MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 56431350911d0476225fe5218ef37ad68ad0542b393f79ff080a69b4592a67b6. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


SnakeKeylogger


Vendor detections: 10


Intelligence 10 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 56431350911d0476225fe5218ef37ad68ad0542b393f79ff080a69b4592a67b6
SHA3-384 hash: ef31823b2a21ade5b603bbf62c550dbacd4a544c848550ba27059f569a08c2c2e1578906c701490c689f6485f33af280
SHA1 hash: 779b198fe95c145272b00dc118a44731b10f8847
MD5 hash: c41625a958db8d88d054fd472caf73cd
humanhash: oscar-item-orange-louisiana
File name:PURCHASE ORDER CONFIRMATION.exe
Download: download sample
Signature SnakeKeylogger
Create hunting rule
File size:37'432 bytes
First seen:2021-02-23 07:20:55 UTC
Last seen:2021-02-23 08:45:34 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'664 x AgentTesla, 19'478 x Formbook, 12'208 x SnakeKeylogger)
ssdeep 768:meqpbVo3CT6Ygqi4LjqdhGA6+5Jn5Ju5J6hF:mRozqBjO4BOJ5JeJw
Threatray 79 similar samples on MalwareBazaar
TLSH FFF284EDAEE37C60DBAF157A4E226F1086B02302D515C23FAC9CA0E5E0D3557FE52A54
Reporter abuse_ch
Tags:exe SnakeKeylogger


Avatar
abuse_ch
Malspam distributing unidentified malware:

HELO: synergytpl.com
Sending IP: 45.133.116.238
From: <info@synergytpl.com>
Subject: PURCHASE ITEMS
Attachment: PURCHASE ORDER CONFIRMATION.7Z (contains "PURCHASE ORDER CONFIRMATION.exe")

Intelligence

File Origin
# of uploads :
2
# of downloads :
104
Origin country :
n/a
Vendor Threat Intelligence
Detection:
DLAgent06
Create hunting rule
Link:
https://www.capesandbox.com/analysis/118498/
Detection(s):
SecuriteInfo.com.Variant.Bulz.368783.24115.27096.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
DNS request
Sending a UDP request
Using the Windows Management Instrumentation requests
Creating a window
Sending an HTTP GET request to an infection source
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
Snake Keylogger
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/614918
Signature
Adds a directory exclusion to Windows Defender
Binary contains a suspicious time stamp
Executable has a suspicious name (potential lure to open the executable)
Found malware configuration
Hides threads from debuggers
Initial sample is a PE file and has a suspicious name
Machine Learning detection for sample
May check the online IP address of the machine
Multi AV Scanner detection for submitted file
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file access)
Yara detected Beds Obfuscator
Yara detected MultiObfuscated
Yara detected Snake Keylogger
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 356464 Sample: PURCHASE ORDER CONFIRMATION.exe Startdate: 23/02/2021 Architecture: WINDOWS Score: 100 42 Found malware configuration 2->42 44 Multi AV Scanner detection for submitted file 2->44 46 Yara detected Snake Keylogger 2->46 48 9 other signatures 2->48 7 PURCHASE ORDER CONFIRMATION.exe 21 6 2->7         started        process3 dnsIp4 32 coroloboxorozor.com 104.21.71.230, 49710, 80 CLOUDFLARENETUS United States 7->32 34 192.168.2.1 unknown unknown 7->34 30 C:\Users\user\AppData\...\AdvancedRun.exe, PE32 7->30 dropped 50 Adds a directory exclusion to Windows Defender 7->50 52 Hides threads from debuggers 7->52 12 PURCHASE ORDER CONFIRMATION.exe 2 7->12         started        16 cmd.exe 1 7->16         started        18 powershell.exe 23 7->18         started        20 2 other processes 7->20 file5 signatures6 process7 dnsIp8 36 checkip.dyndns.org 12->36 38 checkip.dyndns.com 131.186.113.70, 49717, 49718, 80 DYNDNSUS United States 12->38 40 freegeoip.app 172.67.188.154, 443, 49719 CLOUDFLARENETUS United States 12->40 54 Tries to steal Mail credentials (via file access) 12->54 56 Tries to harvest and steal browser information (history, passwords, etc) 12->56 22 conhost.exe 16->22         started        24 timeout.exe 1 16->24         started        26 conhost.exe 18->26         started        28 AdvancedRun.exe 20->28         started        signatures9 process10
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/56431350911d0476225fe5218ef37ad68ad0542b393f79ff080a69b4592a67b6/
Threat name:
ByteCode-MSIL.Downloader.BaseLoader
Create hunting rule
Status:
Malicious
First seen:
2021-02-23 01:55:14 UTC
AV detection:
10 of 28 (35.71%)
Threat level:
  3/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=kzbrguerduchmis74uqy543222fnavblhe7xt7yibju3iwjkm63a._file
Verdict:
malicious
Similar samples:
2760abb67bdb754b7e7878df83549c332785054b337800e7598a4f394a81da12
SnakeKeylogger
2ddbf5aed765723b948699526bc2a9a49864dc1181e21f4c51fe613aa8d0ca7e
SnakeKeylogger
3afef4ab289c49f347ed065f4d272cec7ea413b5c84fb4c2e6aa9adad2716db6
SnakeKeylogger
638c7d6859e792cc15836509bd58bf468b755fee3dcf669d2dcf328dd0029f12
SnakeKeylogger
a0f4dd8f54f51cb4d1243ecf21b2e5d578464ec54ba9b8e98b1afdb17465b4bc
SnakeKeylogger
abec75c995b6bac05ca3aa49002dedb12a4fc7194e93f814f3edbb996d9cfa7a
SnakeKeylogger
cdcd7f4c9ccb8eeda9202454f40c32ce208c4943df9f84b56cb08ef600015e31
SnakeKeylogger
d6b54e921467dd688dc63b3019654168fd7e72fb0b902e9b08f8c0c3337af388
SnakeKeylogger
db3691bd029c0e2db482666cdae1be9dbd30e488eeffc6fbffb1b52976705c99
SnakeKeylogger
ea34ce44176906af3dd7ec1e4d9db0df144f5769ce3298d88864698c54164c9b
SnakeKeylogger
+ 69 additional samples on MalwareBazaar
Result
Malware family:
snakekeylogger
Create hunting rule
Score:
  10/10
Tags:
family:snakekeylogger evasion keylogger spyware stealer trojan
Link:
https://tria.ge/reports/210223-gxca6aaea2/
Behaviour
Delays execution with timeout.exe
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Drops file in Windows directory
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Looks up external IP address via web service
Maps connected drives based on registry
Checks BIOS information in registry
Loads dropped DLL
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Windows security modification
Executes dropped EXE
Looks for VMWare Tools registry key
Looks for VirtualBox Guest Additions in registry
Nirsoft
Modifies Windows Defender Real-time Protection settings
Snake Keylogger
Snake Keylogger Payload
Turns off Windows Defender SpyNet reporting
Windows security bypass
Unpacked files
SH256 hash:
56431350911d0476225fe5218ef37ad68ad0542b393f79ff080a69b4592a67b6
MD5 hash:
c41625a958db8d88d054fd472caf73cd
SHA1 hash:
779b198fe95c145272b00dc118a44731b10f8847
Link:
https://www.unpac.me/results/c951e16e-2ee9-4da4-8853-04e4597f72c5/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Kryptik
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/56431350911d0476225fe5218ef37ad68ad0542b393f79ff080a69b4592a67b6

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_SUSPICIOUS_Stomped_PECompilation_Timestamp_InTheFu
Create hunting rule
Author:ditekSHen
Description:Detect executables with stomped PE compilation timestamp that is greater than local current time

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

SnakeKeylogger

7z 4e28b6299df599366eb78c788123ae3b33f78f51bf73e7ccfa747f6996e2be8b

SnakeKeylogger

Executable exe 56431350911d0476225fe5218ef37ad68ad0542b393f79ff080a69b4592a67b6

(this sample)

  
Dropped by
MD5 21540719d7fc7d9a3372c740d2f53e4a
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/118498/
  
Dropped by
SHA256 4e28b6299df599366eb78c788123ae3b33f78f51bf73e7ccfa747f6996e2be8b

Comments