MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 0299ed3db28516997c3a162def5ee464a25485241b4eb8cf2a0d3f21fd498f72. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 8


Intelligence 8 IOCs YARA 4 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 0299ed3db28516997c3a162def5ee464a25485241b4eb8cf2a0d3f21fd498f72
SHA3-384 hash: 60bc2adedb70399650533baf7e80b24861e3a90f709be1474eff9c2bdffaa611d9e1c70e8205d133e2b64f765b596147
SHA1 hash: ee9d604c54a4450a6bfa071a2f23aaae5114e680
MD5 hash: a4326b69873c799207e4c9d30c2ed3ac
humanhash: whiskey-four-lake-kentucky
File name:SecuriteInfo.com.Variant.Bulz.440290.18036.1686
Download: download sample
File size:251'392 bytes
First seen:2021-04-20 13:01:31 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 6144:EkleFpw2X0T1bOB9fLbk72DqZjDYSMRZqVH668MQ:1EjXKiVbk7wqZjDYB/qVH668
Threatray 17 similar samples on MalwareBazaar
TLSH E23401042555C270DA22C470E8A1617182B06D1FAA66CB8ED94D7F3F793A39DFC2127E
Reporter SecuriteInfoCom

Intelligence

File Origin
# of uploads :
1
# of downloads :
100
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
Purchase Order From Hanon systems Ltd.doc
Verdict:
Malicious activity
Analysis date:
2021-04-19 10:54:23 UTC
Tags:
ole-embedded exploit CVE-2017-11882 loader evasion trojan snakekeylogger keylogger
Link:
https://app.any.run/tasks/06d8dc03-5353-4d61-a5f7-6d827b739cc8

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Snake
Create hunting rule
Link:
https://www.capesandbox.com/analysis/139658/
Detection(s):
SecuriteInfo.com.Variant.Bulz.440290.18036.1686.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
DNS request
Sending a custom TCP request
Sending a UDP request
Creating a file
Creating a file in the %temp% directory
Creating a process from a recently created file
Sending an HTTP GET request
Unauthorized injection to a recently created process
Unauthorized injection to a recently created process by context flags manipulation
Enabling autorun
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
Snake Keylogger
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/689108
Signature
Allocates memory in foreign processes
Creates an undocumented autostart registry key
Found malware configuration
Injects a PE file into a foreign processes
May check the online IP address of the machine
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Mail credentials (via file access)
Writes to foreign memory regions
Yara detected Beds Obfuscator
Yara detected Costura Assembly Loader
Yara detected MultiObfuscated
Yara detected Snake Keylogger
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 393497 Sample: SecuriteInfo.com.Variant.Bu... Startdate: 20/04/2021 Architecture: WINDOWS Score: 100 39 Found malware configuration 2->39 41 Multi AV Scanner detection for dropped file 2->41 43 Multi AV Scanner detection for submitted file 2->43 45 5 other signatures 2->45 6 SecuriteInfo.com.Variant.Bulz.440290.18036.exe 16 7 2->6         started        process3 dnsIp4 29 www.yoursite.com 172.67.133.191, 443, 49710, 49712 CLOUDFLARENETUS United States 6->29 31 yoursite.com 6->31 21 SecuriteInfo.com.V...lz.440290.18036.exe, PE32 6->21 dropped 23 C:\Users\user\AppData\Local\.notepad.exe, PE32 6->23 dropped 25 SecuriteInfo.com.V...exe:Zone.Identifier, ASCII 6->25 dropped 27 SecuriteInfo.com.V...40290.18036.exe.log, ASCII 6->27 dropped 47 Creates an undocumented autostart registry key 6->47 49 Writes to foreign memory regions 6->49 51 Allocates memory in foreign processes 6->51 53 Injects a PE file into a foreign processes 6->53 11 SecuriteInfo.com.Variant.Bulz.440290.18036.exe 2 6->11         started        15 SecuriteInfo.com.Variant.Bulz.440290.18036.exe 6->15         started        17 SecuriteInfo.com.Variant.Bulz.440290.18036.exe 6->17         started        19 2 other processes 6->19 file5 signatures6 process7 dnsIp8 33 checkip.dyndns.org 11->33 35 checkip.dyndns.com 216.146.43.70, 49737, 49738, 49748 DYNDNSUS United States 11->35 37 2 other IPs or domains 11->37 55 Tries to steal Mail credentials (via file access) 11->55 57 Tries to harvest and steal ftp login credentials 11->57 59 Tries to harvest and steal browser information (history, passwords, etc) 11->59 61 Multi AV Scanner detection for dropped file 15->61 63 May check the online IP address of the machine 15->63 signatures9
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/0299ed3db28516997c3a162def5ee464a25485241b4eb8cf2a0d3f21fd498f72/
Gathering data
Verdict:
unknown
Similar samples:
029626fb22c7446fc6f2abd2551252a08507c68fd035d41694e2c77b6e868698
197ed80f0364dd0571eddbde8fb859b36c91771a1ff0f12ca69aa8a4503781d6
3b019e395d076e03b3b4a2d9468d3acb36df69115e059119194fbd8dd6d1dd6b
3f0fa5c8ebb2640afc948bfd5c8bb0ba644222b3bc15c095085d718843d59915
78baec19444d923fde30977dacb85fada9247b9e3ae150f32a1137e7fc0b8dfb
82a4d8eb8b002755e42621fe0a3370f7356c1116c4e6d977e4b853bcff32898b
9c6abdf1e5ff719e261ea153555b981cd907ba5f79f50943d679d59967eba445
a77a3638d5c7d0c986f01af3db3f8e92b0acb6c8311c9c20bcca49658c09c975
b87b28a8f83442cb616dd3da7e520617a8b57280ca0098fb3721d6142978cc5f
e9573722d616d444c71e82f1ac6973921f3c942af4403760e0292b3ebf9159b0
+ 7 additional samples on MalwareBazaar
Result
Malware family:
snakekeylogger
Create hunting rule
Score:
  10/10
Tags:
family:snakekeylogger keylogger persistence spyware stealer
Link:
https://tria.ge/reports/210420-krgar9s4ts/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Looks up external IP address via web service
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Modifies WinLogon for persistence
Snake Keylogger
Snake Keylogger Payload
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Gamarue
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/0299ed3db28516997c3a162def5ee464a25485241b4eb8cf2a0d3f21fd498f72

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_EXE_Packed_ConfuserExMod_BedsProtector
Create hunting rule
Author:ditekSHen
Description:Detects executables packed with ConfuserEx Mod Beds Protector
Rule name:INDICATOR_SUSPICIOUS_Stomped_PECompilation_Timestamp_InTheFu
Create hunting rule
Author:ditekSHen
Description:Detect executables with stomped PE compilation timestamp that is greater than local current time
Rule name:Keylog_bin_mem
Create hunting rule
Author:James_inthe_box
Description:Contains Keylog
Rule name:MALWARE_Win_SnakeKeylogger
Create hunting rule
Author:ditekSHen
Description:Detects Snake Keylogger

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Executable exe 0299ed3db28516997c3a162def5ee464a25485241b4eb8cf2a0d3f21fd498f72

(this sample)

Cape
Cape
https://www.capesandbox.com/analysis/139658/
  
URLhaus
https://urlhaus.abuse.ch/url/1143669/
  
Delivery method
Distributed via web download

Comments