MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 00ea5bf66857a669971686b5fdc1ea0cae6395d10b9e4c449aa1f5306273659b. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


SnakeKeylogger


Vendor detections: 7


Intelligence 7 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 00ea5bf66857a669971686b5fdc1ea0cae6395d10b9e4c449aa1f5306273659b
SHA3-384 hash: 49be3913e19dd89158c2b07ff55d6a8cb9257c9dc81e981d8fb8d7353c6c0537a0b5ebc74df8381f208ab1f9cea777d0
SHA1 hash: ad59e1e80d448f841cd0d117a27bc14e95442101
MD5 hash: 13a65234aedb8b8b2c40c91c429d473d
humanhash: quiet-item-berlin-bakerloo
File name:purchase order.exe
Download: download sample
Signature SnakeKeylogger
Create hunting rule
File size:567'808 bytes
First seen:2021-02-23 07:00:53 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'742 x AgentTesla, 19'607 x Formbook, 12'242 x SnakeKeylogger)
ssdeep 12288:xSdP4f2k2cRvqGpCoaIiHXzfirqjqEMMg9Sdn6zzIetpW:m4X2cAUBaLHXzcMXp6nX6
Threatray 44 similar samples on MalwareBazaar
TLSH 15C4CF30168CAB0EE03EBB795120120F47F1A656D727E68FBDE541DB7D92F404B72A62
Reporter abuse_ch
Tags:exe SnakeKeylogger


Avatar
abuse_ch
Malspam distributing SnakeKeylogger:

HELO: vps.tecp0s.com
Sending IP: 203.159.80.121
From: office1@tecp0s.com
Subject: PURCHASE ORDER
Attachment: purchase order.gz (contains "purchase order.exe")

Intelligence

File Origin
# of uploads :
1
# of downloads :
83
Origin country :
n/a
Vendor Threat Intelligence
Detection:
Snake
Create hunting rule
Link:
https://www.capesandbox.com/analysis/118467/
Result
Verdict:
Clean
Maliciousness:

Behaviour
Creating a window
Sending a UDP request
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
Snake Keylogger
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/614875
Signature
.NET source code contains potential unpacker
.NET source code contains very large strings
Found malware configuration
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Machine Learning detection for sample
May check the online IP address of the machine
Multi AV Scanner detection for submitted file
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file access)
Yara detected AntiVM_3
Yara detected Beds Obfuscator
Yara detected Snake Keylogger
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/00ea5bf66857a669971686b5fdc1ea0cae6395d10b9e4c449aa1f5306273659b/
Threat name:
Win32.Trojan.Wacatac
Create hunting rule
Status:
Malicious
First seen:
2021-02-23 03:03:16 UTC
AV detection:
8 of 47 (17.02%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=advfx5tik6tgtfywq2273qpkbsxghforbopeyre2uh2tayttmwnq._file
Verdict:
unknown
Similar samples:
07dda01539775e2875eb4f74f9b9a5b0452706f68ba536b102c102adacb5f514
SnakeKeylogger
41cda64e265a121f8e57506fc5b51466e431786304e15216b567e01374522a25
SnakeKeylogger
58e859630e2c6bf67159e3749ab71038fcbcfb32ba0bbf3162d58a7fac6311eb
SnakeKeylogger
5d5d64a87a5d888443e8d7a25046922fa4a39fe5952a45635dd66321e616bb14
SnakeKeylogger
80622d6bf536ca1e21f411864d3c4af7f4ebded98ea3aeeb6c99b964b247e3ca
SnakeKeylogger
860203ed69fb482c0d80e484e302612a13ec876f1a591ccce9ef7f6371fef197
SnakeKeylogger
95d7e599e9a76497dd73084440554dfcf4a94974d49e88c43f23611d4bce5d12
SnakeKeylogger
c024e649afaafd4d1a1ebc2c5a2c457eecd2b5994c2b78e32312eb5289b5c093
SnakeKeylogger
cb145909667bd181409f1e14b6b2fd00ec9f8894ffaba82bd2b1888065e6a22a
SnakeKeylogger
d96042b51f171f68a99d4568f311f267fe595df0add3851e162cbcee7f897edb
SnakeKeylogger
+ 34 additional samples on MalwareBazaar
Result
Malware family:
snakekeylogger
Create hunting rule
Score:
  10/10
Tags:
family:snakekeylogger keylogger spyware stealer
Link:
https://tria.ge/reports/210223-11t9wsq2z2/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Looks up external IP address via web service
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Snake Keylogger
Snake Keylogger Payload
Unpacked files
SH256 hash:
e624003658c4f8b349f567c82229fd15d1e63d3d20fe6f7b4388403038cd2a44
MD5 hash:
b6ce7c1d81b9271eab825ea63de154c3
SHA1 hash:
0e7b89555314f8908c1098b652c9bf50e5ecc27b
Link:
https://www.unpac.me/results/078c47e4-6c31-4aee-946c-bfbd39d1b135/
SH256 hash:
00ea5bf66857a669971686b5fdc1ea0cae6395d10b9e4c449aa1f5306273659b
MD5 hash:
13a65234aedb8b8b2c40c91c429d473d
SHA1 hash:
ad59e1e80d448f841cd0d117a27bc14e95442101
Link:
https://www.unpac.me/results/078c47e4-6c31-4aee-946c-bfbd39d1b135/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.35
Link:
https://yomi.yoroi.company/submissions/00ea5bf66857a669971686b5fdc1ea0cae6395d10b9e4c449aa1f5306273659b

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

SnakeKeylogger

gz 7da72b59e3fc2e372568fedc6946d4c251cc15b209acc9f7d4f24b7633bfc9d9

SnakeKeylogger

Executable exe 00ea5bf66857a669971686b5fdc1ea0cae6395d10b9e4c449aa1f5306273659b

(this sample)

  
Dropped by
MD5 aacf32c8322e963f80ad28ac57d51aa8
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/118467/
  
Dropped by
SHA256 7da72b59e3fc2e372568fedc6946d4c251cc15b209acc9f7d4f24b7633bfc9d9

Comments