MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 12f55950dc52aa9e607fcc04d3d2d2a58689a7ad8c1adbf58d04ac0c452ed5c0. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


SnakeKeylogger


Vendor detections: 10


Intelligence 10 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 12f55950dc52aa9e607fcc04d3d2d2a58689a7ad8c1adbf58d04ac0c452ed5c0
SHA3-384 hash: c50661a7c59ce6502a7cb9ae91c410371b435fe3ce701eb40d15a2e9932e53fd5fe5fe7788de56f12fb286bff17312e7
SHA1 hash: 86249a0d6ffafbf73a1339909f44f851c962ff85
MD5 hash: 26ed080def875b35da216620b549fcfa
humanhash: glucose-october-rugby-grey
File name:Revised Invoice.exe
Download: download sample
Signature SnakeKeylogger
Create hunting rule
File size:596'480 bytes
First seen:2021-02-02 07:47:37 UTC
Last seen:2021-02-02 09:31:21 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'663 x AgentTesla, 19'478 x Formbook, 12'208 x SnakeKeylogger)
ssdeep 6144:DqeuO2yTKI5/DX85JopCaAzuunDJtfGHIJbk49Hocz4HC4EJk3P4GR2D:Dq+eI5/DM5Jjpu8DXfRJ40oucC4T4D
Threatray 7 similar samples on MalwareBazaar
TLSH 16C4BE34868CCE23D4282BF64A562B5E17F3C1959041D72E42D996FA1CA23ED95E03FF
Reporter abuse_ch
Tags:exe SnakeKeylogger


Avatar
abuse_ch
Malspam distributing unidentified malware:

HELO: rim-tele.com
Sending IP: 188.128.84.2
From: <anup.khamkar@ultramaxit.com>
Subject: RE: REVISED INVOICE.
Attachment: Revised Invoice.r00 (contains "Revised Invoice.exe")

Intelligence

File Origin
# of uploads :
2
# of downloads :
106
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
Revised Invoice.exe
Verdict:
Suspicious activity
Analysis date:
2021-02-02 07:56:42 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/33961d4c-12fa-46b1-ad82-5052610f6fb0

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Snake
Create hunting rule
Link:
https://www.capesandbox.com/analysis/115072/
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Launching a process
DNS request
Creating a file
Sending an HTTP GET request
Sending a custom TCP request
Reading critical registry keys
Sending a UDP request
Unauthorized injection to a system process
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
Snake Keylogger
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
88 / 100
Link:
https://www.joesandbox.com/analysis/596233
Signature
Allocates memory in foreign processes
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Machine Learning detection for sample
May check the online IP address of the machine
Multi AV Scanner detection for submitted file
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file access)
Writes to foreign memory regions
Yara detected Snake Keylogger
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/12f55950dc52aa9e607fcc04d3d2d2a58689a7ad8c1adbf58d04ac0c452ed5c0/
Threat name:
Win32.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2021-02-02 07:48:14 UTC
File Type:
PE (.Net Exe)
Extracted files:
5
AV detection:
18 of 46 (39.13%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=cl2vsug4kkvj4yd7zqcnhuwsuwditj5nrqnnx5mnaswayrjo2xaa._file
Verdict:
unknown
Similar samples:
0c3d1e60a1f6caa8bc2c84704ccf93ff2096891b6b5693952f5417c5aa577ee1
SnakeKeylogger
1dd86f0bc8a9e1a5a7286cc1503b0713f3a44ff4050265da57d5ad8a26f9f46f
SnakeKeylogger
a8aad152f516add6a277e2634baa324b105a90c3b02935aa2fa11ea4f0c4667e
SnakeKeylogger
d79ff402299dcf2d71c104beb763f0e3893eb857622cc07d8969aa08541950f9
SnakeKeylogger
edb743711a79b22830152304a71da9c88c4803ceb7081d88f326173857287bb7
SnakeKeylogger
ee2d3399e07c48849e8df4415f583db278466f880353b26a5e66b03f99185af6
SnakeKeylogger
ef715cd322f0a805a68840b215c062f2e254977170a11c6800d836eac781fabb
SnakeKeylogger
Result
Malware family:
snakekeylogger
Create hunting rule
Score:
  10/10
Tags:
family:snakekeylogger keylogger stealer
Link:
https://tria.ge/reports/210202-ljmpgk9are/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Looks up external IP address via web service
Beds Protector Packer
Snake Keylogger
Snake Keylogger Payload
Unpacked files
SH256 hash:
97024f17003dd3d31dab64c4d1b8251e50d428644eb59ed3692ad79ce42019cf
MD5 hash:
8cd28be4bd9a1404c6d3600db32b3ed1
SHA1 hash:
fb90b0ca51118e771390d58b19d0a404ee14cfbc
Link:
https://www.unpac.me/results/76d789f4-0f83-4f22-abb7-e145b53ae247/
SH256 hash:
933ac417cbd6cfde7f1adba2d6732df2fff9d943ca8afb7b6e4c6cdb18acceba
MD5 hash:
36e8fb9f80c77b3efb7813a44578cfee
SHA1 hash:
f796e91877e39b2ac476bad5b5b268ba4dbd0db9
Link:
https://www.unpac.me/results/76d789f4-0f83-4f22-abb7-e145b53ae247/
SH256 hash:
48d9a535fa1731c32824032cbcc727d9126f1c05495e20df0deab595fc4d80b8
MD5 hash:
bb1944dc9121c3b29350e1394f09d036
SHA1 hash:
696f2876c91a423726adadd6641e672f12296b9b
Link:
https://www.unpac.me/results/76d789f4-0f83-4f22-abb7-e145b53ae247/
SH256 hash:
12f55950dc52aa9e607fcc04d3d2d2a58689a7ad8c1adbf58d04ac0c452ed5c0
MD5 hash:
26ed080def875b35da216620b549fcfa
SHA1 hash:
86249a0d6ffafbf73a1339909f44f851c962ff85
Link:
https://www.unpac.me/results/76d789f4-0f83-4f22-abb7-e145b53ae247/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/12f55950dc52aa9e607fcc04d3d2d2a58689a7ad8c1adbf58d04ac0c452ed5c0

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_EXE_Packed_ConfuserExMod_BedsProtector
Create hunting rule
Author:ditekSHen
Description:Detects executables packed with ConfuserEx Mod Beds Protector
Rule name:Keylog_bin_mem
Create hunting rule
Author:James_inthe_box
Description:Contains Keylog
Rule name:MALWARE_Win_SnakeKeylogger
Create hunting rule
Author:ditekSHen
Description:Detects Snake Keylogger

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

SnakeKeylogger

r00 cf2c67175d6565dbaa0ac5d801fc31f483bedf7df310b5d356fde745f6941d67

SnakeKeylogger

Executable exe 12f55950dc52aa9e607fcc04d3d2d2a58689a7ad8c1adbf58d04ac0c452ed5c0

(this sample)

  
Dropped by
MD5 a5e3c689d7ea4deed87a6a3a35425c31
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/115072/
  
Dropped by
SHA256 cf2c67175d6565dbaa0ac5d801fc31f483bedf7df310b5d356fde745f6941d67

Comments