MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 4158eda852ee2f9ccbeceed05ff97af35dac101ed395f622ba41d93ef2ddfedc. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

SnakeKeylogger

Vendor detections: 7

Intelligence 7 IOCs YARA File information Comments

SHA256 hash:	4158eda852ee2f9ccbeceed05ff97af35dac101ed395f622ba41d93ef2ddfedc
SHA3-384 hash:	be6603df25263d270546689f4c5b8d958ff9d7e2044eb5db66b5a523f2c2cd4c71957f0182b0b84bafe883b3733eb177
SHA1 hash:	9afc061ba2043457e1c21bc35a7ab7cd563bc158
MD5 hash:	61d01682aed9dcc9a289043f40c1a41a
humanhash:	georgia-early-july-bakerloo
File name:	v2.exe
Download:	download sample
Signature	SnakeKeylogger Create hunting rule
File size:	1'307'648 bytes
First seen:	2021-02-23 07:19:22 UTC
Last seen:	2021-02-23 08:46:02 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'666 x AgentTesla, 19'479 x Formbook, 12'209 x SnakeKeylogger)
ssdeep	12288:BLPjGZS7JQ3Krcrlhiz6021uysy5wJUGG71WKTerXMaRPg6:hPjGZdKrcBgp2IyJNcueRo6
Threatray	106 similar samples on MalwareBazaar
TLSH	2C557A31B3B15FD1E8659E778D069104FFE64E529974E28FE8A824E22123F4DC64C4FA
Reporter	abuse_ch
Tags:	DHL exe SnakeKeylogger

abuse_ch

Malspam distributing unidentified malware:

HELO: upbeat-moser.91-92-128-140.plesk.page
Sending IP: 91.92.128.140
From: DHL <dhl@dhl.com>
Subject: DHL Waybill Number 5901370451
Attachment: DHL contact form.xxe (contains "v2.exe")

Intelligence

File Origin

# of uploads :

# of downloads :

Origin country :

n/a

Vendor Threat Intelligence

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/118490/

Detection(s):

SecuriteInfo.com.FileRepMalware.9743.12795.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

DNS request

Sending a custom TCP request

Sending a UDP request

Creating a window

Creating a file in the %temp% directory

Creating a process from a recently created file

Creating a file

Sending an HTTP GET request

Reading critical registry keys

Unauthorized injection to a recently created process

Unauthorized injection to a recently created process by context flags manipulation

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Result

Threat name:

Snake Keylogger

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/615045

Signature

Allocates memory in foreign processes

Found malware configuration

Hides that the sample has been downloaded from the Internet (zone.identifier)

Injects a PE file into a foreign processes

Machine Learning detection for sample

May check the online IP address of the machine

Multi AV Scanner detection for submitted file

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to steal Mail credentials (via file access)

Writes to foreign memory regions

Yara detected Beds Obfuscator

Yara detected MultiObfuscated

Yara detected Snake Keylogger

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/4158eda852ee2f9ccbeceed05ff97af35dac101ed395f622ba41d93ef2ddfedc/

Threat name:

Win32.Trojan.Wacatac

Status:

Malicious

First seen:

2021-02-23 07:20:11 UTC

AV detection:

13 of 47 (27.66%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=ifmo3kcs5yxzzs7m53if76l26no2yea62ok7miv2ihmt54w573oa._file

Verdict:

unknown

SnakeKeylogger

199f078e93520f83664c2d903bd419fcd1919988b86ef2d36d2f77523dae56dd

SnakeKeylogger

77922c4a501aecfc8e78b5fcaa7c2ac1e97c70abc5f955407e7c72d918ce43f2

SnakeKeylogger

8956cef2ded0f77c7f61c06c800e8d2a7cb26539da78dbfad307ec143e1eee3b

SnakeKeylogger

8a5b53a6e1f5a39007cf25fc8a13838b345123546ca8d0360859a70179ff358e

SnakeKeylogger

9f381cb9a41c723dddeca49ce454e720d3d211968eeef082073cfc531ae361f4

SnakeKeylogger

ae2820f20d20e5dc262e7e018e027646b4e5e4fcbc58cc6663dd077890b27e64

SnakeKeylogger

b5a2fbfeb80e2e92039a23615df8b8f63f42d1331528f514b312d4946dc22607

SnakeKeylogger

c2ccef24c19ee0890b6125f7de60b1e048dfa7da47766d1767e698e63ac08d83

SnakeKeylogger

dd5f8efd0456d76594e52eaff220830d3d507a7774560639ec826a3d3d535aa9

SnakeKeylogger

+ 96 additional samples on MalwareBazaar

Result

Malware family:

snakekeylogger

Score:

10/10

Tags:

family:snakekeylogger keylogger spyware stealer

Link:

https://tria.ge/reports/210223-jv24rbgl6e/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Suspicious use of SetThreadContext

Looks up external IP address via web service

Loads dropped DLL

Reads data files stored by FTP clients

Reads user/profile data of local email clients

Reads user/profile data of web browsers

Executes dropped EXE

Snake Keylogger

Snake Keylogger Payload

Unpacked files

SH256 hash:

4158eda852ee2f9ccbeceed05ff97af35dac101ed395f622ba41d93ef2ddfedc

MD5 hash:

61d01682aed9dcc9a289043f40c1a41a

SHA1 hash:

9afc061ba2043457e1c21bc35a7ab7cd563bc158

Link:

https://www.unpac.me/results/27b3b19b-4a42-4fb5-ac6c-4439b7d3709d/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Suspicious File

Score:

0.35

Link:

https://yomi.yoroi.company/submissions/4158eda852ee2f9ccbeceed05ff97af35dac101ed395f622ba41d93ef2ddfedc

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

SnakeKeylogger

22f5c680762474a8a17b563032c1b94d59d1b83a1b7bf554ed30d2ddf3463df0

SnakeKeylogger

exe 4158eda852ee2f9ccbeceed05ff97af35dac101ed395f622ba41d93ef2ddfedc

(this sample)

Dropped by

MD5 bb81bb161969c0a2115d7d085e9a93e0

Delivery method

Distributed via e-mail attachment

Cape

https://www.capesandbox.com/analysis/118490/

Dropped by

SHA256 22f5c680762474a8a17b563032c1b94d59d1b83a1b7bf554ed30d2ddf3463df0

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample