MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 545c7e58ac6591d343ca1aa988cfb941269f81dea524e427ef59cf9f9bf41a43. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

SnakeKeylogger

Vendor detections: 15

SHA256 hash: 545c7e58ac6591d343ca1aa988cfb941269f81dea524e427ef59cf9f9bf41a43
SHA3-384 hash: c806b52e33750e9c68ae334370fe73b32228cbbe17c0f6a52736556d428e05f25c79fa23c54b35e6bee1e162761468c3
SHA1 hash: 17b3289625c8e7afdc82717cff2f19e1db48138d
MD5 hash: 6902786e5e4a4ada3ca2821c611a6dcf
humanhash: orange-maryland-one-spaghetti
File name: PO2440277- Sipariş PM.exe
Signature: SnakeKeylogger
File size: 665'600 bytes
First seen: 2024-07-31 07:31:27 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: 21371b611d91188d602926b15db6bd48 (60 x Formbook, 23 x AgentTesla, 20 x RemcosRAT)
ssdeep: 12288:VsHzOUNUSB/o5LsI1uwajJ5yvv1l2Ii2rDpFQQt5OPUQ0SC:MiUmSB/o5d1ubcvnrDDZ5wUQ0SC
TLSH: T1C7E423579980D89DC1925370C43A8DE0D69179B1AEAB7B770B80F3AFAC32343D512B5E
TrID:
  39.1% (.EXE) UPX compressed Win32 Executable (27066/9/6)
  38.3% (.EXE) Win32 EXE Yoda's Crypter (26569/9/4)
  7.2% (.EXE) Win16 NE executable (generic) (5038/12/1)
  6.5% (.EXE) Win32 Executable (generic) (4504/4/1)
  2.9% (.EXE) OS/2 Executable (generic) (2029/13)
dhash icon: aae2f3e38383b629 (2'034 x Formbook, 1'183 x CredentialFlusher, 666 x AgentTesla)
Reporter: abuse_ch
Tags: exe geo SnakeKeylogger TUR

Intelligence

File Origin
# of uploads: 1
# of downloads: 365
Origin country: NL

Vendor Threat Intelligence
Malware family: n/a
ID: 1
File name: PO2440277- Sipariş PM.exe
Verdict: Malicious activity
Analysis date: 2024-07-31 07:47:50 UTC
Tags: evasion snake keylogger

Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Verdict: Malicious
Score: 92.5%
Tags: Discovery Execution Generic Network Stealth Shellcodecrypter

Result
Verdict: Malware
Maliciousness:

Behaviour
Creating a window
Creating a file in the %temp% directory
Launching a process
Creating synchronization primitives
DNS request
Connection attempt
Sending an HTTP GET request
Sending a custom TCP request
Running batch commands
Creating a process with a hidden window
Creating a file
Unauthorized injection to a system process
Result
Verdict: MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Result
Threat name: PureLog Stealer, Snake Keylogger
Detection: malicious
Classification: troj.evad
Score: 100 / 100
Signature
.NET source code contains method to dynamically call methods (often used by packers)
AI detected suspicious sample
Binary is likely a compiled AutoIt script file
Found API chain indicative of sandbox detection
Found malware configuration
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Multi AV Scanner detection for submitted file
Switches to a custom stack to bypass stack traces
Tries to detect the country of the analysis system (by using the IP)
Writes to foreign memory regions
Yara detected AntiVM3
Yara detected Generic Downloader
Yara detected PureLog Stealer
Yara detected Snake Keylogger
Threat name: Win32.Spyware.Snakekeylogger
Status: Malicious
First seen: 2024-07-31 07:32:11 UTC
File Type: PE (Exe)
Extracted files: 52
AV detection: 20 of 24 (83.33%)
Threat level: 2/5
Verdict: malicious
Label(s): agenttesla

Result
Malware family: snakekeylogger
Score: 10/10
Tags: family:snakekeylogger discovery keylogger stealer upx
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
System Location Discovery: System Language Discovery
AutoIT Executable
Suspicious use of SetThreadContext
Looks up external IP address via web service
UPX packed file
Snake Keylogger
Snake Keylogger payload
Malware Config
C2 Extraction: https://api.telegram.org/bot7479517689:AAFZXzeEulm16gwWbLqx5RMoTeKEfX7e5jQ/sendMessage?chat_id=7071568333

Verdict: Suspicious
Tags: n/a
YARA: n/a
Unpacked files
SHA256 hash: 9e5f3581119d12abd293f73897bf20e268218db307e23e115c8b051f08d634bb
MD5 hash: e8cc5bb3c562f82e6f1a688ae605b023
SHA1 hash: d8f49e8a141781f37159e2139baa3d6f22b5135e
Detections: snake_keylogger win_404keylogger_g1 MAL_Envrial_Jan18_1 SUSP_OBF_NET_Reactor_Indicators_Jan24 RedLine_Campaign_June2021

SHA256 hash: 3cf5d0f51a46fcf8c8136a247dab44b55e601e5f1db74b4a5a886f214630fa48
MD5 hash: 2e786affa2de9c225be34b730ad01b1d
SHA1 hash: c135ee9fafa71accf3d3c130fb9213524d293adc
Detections: snake_keylogger win_404keylogger_g1 MAL_Envrial_Jan18_1 SUSP_OBF_NET_Reactor_Indicators_Jan24

SHA256 hash: ae70bf3a40c33f4a6979568d6a1d6dd0eff785f8751af928a28d26046d22b338
MD5 hash: 5c608970dffc2ce9a085d32ac767b836
SHA1 hash: 5f8d686b0168f26230fae8e75141672f37c2e954
Detections: win_samsam_auto MAL_Malware_Imphash_Mar23_1 SUSP_OBF_NET_Reactor_Native_Stub_Jan24

SHA256 hash: 4412a736af2eb53fcc156de89b6a5514a1875b6559e78e6a84df19e9e1ad7079
MD5 hash: 456ba54a45798ea4c957c9b3827a546c
SHA1 hash: b1de7d96a50a2b35be9aed7f9f1b47ac9ace35cc
Detections: AutoIT_Compiled

SHA256 hash: 545c7e58ac6591d343ca1aa988cfb941269f81dea524e427ef59cf9f9bf41a43
MD5 hash: 6902786e5e4a4ada3ca2821c611a6dcf
SHA1 hash: 17b3289625c8e7afdc82717cff2f19e1db48138d
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: pe_detect_tls_callbacks

Rule name: UPXV200V290MarkusOberhumerLaszloMolnarJohnReiser
Author: malware-lu

Rule name: upx_3
Author: Kevin Falcoz
Description: UPX 3.X

Rule name: upx_largefile
Author: k3nr9

File information


The table below shows additional information about this malware sample such as delivery method and external references.

BLint


The following table provides more information about this file using BLint. BLint is a binary linter that checks the security properties and capabilities of executables.

Findings
ID | Title | Severity
CHECK_AUTHENTICODE | Missing Authenticode | high
CHECK_DLL_CHARACTERISTICS | Missing dll Security Characteristics (HIGH_ENTROPY_VA) | high
CHECK_NX | Missing Non-Executable Memory Protection | critical

Reviews
ID | Capabilities | Evidence
AUTH_API | Manipulates User Authorization | ADVAPI32.dll::GetAce
MULTIMEDIA_API | Can Play Multimedia | WINMM.dll::timeGetTime
WIN_BASE_API | Uses Win Base API | KERNEL32.DLL::LoadLibraryA

Comments