MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 241e1365a1167e6e5ca9d489cad6867fb44196d60473f679888a0a3cfbb93a35. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

SnakeKeylogger

Vendor detections: 10

Intelligence 10 IOCs YARA 13 File information Comments

SHA256 hash:	241e1365a1167e6e5ca9d489cad6867fb44196d60473f679888a0a3cfbb93a35
SHA3-384 hash:	88aa855fab1acc42a220f718ffe607a3b58bfd46d598c559fbacf85c027da2829cdc9b1040605d7a082035d63636070d
SHA1 hash:	f0e6fe9ae846bb7769437bb079e1f467c4e84921
MD5 hash:	9165274d1fe53a3529567d7edfc0579c
humanhash:	venus-fourteen-fourteen-lima
File name:	SWIFT COPY.zip
Download:	download sample
Signature	SnakeKeylogger Create hunting rule
File size:	910'554 bytes
First seen:	2024-09-24 11:31:14 UTC
Last seen:	2024-09-24 13:05:33 UTC
File type:	zip
MIME type:	application/zip
ssdeep	24576:nt7Y8R39qYXC6ruzW1I7N4GtqWx3XpxxZ:nt7Y89qYXC6ruzWaNqenpxxZ
TLSH	T1EB15332995BCADCF55EAB50533A4E2D0603FE378663BDBB42D5AF126F59C361982300C
Magika	zip
Reporter	cocaman
Tags:	payment SnakeKeylogger SWIFT zip

cocaman

Malicious email (T1566.001)
From: "Asem Al Natour <office@kalderae.com>" (likely spoofed)
Received: "from aosoc-esp.com (unknown [185.81.114.250]) "
Date: "Tue, 24 Sep 2024 13:16:50 +0100"
Subject: "RE: RE: USD PAYMENT"
Attachment: "SWIFT COPY.zip"

Intelligence

File Origin

# of uploads :

# of downloads :

380

Origin country :

File Archive Information

This file archive contains 1 file(s), sorted by their relevance:

File name:	SWIFT COPY.exe
File size:	1'272'221 bytes
SHA256 hash:	b265a1d4698c08fe197c6cfed56a7a23adae05fdd25a4917ff5354e537f698d9
MD5 hash:	d138e7f7d5e29f416b7b04e4f7567d11
MIME type:	application/x-dosexec
Signature	SnakeKeylogger

Vendor Threat Intelligence

Detection(s):

Sanesecurity.Foxhole.Zip_fs3327.UNOFFICIAL

Sanesecurity.Malware.21744.ZipHeur.UNOFFICIAL

Verdict:

Malicious

Score:

92.5%

Link:

https://cyber-fortress.com/docs/result/index.php?id=66f2a3355346c7b922ad9fe6

Tags:

Encryption Execution Network Stealth Trojan Autorun Emotet

Result

Verdict:

Suspicious

File Type:

PE File

Link:

https://app.docguard.net/241e1365a1167e6e5ca9d489cad6867fb44196d60473f679888a0a3cfbb93a35/results/dashboard

Behaviour

BlacklistAPI detected

Verdict:

Likely Malicious

Threat level:

7.5/10

Confidence:

100%

Tags:

autoit epmicrosoft_visual_cc fingerprint keylogger lolbin microsoft_visual_cc overlay packed shell32

Link:

https://www.filescan.io/uploads/66f2a3371d8effc31dc563d1/reports/d1b9445d-f319-4a14-8eee-87d3cd36f0e2/overview

Verdict:

Unknown

Link:

https://www.hybrid-analysis.com/sample/241e1365a1167e6e5ca9d489cad6867fb44196d60473f679888a0a3cfbb93a35

Result

Verdict:

MALICIOUS

Link:

https://labs.inquest.net/dfi/sha256/241e1365a1167e6e5ca9d489cad6867fb44196d60473f679888a0a3cfbb93a35

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Score:

100%

Verdict:

Malware

File Type:

Result

Malware family:

vipkeylogger

Score:

10/10

Tags:

family:vipkeylogger discovery keylogger stealer

Link:

https://tria.ge/reports/240924-pvmhnsvfjq/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: MapViewOfSection

Suspicious use of AdjustPrivilegeToken

Suspicious use of FindShellTrayWindow

Suspicious use of SendNotifyMessage

Suspicious use of WriteProcessMemory

Enumerates physical storage devices

Program crash

System Location Discovery: System Language Discovery

AutoIT Executable

Suspicious use of SetThreadContext

Looks up external IP address via web service

Drops startup file

Executes dropped EXE

Loads dropped DLL

VIPKeylogger

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/241e1365a1167e6e5ca9d489cad6867fb44196d60473f679888a0a3cfbb93a35

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	AutoIt Create hunting rule
Author:	Jean-Philippe Teissier / @Jipe_
Description:	AutoIT packer

Rule name:	AutoIT_Compiled Create hunting rule
Author:	@bartblaze
Description:	Identifies compiled AutoIT script (as EXE). This rule by itself does NOT necessarily mean the detected file is malicious.

Rule name:	AutoIT_Script Create hunting rule
Author:	@bartblaze
Description:	Identifies AutoIT script. This rule by itself does NOT necessarily mean the detected file is malicious.

Rule name:	DebuggerCheck__API Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	maldoc_getEIP_method_1 Create hunting rule
Author:	Didier Stevens (https://DidierStevens.com)

Rule name:	MD5_Constants Create hunting rule
Author:	phoul (@phoul)
Description:	Look for MD5 constants

Rule name:	meth_get_eip Create hunting rule
Author:	Willi Ballenthin

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

SnakeKeylogger

zip 241e1365a1167e6e5ca9d489cad6867fb44196d60473f679888a0a3cfbb93a35

(this sample)

SnakeKeylogger

exe b265a1d4698c08fe197c6cfed56a7a23adae05fdd25a4917ff5354e537f698d9

Delivery method

Distributed via e-mail attachment

Dropping

SHA256 b265a1d4698c08fe197c6cfed56a7a23adae05fdd25a4917ff5354e537f698d9

Dropping

SnakeKeylogger

Dropping

MD5 d138e7f7d5e29f416b7b04e4f7567d11

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample