MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 481a2f072eaae9c3c725c8fab30f50714eac1302964239e0e3b1d37e19654fbe. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

SnakeKeylogger

Vendor detections: 7



SHA256 hash: 481a2f072eaae9c3c725c8fab30f50714eac1302964239e0e3b1d37e19654fbe
SHA3-384 hash: fc8019360aba66bb79ab67ecb97a24e4843171e390d3c9582a7c3f4dcf2c6951109eeb524d447bbb554abd24819ed7af
SHA1 hash: 0c8dce66f8bdc5c448e909ddb115a03543779824
MD5 hash: 375a99e8afe229e1cdca34c5c358933f
humanhash: steak-fourteen-zebra-king
File name: Payment Slip.zip
Signature: SnakeKeylogger
File size: 610,618 bytes
First seen: 2022-07-25 08:39:01 UTC
Last seen: Never
File type: zip
MIME type: application/zip
ssdeep: 12288:wL2m56Q0VA3omqLNH51fj4tAV5mxBXS1hHmhEsAp:wh56VVCU5rdkCbGm
TLSH: T1CBD423FE12FA0D6414627A4C83D41F4EF9B5433168D1BB1E2B670BC90EFD863987A499
TrID: 80.0% (.ZIP) ZIP compressed archive (4000/1); 20.0% (.PG/BIN) PrintFox/Pagefox bitmap (640x800) (1000/1)
Reporter: cocaman
Tags: payment SnakeKeylogger SWIFT zip
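The digests listed above are what lets you confirm that a downloaded file really is the sample this entry describes before you do anything with it. The Python below is an added example, not MalwareBazaar's own code: it streams a file through SHA-256, SHA3-384, SHA-1 and MD5 in a single pass, compares the result with the values on this page, and hashes the members of a ZIP in memory so the inner payload can be checked without extracting it to disk. ssdeep and TLSH need third-party libraries and are not covered. The file names and byte strings used as test data are constructed, and the statement that MalwareBazaar wraps downloads in a ZIP with password "infected" is an assumption about the site noted in a comment, not something this page states.

```python
import hashlib
import io
import zipfile

# Digests listed on this MalwareBazaar entry for "Payment Slip.zip" (copied from the page).
EXPECTED_HASHES = {
    "sha256": "481a2f072eaae9c3c725c8fab30f50714eac1302964239e0e3b1d37e19654fbe",
    "sha3_384": "fc8019360aba66bb79ab67ecb97a24e4843171e390d3c9582a7c3f4dcf2c6951109eeb524d447bbb554abd24819ed7af",
    "sha1": "0c8dce66f8bdc5c448e909ddb115a03543779824",
    "md5": "375a99e8afe229e1cdca34c5c358933f",
}
ALGORITHMS = tuple(EXPECTED_HASHES)


def digest_chunks(chunks, algorithms=ALGORITHMS):
    """Feed an iterable of byte chunks through several hashlib algorithms in one pass."""
    hashers = {name: hashlib.new(name) for name in algorithms}
    for chunk in chunks:
        for h in hashers.values():
            h.update(chunk)
    return {name: h.hexdigest() for name, h in hashers.items()}


def digest_file(path, algorithms=ALGORITHMS, chunk_size=1 << 20):
    """Hash a file on disk without loading it into memory at once."""
    with open(path, "rb") as fh:
        return digest_chunks(iter(lambda: fh.read(chunk_size), b""), algorithms)


def compare_digests(actual, expected):
    """Return (all_match, {algorithm: (expected, actual)}) listing every mismatch."""
    mismatches = {
        name: (expected[name].lower(), actual.get(name))
        for name in expected
        if actual.get(name) != expected[name].lower()
    }
    return (not mismatches), mismatches


def verify_file(path, expected=EXPECTED_HASHES):
    """Check a file on disk against the digests from this entry (or any other dict)."""
    return compare_digests(digest_file(path, tuple(expected)), expected)


def verify_bytes(data, expected=EXPECTED_HASHES):
    """Same check for data already in memory."""
    return compare_digests(digest_chunks([data], tuple(expected)), expected)


def digest_zip_members(zip_bytes, password=None, algorithms=ALGORITHMS):
    """Hash every member of a ZIP held in memory; nothing is written to disk or executed.

    Assumption about the site, not taken from this page: MalwareBazaar delivers downloads
    inside a password-protected ZIP (password b"infected"). This sample is itself a ZIP, so
    the members of the inner archive are the actual payload worth hashing and pivoting on.
    """
    result = {}
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            with zf.open(info, pwd=password) as member:
                result[info.filename] = digest_chunks(
                    iter(lambda: member.read(1 << 20), b""), algorithms
                )
    return result


def build_zip(members):
    """Build a ZIP in memory from {name: bytes}; used only to construct test data."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, data in members.items():
            zf.writestr(name, data)
    return buf.getvalue()


if __name__ == "__main__":
    import sys

    ok, bad = verify_file(sys.argv[1])
    print("OK: matches this MalwareBazaar entry" if ok else f"MISMATCH: {bad}")
```

Run it as `python verify_sample.py "Payment Slip.zip"` after unwrapping the download archive; a mismatch on any single algorithm means you are not holding this sample, whatever the file name says.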


cocaman
Malicious email (T1566.001)
From: "finance<finance@popularsystems.net>" (likely spoofed)
Received: "from popularsystems.net (unknown [45.137.22.115]) "
Date: "25 Jul 2022 05:17:45 +0200"
Subject: "Swift For Old Banlance & Outstanding"
Attachment: "Payment Slip.zip"

Intelligence


File Origin
# of uploads: 1
# of downloads: 175
Origin country: n/a
Vendor Threat Intelligence

Verdict: No Threat
Threat level: 2/10
Confidence: 100%
Tags: packed

Result
Verdict: MALICIOUS
Details: Windows PE Executable. Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Threat name: ByteCode-MSIL.Trojan.AgentTesla
Status: Malicious
First seen: 2022-07-25 03:18:33 UTC
File Type: Binary (Archive)
Extracted files: 49
AV detection: 18 of 26 (69.23%)
Threat level: 5/5

Result
Malware family: snakekeylogger
Score: 10/10
Tags: family:snakekeylogger keylogger stealer
Behaviour:
  Suspicious behavior: EnumeratesProcesses
  Suspicious use of AdjustPrivilegeToken
  Suspicious use of WriteProcessMemory
  Program crash
  Suspicious use of SetThreadContext
  Looks up external IP address via web service
  Snake Keylogger
  Snake Keylogger payload
Malware Config
C2 Extraction: https://api.telegram.org/bot5495243543:AAG3XPeGW7yqfXF6_EXjGSfO9SWHJTpqVsU/sendMessage?chat_id=1128973051
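The extracted C2 is a Telegram Bot API endpoint of the form https://api.telegram.org/bot<bot_id>:<secret>/sendMessage?chat_id=<chat_id>, so the keylogger's take leaves the host as ordinary HTTPS to a legitimate service and a domain blocklist is of little use. What a detection can key on is the path shape and the method. The Python below is an added example, not code from MalwareBazaar or from any of the vendors above: it parses such a URL into bot_id, token, method and chat_id, defangs it for sharing, and runs a rule over a few constructed proxy-log lines (the log format is hypothetical) that flags only Bot API calls using data-pushing methods, leaving ordinary web.telegram.org browsing and bot polling alone. The C2 URL used for the hit is the one extracted from this sample; the second token in the log is a placeholder.

```python
import re
from urllib.parse import parse_qs, urlsplit

# C2 URL extracted from this sample (copied from the entry above).
C2_URL = ("https://api.telegram.org/bot5495243543:AAG3XPeGW7yqfXF6_EXjGSfO9SWHJTpqVsU"
          "/sendMessage?chat_id=1128973051")

# Bot API path: /bot<numeric bot id>:<secret>/<method>. Real secrets are 35 characters of
# [A-Za-z0-9_-]; the pattern is left slightly loose so a differently sized token still matches.
BOT_PATH_RE = re.compile(
    r"^/bot(?P<bot_id>\d+):(?P<secret>[A-Za-z0-9_-]{30,})/(?P<method>[A-Za-z]+)$"
)

# Bot API methods that push data out of the victim; getMe/getUpdates are polling, not exfil.
EXFIL_METHODS = {"sendMessage", "sendDocument", "sendPhoto"}


def parse_telegram_c2(url):
    """Split a Telegram Bot API URL into its IOC components; None if it is not one."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https") or parts.hostname != "api.telegram.org":
        return None
    m = BOT_PATH_RE.match(parts.path)
    if not m:
        return None
    return {
        "bot_id": m["bot_id"],                      # stable identifier, safe to share
        "token": f"{m['bot_id']}:{m['secret']}",    # a live credential, handle as sensitive
        "method": m["method"],
        "chat_id": parse_qs(parts.query).get("chat_id", [None])[0],
    }


def defang(url):
    """Rewrite the scheme and the host's dots so the URL cannot be clicked by accident."""
    scheme, _, rest = url.partition("://")
    host, slash, path = rest.partition("/")
    return f"hxxp{scheme[4:]}://{host.replace('.', '[.]')}{slash}{path}"


def scan_proxy_log(lines):
    """Flag Bot API exfil calls in a hypothetical log: <ts> <src_ip> <process> <verb> <url> <status>."""
    findings = []
    for line in lines:
        fields = line.split()
        if len(fields) < 6:
            continue
        ts, src, proc, verb, url, status = fields[:6]
        c2 = parse_telegram_c2(url)
        if c2 is None or c2["method"] not in EXFIL_METHODS:
            continue
        findings.append({
            "timestamp": ts, "src": src, "process": proc, "verb": verb, "status": status,
            "bot_id": c2["bot_id"], "chat_id": c2["chat_id"], "method": c2["method"],
            "ioc": defang(url),
        })
    return findings


# Constructed proxy log: one hit using this sample's C2 plus benign-looking noise, including
# the external-IP lookup the sandbox reported, which this rule deliberately does not cover.
SAMPLE_LOG = """\
2022-07-25T03:20:11Z 10.0.0.15 Payment_Slip.exe POST {c2} 200
2022-07-25T03:21:02Z 10.0.0.22 chrome.exe GET https://web.telegram.org/k/ 200
2022-07-25T03:22:40Z 10.0.0.15 Payment_Slip.exe GET http://checkip.dyndns.org/ 200
2022-07-25T03:23:05Z 10.0.0.31 python.exe POST https://api.telegram.org/bot1234567890:AAH-placeholder_not_a_real_token-0000000000/getMe 200
""".format(c2=C2_URL)

if __name__ == "__main__":
    for f in scan_proxy_log(SAMPLE_LOG.splitlines()):
        print(f"{f['timestamp']} {f['src']} {f['process']} -> bot {f['bot_id']} "
              f"chat {f['chat_id']} ({f['method']}) {f['ioc']}")
```

The numeric bot_id is the part to pivot on across samples and to share in reports; the full token is a credential and the chat_id identifies the operator's inbox, so both belong in restricted IOC sets rather than public ones.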
Please note that we are no longer able to provide a coverage score for VirusTotal.

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Malspam
  SnakeKeylogger
    zip 481a2f072eaae9c3c725c8fab30f50714eac1302964239e0e3b1d37e19654fbe (this sample)

Delivery method: Distributed via e-mail attachment
