MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 3d184150bf7dc7ed4f848bd8f3c75784e957d892f504a90146a82ac9679fc126. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



SnakeKeylogger


Vendor detections: 10



SHA256 hash: 3d184150bf7dc7ed4f848bd8f3c75784e957d892f504a90146a82ac9679fc126
SHA3-384 hash: 6d1a994d43ad066f7cfd1fcea99d291ae8092f7d8c175a1082e06f026725244447bcd314df96e905de0222a18eb3e821
SHA1 hash: f0ab4a7a0c167815410160599f7c65796d2eded7
MD5 hash: 4993d7e061ffbf3cc910ffd02de8816b
humanhash: tennis-magazine-pasta-batman
File name: Final Purchase Order_0422.ppam
Signature: SnakeKeylogger
File size: 47'864 bytes
First seen: 2022-04-14 06:29:48 UTC
Last seen: Never
File type: PowerPoint file ppam
MIME type: application/vnd.openxmlformats-officedocument.presentationml.presentation
ssdeep: 768:LIazRD4S0JS00SneSnjS0yS03S0IMS0bS02SC+02/pvrk/QVm2JfIPuTghgb8Sj2:LRlPzodsQgo9AlDAus31pVHu1/K8Nyt5
TLSH: T11623CE54C511654AC273A53DE83AC8E109A79C27A125850FC1E67D8F0B98E9F2F4EBCF
Reporter: GovCERT_CH
Tags: ppam SnakeKeylogger

Intelligence


File Origin
# of uploads: 1
# of downloads: 252
Origin country: n/a
Vendor Threat Intelligence

Result
Verdict: Malicious
File Type: Legacy PowerPoint File with Macro
Verdict: Malicious
Threat level: 10/10
Confidence: 100%
Tags: macros macros-on-close macros-on-open masquerade replace.exe
Label: Malicious
Suspicious Score: 9.9/10
Score Malicious: 1%
Score Benign: 0%

Result
Verdict: MALICIOUS
Details: Macro with Startup Hook
Detected macro logic that will automatically execute on document open. Most malware contains some execution hook.

Result
Threat name: Unknown
Detection: malicious
Classification: expl.evad.troj
Score: 96 / 100
Signature
Creates processes via WMI
Document contains an embedded VBA with base64 encoded strings
Document contains an embedded VBA with many string operations indicating source code obfuscation
Document exploit detected (drops PE files)
Drops PE files with a suspicious file extension
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Office process drops PE file
Renames powershell.exe to bypass HIPS
Sigma detected: Execution of Suspicious File Type Extension
Uses schtasks.exe or at.exe to add and modify task schedules
Behaviour
Behavior Graph: (graph image not reproduced) Behavior Graph ID: 609108, Sample: Final Purchase Order_0422.ppam, Startdate: 14/04/2022, Architecture: WINDOWS, Score: 96
Threat name: Document-Office.Trojan.Heuristic
Status: Malicious
First seen: 2022-04-14 01:55:17 UTC
File Type: Document
Extracted files: 43
AV detection: 11 of 25 (44.00%)
Threat level: 2/5

Result
Malware family: snakekeylogger
Score: 10/10
Tags: family:snakekeylogger collection keylogger stealer
Behaviour
Checks processor information in registry
Creates scheduled task(s)
Enumerates system info in registry
Kills process with taskkill
Modifies Internet Explorer settings
Modifies registry class
Modifies system certificate store
Suspicious behavior: AddClipboardFormatListener
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Enumerates physical storage devices
Drops file in System32 directory
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Looks up external IP address via web service
Checks computer location settings
Blocklisted process makes network request
Executes dropped EXE
Snake Keylogger
Snake Keylogger Payload
Please note that we are no longer able to provide a coverage score for Virus Total.

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Malspam
SnakeKeylogger
PowerPoint file ppam 3d184150bf7dc7ed4f848bd8f3c75784e957d892f504a90146a82ac9679fc126 (this sample)

Delivery method: Distributed via e-mail attachment

Comments