MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 5cc38d4a28e3609654ae3975d062a71272bdaaa655d998498f2169c7679bb19e. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


SnakeKeylogger


Vendor detections: 8


Intelligence 8 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 5cc38d4a28e3609654ae3975d062a71272bdaaa655d998498f2169c7679bb19e
SHA3-384 hash: 608f93ffeded6149346ee63fe96455c8ba66b401143f45d18a7c77342c79a7ca8111840efc967c327d193e20864d0db8
SHA1 hash: bc5414af0bf6cabe07b0088a306a06f6f3dd5407
MD5 hash: af891ae0d2ec4596cd000335cfb9bbcc
humanhash: ink-pluto-north-stairway
File name:09000000000000h.exe
Download: download sample
Signature SnakeKeylogger
Create hunting rule
File size:607'232 bytes
First seen:2021-01-13 07:27:43 UTC
Last seen:2021-01-13 09:38:30 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 12288:Mu5HDogFzqD4xujjRHWr9Snmo7eI5/DM5JjU:Mu5HDogFzqD4xujjQInn39DM5hU
Threatray 86 similar samples on MalwareBazaar
TLSH 86D4B026E9FAD9C2CEE16DB34A2255D80323AC6C480737D456E936A691777F3D1CCB20
Reporter abuse_ch
Tags:ESP exe geo SnakeKeylogger


Avatar
abuse_ch
Malspam distributing unidentified malware:

From: r.abouldahab@emis-int.com
Subject: CotizaciĆ³n de factura
Attachment: 09000000000000h...pdf..z (contains "09000000000000h.exe")

Intelligence

File Origin
# of uploads :
2
# of downloads :
151
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
09000000000000h.exe
Verdict:
Malicious activity
Analysis date:
2021-01-13 08:51:14 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/709d9243-b5b1-43e5-8b43-b41d95c30ce7

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Snake
Create hunting rule
Link:
https://www.capesandbox.com/analysis/111716/
Detection(s):
SecuriteInfo.com.Trojan.DownLoader36.34658.12504.23526.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Launching a process
Unauthorized injection to a recently created process
Creating a file
DNS request
Sending an HTTP GET request
Sending a custom TCP request
Sending a UDP request
Reading critical registry keys
Enabling autorun by creating a file
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
Snake Keylogger
Create hunting rule
Detection:
malicious
Classification:
troj.adwa.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/579959
Signature
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Bypasses PowerShell execution policy
Drops PE files to the startup folder
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
May check the online IP address of the machine
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Powershell drops PE file
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Mail credentials (via file access)
Yara detected Snake Keylogger
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 339022 Sample: 09000000000000h.exe Startdate: 13/01/2021 Architecture: WINDOWS Score: 100 46 Antivirus detection for dropped file 2->46 48 Antivirus / Scanner detection for submitted sample 2->48 50 Multi AV Scanner detection for dropped file 2->50 52 6 other signatures 2->52 7 09000000000000h.exe 3 2->7         started        11 I$s#$lT3ssl.exe 3 2->11         started        process3 file4 28 C:\Users\user\...\09000000000000h.exe.log, ASCII 7->28 dropped 54 Injects a PE file into a foreign processes 7->54 13 powershell.exe 15 7->13         started        17 09000000000000h.exe 15 2 7->17         started        20 I$s#$lT3ssl.exe 2 11->20         started        22 powershell.exe 18 11->22         started        signatures5 process6 dnsIp7 30 C:\Users\user\AppData\...\I$s#$lT3ssl.exe, PE32 13->30 dropped 32 C:\Users\...\I$s#$lT3ssl.exe:Zone.Identifier, ASCII 13->32 dropped 56 Drops PE files to the startup folder 13->56 58 Powershell drops PE file 13->58 24 conhost.exe 13->24         started        34 checkip.dyndns.org 17->34 36 checkip.dyndns.com 216.146.43.70, 49712, 49713, 80 DYNDNSUS United States 17->36 44 2 other IPs or domains 17->44 38 checkip.dyndns.org 20->38 40 162.88.193.70, 49743, 49745, 80 DYNDNSUS United States 20->40 42 104.28.4.151, 443, 49746 CLOUDFLARENETUS United States 20->42 60 Tries to steal Mail credentials (via file access) 20->60 62 Tries to harvest and steal ftp login credentials 20->62 64 Tries to harvest and steal browser information (history, passwords, etc) 20->64 26 conhost.exe 22->26         started        file8 signatures9 process10
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/5cc38d4a28e3609654ae3975d062a71272bdaaa655d998498f2169c7679bb19e/
Threat name:
ByteCode-MSIL.Backdoor.Crysan
Create hunting rule
Status:
Malicious
First seen:
2021-01-12 19:01:01 UTC
AV detection:
14 of 29 (48.28%)
Threat level:
  5/5
Verdict:
suspicious
Similar samples:
0760d3239a1163436238b85852142f3477a87dba6f222737db19d99aa48092a7
SnakeKeylogger
08a9b841c509bb0171f6899c3357e6b2cc47ce64e352315c4a8aaa4961ad0673
SnakeKeylogger
5b5242b822fbc961a9b3135ed169399695ab26ee429196917b12a8d651292981
SnakeKeylogger
7892a206704754cf7a094b04b2ad2e28cb7cfd310ad297f0f00a41bc561ebf03
SnakeKeylogger
a5cb0bac5412691a38b91ccb27b7cc476eb61c9d58f4828a7219f80d2286a4d3
SnakeKeylogger
ad3b71cf9d53af23de0805e4d2eb68955c250296b60ea44beac0b3cbb18b64a5
SnakeKeylogger
b246071c05dec2f4838b27fd6c11548e90f7deaaeb658530864d10efdb129c37
SnakeKeylogger
c26fae9be09bc2ae42201aa17d14288a797ed398c1476246a41366c78961668e
SnakeKeylogger
dcfaf32061b7ac3546b3d618dfea1372195cc4d57ff21de2cf6c918797cfa788
SnakeKeylogger
ea78060a7dd7e2df3a47591cc7503c7dd637c3169ec4c78250a43f3bd3d4a290
SnakeKeylogger
+ 76 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  7/10
Tags:
spyware
Link:
https://tria.ge/reports/210113-y796qbfpy6/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Looks up external IP address via web service
Drops startup file
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Unpacked files
SH256 hash:
5cc38d4a28e3609654ae3975d062a71272bdaaa655d998498f2169c7679bb19e
MD5 hash:
af891ae0d2ec4596cd000335cfb9bbcc
SHA1 hash:
bc5414af0bf6cabe07b0088a306a06f6f3dd5407
Link:
https://www.unpac.me/results/415eeb83-e016-4bbd-82c7-48c6cbe9c766/
SH256 hash:
98bd16e75894e9d24391a3783d13315d5bd96ce8160a592f50fb2e3741eb8489
MD5 hash:
7e7fa993043b2f4fdf7555f43632808d
SHA1 hash:
553b5b47b36f9d54c8e192657e1ba4dbc990e4a1
Link:
https://www.unpac.me/results/415eeb83-e016-4bbd-82c7-48c6cbe9c766/
SH256 hash:
33ef00f77fd4158840941b42d98fa59de86582a9635a38a679e992226e12c9dd
MD5 hash:
a1f986ee435ee36bcde3f4754c179b4b
SHA1 hash:
a8bcb7b74a838d4b08668bd1c3cd805ca08f7cd9
Link:
https://www.unpac.me/results/415eeb83-e016-4bbd-82c7-48c6cbe9c766/
SH256 hash:
97024f17003dd3d31dab64c4d1b8251e50d428644eb59ed3692ad79ce42019cf
MD5 hash:
8cd28be4bd9a1404c6d3600db32b3ed1
SHA1 hash:
fb90b0ca51118e771390d58b19d0a404ee14cfbc
Link:
https://www.unpac.me/results/415eeb83-e016-4bbd-82c7-48c6cbe9c766/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Kryptik
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/5cc38d4a28e3609654ae3975d062a71272bdaaa655d998498f2169c7679bb19e

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_EXE_Packed_ConfuserExMod_BedsProtector
Create hunting rule
Author:ditekSHen
Description:Detects executables packed with ConfuserEx Mod Beds Protector
Rule name:Keylog_bin_mem
Create hunting rule
Author:James_inthe_box
Description:Contains Keylog
Rule name:MALWARE_Win_SnakeKeylogger
Create hunting rule
Author:ditekSHen
Description:Detects Snake Keylogger

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

SnakeKeylogger

zip 1beed8f2fa2a885ac6722ddf59e109dd277a4a149e33f20200d82f5ae8a249df

SnakeKeylogger

Executable exe 5cc38d4a28e3609654ae3975d062a71272bdaaa655d998498f2169c7679bb19e

(this sample)

  
Dropped by
MD5 7f71dbfd4c5438259261e72897f28028
  
Delivery method
Distributed via e-mail attachment
  
Dropped by
SHA256 1beed8f2fa2a885ac6722ddf59e109dd277a4a149e33f20200d82f5ae8a249df
Cape
Cape
https://www.capesandbox.com/analysis/111716/

Comments