MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 397a4259ce9f2c29c4435eafea79c35e36c34464510d6392fe4aa61c87fe07ea. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

SnakeKeylogger

Vendor detections: 7

Intelligence 7 IOCs YARA File information Comments

SHA256 hash:	397a4259ce9f2c29c4435eafea79c35e36c34464510d6392fe4aa61c87fe07ea
SHA3-384 hash:	2c963b6818e0e6011b285fe4054e62975378c2aa7b7be615c4a27531097241b8e7663d7ea60a3d9fd051b9a5cc087e12
SHA1 hash:	cea50c4ab3c551b60c2a806e78b8d1b7aca8fa5d
MD5 hash:	f3f7d01818ca5056ccc76bdd38dc540f
humanhash:	aspen-leopard-leopard-nevada
File name:	MT103_YIU LIAN08042021_Xerox Scan_202104_.exe
Download:	download sample
Signature	SnakeKeylogger Create hunting rule
File size:	785'920 bytes
First seen:	2021-04-08 09:47:21 UTC
Last seen:	2021-04-09 08:31:28 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep	12288:VOg9IIK2eESh/NpyJpdS56rOQta9cTRO2EPCQu5oMavBL+VvjNa:VeIVS/N0JLS5QntacO2eDG7N
Threatray	432 similar samples on MalwareBazaar
TLSH	0BF4A0D17118BA3ACC0B37FA385EE8D2C6A23C1F9739C39D27967E852D57162482F215
Reporter	abuse_ch
Tags:	exe SnakeKeylogger

abuse_ch

Malspam distributing SnakeKeylogger:

HELO: ru01.random.com
Sending IP: 109.237.103.11
From: Roy Zheng <biz2@oshpg.com>
Subject: RE: 回复: 5th Hire Payment
Attachment: MT103_YIU LIAN08042021_Xerox Scan_202104_.img (contains "MT103_YIU LIAN08042021_Xerox Scan_202104_.exe")

Intelligence

File Origin

# of uploads :

# of downloads :

144

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

MT103_YIU LIAN08042021_Xerox Scan_202104_.exe

Verdict:

Malicious activity

Analysis date:

2021-04-08 17:36:59 UTC

Tags:

evasion trojan snakekeylogger keylogger

Link:

https://app.any.run/tasks/af95d602-7849-4709-a4f3-656458f5d46a

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/133162/

Detection(s):

SecuriteInfo.com.ArtemisF3F7D01818CA.20567.7975.UNOFFICIAL

Result

Verdict:

Clean

Maliciousness:

Behaviour

Creating a window

Sending a UDP request

Result

Verdict:

SUSPICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Result

Threat name:

Snake Keylogger

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/669880

Signature

Found malware configuration

Injects a PE file into a foreign processes

Machine Learning detection for dropped file

Machine Learning detection for sample

May check the online IP address of the machine

Sigma detected: Scheduled temp file as task from temp location

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to steal Mail credentials (via file access)

Uses schtasks.exe or at.exe to add and modify task schedules

Yara detected AntiVM3

Yara detected Beds Obfuscator

Yara detected Snake Keylogger

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/397a4259ce9f2c29c4435eafea79c35e36c34464510d6392fe4aa61c87fe07ea/

Threat name:

ByteCode-MSIL.Trojan.AgentTesla

Status:

Malicious

First seen:

2021-04-08 09:48:08 UTC

File Type:

PE (.Net Exe)

Extracted files:

AV detection:

21 of 26 (80.77%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=hf5eewoot4wctrcdl2x6u6odly3mgrdekegwhex6jktbzb76a7va._file

Verdict:

suspicious

SnakeKeylogger

163794b39bdb816cadf7bd0c907b4760b613bccee38677b4d260835ff812a644

SnakeKeylogger

242045c07ffb6427b046939045d9312f3beaa954ef3ec60316247f7dfdfbca3e

SnakeKeylogger

30865d42d9897a6611df8683bc041836794cf6d7ee47763281fbed0f063a7c8e

SnakeKeylogger

56e676fae09b69a9eae221e0590776815f7fa38e7cc90822cd3060ea289d7547

SnakeKeylogger

94e66604a68872685d623a036c3dff67af99bcd99ae88d8dc5a398470ba6cb0b

SnakeKeylogger

b8d0f5a88fd8d100cc6dc0f63e31c14c9fda07be97422b0ee2355cb73c14bd97

SnakeKeylogger

d04ab5688b6093908786418a2767df4c7b0c99324fad4fba37036df9b7673e01

SnakeKeylogger

e5d8c5c382b01a400205b1477e89b12f9eea14fdf10c5e4d31640954910661b6

SnakeKeylogger

f64ecad45aae27f037e819a6adfaeebbdf0f769690a46a89a29d4f0da22b6cd4

SnakeKeylogger

+ 422 additional samples on MalwareBazaar

Result

Malware family:

snakekeylogger

Score:

10/10

Tags:

family:snakekeylogger keylogger spyware stealer

Link:

https://tria.ge/reports/210408-9dccp3bf86/

Behaviour

Creates scheduled task(s)

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Enumerates physical storage devices

Suspicious use of SetThreadContext

Looks up external IP address via web service

Reads data files stored by FTP clients

Reads user/profile data of local email clients

Reads user/profile data of web browsers

Snake Keylogger

Snake Keylogger Payload

Unpacked files

SH256 hash:

c5519ef771321d62260735c62622297b284e823d97b29eed0dae704d89bb4c5f

MD5 hash:

0158502a4a1ee47ae2abfe604f2fd748

SHA1 hash:

3dec24548c89d943f3fe9a4dd0b8663cbdcf6e0d

Link:

https://www.unpac.me/results/1342ee1f-510f-4c78-ab40-7dd5f4a4681f/

SH256 hash:

397a4259ce9f2c29c4435eafea79c35e36c34464510d6392fe4aa61c87fe07ea

MD5 hash:

f3f7d01818ca5056ccc76bdd38dc540f

SHA1 hash:

cea50c4ab3c551b60c2a806e78b8d1b7aca8fa5d

Link:

https://www.unpac.me/results/1342ee1f-510f-4c78-ab40-7dd5f4a4681f/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Suspicious File

Score:

0.35

Link:

https://yomi.yoroi.company/submissions/397a4259ce9f2c29c4435eafea79c35e36c34464510d6392fe4aa61c87fe07ea

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

SnakeKeylogger

img 96514931f92dec38e0b01f43796963b8a6802f06bc1b93ff9ecd2998793110e7

SnakeKeylogger

exe 397a4259ce9f2c29c4435eafea79c35e36c34464510d6392fe4aa61c87fe07ea

(this sample)

Dropped by

MD5 adf3d09d18f37669252270a0ed11438a

Delivery method

Distributed via e-mail attachment

Cape

https://www.capesandbox.com/analysis/133162/

Dropped by

SHA256 96514931f92dec38e0b01f43796963b8a6802f06bc1b93ff9ecd2998793110e7

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample