MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 49b8a84aa8fab0523c38305cd57874778beda7e51c3e6217fbb1ddedde47048e. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


SnakeKeylogger


Vendor detections: 8


Intelligence 8 IOCs YARA 4 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 49b8a84aa8fab0523c38305cd57874778beda7e51c3e6217fbb1ddedde47048e
SHA3-384 hash: 801f9b09177ddcf5be4021ed21b08339ca25fdc2cb9e95b97859ace367d626adca07adaebc0b0d4c3437c669e5b1c581
SHA1 hash: 4ae21bab1796cb381a7d97e410b0f7437361e6b1
MD5 hash: 728aecd777bc291551b50f4d7a53668e
humanhash: oklahoma-single-kitten-jersey
File name:SwiftCopyTT.exe
Download: download sample
Signature SnakeKeylogger
Create hunting rule
File size:548'864 bytes
First seen:2021-02-22 07:10:18 UTC
Last seen:2021-02-22 08:41:50 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'661 x AgentTesla, 19'474 x Formbook, 12'208 x SnakeKeylogger)
ssdeep 12288:xrswE5kA86mmi0vGEBl3wpUxtdUdn4ZaJiPpqLf3Oxe:xIrkDvwXJEctd8fX2x
Threatray 13 similar samples on MalwareBazaar
TLSH 6FC4125422E82B05F4BE37F7A2B11A845BBB3855A431FB4C5EC060DF5866B90D7A0F93
Reporter abuse_ch
Tags:exe SnakeKeylogger


Avatar
abuse_ch
Malspam distributing SnakeKeylogger:

HELO: etr0.320.gvuwx.ml
Sending IP: 165.227.55.27
From: Laura <anjali@insightwithin.com>
Subject: SWIFT Transfer (103) SE07802102110016
Attachment: SwiftCopyTT.cab (contains "SwiftCopyTT.exe")

Intelligence

File Origin
# of uploads :
2
# of downloads :
99
Origin country :
n/a
Vendor Threat Intelligence
Detection:
Snake
Create hunting rule
Link:
https://www.capesandbox.com/analysis/118211/
Detection(s):
SecuriteInfo.com.Trojan.Packed2.42850.29174.25756.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a UDP request
Creating a file in the %AppData% directory
Creating a file in the %temp% directory
Launching a process
Creating a process with a hidden window
Deleting a recently created file
Unauthorized injection to a recently created process
Enabling autorun by creating a file
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
Snake Keylogger
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/613698
Signature
Binary contains a suspicious time stamp
Found malware configuration
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
May check the online IP address of the machine
Multi AV Scanner detection for dropped file
Sigma detected: Scheduled temp file as task from temp location
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file access)
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected Beds Obfuscator
Yara detected Snake Keylogger
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/49b8a84aa8fab0523c38305cd57874778beda7e51c3e6217fbb1ddedde47048e/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2021-02-22 07:11:10 UTC
AV detection:
7 of 47 (14.89%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=jg4kqsvi7kyfepbygbonk6duo6f63j7fdq7gef73who63xshasha._file
Verdict:
unknown
Similar samples:
4a9558166c80c188e48a382edbe91a387a7e3aa877d035420bb0e7b198eccdfe
SnakeKeylogger
6118f0c08d35a0dacc436ecc89379620c5d966f7cba43a6148684dd4a06c81ad
SnakeKeylogger
6e0b67c69b922762b4dd074cb6669f1080e78577b115bb9dd673df1b44937c6b
SnakeKeylogger
73ea7d88674eb985176347ebac51ec05a763eb59d39b072a6ce1eb495383a9db
SnakeKeylogger
758ed7414002a966ebe4bb96fd93b745cec7fd274a2bdfccf07e40b3f8a48b5c
SnakeKeylogger
7d66022b23aa84304657d92e2594f56331036896d42538a6aed0f24c9db6ded9
SnakeKeylogger
872243dcfd043d984136c2be7ab859d8d2480be48bba92ef3236d6b45fd1c9f4
SnakeKeylogger
9af6ee7679b5e12c34b0530a2b7639c65b1ff8449930ed9a6156338a2eebbb98
SnakeKeylogger
e7a4a4b30f3fbf4f31548ae91975f0b9c866045e65a370d9c775433689db1adf
SnakeKeylogger
fd2144d3699612e4c7a1e975a495c772781b9df28be88231efcb98f54c1e86ee
SnakeKeylogger
+ 3 additional samples on MalwareBazaar
Result
Malware family:
snakekeylogger
Create hunting rule
Score:
  10/10
Tags:
family:snakekeylogger keylogger spyware stealer
Link:
https://tria.ge/reports/210222-3dmxagqlr2/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Looks up external IP address via web service
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Snake Keylogger
Snake Keylogger Payload
Unpacked files
SH256 hash:
a8e0172514a39b55b9fde8c387b3a873f4bf2f2753e1d2f935784972eff1b7c5
MD5 hash:
9bea53dca11659bf26c6f104fbe95ef6
SHA1 hash:
843077f941b57308f97470f46794c3237609da04
Link:
https://www.unpac.me/results/8a6e8686-2ca3-40d8-8dbf-413ec6075884/
SH256 hash:
02c1bb48f24f6d31da6fef7f84ef4d3c14de24906e053fc33c3de4d0047cf5db
MD5 hash:
b6ebdf035a032afdc6ea319104352ca6
SHA1 hash:
8193b7d0314331176862c925042f1369823ecbd6
Link:
https://www.unpac.me/results/8a6e8686-2ca3-40d8-8dbf-413ec6075884/
SH256 hash:
f0a09c48af16c079c37ad0914f18897976357981fe5ee6f556ab9f9f70b9a671
MD5 hash:
f984a71581f6da5732110be2a569a392
SHA1 hash:
10de05b6b35fc5dbc00c42d59a4b850bcaae01e6
Link:
https://www.unpac.me/results/8a6e8686-2ca3-40d8-8dbf-413ec6075884/
SH256 hash:
49b8a84aa8fab0523c38305cd57874778beda7e51c3e6217fbb1ddedde47048e
MD5 hash:
728aecd777bc291551b50f4d7a53668e
SHA1 hash:
4ae21bab1796cb381a7d97e410b0f7437361e6b1
Link:
https://www.unpac.me/results/8a6e8686-2ca3-40d8-8dbf-413ec6075884/
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_EXE_Packed_ConfuserExMod_BedsProtector
Create hunting rule
Author:ditekSHen
Description:Detects executables packed with ConfuserEx Mod Beds Protector
Rule name:INDICATOR_SUSPICIOUS_Stomped_PECompilation_Timestamp_InTheFu
Create hunting rule
Author:ditekSHen
Description:Detect executables with stomped PE compilation timestamp that is greater than local current time
Rule name:Keylog_bin_mem
Create hunting rule
Author:James_inthe_box
Description:Contains Keylog
Rule name:MALWARE_Win_SnakeKeylogger
Create hunting rule
Author:ditekSHen
Description:Detects Snake Keylogger

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

SnakeKeylogger

cab 85fc35f8de28ee530e2dd9cf3555816d82875969d3870eab65da21e5f475efeb

SnakeKeylogger

Executable exe 49b8a84aa8fab0523c38305cd57874778beda7e51c3e6217fbb1ddedde47048e

(this sample)

  
Dropped by
MD5 dbc2bdd326d386b0f956cb79ce6deb26
  
Delivery method
Distributed via e-mail attachment
  
Dropped by
SHA256 85fc35f8de28ee530e2dd9cf3555816d82875969d3870eab65da21e5f475efeb
Cape
Cape
https://www.capesandbox.com/analysis/118211/

Comments