eb60c0eb3e1c610526d9f4b42684ac36a2ebb521514a8770dca2f2afd7f471
MD5 hash:
7ca239778f9f46d28b08876564dba525
SHA1 hash:
973b0d0d98a83b7dfcf1bfce04a179b0f070b98c
Link:
https://www.unpac.me/results/c93d5c5c-48e2-49e9-ba91-998eebc7f26e/
SH256 hash:
d64aa198bc6a4c7ff42d69299ffeb2f823cceebe5a9aefac86ece10a87ae528b
MD5 hash:
6269ca1e0f231e94afa774ab2179b956
SHA1 hash:
77b3b1c47ea730dcfd46ab0017645858df25fcd5
Link:
https://www.unpac.me/results/c93d5c5c-48e2-49e9-ba91-998eebc7f26e/
SH256 hash:
95bd1f80a3d601631c33e1f6b28de461ba77b5936e86dfde2aeb707af389cdb9
MD5 hash:
73c685b29b4a941ee4cadaf96470565b
SHA1 hash:
74f345c858972a47b998e86fbf6271fad599ed1d
Link:
https://www.unpac.me/results/c93d5c5c-48e2-49e9-ba91-998eebc7f26e/
SH256 hash:
9b4aee132a0228378d66a57fda3a2030952309ef74cf2db724ac916b04d8c034
MD5 hash:
93c6391d23c1aa1ed66fb13f82f2ee31
SHA1 hash:
220098c3047c32b51ae13a5cc1e9beeef3da6e18
Link:
https://www.unpac.me/results/c93d5c5c-48e2-49e9-ba91-998eebc7f26e/
SH256 hash:
1c65487408317c5e2720f0b9830ae2d3ba91c2bfa0cf69a7355015079f69c949
MD5 hash:
5fd63f04ccf6e74c654531a01e121c8c
SHA1 hash:
1a40bb006181a24d46d308a7f653e051fcb2fecd
Link:
https://www.unpac.me/results/c93d5c5c-48e2-49e9-ba91-998eebc7f26e/
SH256 hash:
f0dde862dd7e9ed610faa451e843eb51a05e9708fa8fd3605d267f811ba9e268
MD5 hash:
e9de908f8df5f4352f5a22f0eadfe623
SHA1 hash:
62994a49f11b489d3c9128a3217e148261b5a89d
Link:
https://www.unpac.me/results/c93d5c5c-48e2-49e9-ba91-998eebc7f26e/
Malware family:
SnakeKeylogger
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/f0dde862dd7e/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.65
Link:
https://yomi.yoroi.company/submissions/f0dde862dd7e9ed610faa451e843eb51a05e9708fa8fd3605d267f811ba9e268

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

  
Delivery method
Other
Cape
Cape
https://www.capesandbox.com/analysis/298236/

Comments