MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 f42c4d98da8786a899e87be1c19698325adfc6ecccddd17dc7a32c1da9a7f227. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


SnakeKeylogger


Vendor detections: 14


Intelligence 14 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: f42c4d98da8786a899e87be1c19698325adfc6ecccddd17dc7a32c1da9a7f227
SHA3-384 hash: a4f80fa6ef9cadcda821d2fea68ea677bfc9ad4f38fbf44963735a8583dcf0f75dc44e371c94b3ff5e88a50499e341bb
SHA1 hash: f0d3546a335ece0ad12f52a7218fd8abd7d83deb
MD5 hash: d8d41e8fa67dace3d02444e7c74ab0d8
humanhash: low-black-batman-missouri
File name:Hesaphareketi-01.exe
Download: download sample
Signature SnakeKeylogger
Create hunting rule
File size:663'040 bytes
First seen:2023-04-19 16:01:24 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'740 x AgentTesla, 19'597 x Formbook, 12'241 x SnakeKeylogger)
ssdeep 12288:Dg+eoi1HSC5YZJDRWCaCrJqoRElqe7GsmY:kDHreJvJRXTsD
Threatray 234 similar samples on MalwareBazaar
TLSH T1A5E4BD2E31739F46C16ED7F5106899712BB0A2833A6DD27D6CC703CA9ABAF01178475B
TrID 71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.2% (.EXE) Win64 Executable (generic) (10523/12/4)
6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.3% (.EXE) Win32 Executable (generic) (4505/5/1)
2.0% (.ICL) Windows Icons Library (generic) (2059/9)
Reporter abuse_ch
Tags:exe geo SnakeKeylogger TUR

Intelligence

File Origin
# of uploads :
1
# of downloads :
221
Origin country :
NL NL
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
Hesaphareketi-01.exe
Verdict:
Malicious activity
Analysis date:
2023-04-19 16:34:22 UTC
Tags:
evasion snake keylogger trojan
Link:
https://app.any.run/tasks/039e22bb-d42f-4cba-887e-e2c9531ae757

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/383421/
Detection(s):
Sanesecurity.Malware.28872.BadIN4.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a custom TCP request
Launching a process
Creating a process with a hidden window
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
floxif lokibot packed virus
Link:
https://www.filescan.io/uploads/6440107f7a31c790ffdbe0c9/reports/0183e927-3dd7-44d7-905f-fd0368ac2f86/overview
Verdict:
Malicious
Labled as:
Trojan.Generic
Link:
https://www.hybrid-analysis.com/sample/f42c4d98da8786a899e87be1c19698325adfc6ecccddd17dc7a32c1da9a7f227
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Snake Keylogger
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/3e15646c-233d-451f-b975-5157166b84d7
Result
Threat name:
Snake Keylogger, StormKitty
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1217353
Signature
.NET source code contains potential unpacker
Adds a directory exclusion to Windows Defender
Found malware configuration
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
May check the online IP address of the machine
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Scheduled temp file as task from temp location
Snort IDS alert for network traffic
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Uses schtasks.exe or at.exe to add and modify task schedules
Uses the Telegram API (likely for C&C communication)
Yara detected Generic Downloader
Yara detected Snake Keylogger
Yara detected StormKitty Stealer
Yara detected Telegram RAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 850294 Sample: Hesaphareketi-01.exe Startdate: 20/04/2023 Architecture: WINDOWS Score: 100 51 Snort IDS alert for network traffic 2->51 53 Found malware configuration 2->53 55 Malicious sample detected (through community Yara rule) 2->55 57 9 other signatures 2->57 7 Hesaphareketi-01.exe 7 2->7         started        11 qoCocomrJvYyi.exe 5 2->11         started        process3 file4 31 C:\Users\user\AppData\...\qoCocomrJvYyi.exe, PE32 7->31 dropped 33 C:\...\qoCocomrJvYyi.exe:Zone.Identifier, ASCII 7->33 dropped 35 C:\Users\user\AppData\Local\...\tmp9ABC.tmp, XML 7->35 dropped 37 C:\Users\user\...\Hesaphareketi-01.exe.log, ASCII 7->37 dropped 59 May check the online IP address of the machine 7->59 61 Uses schtasks.exe or at.exe to add and modify task schedules 7->61 63 Adds a directory exclusion to Windows Defender 7->63 13 Hesaphareketi-01.exe 15 2 7->13         started        17 powershell.exe 19 7->17         started        19 schtasks.exe 1 7->19         started        65 Multi AV Scanner detection for dropped file 11->65 67 Machine Learning detection for dropped file 11->67 69 Injects a PE file into a foreign processes 11->69 21 qoCocomrJvYyi.exe 2 11->21         started        23 schtasks.exe 1 11->23         started        signatures5 process6 dnsIp7 39 checkip.dyndns.com 158.101.44.242, 49696, 80 ORACLE-BMC-31898US United States 13->39 41 checkip.dyndns.org 13->41 43 api.telegram.org 149.154.167.220, 443, 49697, 49700 TELEGRAMRU United Kingdom 13->43 25 conhost.exe 17->25         started        27 conhost.exe 19->27         started        45 132.226.8.169, 49698, 80 UTMEMUS United States 21->45 47 checkip.dyndns.org 21->47 49 192.168.2.1 unknown unknown 21->49 71 Tries to steal Mail credentials (via file / registry access) 21->71 73 Tries to harvest and steal browser information (history, passwords, etc) 21->73 29 conhost.exe 23->29         started        signatures8 process9
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/f42c4d98da8786a899e87be1c19698325adfc6ecccddd17dc7a32c1da9a7f227/
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=6qwe3gg2q6dkrgpippq4dfuygjnn7rxmzto5c7ohumwb3knh6itq._file
Verdict:
malicious
Similar samples:
1e73aae6a487b8bd66f0faf160523ff271831de6039de29b5e93289bab655382
SnakeKeylogger
5a9397f2ec2a6609708ad1bbbff41e1d6d099d863d0714003d35070be9786edd
SnakeKeylogger
69dcb21b36f6de65c945422621bc55badbebb0312518bd7f38b704d5a1ae7930
SnakeKeylogger
88c2df27f12c638e7ebd866f6e27b9284e1dd90e07c611a2a581426a9ff9bed5
SnakeKeylogger
8c3a54283aca092b244c89ebb641bb372808b3e51b752936dfbea95dc32eeb95
SnakeKeylogger
ab9c917e122563e1c30825d5630c74a667f559112924c9bae5b04456073131ca
SnakeKeylogger
bd7cf632807ea761e4decacfe700f54df5729f05ee1a5d3c6ff9117bc3245e1e
SnakeKeylogger
d298c16cc5f3bc92be81294b9d7b4b23d1be22742956b824dac7dc109dde7e35
SnakeKeylogger
ee79d711f50c08fc3f58d643b0974e2030d5f6f0479a5e000eaef3940f099636
SnakeKeylogger
fe67815ee34cf630592fdbbcdc8e18b460b6dcaf6cbfb4bce9c5d7d4c453e491
SnakeKeylogger
+ 224 additional samples on MalwareBazaar
Result
Malware family:
stormkitty
Create hunting rule
Score:
  10/10
Tags:
family:snakekeylogger family:stormkitty collection keylogger spyware stealer
Link:
https://tria.ge/reports/230419-tgtgaabf74/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Enumerates physical storage devices
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Looks up external IP address via web service
Checks computer location settings
Reads user/profile data of web browsers
Snake Keylogger
Snake Keylogger payload
StormKitty
StormKitty payload
Malware Config
C2 Extraction:
https://api.telegram.org/bot5905114115:AAEtJ13Y8sU1fQgR9KsdZZhYCIQmu7J2ahU/sendMessage?chat_id=5334267822
Unpacked files
SH256 hash:
7ae208f9dcc6e48c90b7f16aca172bda4aed22bfddde7b8f701ed624a1a56892
MD5 hash:
aec164e58bdd05319500cb31bfb6ff26
SHA1 hash:
ce86251df67051b7681f49ed955248399b1a01e8
Link:
https://www.unpac.me/results/b28e2afd-6619-4294-ab0b-6fe314e009c6/
SH256 hash:
37931bd35c9ccdcb30a808db46c927f6176cab368ae8e68aae172ad50324b633
MD5 hash:
8fc438758604a2110d54a7088a77d495
SHA1 hash:
b062bb208ed4b0d138260145f13217bff0d2f572
Detections:
snake_keylogger
Create hunting rule
Link:
https://www.unpac.me/results/b28e2afd-6619-4294-ab0b-6fe314e009c6/
Parent samples :
187e9a262dac093e04914b16b11f41adec97c3115f4a6b5e5cf1125d2be8eeca
f42c4d98da8786a899e87be1c19698325adfc6ecccddd17dc7a32c1da9a7f227
0981c7be951e32102a5ea4eac7862654a0979c95b486a491c567ddb2095c679f
a3e34d9df2e5ed18ecb2236c44428ecb068bf476767eb482e0812eeb761071fd
d0bbf51d9dc7100fb76b837b5e5ffe89b767351518e76a64fa2748463a1c89e6
5631b2c6aa5495d9756f92501442b809e0f004d9fe2c1d423ef8906ca912c69b
d6844e4d321d82b76bd2d9d6b66c6a8edfd695323a741481cddb426825cebc44
SH256 hash:
2aacb90cbca333fc849c01ba65a6994cb09803ec960477e79317161ad1073b2f
MD5 hash:
b01df9f87c138bb4a1cb594e7391a135
SHA1 hash:
b8c0ba18fbd31335afcd81bdc05325bddf6aff10
Link:
https://www.unpac.me/results/b28e2afd-6619-4294-ab0b-6fe314e009c6/
SH256 hash:
b6c82ca301dd4e1382ca8ae857f02323a26e78e4bf9b9a2d35fa83a20a5e2c9c
MD5 hash:
874196c2425683fd227de2e6fdeba1aa
SHA1 hash:
4dbf5f6d5cf95aee949804156ada3bb8d078da56
Link:
https://www.unpac.me/results/b28e2afd-6619-4294-ab0b-6fe314e009c6/
SH256 hash:
c2dc2096ad20a2ffc478e31fe79f46dc8fd5e7c088a7a3d48c8cf159d9d4501b
MD5 hash:
c215ef44efcae8d02c7f227fa9013300
SHA1 hash:
04d84a0240a930fb46a57d430c55890b21eb9738
Link:
https://www.unpac.me/results/b28e2afd-6619-4294-ab0b-6fe314e009c6/
SH256 hash:
f42c4d98da8786a899e87be1c19698325adfc6ecccddd17dc7a32c1da9a7f227
MD5 hash:
d8d41e8fa67dace3d02444e7c74ab0d8
SHA1 hash:
f0d3546a335ece0ad12f52a7218fd8abd7d83deb
Link:
https://www.unpac.me/results/b28e2afd-6619-4294-ab0b-6fe314e009c6/
Malware family:
SnakeKeylogger
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/f42c4d98da87/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/f42c4d98da8786a899e87be1c19698325adfc6ecccddd17dc7a32c1da9a7f227

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

SnakeKeylogger

Executable exe f42c4d98da8786a899e87be1c19698325adfc6ecccddd17dc7a32c1da9a7f227

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/383421/

Comments