MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 321798f8fa71a630a9afbb80a2cc78bc5448b9f127dd01c9d7ffd7a750153ef6. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


SnakeKeylogger


Vendor detections: 14


Intelligence 14 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 321798f8fa71a630a9afbb80a2cc78bc5448b9f127dd01c9d7ffd7a750153ef6
SHA3-384 hash: d1f1bc7fae64127074d2182f4d1cd755815e71daa25a8dd1899e08f9d5b33414983c6ba086eb8fde7b8e2858d7cd1281
SHA1 hash: 6bf5e3f1f9bacdfb4b2eadb37cb6085de93cbd88
MD5 hash: 377f8031bd6e60006b1e68d1773d54d3
humanhash: hamper-nebraska-iowa-stream
File name:Mitra Order.pdf.exe
Download: download sample
Signature SnakeKeylogger
Create hunting rule
File size:808'960 bytes
First seen:2022-10-12 07:28:43 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'205 x SnakeKeylogger)
ssdeep 6144:HwLKpglh/uAaIektmzOJmvQsOZb/HbZwdNFfmmZbDFGMXQgnDt5Xj+c+50+j5Nuh:qp/HaIxtlTUp1QgnrXj+RfjXu3FMj
Threatray 2'898 similar samples on MalwareBazaar
TLSH T1BC0548BA12D64507E4193175C8C3D2F32AFBAD607061D1C7AAD76F6FBC440BFA612286
TrID 71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.2% (.EXE) Win64 Executable (generic) (10523/12/4)
6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.3% (.EXE) Win32 Executable (generic) (4505/5/1)
2.0% (.EXE) Win16/32 Executable Delphi generic (2072/23)
File icon (PE):PE icon
dhash icon 0c4c4a4c4cb4b4b4 (26 x SnakeKeylogger, 9 x Formbook, 5 x AgentTesla)
Reporter abuse_ch
Tags:exe SnakeKeylogger

Intelligence

File Origin
# of uploads :
1
# of downloads :
187
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/319235/
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Сreating synchronization primitives
Creating a file in the %AppData% directory
Enabling the 'hidden' option for recently created files
Adding an access-denied ACE
Creating a process from a recently created file
Creating a process with a hidden window
Creating a file in the %temp% directory
Launching a process
Unauthorized injection to a recently created process
Creating a file
Enabling autorun by creating a file
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
packed
Link:
https://www.filescan.io/uploads/63466cc3316b332dfca8dddd/reports/8d3e6934-cd1a-41e5-8334-e2109e43d68c/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Snake Keylogger
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/34f020db-a8ed-4f16-85be-b3727f6a0fc3
Result
Threat name:
Snake Keylogger
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1089438
Signature
.NET source code contains potential unpacker
.NET source code references suspicious native API functions
Adds a directory exclusion to Windows Defender
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
May check the online IP address of the machine
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Scheduled temp file as task from temp location
Snort IDS alert for network traffic
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Mail credentials (via file / registry access)
Uses an obfuscated file name to hide its real file extension (double extension)
Uses schtasks.exe or at.exe to add and modify task schedules
Uses the Telegram API (likely for C&C communication)
Yara detected AntiVM3
Yara detected Generic Downloader
Yara detected Snake Keylogger
Yara detected Telegram RAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 722036 Sample: Mitra Order.pdf.exe Startdate: 13/10/2022 Architecture: WINDOWS Score: 100 53 Snort IDS alert for network traffic 2->53 55 Malicious sample detected (through community Yara rule) 2->55 57 Sigma detected: Scheduled temp file as task from temp location 2->57 59 15 other signatures 2->59 7 miDmdsTh.exe 5 2->7         started        10 Mitra Order.pdf.exe 7 2->10         started        process3 file4 61 Multi AV Scanner detection for dropped file 7->61 63 May check the online IP address of the machine 7->63 65 Machine Learning detection for dropped file 7->65 13 miDmdsTh.exe 7->13         started        17 schtasks.exe 1 7->17         started        35 C:\Users\user\AppData\Roaming\miDmdsTh.exe, PE32 10->35 dropped 37 C:\Users\...\miDmdsTh.exe:Zone.Identifier, ASCII 10->37 dropped 39 C:\Users\user\AppData\Local\...\tmpB8BB.tmp, XML 10->39 dropped 41 C:\Users\user\...\Mitra Order.pdf.exe.log, ASCII 10->41 dropped 67 Adds a directory exclusion to Windows Defender 10->67 69 Injects a PE file into a foreign processes 10->69 19 Mitra Order.pdf.exe 15 2 10->19         started        21 powershell.exe 20 10->21         started        23 schtasks.exe 1 10->23         started        25 MpCmdRun.exe 10->25         started        signatures5 process6 dnsIp7 43 132.226.247.73, 49708, 80 UTMEMUS United States 13->43 45 checkip.dyndns.org 13->45 71 Tries to steal Mail credentials (via file / registry access) 13->71 73 Tries to harvest and steal ftp login credentials 13->73 75 Tries to harvest and steal browser information (history, passwords, etc) 13->75 27 conhost.exe 17->27         started        47 checkip.dyndns.com 193.122.130.0, 49699, 80 ORACLE-BMC-31898US United States 19->47 49 checkip.dyndns.org 19->49 51 2 other IPs or domains 19->51 29 conhost.exe 21->29         started        31 conhost.exe 23->31         started        33 conhost.exe 25->33         started        signatures8 process9
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/321798f8fa71a630a9afbb80a2cc78bc5448b9f127dd01c9d7ffd7a750153ef6/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2022-10-12 01:04:37 UTC
File Type:
PE (.Net Exe)
Extracted files:
21
AV detection:
19 of 26 (73.08%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=gilzr6h2ogtdbknpxoakftdyxrkeropre7oqdsox77l2ouavh33a._file
Verdict:
malicious
Similar samples:
2b0f398cbf4b1b5389902edb124ed7dff609fc9d96942aaba149ed03942bbf2c
SnakeKeylogger
672dfe85ece65a72aab50b726b15e61ae7b562f19de89ef17e5fe988abc85823
SnakeKeylogger
68869812f8a2684414348ecc16579fb740a8bfc179957641ee2c39db6ad271d1
SnakeKeylogger
70730de8e215d6d1ddebe78090badefd43ae78d50a646c317579b49265e76832
SnakeKeylogger
93e390a0b385cbe75e53b89b22f597e9cbb339c33fccebba1a7c1d3a05b48cf9
SnakeKeylogger
a06e29202c62a82a9b16220854210aabb48c2cdbd6c63db226e68338346c860b
SnakeKeylogger
bbfe7d997d95f5693051b2c6bb3cfe9150ea690329ac0c51131c0825358892bd
SnakeKeylogger
d40f32f81438c0c6bad28f8b8b08ebb452871640a691cb879ea1a4220b452017
SnakeKeylogger
+ 2'888 additional samples on MalwareBazaar
Result
Malware family:
snakekeylogger
Create hunting rule
Score:
  10/10
Tags:
family:snakekeylogger collection keylogger spyware stealer
Link:
https://tria.ge/reports/221012-ja8yaacha4/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Enumerates physical storage devices
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Looks up external IP address via web service
Checks computer location settings
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Snake Keylogger
Snake Keylogger payload
Malware Config
C2 Extraction:
https://api.telegram.org/bot5329095121:AAFSFpQnawO74t7fSzMiKqIEblJz6OoR2PM/sendMessage?chat_id=1856108848
Verdict:
Suspicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/2e0a7cb4-7c66-404b-b743-5331affef962
Unpacked files
SH256 hash:
af7ac1171b44c9a949ad80bfaf05095048d0b74cfb527f66479e22f47d340110
MD5 hash:
f696dc0e00cb8f70799ac3fcaa5f9f6a
SHA1 hash:
cde2283de5b89639ea52f6388feef8f77efc63ce
Link:
https://www.unpac.me/results/b98d937c-19c9-47f0-81d7-66de94f37a87/
SH256 hash:
8ff9b733f3c2e9b8f1196425892f7673fa353caa61c5e910fe7637f282509b75
MD5 hash:
c789b70ca9f2c06c39c041b74be85d90
SHA1 hash:
c13268c44b3b5cb7a3a996d77f6b6fb0a1ce01d7
Link:
https://www.unpac.me/results/b98d937c-19c9-47f0-81d7-66de94f37a87/
SH256 hash:
70dfa4c873605ab0fcdcb62be2a970da110535280d8dc88261edbe1ed2865307
MD5 hash:
d5b0f8aff064b3e828421b48efccd312
SHA1 hash:
724f4bc7ab4e08c45562748b739c8f7496a5ad8f
Link:
https://www.unpac.me/results/b98d937c-19c9-47f0-81d7-66de94f37a87/
SH256 hash:
0ae11cd5bb21c7dac0c755c129be0445644e114d6794cdfe75037e7970622727
MD5 hash:
9e198d05b97e37915ac27d056662b774
SHA1 hash:
47b39f18b63d11c20cad342b8422679c07dfc3b5
Link:
https://www.unpac.me/results/b98d937c-19c9-47f0-81d7-66de94f37a87/
SH256 hash:
590ee019261178784d51d323323761346f705275a20581084a6bc38dfc540236
MD5 hash:
d39eb799d383e2e4306cffde2a57b0eb
SHA1 hash:
33ef59fe12d990d501c7c6108c4f127affd11b8f
Detections:
snake_keylogger
Create hunting rule
Link:
https://www.unpac.me/results/b98d937c-19c9-47f0-81d7-66de94f37a87/
Parent samples :
b502ce5bdf6d7ca5ef654b5d5c4e878c76a308fb0b624ef9b223168454eb65e2
321798f8fa71a630a9afbb80a2cc78bc5448b9f127dd01c9d7ffd7a750153ef6
SH256 hash:
321798f8fa71a630a9afbb80a2cc78bc5448b9f127dd01c9d7ffd7a750153ef6
MD5 hash:
377f8031bd6e60006b1e68d1773d54d3
SHA1 hash:
6bf5e3f1f9bacdfb4b2eadb37cb6085de93cbd88
Link:
https://www.unpac.me/results/b98d937c-19c9-47f0-81d7-66de94f37a87/
Malware family:
SnakeKeylogger
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/321798f8fa71/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/321798f8fa71a630a9afbb80a2cc78bc5448b9f127dd01c9d7ffd7a750153ef6

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

SnakeKeylogger

Executable exe 321798f8fa71a630a9afbb80a2cc78bc5448b9f127dd01c9d7ffd7a750153ef6

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/319235/

Comments