MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 7524b245486ef504703db2ecb54579de49a47ad607f89f0e4f8331da991f2bde. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


SnakeKeylogger


Vendor detections: 10


Intelligence 10 IOCs YARA 5 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 7524b245486ef504703db2ecb54579de49a47ad607f89f0e4f8331da991f2bde
SHA3-384 hash: f897d514fbe9659ae1efe32a24a31121a972a0943125b678e933012c57fe5af06c9cc6a8102acf12ba36db548927d4a8
SHA1 hash: 43ee666bb4fa9c11140afccab30b2ccdea4684d6
MD5 hash: 904ab0940df2401c06238d452887b936
humanhash: kilo-fillet-dakota-glucose
File name:2021Mar01_9073782913, pdf.exe
Download: download sample
Signature SnakeKeylogger
Create hunting rule
File size:741'888 bytes
First seen:2021-03-01 06:47:07 UTC
Last seen:2021-03-01 08:53:37 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'666 x AgentTesla, 19'479 x Formbook, 12'209 x SnakeKeylogger)
ssdeep 12288:VR/0WF6G50eVG4DQpxC6HskN9nbvpnB2FRdnf:pz60dmYsskN9nbRnC
Threatray 6 similar samples on MalwareBazaar
TLSH 15F4E73421FA634EC43776B217D0801F9BE12F55DE8BE71BD0A015D76E12EC1AB8692B
Reporter abuse_ch
Tags:DHL exe SnakeKeylogger


Avatar
abuse_ch
Malspam distributing SnakeKeylogger:

HELO: mail.rgfischer-verlag.de
Sending IP: 87.230.18.126
From: DHL Express Cargo <NoReply.ODD@dhl.com>
Subject: Re: DHL Cargo Delivery
Attachment: 2021Mar01_9073782913, pdf.iso (contains "2021Mar01_9073782913, pdf.exe")

Intelligence

File Origin
# of uploads :
2
# of downloads :
90
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
2021Mar01_9073782913, pdf.exe
Verdict:
Suspicious activity
Analysis date:
2021-03-01 05:49:30 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/4e762cff-241a-4c83-84f1-4ab532365edc

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Snake
Create hunting rule
Link:
https://www.capesandbox.com/analysis/120110/
Detection(s):
SecuriteInfo.com.Artemis904AB0940DF2.12428.21180.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a UDP request
Unauthorized injection to a recently created process
Creating a file
DNS request
Sending an HTTP GET request
Sending a custom TCP request
Reading critical registry keys
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
Snake Keylogger
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
92 / 100
Link:
https://www.joesandbox.com/analysis/621692
Signature
.NET source code contains very large strings
Found malware configuration
Injects a PE file into a foreign processes
Machine Learning detection for sample
May check the online IP address of the machine
Multi AV Scanner detection for submitted file
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file access)
Yara detected Beds Obfuscator
Yara detected Snake Keylogger
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/7524b245486ef504703db2ecb54579de49a47ad607f89f0e4f8331da991f2bde/
Threat name:
ByteCode-MSIL.Trojan.Pwsx
Create hunting rule
Status:
Malicious
First seen:
2021-03-01 06:48:08 UTC
AV detection:
12 of 49 (24.49%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=ouslerkin32qi4b5wlwlkrlz3ze2i6wwa74j6dspqmy5vgi7fppa._file
Verdict:
unknown
Similar samples:
108cb7635bf4bc25a3697216643065e5b58738b1c1d68c3d7ef5ecc51b72f6cb
SnakeKeylogger
1b3da0f883c24b91508fa490013c10763b6dc410a322cf31b8eb53916037add1
SnakeKeylogger
356d48dcbc6f8a3ed6d047ee20fe0177979a5e5f74a991dbcad06f8a7c70625a
SnakeKeylogger
60aeecc57072d7f9718fbe58b2202b60776dccee6c13fc1404c1973a436530da
SnakeKeylogger
91915a12e602254583676a35b861ac18bff0f5b52a9c447dd6c3a72ec4becc6d
SnakeKeylogger
fbafe5fa2f6ecd89710dd3aaa947518ecc7bc767a2dd0415377a61ab99f7ddac
SnakeKeylogger
Result
Malware family:
snakekeylogger
Create hunting rule
Score:
  10/10
Tags:
family:snakekeylogger keylogger spyware stealer
Link:
https://tria.ge/reports/210301-ea7a4mknca/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Looks up external IP address via web service
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Snake Keylogger
Snake Keylogger Payload
Unpacked files
SH256 hash:
cc4cc67bdd765c714649e152f1f3d5ca47ae7b7e749b73fa36989edf28ac4d38
MD5 hash:
f468d6902b88d59785b1840486ad37f3
SHA1 hash:
520cf119b5c71bb5ce4360b9893bc06dac646fb9
Link:
https://www.unpac.me/results/81d5a1ee-e343-4702-b3ee-3fb09e685450/
SH256 hash:
f8b5b51efedb3e87493ac2439473564603cc3059d57956f209a7310e311a1027
MD5 hash:
d66f89bf838fb52ed59d311a99aea214
SHA1 hash:
342525c4aabbb92abf51459081d34ed0f1cdc965
Link:
https://www.unpac.me/results/81d5a1ee-e343-4702-b3ee-3fb09e685450/
SH256 hash:
12a9d298f3f0971d9a8e1bf9770b5f9785af28aceccd4afb3f74456c8f9b8d14
MD5 hash:
fca965172900d792ffdd0f4ce6462ef5
SHA1 hash:
000604fdb0bfa15636c972d30ef7dc7bb5793a26
Link:
https://www.unpac.me/results/81d5a1ee-e343-4702-b3ee-3fb09e685450/
SH256 hash:
7524b245486ef504703db2ecb54579de49a47ad607f89f0e4f8331da991f2bde
MD5 hash:
904ab0940df2401c06238d452887b936
SHA1 hash:
43ee666bb4fa9c11140afccab30b2ccdea4684d6
Link:
https://www.unpac.me/results/81d5a1ee-e343-4702-b3ee-3fb09e685450/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Password Stealer
Score:
0.90
Link:
https://yomi.yoroi.company/submissions/7524b245486ef504703db2ecb54579de49a47ad607f89f0e4f8331da991f2bde

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:adonunix
Create hunting rule
Author:Tim Brown @timb_machine
Description:AD on UNIX
Rule name:INDICATOR_EXE_Packed_ConfuserExMod_BedsProtector
Create hunting rule
Author:ditekSHen
Description:Detects executables packed with ConfuserEx Mod Beds Protector
Rule name:Keylog_bin_mem
Create hunting rule
Author:James_inthe_box
Description:Contains Keylog
Rule name:MALWARE_Win_SnakeKeylogger
Create hunting rule
Author:ditekSHen
Description:Detects Snake Keylogger
Rule name:Ping_Del_method_bin_mem
Create hunting rule
Author:James_inthe_box
Description:cmd ping IP nul del

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

SnakeKeylogger

iso 8dc685ef69c0a88a68079effbebbcf3f491d100fa839665e4f96fc458a6f482b

SnakeKeylogger

Executable exe 7524b245486ef504703db2ecb54579de49a47ad607f89f0e4f8331da991f2bde

(this sample)

  
Dropped by
MD5 881c5682f58ee6a568d21cdb2cf68001
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/120110/
  
Dropped by
SHA256 8dc685ef69c0a88a68079effbebbcf3f491d100fa839665e4f96fc458a6f482b

Comments