MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 72292a987383f0079a0a846bae4ee6345f008f991a50f5f6d7fed2cad91339ad. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

SnakeKeylogger

Vendor detections: 16



SHA256 hash: 72292a987383f0079a0a846bae4ee6345f008f991a50f5f6d7fed2cad91339ad
SHA3-384 hash: db0da044a4da77accc158a23573e99c32b77ad020eba66404f5e687c66fe34113902263e2e104159af07161c1ebc062f
SHA1 hash: fbc277222d6971e42acaf87975b7b565b9b63a9e
MD5 hash: e9698d7f3a85335c8610cde2fecc54e8
humanhash: video-fourteen-ack-kansas
File name: ZAPYTANIE OFERTOWE ST-2024-S315 CPA9170385.exe
Signature: SnakeKeylogger
File size: 1'524'650 bytes
First seen: 2024-10-29 12:06:28 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash 98f67c550a7da65513e63ffd998f6b2e (60 x Worm.Mofksys, 21 x SnakeKeylogger, 13 x MassLogger)
ssdeep 24576:K5xolYQY6afmMv6Ckr7Mny5QLvmVib5B6lhswkKa59PK01LnRiaZ:dY53v+7/5QLvmG6lh8KmrLf
TLSH T18B65D022B7C5507AD86379F02977E36BAB353D150722C88B67E02F665D31102BA7632F
TrID 41.2% (.EXE) Win32 Executable Microsoft Visual Basic 6 (82067/2/8)
28.9% (.CPL) Windows Control Panel Item (generic) (57583/11/19)
15.6% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
5.2% (.EXE) Win64 Executable (generic) (10522/11/4)
2.5% (.EXE) Win16 NE executable (generic) (5038/12/1)
Magika pebin
File icon (PE): (icon image not reproduced)
dhash icon e8963369653296e8 (1 x SnakeKeylogger)
Reporter Anonymous
Tags: exe SnakeKeylogger

Intelligence

File Origin
# of uploads: 1
# of downloads: 448
Origin country: PL
Vendor Threat Intelligence
Malware family: n/a
ID: 1
File name: ZAPYTANIE OFERTOWE ST-2024-S315 CPA9170385.exe
Verdict: Malicious activity
Analysis date: 2024-10-29 12:07:27 UTC
Tags: evasion snake keylogger telegram smtp

Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Verdict: Malicious
Score: 99.9%
Tags: Autoit Emotet
Result
Verdict: Malware
Maliciousness:

Behaviour
Creating synchronization primitives
Creating a window
Creating a file
Creating a process from a recently created file
Creating a process with a hidden window
Creating a file in the %temp% directory
Creating a file in the Windows subdirectories
Enabling the 'hidden' option for recently created files
Launching a process
Setting a keyboard event handler
Setting a global event handler
Creating a file in the %AppData% directory
DNS request
Connection attempt
Sending an HTTP GET request
Sending a custom TCP request
Reading critical registry keys
Setting a single autorun event
Launching the process to create tasks for the scheduler
Stealing user critical data
Unauthorized injection to a system process
Enabling autorun
Enabling a "Do not show hidden files" option
Verdict: Suspicious
Threat level: 5/10
Confidence: 100%
Tags: autoit explorer hook lolbin overlay packed packed packer_detected shell32 visual_basic
Result
Verdict: MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name: CryptOne, Snake Keylogger, VIP Keylogger
Detection: malicious
Classification: troj.spyw.evad
Score: 100 / 100
Signature
AI detected suspicious sample
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Contains functionality to detect sleep reduction / modifications
Creates an undocumented autostart registry key
Detected CryptOne packer
Drops executables to the windows directory (C:\Windows) and starts them
Drops PE files with benign system names
Found malware configuration
Installs a global keyboard hook
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
PE file has a writeable .text section
Sigma detected: Files With System Process Name In Unsuspected Locations
Sigma detected: Interactive AT Job
Sigma detected: Suspect Svchost Activity
Sigma detected: System File Execution Location Anomaly
Switches to a custom stack to bypass stack traces
System process connects to network (likely due to code injection or exploit)
Tries to detect the country of the analysis system (by using the IP)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Uses schtasks.exe or at.exe to add and modify task schedules
Uses the Telegram API (likely for C&C communication)
Writes to foreign memory regions
Yara detected Generic Downloader
Yara detected Snake Keylogger
Yara detected Telegram RAT
Yara detected VIP Keylogger
Behaviour
Behavior Graph: (graph image not reproduced; Behavior Graph ID: 1544451, Sample: ZAPYTANIE OFERTOWE ST-2024-..., Startdate: 29/10/2024, Architecture: WINDOWS, Score: 100)
Threat name: Win32.Worm.Mofksys
Status: Malicious
First seen: 2024-10-29 12:16:45 UTC
File Type: PE (Exe)
Extracted files: 3
AV detection: 23 of 24 (95.83%)
Threat level: 5/5
Verdict: malicious
Label(s): mofksys unknown_loader_036 vipkeylogger admintool_powerrun
Similar samples:
Result
Malware family: vipkeylogger
Score: 10/10
Tags: family:vipkeylogger collection discovery evasion keylogger persistence stealer
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Browser Information Discovery
Enumerates physical storage devices
Program crash
System Location Discovery: System Language Discovery
Drops file in Windows directory
AutoIT Executable
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Adds Run key to start application
Looks up external IP address via web service
Executes dropped EXE
Loads dropped DLL
Boot or Logon Autostart Execution: Active Setup
Modifies WinLogon for persistence
Modifies visibility of hidden/system files in Explorer
VIPKeylogger
Vipkeylogger family
Verdict: Suspicious
Tags: trojan
YARA: Windows_Generic_Threat_2bb7fbe3
Unpacked files
SHA256 hash: 6ee7e918082bf9a5e7c027a507ef691fd1607c747568d38772e359c0126cb1b6
MD5 hash: 73218bc62bb175ed004738dc983106be
SHA1 hash: 2cc7aed0a51b2f7de93dc827ab20042d78373601
Detections: win_404keylogger_g1 INDICATOR_SUSPICIOUS_EXE_TelegramChatBot MAL_Envrial_Jan18_1 INDICATOR_SUSPICIOUS_Binary_References_Browsers INDICATOR_SUSPICIOUS_EXE_DotNetProcHook INDICATOR_SUSPICIOUS_EXE_References_Messaging_Clients
SHA256 hash: 93cc2f136468628ba9151c59f99905bc0ec97fcb995934e1ac1952157643a98e
MD5 hash: 3bc25d2ea6480707a1694ef0238c87f5
SHA1 hash: bca4ece4710718abcb3930431dbcc0b5d2d4d01c
Detections: AutoIT_Compiled
SHA256 hash: 72292a987383f0079a0a846bae4ee6345f008f991a50f5f6d7fed2cad91339ad
MD5 hash: e9698d7f3a85335c8610cde2fecc54e8
SHA1 hash: fbc277222d6971e42acaf87975b7b565b9b63a9e
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: AutoIt
Author: Jean-Philippe Teissier / @Jipe_
Description: AutoIT packer
Rule name: AutoIT_Compiled
Author: @bartblaze
Description: Identifies compiled AutoIT script (as EXE). This rule by itself does NOT necessarily mean the detected file is malicious.
Rule name: DebuggerCheck__API
Reference: https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name: MD5_Constants
Author: phoul (@phoul)
Description: Look for MD5 constants
Rule name: ProtectSharewareV11eCompservCMS
Author: malware-lu
Rule name: SEH__vba
Reference: https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name: SUSP_Imphash_Mar23_2
Author: Arnim Rupp (https://github.com/ruppde)
Description: Detects imphash often found in malware samples (Zero hits with search for 'imphash:x p:0' on Virustotal)
Reference: Internal Research
Rule name: Windows_Generic_Threat_2bb7fbe3
Author: Elastic Security

File information


The table below shows additional information about this malware sample such as delivery method and external references.

BLint


The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
CHECK_AUTHENTICODE: Missing Authenticode (severity: high)
CHECK_NX: Missing Non-Executable Memory Protection (severity: critical)
CHECK_PIE: Missing Position-Independent Executable (PIE) Protection (severity: high)
Reviews
VB_API: Legacy Visual Basic API used; evidence: MSVBVM60.DLL::__vbaCopyBytes, MSVBVM60.DLL::__vbaSetSystemError, MSVBVM60.DLL::__vbaExitProc, MSVBVM60.DLL::__vbaObjSetAddref, MSVBVM60.DLL::EVENT_SINK_AddRef, MSVBVM60.DLL::__vbaFileOpen

Comments