MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 fd2cd3b81c8d9917c3d886e894b7e6561f501cbf6eba18d2dcf443cb5cc05a0f. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


SnakeKeylogger


Vendor detections: 13


Intelligence 13 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: fd2cd3b81c8d9917c3d886e894b7e6561f501cbf6eba18d2dcf443cb5cc05a0f
SHA3-384 hash: 11b528d21825f8b95615a0db90f20af9cccef7c65f57517ab4416506b5038e691d487b92af330f7251dae03780d955cd
SHA1 hash: 94fa9c153d5fb9515298e6e403c1f870cc57df3c
MD5 hash: e506e399b2c8c6296c9783b818787340
humanhash: orange-undress-west-jersey
File name:doc202200101301.pdf.exe
Download: download sample
Signature SnakeKeylogger
Create hunting rule
File size:847'872 bytes
First seen:2022-10-13 10:28:01 UTC
Last seen:2022-10-19 04:22:24 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'205 x SnakeKeylogger)
ssdeep 12288:5CRjG0XCBDx1z9zXQJHvf4eyonZP6Yl/1ha5Yew78s/:Yex1z9rQ5vNPtEOe
TLSH T1C605497A11D24507E429327588D3E2F32AFBAE606061D2CB9AD76F6FBC411BF9113346
TrID 61.5% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
11.0% (.SCR) Windows screen saver (13101/52/3)
8.8% (.EXE) Win64 Executable (generic) (10523/12/4)
5.5% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.2% (.EXE) Win16 NE executable (generic) (5038/12/1)
Reporter abuse_ch
Tags:exe SnakeKeylogger

Intelligence

File Origin
# of uploads :
2
# of downloads :
210
Origin country :
n/a
Vendor Threat Intelligence
Detection:
Snake
Create hunting rule
Link:
https://www.capesandbox.com/analysis/319834/
Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Creating a window
Сreating synchronization primitives
Creating a file in the %AppData% directory
Enabling the 'hidden' option for recently created files
Adding an access-denied ACE
Creating a process from a recently created file
Creating a process with a hidden window
Creating a file in the %temp% directory
Launching a process
Verdict:
No Threat
Threat level:
  2/10
Confidence:
100%
Link:
https://www.filescan.io/uploads/6347e83d0d2bcf0ff9a2ccff/reports/3a03b2b0-89f0-4a49-bddf-a4535f459f0f/overview
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Suspicious
Link:
https://analyze.intezer.com/analyses/57ef24e8-edf9-442b-b8e1-293c96b3b1d2
Result
Threat name:
Snake Keylogger
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1089716
Signature
.NET source code contains potential unpacker
.NET source code references suspicious native API functions
Adds a directory exclusion to Windows Defender
Initial sample is a PE file and has a suspicious name
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
May check the online IP address of the machine
Multi AV Scanner detection for submitted file
Sigma detected: Scheduled temp file as task from temp location
Snort IDS alert for network traffic
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Mail credentials (via file / registry access)
Uses an obfuscated file name to hide its real file extension (double extension)
Uses schtasks.exe or at.exe to add and modify task schedules
Uses the Telegram API (likely for C&C communication)
Yara detected AntiVM3
Yara detected Generic Downloader
Yara detected Snake Keylogger
Yara detected Telegram RAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 722324 Sample: doc202200101301.pdf.exe Startdate: 13/10/2022 Architecture: WINDOWS Score: 100 51 Snort IDS alert for network traffic 2->51 53 Malicious sample detected (through community Yara rule) 2->53 55 Sigma detected: Scheduled temp file as task from temp location 2->55 57 12 other signatures 2->57 7 doc202200101301.pdf.exe 7 2->7         started        11 ffplVkfNEPuyO.exe 5 2->11         started        process3 file4 31 C:\Users\user\AppData\...\ffplVkfNEPuyO.exe, PE32 7->31 dropped 33 C:\...\ffplVkfNEPuyO.exe:Zone.Identifier, ASCII 7->33 dropped 35 C:\Users\user\AppData\Local\Temp\tmpE79.tmp, XML 7->35 dropped 37 C:\Users\user\...\doc202200101301.pdf.exe.log, ASCII 7->37 dropped 59 May check the online IP address of the machine 7->59 61 Uses schtasks.exe or at.exe to add and modify task schedules 7->61 63 Adds a directory exclusion to Windows Defender 7->63 13 doc202200101301.pdf.exe 15 2 7->13         started        17 powershell.exe 21 7->17         started        19 schtasks.exe 1 7->19         started        65 Machine Learning detection for dropped file 11->65 21 ffplVkfNEPuyO.exe 11->21         started        23 schtasks.exe 1 11->23         started        signatures5 process6 dnsIp7 39 checkip.dyndns.com 132.226.247.73, 49695, 80 UTMEMUS United States 13->39 41 checkip.dyndns.org 13->41 43 api.telegram.org 149.154.167.220, 443, 49696, 49698 TELEGRAMRU United Kingdom 13->43 25 conhost.exe 17->25         started        27 conhost.exe 19->27         started        45 193.122.6.168, 49719, 80 ORACLE-BMC-31898US United States 21->45 47 checkip.dyndns.org 21->47 49 192.168.2.1 unknown unknown 21->49 67 Tries to steal Mail credentials (via file / registry access) 21->67 69 Tries to harvest and steal ftp login credentials 21->69 71 Tries to harvest and steal browser information (history, passwords, etc) 21->71 29 conhost.exe 23->29         started        signatures8 process9
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/fd2cd3b81c8d9917c3d886e894b7e6561f501cbf6eba18d2dcf443cb5cc05a0f/
Threat name:
ByteCode-MSIL.Trojan.Leonem
Create hunting rule
Status:
Malicious
First seen:
2022-10-13 09:12:22 UTC
File Type:
PE (.Net Exe)
Extracted files:
26
AV detection:
21 of 42 (50.00%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=7uwnhoa4rwmrpq6yq3ujjn7gkypvahf7n25bruw46rb4wxgalihq._file
Verdict:
malicious
Result
Malware family:
snakekeylogger
Create hunting rule
Score:
  10/10
Tags:
family:snakekeylogger collection keylogger spyware stealer
Link:
https://tria.ge/reports/221013-mhnh4abfep/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Enumerates physical storage devices
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Looks up external IP address via web service
Checks computer location settings
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Snake Keylogger
Snake Keylogger payload
Malware Config
C2 Extraction:
https://api.telegram.org/bot5582701255:AAG6EwFmBC6AWDB7ijWIdb3jOpyBEYRlBgU/sendMessage?chat_id=1856108848
Verdict:
Suspicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/04f77da2-f797-403e-b32b-9ba2cb925d32
Unpacked files
SH256 hash:
161903f7d5633a0cdc5d416c229e1af16ad3f5a6d11dbe8d500aa9151a273f62
MD5 hash:
b460e7cd67e88a80f0b65f65d28b1c4c
SHA1 hash:
fef017687483cf2b5b9d5f8061b6f0645fdcf779
Link:
https://www.unpac.me/results/8b9fc632-6e44-49e3-9c99-395be25009f8/
SH256 hash:
52705fdd83cdd8088084ca168ac30a5fff8c112b65d5f8d6b9254092b409804b
MD5 hash:
58675c09be60fc3ffbfa39c32bd6463f
SHA1 hash:
dcdf81231acb5113afcc3037bbbb6758aada31b0
Link:
https://www.unpac.me/results/8b9fc632-6e44-49e3-9c99-395be25009f8/
SH256 hash:
507afc3421a148a7588a57236481c2c91bf2ca01f1c4d16146b4fee3ae4db0a0
MD5 hash:
2bbc738bb2c81e4613e2f70ddca09c9d
SHA1 hash:
d8f7d71712201306f70b7728ce251d16aeee0db1
Link:
https://www.unpac.me/results/8b9fc632-6e44-49e3-9c99-395be25009f8/
SH256 hash:
af7ac1171b44c9a949ad80bfaf05095048d0b74cfb527f66479e22f47d340110
MD5 hash:
f696dc0e00cb8f70799ac3fcaa5f9f6a
SHA1 hash:
cde2283de5b89639ea52f6388feef8f77efc63ce
Link:
https://www.unpac.me/results/8b9fc632-6e44-49e3-9c99-395be25009f8/
SH256 hash:
48dce2631822613e7ceb0ff9100ea0584132cdad07a32467a8c5df90c76b87f2
MD5 hash:
156e9142d2df0ef51b311e0443b50e9a
SHA1 hash:
4f542b57a462526b16f3d9d857b28f792c24ae78
Detections:
snake_keylogger
Create hunting rule
Link:
https://www.unpac.me/results/8b9fc632-6e44-49e3-9c99-395be25009f8/
Parent samples :
6b010af0223bd5f11bfc896701e2151a2feee5e48127367f2f760d5110af4857
2eb68d9acd4f3bf8816e682b1c87234e909cd8f1d53bc4d6df8a0acb74daea52
ae5aa180e80601126d73c2da070cd4fc5d041d4cbd66566d01569fd1ad33738b
beb54195c2d5f5dd021b8a916b27d6929b6114c2edd311f291b15054d439e7ab
fd2cd3b81c8d9917c3d886e894b7e6561f501cbf6eba18d2dcf443cb5cc05a0f
e08ed6f6f84946bdd5e3d099080330841efe8ce84cc2002d510e3dbe74de3fef
50109664df17c305d63866d276484eff9131d9fb4bbb091275f07d940e7435b5
8e88b06d2325abd6c323cac3064f6ca4f81e4fee843b04efc255a3105f82e507
4a7c732e04071421b16fceefad0a2a2c046d8d59b2ece54f50f89645b4eac10d
081d841583dbdb2d881df7e2ac7d12702518680e5a34a6238cdee2abae76885b
SH256 hash:
fd2cd3b81c8d9917c3d886e894b7e6561f501cbf6eba18d2dcf443cb5cc05a0f
MD5 hash:
e506e399b2c8c6296c9783b818787340
SHA1 hash:
94fa9c153d5fb9515298e6e403c1f870cc57df3c
Link:
https://www.unpac.me/results/8b9fc632-6e44-49e3-9c99-395be25009f8/
Malware family:
SnakeKeylogger
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/fd2cd3b81c8d/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/fd2cd3b81c8d9917c3d886e894b7e6561f501cbf6eba18d2dcf443cb5cc05a0f

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/319834/

Comments