MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 52ad6d72fe71e037848ecdb2b349e125aca3982353b82e70e179dc2c61122c85. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


SnakeKeylogger


Vendor detections: 6


Intelligence 6 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 52ad6d72fe71e037848ecdb2b349e125aca3982353b82e70e179dc2c61122c85
SHA3-384 hash: 5f0e81325eafde260284793f2a35eca2596278927f909399198c8f03da4059e51933f7c6cd84e7bb38b7ffcd563321a6
SHA1 hash: 6131617ad4d77da7e0832f8757e332aa686d7c45
MD5 hash: afeb630b76eccf18d6c4ad396f8f55e7
humanhash: red-football-alabama-potato
File name:UPDATTED SOA.zip
Download: download sample
Signature SnakeKeylogger
Create hunting rule
File size:591'187 bytes
First seen:2022-10-02 13:40:00 UTC
Last seen:Never
File type: zip
MIME type:application/zip
ssdeep 12288:8ReNpZPg2iP3XZqzrqn2ZjS9NJoW0BEJMAFjn+F3GRwSpt:8RexI1PX8zeuRmJMQ+F3gP
TLSH T14DC423B2BE73093C264B56E73C0E1D3F58593A0654AB87EC1E7BB7811DFAF401666488
TrID 80.0% (.ZIP) ZIP compressed archive (4000/1)
20.0% (.PG/BIN) PrintFox/Pagefox bitmap (640x800) (1000/1)
Reporter cocaman
Tags:SnakeKeylogger zip


Avatar
cocaman
Malicious email (T1566.001)
From: ""ringo"<ringo@nbgreentrans.com" (likely spoofed)
Received: "from nbgreentrans.com (unknown [185.222.58.80]) "
Date: "01 Oct 2022 09:21:08 +0200"
Subject: "RE:Statement Of Account"
Attachment: "UPDATTED SOA.zip"

Intelligence

File Origin
# of uploads :
1
# of downloads :
214
Origin country :
n/a
File Archive Information

This file archive contains 1 file(s), sorted by their relevance:

File name:UPDATTED SOA.exe
File size:1'054'720 bytes
SHA256 hash: 8c456876915598dc988732791d60ea7129c1f03f9eabd10951ce2996c9c0997f
MD5 hash: 7a6b0980328902701e46b0e67288b565
MIME type:application/x-dosexec
Signature SnakeKeylogger
Vendor Threat Intelligence
Detection(s):
SecuriteInfo.com.MSIL.Kryptik.WZA.UNOFFICIAL
Create hunting rule

Sanesecurity.Rogue.0hr.20221001-0636.UNOFFICIAL
Create hunting rule

Gathering data
Result
Verdict:
MALICIOUS
Link:
https://labs.inquest.net/dfi/sha256/52ad6d72fe71e037848ecdb2b349e125aca3982353b82e70e179dc2c61122c85
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/52ad6d72fe71e037848ecdb2b349e125aca3982353b82e70e179dc2c61122c85/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2022-10-01 00:50:54 UTC
File Type:
Binary (Archive)
Extracted files:
38
AV detection:
20 of 41 (48.78%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=kkww24x6ohqdpbeozwzlgspbewwkhgbdko4c44hbphocyyisfscq._file
Result
Malware family:
snakekeylogger
Create hunting rule
Score:
  10/10
Tags:
family:snakekeylogger keylogger stealer
Link:
https://tria.ge/reports/221002-qyh54aafdp/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Looks up external IP address via web service
Checks computer location settings
Snake Keylogger
Snake Keylogger payload
Malware Config
C2 Extraction:
https://api.telegram.org/bot5227573794:AAECZBnQSxLs0aOVsV2wnclC6-WKnxPpi_k/sendMessage?chat_id=5217421430
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/52ad6d72fe71e037848ecdb2b349e125aca3982353b82e70e179dc2c61122c85

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

SnakeKeylogger

zip 52ad6d72fe71e037848ecdb2b349e125aca3982353b82e70e179dc2c61122c85

(this sample)

SnakeKeylogger

Executable exe 8c456876915598dc988732791d60ea7129c1f03f9eabd10951ce2996c9c0997f

  
Delivery method
Distributed via e-mail attachment
  
Dropping
SHA256 8c456876915598dc988732791d60ea7129c1f03f9eabd10951ce2996c9c0997f
  
Dropping
SnakeKeylogger

Comments