MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 27c85758399e6f2fc5245fbd45e4fad91097e79ca9ad1cbd51f098ed12ea191a. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

SnakeKeylogger
Vendor detections: 9
Maldoc score: 11

SHA256 hash: 27c85758399e6f2fc5245fbd45e4fad91097e79ca9ad1cbd51f098ed12ea191a
SHA3-384 hash: 67e65d0aaf261b80082421119a3dd958c3b98a71e07ad7054c05bae45319936c75af4572844e6d9c1d12feac7b4b0627
SHA1 hash: 0ae631fc1efb4fcce319db8615834b3089062b7a
MD5 hash: d549a968611ad78f98bbef3010689d91
humanhash: april-maine-happy-dakota
File name: Purchase Order List.xlsm
Signature: SnakeKeylogger
File size: 105'265 bytes
First seen: 2021-10-09 06:28:42 UTC
Last seen: Never
File type: Excel file xlsm
MIME type: application/vnd.openxmlformats-officedocument.spreadsheetml.sheet
ssdeep: 3072:Y9OKZu86S3Roy9uFwZlsaFPOHYonHBxqPZnGY:YoYuS/IwZltFPgYonHBxqPZGY
TLSH: T11CA30286357FB57EE28F8938440A730BEB9105429A457CB21EADB50F785D8E70343E9E
Reporter: abuse_ch
Tags: SnakeKeylogger xlsm


abuse_ch
Payload URL:
http://3.70.52.8/R1/Z/UYH302.exe

Office OLE Information

This malware sample appears to be an Office document. The following table provides more information about this document using oletools and oledump.

OLE id
Maldoc score: 11
OLE dump

MalwareBazaar was able to identify 8 sections in this file using oledump:

Section ID | Section size | Section name
A1         | 533 bytes    | PROJECT
A2         | 89 bytes     | PROJECTwm
A3         | 169 bytes    | VBA/Sheet1
A4         | 1043 bytes   | VBA/ThisWorkbook
A5         | 171 bytes    | VBA/Workbook
A6         | 7 bytes      | VBA/_VBA_PROJECT
A7         | 228 bytes    | VBA/dir
OLE vba

MalwareBazaar was able to extract and deobfuscate the following information from VBA script(s) in OLE objects embedded in this file using olevba:

Type       | Keyword              | Description
AutoExec   | Workbook_Activate    | Runs when the Excel Workbook is opened
IOC        | ershell.exe          | Executable file name
IOC        | Jjqafenyzjvrzvlr.bat | Executable file name
Suspicious | Output               | May write to a file (if combined with Open)
Suspicious | Shell                | May run an executable file or a system command
Suspicious | Hex Strings          | Hex-encoded strings were detected, may be used to obfuscate strings (option --decode to see all)
Suspicious | Base64 Strings       | Base64-encoded strings were detected, may be used to obfuscate strings (option --decode to see all)
Suspicious | Open                 | May open a file

Intelligence

File Origin
# of uploads: 1
# of downloads: 345
Origin country: n/a

Vendor Threat Intelligence
Malware family: n/a
ID: 1
File name: Purchase Order List.xlsm
Verdict: Malicious activity
Analysis date: 2021-10-09 06:30:20 UTC
Tags: macros macros-on-open

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict: Malicious
File Type: Excel File with Macro
Verdict: Malicious
Threat level: 10/10
Confidence: 100%
Tags: cmd macros macros-on-open packed
Result
Verdict: MALICIOUS
Details
Base64 Encoded Powershell Directives
Detected one or more base64 encoded Powershell directives.
Macro with Startup Hook
Detected macro logic that will automatically execute on document open. Most malware contains some execution hook.
Macro with File System Write
Detected macro logic that can write data to the file system.
IPv4 Dotted Quad URL
A URL was detected referencing a direct IP address, as opposed to a domain name.
Macro Execution Coercion
Detected a document that appears to social engineer the user into activating embedded logic.
Hidden Powershell
Detected a pivot to Powershell that utilizes commonly nefarious attributes such as '-windowstyle hidden'.
Macro Contains Suspicious String
Detected a macro with a suspicious string. Suspicious strings include privileged function calls, obfuscations, odd registry keys, etc.
Base64 Encoded URL
Detected an ANSI or UNICODE http:// or https:// base64 encoded URL prefix.
Document With No Content
Document contains little or no semantic information.
Result
Threat name: Snake Keylogger
Detection: malicious
Classification: bank.troj.spyw.expl.evad
Score: 100 / 100
Signature
.NET source code references suspicious native API functions
Allocates memory in foreign processes
Creates an undocumented autostart registry key
Document contains an embedded VBA macro which may execute processes
Document exploit detected (creates forbidden files)
Document exploit detected (process start blacklist hit)
Encrypted powershell cmdline option found
Found malware configuration
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious encrypted Powershell command line found
Malicious sample detected (through community Yara rule)
May check the online IP address of the machine
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)
Potential dropper URLs found in powershell memory
Powershell drops PE file
Sigma detected: Microsoft Office Product Spawning Windows Shell
Sigma detected: Suspicious Encoded PowerShell Command Line
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Mail credentials (via file access)
Writes to foreign memory regions
Yara detected Snake Keylogger
Yara detected Telegram RAT
Behaviour
Behavior Graph (graph image not reproduced; details recoverable from it follow):
Behavior Graph ID: 499798; Sample: Purchase Order List.xlsm; Startdate: 09/10/2021; Architecture: WINDOWS; Score: 100
Process chain: EXCEL.EXE -> cmd.exe -> powershell.exe -> Gealrfuviklyex.exe -> Gealrfuviklyex.exe
Dropped files: C:\Users\user\...\Jjqafenyzjvrzvlr.bat (ASCII); C:\Users\user\...\~$Purchase Order List.xlsm (data); C:\Users\user\AppData\...\Gealrfuviklyex.exe (PE32); C:\Users\user\AppData\Roaming\...\chrom.exe (PE32)
Network: 3.70.52.8:80 (AMAZON-02, US); store2.gofile.io 31.14.69.10:443; checkip.dyndns.org / checkip.dyndns.com 216.146.43.71:80; freegeoip.app 104.21.19.200:443
Threat name: Script-Macro.Trojan.SuspectINQ
Status: Malicious
First seen: 2021-10-08 16:56:46 UTC
AV detection: 7 of 45 (15.56%)
Threat level: 5/5
Result
Malware family: n/a
Score: 10/10
Tags: collection macro spyware stealer
Behaviour
Checks processor information in registry
Enumerates system info in registry
Modifies Internet Explorer settings
Modifies system certificate store
NTFS ADS
Suspicious behavior: AddClipboardFormatListener
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: RenamesItself
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Office loads VBA resources, possible macro or embedded object present
Program crash
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Looks up external IP address via web service
Deletes itself
Loads dropped DLL
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Blocklisted process makes network request
Downloads MZ/PE file
Executes dropped EXE
Process spawned unexpected child process
Malware Config
Dropper Extraction: http://3.70.52.8/R1/Z/UYH302.exe
Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Comments