MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 09590e393fa08d0c6f99e9f5df1235c700e53f48f0c0941ed1a4a5e4035a5624. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

SnakeKeylogger

Vendor detections: 8

Intelligence 8 IOCs YARA File information Comments

SHA256 hash:	09590e393fa08d0c6f99e9f5df1235c700e53f48f0c0941ed1a4a5e4035a5624
SHA3-384 hash:	e6d6255ac136f229f0d6880f896cf09cb9f78cc901d86aa06dd4093c7207c73a5848c4aad38f224757432c9c9a73800f
SHA1 hash:	c0c7b91b4206c079aa2c5f0111a26b82018b7558
MD5 hash:	9375215f31c650820c9697a6a358746f
humanhash:	lima-stream-cola-carbon
File name:	New_ Order.exe
Download:	download sample
Signature	SnakeKeylogger Create hunting rule
File size:	807'936 bytes
First seen:	2021-02-24 06:31:10 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'744 x AgentTesla, 19'609 x Formbook, 12'242 x SnakeKeylogger)
ssdeep	12288:0xw/9umjhMtvM3TSZ8dD4FcHm9XWtWhcS/h/jPmCDTkuNpfxKJcuduuFxhSGe:1h5TSZ8dD4FcHm9tj7llxfu5iGe
Threatray	11 similar samples on MalwareBazaar
TLSH	3205AE2432885B6DF47EBB3A6105180FA3F6BA47D719CACBBCC541CF5C26E848795B12
Reporter	abuse_ch
Tags:	exe SnakeKeylogger

abuse_ch

Malspam distributing SnakeKeylogger:

HELO: sandvik.com
Sending IP: 193.142.59.131
From: Info<info@sandvik.com>
Subject: PURCHASE ORDER
Attachment: New_ Order.img (contains "New_ Order.exe")

Intelligence

File Origin

# of uploads :

# of downloads :

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

New_ Order.exe

Verdict:

Malicious activity

Analysis date:

2021-02-24 06:38:23 UTC

Tags:

evasion trojan

Link:

https://app.any.run/tasks/08bfd489-26f3-41a3-88f2-93c9c3c52d91

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

Snake

Link:

https://www.capesandbox.com/analysis/118801/

Result

Verdict:

Clean

Maliciousness:

Behaviour

DNS request

Sending a UDP request

Creating a window

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Result

Threat name:

Snake Keylogger

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/616506

Signature

.NET source code contains potential unpacker

.NET source code contains very large strings

Found malware configuration

Initial sample is a PE file and has a suspicious name

Injects a PE file into a foreign processes

May check the online IP address of the machine

Multi AV Scanner detection for submitted file

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to steal Mail credentials (via file access)

Yara detected AntiVM_3

Yara detected Beds Obfuscator

Yara detected Snake Keylogger

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/09590e393fa08d0c6f99e9f5df1235c700e53f48f0c0941ed1a4a5e4035a5624/

Threat name:

Win32.Trojan.AgentTesla

Status:

Malicious

First seen:

2021-02-24 06:32:11 UTC

AV detection:

17 of 47 (36.17%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=bfmq4oj7ucgqy34z5h256ervy4aokp2i6dajihwruss6ia22kysa._file

Verdict:

unknown

SnakeKeylogger

1c20cd63f9cd5546ea34171525e5410d5b00b4dec1431f6d3025a872a613ad60

SnakeKeylogger

6e027a958577efeae259befdc9aabf5656088885342e896673d005e748367743

SnakeKeylogger

98a53af9d196562466ac85faa2c1c4c62d4646f9c3e1040df4396e08adbe3a1f

SnakeKeylogger

ae1bb452d80ac991a91861b13755c4f5c13b006c714cddcc5e03ae7263092e01

SnakeKeylogger

bc88c73fda9a2ef51f979d2368a1039a04a0ce8199dc46b9f992a9ffacf58d8c

SnakeKeylogger

c8c864915e84ba7ec98eed5ed70893bcb5b328e59751694595a71b303ea587aa

SnakeKeylogger

cd92e28557e13a857a9166209afd4f5e64f477e25a4189904f54063b69847013

SnakeKeylogger

e16e2748ad4a210f438886c9a564feb8e43e3f1396446fbcdda1512a648955d0

SnakeKeylogger

fc3b3ec5757f584d1fe42cbba44a0cc2f70e11f02811a074b05003230e8cb657

SnakeKeylogger

+ 1 additional samples on MalwareBazaar

Result

Malware family:

snakekeylogger

Score:

10/10

Tags:

family:snakekeylogger keylogger spyware stealer

Link:

https://tria.ge/reports/210224-z4zm8lpxyj/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Suspicious use of SetThreadContext

Looks up external IP address via web service

Reads data files stored by FTP clients

Reads user/profile data of local email clients

Reads user/profile data of web browsers

Snake Keylogger

Snake Keylogger Payload

Unpacked files

SH256 hash:

e624003658c4f8b349f567c82229fd15d1e63d3d20fe6f7b4388403038cd2a44

MD5 hash:

b6ce7c1d81b9271eab825ea63de154c3

SHA1 hash:

0e7b89555314f8908c1098b652c9bf50e5ecc27b

Link:

https://www.unpac.me/results/575ab459-b7f4-4a1c-a172-20e57f0b2d05/

SH256 hash:

09590e393fa08d0c6f99e9f5df1235c700e53f48f0c0941ed1a4a5e4035a5624

MD5 hash:

9375215f31c650820c9697a6a358746f

SHA1 hash:

c0c7b91b4206c079aa2c5f0111a26b82018b7558

Link:

https://www.unpac.me/results/575ab459-b7f4-4a1c-a172-20e57f0b2d05/

Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

SnakeKeylogger

img 2ce04bb82d0e8bcc2c98fd6d1dc6ce55a01abf4a1276e3a887a6d066ab349a9e

SnakeKeylogger

exe 09590e393fa08d0c6f99e9f5df1235c700e53f48f0c0941ed1a4a5e4035a5624

(this sample)

Dropped by

MD5 3056d329b825acbcf827e0c5964961b1

Delivery method

Distributed via e-mail attachment

Dropped by

SHA256 2ce04bb82d0e8bcc2c98fd6d1dc6ce55a01abf4a1276e3a887a6d066ab349a9e

Cape

https://www.capesandbox.com/analysis/118801/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample