MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 92244ef8477d782361d87f7571458bccf8de2af4cccfd738bde234d91216fbe3. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

SnakeKeylogger

Vendor detections: 10

Intelligence 10 File information Yara 4 Comments

SHA256 hash:	92244ef8477d782361d87f7571458bccf8de2af4cccfd738bde234d91216fbe3
SHA3-384 hash:	39cd5604bdb14196754ee416b039ac5df8ea85d23084e18ad1d51a6e937b526cee4d5bb97103dde67cb648f40c1fa30c
SHA1 hash:	7e027a9fadf5f4d9c1bb65c68db34cc5318353b0
MD5 hash:	e47851c94fdefd958cfe16af2af3661a
humanhash:	idaho-saturn-berlin-pennsylvania
File name:	(appproved)WJO-TT180,pdf.exe
Download:	download sample
Signature	SnakeKeylogger Create hunting rule
File size:	831'488 bytes
First seen:	2021-02-23 06:57:47 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744
ssdeep	12288:MzPTExm6YzF0k8Ljz3WZcuZ+JLbvs2zlyAKp:M+gR0k8L/WiouzzlWp
Threatray	17 similar samples on MalwareBazaar
TLSH	6C055B1062F88645F1FA2BB0ACBFDE702B713C8AA879D25D2AC136DF29717408565737
Reporter	@abuse_ch
Tags:	exe SnakeKeylogger

@abuse_ch

Malspam distributing SnakeKeylogger:

HELO: cloudhost-2248786.us-midwest-1.nxcli.net
Sending IP: 8.36.41.62
From: Nguyen Thi Loan <loannt1@imecovn.com.vn>
Subject: 新订单_WJO-TT180
Attachment: appprovedWJO-TT180,pdf.iso (contains "(appproved)WJO-TT180,pdf.exe")

Intelligence

File Origin

# of uploads :

# of downloads :

Origin country :

Mail intelligence

Geo location:

Global

Volume:

Low

Vendor Threat Intelligence

Detection:

Snake

Link:

https://www.capesandbox.com/analysis/118458/

Result

Verdict:

Malware

Maliciousness:

Result

Verdict:

MALICIOUS

Link:

https://labs.inquest.net/dfi/sha256/92244ef8477d782361d87f7571458bccf8de2af4cccfd738bde234d91216fbe3

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Result

Threat name:

Snake Keylogger

Detection:

malicious

Classification:

troj.spyw.evad

Score:

84 / 100

Link:

https://www.joesandbox.com/analysis/614895

Signature

Found malware configuration

Injects a PE file into a foreign processes

May check the online IP address of the machine

Multi AV Scanner detection for submitted file

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Mail credentials (via file access)

Yara detected Beds Obfuscator

Yara detected Snake Keylogger

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/92244ef8477d782361d87f7571458bccf8de2af4cccfd738bde234d91216fbe3/

Threat name:

ByteCode-MSIL.Packed.Generic

Status:

Suspicious

First seen:

2021-02-23 01:52:57 UTC

AV detection:

6 of 47 (12.77%)

Threat level

1/5

Detection(s):

Malicious file

Link:

https://www.spamhaus.org/query/hash/sise56chpv4cgyoyp52xcrmlzt4n4kxuzth5oof54i2nseqw7prq._file

Verdict:

unknown

SnakeKeylogger

019dce879f64d1a5a23de8ae1d0eac08200954b26665232507187e7f524b4f24

SnakeKeylogger

01c5ac824171a164473d92187f8031f2bc7103397fe534f56771d8e9589445e0

SnakeKeylogger

6131d15e138a07ea92924656ba389ef9ad1001ec1ca144be9e7f335b46b1ae9f

SnakeKeylogger

81a55c090e393d16206c84927988831ce4165f36b632b385ebaacd2c7fde4bf9

SnakeKeylogger

8cbda95915fcb9696e4e221cdb72f9dc9175af27e348f05bede3f988aee9070c

SnakeKeylogger

99d9179d5cc5b01e6443fa02575432f1b3b61a78bd32b608e315ca856c17cc32

SnakeKeylogger

9f7dc89d5a1d5ab9026a61f873ee9ed0b6cc7a1e51c192f96c06c192eb6ed8ff

SnakeKeylogger

b40e22d33523ae869ba4a9a9159d37d61ec056fc14dc3db7406d79620b801816

SnakeKeylogger

bd73ad131c83be14fbbd0a852f0410189da8cfa043a84f343acb2f3f3ed07458

SnakeKeylogger

+ 7 additional samples on MalwareBazaar

Result

Malware family:

snakekeylogger

Score:

10/10

Tags:

family:snakekeylogger keylogger spyware stealer

Link:

https://tria.ge/reports/210223-nb3ctb5w42/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Suspicious use of SetThreadContext

Looks up external IP address via web service

Reads user/profile data of local email clients

Reads user/profile data of web browsers

Snake Keylogger

Snake Keylogger Payload

Unpacked files

SH256 hash:

9a49d633e3e56335efbec99df11c017f825141c31bb08bb8c20264696d2654cc

MD5 hash:

3b680d521bc85534bd9344326c0c3e33

SHA1 hash:

54a502c280ae60b0c229bcbefbc99b5acf3b2e43

Link:

https://www.unpac.me/results/335ba2cb-9f5b-4699-ad4b-82c238e8a557/

SH256 hash:

cc4cc67bdd765c714649e152f1f3d5ca47ae7b7e749b73fa36989edf28ac4d38

MD5 hash:

f468d6902b88d59785b1840486ad37f3

SHA1 hash:

520cf119b5c71bb5ce4360b9893bc06dac646fb9

Link:

https://www.unpac.me/results/335ba2cb-9f5b-4699-ad4b-82c238e8a557/

SH256 hash:

f0a09c48af16c079c37ad0914f18897976357981fe5ee6f556ab9f9f70b9a671

MD5 hash:

f984a71581f6da5732110be2a569a392

SHA1 hash:

10de05b6b35fc5dbc00c42d59a4b850bcaae01e6

Link:

https://www.unpac.me/results/335ba2cb-9f5b-4699-ad4b-82c238e8a557/

SH256 hash:

92244ef8477d782361d87f7571458bccf8de2af4cccfd738bde234d91216fbe3

MD5 hash:

e47851c94fdefd958cfe16af2af3661a

SHA1 hash:

7e027a9fadf5f4d9c1bb65c68db34cc5318353b0

Link:

https://www.unpac.me/results/335ba2cb-9f5b-4699-ad4b-82c238e8a557/

AV coverage:

18.31%

AV detections:

13 / 71

Link:

https://www.virustotal.com/gui/file/92244ef8477d782361d87f7571458bccf8de2af4cccfd738bde234d91216fbe3/detection/f-92244ef8477d782361d87f7571458bccf8de2af4cccfd738bde234d91216fbe3-1614060063

Threat name:

Kryptik

Score:

1.00

Yara Signatures

Rule name:	INDICATOR_EXE_Packed_ConfuserExMod_BedsProtector Create hunting rule
Author:	ditekSHen
Description:	Detects executables packed with ConfuserEx Mod Beds Protector

Rule name:	Keylog_bin_mem Create hunting rule
Author:	James_inthe_box
Description:	Contains Keylog

Rule name:	MALWARE_Win_SnakeKeylogger Create hunting rule
Author:	ditekSHen
Description:	Detects Snake Keylogger

Rule name:	RSharedStrings Create hunting rule
Author:	Katie Kleemola
Description:	identifiers for remote and gmremote

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

SnakeKeylogger

iso 54b5ef609a4ae9539404f24c1279f4108d867e5db9af231c79e2fbae5ad4db87

SnakeKeylogger

exe 92244ef8477d782361d87f7571458bccf8de2af4cccfd738bde234d91216fbe3

(this sample)

Dropped by

MD5 02969d006c3f0735e1af5ec228e41506

Delivery method

Distributed via e-mail attachment

Cape

https://www.capesandbox.com/analysis/118458/

Dropped by

SHA256 54b5ef609a4ae9539404f24c1279f4108d867e5db9af231c79e2fbae5ad4db87

Comments

Login required

You need to login to in order to write a comment. Login with your Twitter account.

No comments found for this malware sample