MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 4b50cfdb80f97772bf9db74da5beaabe27ea414599f1c702c1a5014643413c97. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


SnakeKeylogger


Vendor detections: 8


Intelligence 8 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 4b50cfdb80f97772bf9db74da5beaabe27ea414599f1c702c1a5014643413c97
SHA3-384 hash: b1bf46867dcb6bcdf98fa7039adcaeef94e2f36583e80530a73c1b4f2c359fe2ea74619e25a968e97d9c35839c651b7d
SHA1 hash: 087842a4afade35d4e1de215cacb9b43730ff0df
MD5 hash: 991178d1e7eeb07830957aaf4ad3e11e
humanhash: kitten-sweet-indigo-mike
File name:PR Number 21Y493-KR (CALIBRATION).exe
Download: download sample
Signature SnakeKeylogger
Create hunting rule
File size:1'229'824 bytes
First seen:2021-03-22 07:32:38 UTC
Last seen:2021-03-22 09:35:26 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'744 x AgentTesla, 19'608 x Formbook, 12'242 x SnakeKeylogger)
ssdeep 12288:b+A4BYNJNkQs4eJrzQ212A049fkRfJxsiYjeBRbwwtT1UzYuIS01Rkg72W41gZIL:b8YN1qpU21VIJxQjeDvOYuk1v
Threatray 6 similar samples on MalwareBazaar
TLSH 4E45290962EC7FC8E23A1774A575405587F5F50ADA36DBADFD90408A0962B03BFB3722
Reporter abuse_ch
Tags:exe SnakeKeylogger


Avatar
abuse_ch
Malspam distributing unidentified malware:

HELO: onikom.com.mx
Sending IP: 52.24.102.163
From: Kashif Aziz <tecfluid@tecfluid.com>
Reply-To: info <mt.gov@waad.com.sa>
Subject: MOST URGENT REQUEST FOR QUOTATION WITH REFERENCE -----21Y493-KR(CALIBRATION)
Attachment: PR Number 21Y493-KR CALIBRATION.img (contains "PR Number 21Y493-KR (CALIBRATION).exe")

Intelligence

File Origin
# of uploads :
2
# of downloads :
132
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
PR Number 21Y493-KR (CALIBRATION).exe
Verdict:
Suspicious activity
Analysis date:
2021-03-22 07:43:55 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/1928201a-1fdb-4cc6-a337-f66aace335db

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection(s):
SecuriteInfo.com.Trojan.PackedNET.594.11018.16040.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a UDP request
Result
Verdict:
SUSPICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Gathering data
Result
Threat name:
Snake Keylogger
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
84 / 100
Link:
https://www.joesandbox.com/analysis/647477
Signature
.NET source code contains potential unpacker
Found evasive API chain (trying to detect sleep duration tampering with parallel thread)
Found malware configuration
Injects a PE file into a foreign processes
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Yara detected AntiVM3
Yara detected Beds Obfuscator
Yara detected Snake Keylogger
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 372705 Sample: PR Number 21Y493-KR (CALIBR... Startdate: 22/03/2021 Architecture: WINDOWS Score: 84 20 Found malware configuration 2->20 22 Yara detected Snake Keylogger 2->22 24 Yara detected AntiVM3 2->24 26 4 other signatures 2->26 7 PR Number 21Y493-KR (CALIBRATION).exe 3 2->7         started        process3 signatures4 28 Injects a PE file into a foreign processes 7->28 10 PR Number 21Y493-KR (CALIBRATION).exe 2 7->10         started        12 PR Number 21Y493-KR (CALIBRATION).exe 7->12         started        14 PR Number 21Y493-KR (CALIBRATION).exe 7->14         started        16 PR Number 21Y493-KR (CALIBRATION).exe 7->16         started        process5 process6 18 dw20.exe 22 6 10->18         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/4b50cfdb80f97772bf9db74da5beaabe27ea414599f1c702c1a5014643413c97/
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=jnim7w4a7f3xfp45w5g2lpvkxyt6uqkfthy4oawbuuaumq2bhslq._file
Verdict:
unknown
Similar samples:
2abef54041681b9251673959524c002821e9e90483c7cdc0e3668bf2cc2c91ce
SnakeKeylogger
58626b2130d20a2bacbcefa97d06dc1e4d55b123a86a3f074bd2e8212ee60ae8
SnakeKeylogger
9665ad0e77d42b45873a756fd12d19cc8433e6336b31e64658a861b0bf91ab80
SnakeKeylogger
96be17cdcc9ea6acc0cb3ff4e463ad708b4abba9e66804040294b7c7dbdaf4a8
SnakeKeylogger
9a312ce83cf5bb827d5a150688db81bc3d423792e452743b904e1006eacdd47d
SnakeKeylogger
c606b9a9266efd06f8db163bced0cea6e69bcaf88185f29bb364289f7a067eaf
SnakeKeylogger
Result
Malware family:
snakekeylogger
Create hunting rule
Score:
  10/10
Tags:
family:snakekeylogger keylogger stealer
Link:
https://tria.ge/reports/210322-hlnwmhj6js/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Snake Keylogger
Snake Keylogger Payload
Unpacked files
SH256 hash:
c22b9993fd6abea236edcc1bf476bcd4a09015b4af09eedf660a43bf3d29a16f
MD5 hash:
1d1234ba19c430923b22f531bb19b369
SHA1 hash:
9868c1e97a3be16100a61b5ee1f7d2838b4782a8
Link:
https://www.unpac.me/results/7a45b66a-3c00-43f4-8fbf-f4971444c389/
SH256 hash:
4b50cfdb80f97772bf9db74da5beaabe27ea414599f1c702c1a5014643413c97
MD5 hash:
991178d1e7eeb07830957aaf4ad3e11e
SHA1 hash:
087842a4afade35d4e1de215cacb9b43730ff0df
Link:
https://www.unpac.me/results/7a45b66a-3c00-43f4-8fbf-f4971444c389/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
0.85
Link:
https://yomi.yoroi.company/submissions/4b50cfdb80f97772bf9db74da5beaabe27ea414599f1c702c1a5014643413c97

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

SnakeKeylogger

img ae3fcb18e6fc63497e3c1484f517e009de7e20c75ad1d94033fe9714ca2ada12

SnakeKeylogger

Executable exe 4b50cfdb80f97772bf9db74da5beaabe27ea414599f1c702c1a5014643413c97

(this sample)

  
Dropped by
MD5 990ecfdec5d1cc364677ee2b02ca80a4
  
Delivery method
Distributed via e-mail attachment
  
Dropped by
SHA256 ae3fcb18e6fc63497e3c1484f517e009de7e20c75ad1d94033fe9714ca2ada12

Comments