MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 614f64c6f6fb4e6a6bdb91333773972139b112937bff6a22e19c9a5d283b8097. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


SnakeKeylogger


Vendor detections: 12


Intelligence 12 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 614f64c6f6fb4e6a6bdb91333773972139b112937bff6a22e19c9a5d283b8097
SHA3-384 hash: 92cf8ac7177e43578e368636abeb689dc09be77f8b7975e11ec3b240b36e11fb0d12baeace2d8432be19209fef2d3cf2
SHA1 hash: 67b090a0aab7e6452d4fba12f2d625e276402096
MD5 hash: 4c7fe9c4af3c08960d1490c0ba409694
humanhash: orange-timing-sierra-sad
File name:090008000000000000.exe
Download: download sample
Signature SnakeKeylogger
Create hunting rule
File size:1'212'928 bytes
First seen:2021-01-20 14:02:16 UTC
Last seen:2021-01-20 15:53:12 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'744 x AgentTesla, 19'610 x Formbook, 12'242 x SnakeKeylogger)
ssdeep 24576:0ehseo4PzLv0haNk1Wpa6rf6qIwVw8wvwdwGw4wFwwwowXw9w4wNw7w7wlwUwvwD:PLo47Lo41rfBQLWHi
Threatray 2'220 similar samples on MalwareBazaar
TLSH 9845E056A399E319E0BC08355C09FA1D6AD9B6DCB6290006CE96F16C7F397C3BC27706
Reporter abuse_ch
Tags:exe SnakeKeylogger


Avatar
abuse_ch
Malspam distributing unidentified malware:

HELO: hosted-by.rootlayer.net
Sending IP: 45.137.22.52
From: "Sareera Nunnuck"<sales@hplanners.com>
Subject: PO-INVOICE-0900000
Attachment: 090008000000000000.doc.z (contains "090008000000000000.exe")

Intelligence

File Origin
# of uploads :
2
# of downloads :
137
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
090008000000000000.exe
Verdict:
Malicious activity
Analysis date:
2021-01-20 14:36:04 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/fbdeb3aa-6037-43d8-9201-8064b41a048d

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
AgentTeslaV2
Create hunting rule
Link:
https://www.capesandbox.com/analysis/113091/
Detection(s):
SecuriteInfo.com.Trojan.PackedNET.507.2963.25502.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Launching a process
Creating a file in the %temp% directory
Creating a process from a recently created file
Using the Windows Management Instrumentation requests
DNS request
Sending an HTTP GET request
Sending a custom TCP request
Reading critical registry keys
Launching the process to change network settings
Connection attempt
Sending a UDP request
Creating a file
Unauthorized injection to a recently created process
Unauthorized injection to a system process
Enabling autorun by creating a file
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
AgentTesla Matiex Snake Keylogger
Create hunting rule
Detection:
malicious
Classification:
troj.adwa.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/586217
Signature
.NET source code contains very large array initializations
Allocates memory in foreign processes
Antivirus detection for dropped file
Bypasses PowerShell execution policy
Drops PE files to the startup folder
Found malware configuration
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
May check the online IP address of the machine
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Powershell drops PE file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Sigma detected: Capture Wi-Fi password
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal WLAN passwords
Tries to steal Mail credentials (via file access)
Uses netsh to modify the Windows network and firewall settings
Writes to foreign memory regions
Yara detected AgentTesla
Yara detected Matiex Keylogger
Yara detected Snake Keylogger
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 342145 Sample: 090008000000000000.exe Startdate: 20/01/2021 Architecture: WINDOWS Score: 100 65 srvc13.turhost.com 2->65 67 nagano-19599.herokussl.com 2->67 69 2 other IPs or domains 2->69 87 Found malware configuration 2->87 89 Antivirus detection for dropped file 2->89 91 Sigma detected: Capture Wi-Fi password 2->91 93 11 other signatures 2->93 10 090008000000000000.exe 3 2->10         started        15 I$s#$lT3ssl.exe 2->15         started        signatures3 process4 dnsIp5 85 192.168.2.5, 443, 49676, 49677 unknown unknown 10->85 63 C:\Users\user\...\090008000000000000.exe.log, ASCII 10->63 dropped 99 Writes to foreign memory regions 10->99 101 Allocates memory in foreign processes 10->101 103 Injects a PE file into a foreign processes 10->103 17 InstallUtil.exe 4 10->17         started        20 powershell.exe 15 10->20         started        23 InstallUtil.exe 15->23         started        25 powershell.exe 15->25         started        27 InstallUtil.exe 15->27         started        29 InstallUtil.exe 15->29         started        file6 signatures7 process8 file9 53 C:\Users\user\...\bilgi snake 2021.exe, PE32 17->53 dropped 55 C:\Users\user\...\MATIEX GODISOD 4.0 .exe, PE32 17->55 dropped 57 C:\Users\user\AppData\Local\Temp\4.0.exe, PE32 17->57 dropped 31 4.0.exe 2 17->31         started        34 MATIEX GODISOD 4.0 .exe 17->34         started        37 bilgi snake 2021.exe 15 2 17->37         started        59 C:\Users\user\AppData\...\I$s#$lT3ssl.exe, PE32 20->59 dropped 61 C:\Users\...\I$s#$lT3ssl.exe:Zone.Identifier, ASCII 20->61 dropped 95 Drops PE files to the startup folder 20->95 97 Powershell drops PE file 20->97 39 conhost.exe 20->39         started        41 MATIEX GODISOD 4.0 .exe 23->41         started        43 bilgi snake 2021.exe 23->43         started        45 4.0.exe 23->45         started        47 conhost.exe 25->47         started        signatures10 process11 dnsIp12 105 Antivirus detection for dropped file 31->105 107 Multi AV Scanner detection for dropped file 31->107 109 Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines) 31->109 121 2 other signatures 31->121 71 checkip.dyndns.org 34->71 81 3 other IPs or domains 34->81 111 Tries to steal Mail credentials (via file access) 34->111 113 Tries to harvest and steal browser information (history, passwords, etc) 34->113 115 Tries to harvest and steal WLAN passwords 34->115 49 netsh.exe 34->49         started        73 checkip.dyndns.org 37->73 83 2 other IPs or domains 37->83 75 checkip.dyndns.org 41->75 77 37.230.107.14, 49758, 587 AEROTEK-ASTR Turkey 41->77 117 Tries to harvest and steal ftp login credentials 41->117 79 checkip.dyndns.org 43->79 signatures13 119 May check the online IP address of the machine 73->119 process14 process15 51 conhost.exe 49->51         started       
Detection:
agenttesla
Create hunting rule
Link:
https://mwdb.cert.pl/sample/614f64c6f6fb4e6a6bdb91333773972139b112937bff6a22e19c9a5d283b8097/
Threat name:
ByteCode-MSIL.Trojan.Strictor
Create hunting rule
Status:
Malicious
First seen:
2021-01-20 09:12:54 UTC
AV detection:
10 of 45 (22.22%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=mfhwjrxw7nhgu263sezto44xee43ceutpp7wuixbtsnf2kb3qclq._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
0233c43ce1cf759e1d8c8d343b03bfbad84652b12fe32b0e54b7fc7c08bdcc88
SnakeKeylogger
3b730885744ae75260212b43010cbd9578df34c88450745169a56a99d2476ffa
SnakeKeylogger
3fd2c91007c4b1429d70710853232018e8da2528d375af5d64b79901254e52f0
SnakeKeylogger
5a9e1ff007254cb77b90545f61dd8ea00eddc37b080950563b95d1bfbe70bb26
SnakeKeylogger
7596db7593e9571f3cfdb3003fe0001054abddfb57dd8390bc05d458cbef0be3
SnakeKeylogger
8a3c02f3f221e3874e057b7a98a43560d291f886f4b5351051f2876bc2f8c4e6
SnakeKeylogger
8c3b25751ab09b3f9a6b6f9ce8271c13b5963565c2099077cfc9d30d6ff6abe7
SnakeKeylogger
95eaed904a48a580a9ba80eb8193b178f08b3da26d830b7a8b2fa8f5e3b5186e
SnakeKeylogger
aefa2f5a8448c792183fedf9d025becfb782102b749c0fe3be273975f2dc3b61
SnakeKeylogger
c62943499b7fed80bf4e37ab525b622ef4fb7cc6b82ddb7b8d6fe75dabcaf363
SnakeKeylogger
+ 2'210 additional samples on MalwareBazaar
Result
Malware family:
snakekeylogger
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla family:matiex family:snakekeylogger keylogger ransomware spyware stealer trojan
Link:
https://tria.ge/reports/210120-n24lkzsqnx/
Behaviour
Modifies system certificate store
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Looks up external IP address via web service
Drops startup file
Loads dropped DLL
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Executes dropped EXE
AgentTesla
Matiex
Matiex Main Payload
Snake Keylogger
Snake Keylogger Payload
Unpacked files
SH256 hash:
97024f17003dd3d31dab64c4d1b8251e50d428644eb59ed3692ad79ce42019cf
MD5 hash:
8cd28be4bd9a1404c6d3600db32b3ed1
SHA1 hash:
fb90b0ca51118e771390d58b19d0a404ee14cfbc
Link:
https://www.unpac.me/results/a17dc033-f179-452b-afb3-2f025efb2a5f/
SH256 hash:
c2d3a6b20eb4bc377bf9be955b23615492786be0613373bfc7f440ab872a8142
MD5 hash:
e33e63bda6a3976ecadfa9ee6f096944
SHA1 hash:
68b683bb325ae9c21f471593f007c797a02dc497
Link:
https://www.unpac.me/results/a17dc033-f179-452b-afb3-2f025efb2a5f/
SH256 hash:
5a46b373a0a0894870f5a63e52477dbe71e78efe35aa373c30d2edbdf3e35f9e
MD5 hash:
bd5fe63e3666a489e7a221647f6f3807
SHA1 hash:
52a8db03aa3db1b9a287688afeffa9f041c3811c
Link:
https://www.unpac.me/results/a17dc033-f179-452b-afb3-2f025efb2a5f/
SH256 hash:
c1667fa6f6d37044c403c17010f36efc7e08d47ac2fb36a36b3c7e700eb97d81
MD5 hash:
eebb807f8a5a2d47c89648e4fb907f89
SHA1 hash:
35e8cbe02f0ce21492333604056e15bdbc923227
Link:
https://www.unpac.me/results/a17dc033-f179-452b-afb3-2f025efb2a5f/
SH256 hash:
3fbc1a7a11a0fde2721df44878925884ddb76be0ad494d14fba8d986c2406a56
MD5 hash:
7aa3530964ff6c1d82b513055a9649a2
SHA1 hash:
2f95617d7857f1bd17085c254f46eec941bfdb6c
Link:
https://www.unpac.me/results/a17dc033-f179-452b-afb3-2f025efb2a5f/
SH256 hash:
7670cd0bd65262b718cfdd15385829a06ddba1ea28a12ecc13e6521bf0d31094
MD5 hash:
0f5adb477779aad16328af35e02d49c9
SHA1 hash:
2c5239e714221ab7d724ffc8c237c6ba37fb9dae
Link:
https://www.unpac.me/results/a17dc033-f179-452b-afb3-2f025efb2a5f/
SH256 hash:
e0b3bd3f2fadd3ef560c7dc1c13e1f50351e8df61139eb8e6367badf7689e71b
MD5 hash:
f615aa95251fc14492843942a588614c
SHA1 hash:
296669e81c271762d5068f8a9ecbb354ffc335c9
Link:
https://www.unpac.me/results/a17dc033-f179-452b-afb3-2f025efb2a5f/
SH256 hash:
614f64c6f6fb4e6a6bdb91333773972139b112937bff6a22e19c9a5d283b8097
MD5 hash:
4c7fe9c4af3c08960d1490c0ba409694
SHA1 hash:
67b090a0aab7e6452d4fba12f2d625e276402096
Link:
https://www.unpac.me/results/a17dc033-f179-452b-afb3-2f025efb2a5f/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/614f64c6f6fb4e6a6bdb91333773972139b112937bff6a22e19c9a5d283b8097

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

SnakeKeylogger

zip 16239fd023bc9cf3b827ff8e52e15b97b504eac112924550b34e38b04e44889d

SnakeKeylogger

Executable exe 614f64c6f6fb4e6a6bdb91333773972139b112937bff6a22e19c9a5d283b8097

(this sample)

  
Dropped by
MD5 ff5f0a439e56b1a27ad7443ac5b671fa
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/113091/
  
Dropped by
SHA256 16239fd023bc9cf3b827ff8e52e15b97b504eac112924550b34e38b04e44889d

Comments