MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 55c349bac8fd1f52d509f18c49d73c963a6b836b31a574311f42b472381e1d45. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


SnakeKeylogger


Vendor detections: 5


Intelligence 5 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 55c349bac8fd1f52d509f18c49d73c963a6b836b31a574311f42b472381e1d45
SHA3-384 hash: 12e8735a50ded190754927aa0115fadc2e3f5dcf92b7d99abd4307a268d5892500f9558aa488cfba7611abb9b55c33f5
SHA1 hash: 628b3d782514f4900e55b200986492cd0bc57679
MD5 hash: b601e19aa7158624770769618ae9a7a5
humanhash: butter-muppet-item-uncle
File name:MV ACE SHIPPING TBN.zip
Download: download sample
Signature SnakeKeylogger
Create hunting rule
File size:346'479 bytes
First seen:2022-02-03 11:00:21 UTC
Last seen:Never
File type: zip
MIME type:application/zip
ssdeep 6144:fo4w3VKiOCG/mUrXcKzZFOgl0QnvJJc9Mbmz0uQvHHrXiNIuTj7At+rYmy6sp+:QFKiOHX7cKzTOKvJJc9CmKnrUTj0graS
TLSH T15574234D5BA385DDFE85B9DE3B33EA241735C9EE00B60687CB1DC44F02F4AB95268218
Reporter cocaman
Tags:zip


Avatar
cocaman
Malicious email (T1566.001)
From: "Ace Shipping A/S <chartering@aceshipping.com>" (likely spoofed)
Received: "from aceshipping.com (unknown [180.214.237.149]) "
Date: "3 Feb 2022 02:27:36 -0800"
Subject: "MV ACE SHIPPING TBN 1 & 2"
Attachment: "MV ACE SHIPPING TBN.zip"

Intelligence

File Origin
# of uploads :
1
# of downloads :
172
Origin country :
n/a
Vendor Threat Intelligence
Detection(s):
SecuriteInfo.com.PUA.EmbeddedEXE-1.UNOFFICIAL
Create hunting rule

Result
Verdict:
MALICIOUS
Link:
https://labs.inquest.net/dfi/sha256/55c349bac8fd1f52d509f18c49d73c963a6b836b31a574311f42b472381e1d45
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/55c349bac8fd1f52d509f18c49d73c963a6b836b31a574311f42b472381e1d45/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2022-02-03 06:29:24 UTC
File Type:
Binary (Archive)
Extracted files:
30
AV detection:
14 of 28 (50.00%)
Threat level:
  5/5
Result
Malware family:
snakekeylogger
Create hunting rule
Score:
  10/10
Tags:
family:snakekeylogger collection evasion keylogger persistence spyware stealer
Link:
https://tria.ge/reports/220203-m4ne8agbeq/
Behaviour
Checks processor information in registry
Creates scheduled task(s)
Modifies data under HKEY_USERS
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Enumerates physical storage devices
Drops file in Windows directory
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Looks up external IP address via web service
Maps connected drives based on registry
Checks BIOS information in registry
Checks computer location settings
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Looks for VMWare Tools registry key
Sets service image path in registry
Looks for VirtualBox Guest Additions in registry
Snake Keylogger
Snake Keylogger Payload
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/55c349bac8fd1f52d509f18c49d73c963a6b836b31a574311f42b472381e1d45

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

SnakeKeylogger

zip 55c349bac8fd1f52d509f18c49d73c963a6b836b31a574311f42b472381e1d45

(this sample)

SnakeKeylogger

Executable exe 7651401ef8594540124a5a42c64653b9d8a977c331fe96aacb0a82e13e04be5d

  
Delivery method
Distributed via e-mail attachment
  
Dropping
SHA256 7651401ef8594540124a5a42c64653b9d8a977c331fe96aacb0a82e13e04be5d

Comments