MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 55b85c50614dc59af0cca5ed20dc7713f784b70b16f65fa01163e48ec006be57. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


SnakeKeylogger


Vendor detections: 8


Intelligence 8 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 55b85c50614dc59af0cca5ed20dc7713f784b70b16f65fa01163e48ec006be57
SHA3-384 hash: fce5db16b9f8de37b13de3b2332fac8e7805643266173c0d5be9fd04b4c4c1db68de01431e0fbc876be39e7ff211602b
SHA1 hash: 234fae4457a9b589f3b7cf783617494787911e26
MD5 hash: bbc7dfecb58d2fbbd51be0979963c3b0
humanhash: montana-vermont-spaghetti-earth
File name:customer Telex Transfer(TT).exe
Download: download sample
Signature SnakeKeylogger
Create hunting rule
File size:244'224 bytes
First seen:2021-01-30 12:59:03 UTC
Last seen:2021-01-30 14:59:30 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'657 x AgentTesla, 19'468 x Formbook, 12'206 x SnakeKeylogger)
ssdeep 3072:cCrbfAxi+FR1Qx8TLnX6j0/TKA95ISDaJe8qOb9N3+pC1E12oXH1LxvEv+lj/pI+:6ijKTKI5/DX85JopCi1ZEAVB1Nb3
Threatray 17 similar samples on MalwareBazaar
TLSH C934BFBC9BFDDE71C97A033DC5742A042775B882A857D31F51A492ED2E233C18D92A93
Reporter abuse_ch
Tags:exe SnakeKeylogger


Avatar
abuse_ch
Malspam distributing SnakeKeylogger:

HELO: [172.93.187.39]
Sending IP: 172.93.187.39
From: Account payable <jrramirez@etiqa.com.ph>
Subject: Telex Transfer(TT).
Attachment: customer Telex TransferTT.zip (contains "customer Telex Transfer(TT).exe")

Intelligence

File Origin
# of uploads :
2
# of downloads :
248
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
customer Telex Transfer(TT).exe
Verdict:
Malicious activity
Analysis date:
2021-01-30 12:59:56 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/ae578bcb-209c-4543-9279-626acccf979c

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/114885/
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Launching a process
Unauthorized injection to a recently created process
Creating a file
Sending a custom TCP request
DNS request
Sending an HTTP GET request
Reading critical registry keys
Sending a UDP request
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Sending an HTTP GET request to an infection source
Enabling autorun by creating a file
Enabling autorun
Result
Threat name:
Snake Keylogger
Create hunting rule
Detection:
malicious
Classification:
troj.adwa.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/594546
Signature
Binary contains a suspicious time stamp
Bypasses PowerShell execution policy
Creates an undocumented autostart registry key
Creates autostart registry keys with suspicious names
Creates multiple autostart registry keys
Drops PE files to the startup folder
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
May check the online IP address of the machine
Powershell drops PE file
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file access)
Yara detected MultiObfuscated
Yara detected Snake Keylogger
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 346311 Sample: customer Telex Transfer(TT).exe Startdate: 30/01/2021 Architecture: WINDOWS Score: 100 65 checkip.dyndns.org 2->65 67 freegeoip.app 2->67 69 checkip.dyndns.com 2->69 79 Yara detected Snake Keylogger 2->79 81 Yara detected MultiObfuscated 2->81 83 May check the online IP address of the machine 2->83 85 6 other signatures 2->85 8 customer Telex Transfer(TT).exe 3 2->8         started        12 customer Telex Transfer(TT).exe 2->12         started        14 customer Telex Transfer(TT).exe 2 2->14         started        16 3 other processes 2->16 signatures3 process4 file5 63 C:\...\customer Telex Transfer(TT).exe.log, ASCII 8->63 dropped 103 Injects a PE file into a foreign processes 8->103 18 customer Telex Transfer(TT).exe 18 4 8->18         started        23 powershell.exe 15 8->23         started        25 customer Telex Transfer(TT).exe 12->25         started        27 powershell.exe 12->27         started        29 customer Telex Transfer(TT).exe 12->29         started        31 customer Telex Transfer(TT).exe 14->31         started        33 powershell.exe 14->33         started        35 customer Telex Transfer(TT).exe 16->35         started        37 powershell.exe 16->37         started        signatures6 process7 dnsIp8 71 193.239.147.103, 49720, 49730, 49735 DEDIPATH-LLCUS Brunei Darussalam 18->71 55 C:\Users\...\customer Telex Transfer(TT).exe, PE32 18->55 dropped 57 customer Telex Tra...exe:Zone.Identifier, ASCII 18->57 dropped 87 Creates an undocumented autostart registry key 18->87 89 Injects a PE file into a foreign processes 18->89 39 customer Telex Transfer(TT).exe 2 18->39         started        59 C:\Users\user\AppData\...\I$s#$lT3ssl.exe, PE32 23->59 dropped 61 C:\Users\...\I$s#$lT3ssl.exe:Zone.Identifier, ASCII 23->61 dropped 91 Drops PE files to the startup folder 23->91 93 Powershell drops PE file 23->93 43 conhost.exe 23->43         started        45 conhost.exe 27->45         started        95 Creates autostart registry keys with suspicious names 31->95 97 Creates multiple autostart registry keys 31->97 47 conhost.exe 33->47         started        49 customer Telex Transfer(TT).exe 35->49         started        51 customer Telex Transfer(TT).exe 35->51         started        53 conhost.exe 37->53         started        file9 signatures10 process11 dnsIp12 73 checkip.dyndns.org 39->73 75 checkip.dyndns.com 216.146.43.71, 49726, 49727, 49742 DYNDNSUS United States 39->75 77 2 other IPs or domains 39->77 99 Tries to steal Mail credentials (via file access) 39->99 101 Tries to harvest and steal browser information (history, passwords, etc) 39->101 signatures13
Gathering data
Threat name:
ByteCode-MSIL.Trojan.Zeus
Create hunting rule
Status:
Malicious
First seen:
2021-01-30 13:00:08 UTC
AV detection:
19 of 28 (67.86%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=kw4fyudbjxczv4gmuxwsbxdxcp3yjnylc33f7iarmpsi5qagxzlq._file
Verdict:
suspicious
Similar samples:
0e264fd6c9f8b8d5f5765b8cb5e86eb2801a26d3891093954695c688c987b143
SnakeKeylogger
2d2c26b0f3308bda9e00913401761b8b5026edccfbe12bce7a72cd2d324c2f45
SnakeKeylogger
4b6f46c5f5f309d1e5de63307f5e7eed976a56e864f854e53afa6bb1dc671faf
SnakeKeylogger
53a20dc5366856bdd0aa3acc312bae1d6d05678cdf4c4baa2cde14b276a5bf47
SnakeKeylogger
5838c36fc9065ba544f6fa76efd90ba3a2ab7242f684ffa9bdb4753f7f670ef8
SnakeKeylogger
69dcf72c5f8c1751c5b144899cd43d26c7a639748d4b9a6de53bd4e3a492da3b
SnakeKeylogger
a425255570046eae4b5f02714701bb83fb1ed31220a0437efe362893bbd97bf5
SnakeKeylogger
a8aad152f516add6a277e2634baa324b105a90c3b02935aa2fa11ea4f0c4667e
SnakeKeylogger
c39bdd8f7c69c3140ef920e2b1d5965310058c5fa425b871f4d7751d8291d55e
SnakeKeylogger
fd16b4767d7764fde593f6b7d6449ccb233c18270bf45d67edde500c5028dc94
SnakeKeylogger
+ 7 additional samples on MalwareBazaar
Result
Malware family:
snakekeylogger
Create hunting rule
Score:
  10/10
Tags:
family:snakekeylogger keylogger persistence spyware stealer
Link:
https://tria.ge/reports/210130-wqsl7c5dhe/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Adds Run key to start application
Looks up external IP address via web service
Drops startup file
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Beds Protector Packer
Modifies WinLogon for persistence
Snake Keylogger
Snake Keylogger Payload
Unpacked files
SH256 hash:
420267a17d9f35e76fd735f0d55388a94548763374d3b9c774993a3bb08d6390
MD5 hash:
68ddf6f43eaf55acad06047e63005168
SHA1 hash:
493afea21cd1a342713adcf6beabfe1e979a16ef
Link:
https://www.unpac.me/results/88190a38-07e1-4a3d-b6f7-626110413c07/
SH256 hash:
720cb1327f8c767ab40389e23aeb2b8caedc201a2ec5491b620e7ffd956cd7fc
MD5 hash:
bd68d7aab74be63aaf26defe0b53e291
SHA1 hash:
d0cca364b13b6e5ddae7db5a944047c7b94ab311
Link:
https://www.unpac.me/results/88190a38-07e1-4a3d-b6f7-626110413c07/
SH256 hash:
97024f17003dd3d31dab64c4d1b8251e50d428644eb59ed3692ad79ce42019cf
MD5 hash:
8cd28be4bd9a1404c6d3600db32b3ed1
SHA1 hash:
fb90b0ca51118e771390d58b19d0a404ee14cfbc
Link:
https://www.unpac.me/results/88190a38-07e1-4a3d-b6f7-626110413c07/
SH256 hash:
55b85c50614dc59af0cca5ed20dc7713f784b70b16f65fa01163e48ec006be57
MD5 hash:
bbc7dfecb58d2fbbd51be0979963c3b0
SHA1 hash:
234fae4457a9b589f3b7cf783617494787911e26
Link:
https://www.unpac.me/results/88190a38-07e1-4a3d-b6f7-626110413c07/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/55b85c50614dc59af0cca5ed20dc7713f784b70b16f65fa01163e48ec006be57

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_EXE_Packed_ConfuserExMod_BedsProtector
Create hunting rule
Author:ditekSHen
Description:Detects executables packed with ConfuserEx Mod Beds Protector
Rule name:Keylog_bin_mem
Create hunting rule
Author:James_inthe_box
Description:Contains Keylog
Rule name:MALWARE_Win_SnakeKeylogger
Create hunting rule
Author:ditekSHen
Description:Detects Snake Keylogger

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

SnakeKeylogger

zip d426666cec67a972fbacf58222713c9c0610848685cdb3b1aeebe8774efa61b2

SnakeKeylogger

Executable exe 55b85c50614dc59af0cca5ed20dc7713f784b70b16f65fa01163e48ec006be57

(this sample)

  
Dropped by
MD5 c0316c45bfcc11df6618200575e318af
  
Delivery method
Distributed via e-mail attachment
  
Dropped by
SHA256 d426666cec67a972fbacf58222713c9c0610848685cdb3b1aeebe8774efa61b2
Cape
Cape
https://www.capesandbox.com/analysis/114885/

Comments