MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 7892a206704754cf7a094b04b2ad2e28cb7cfd310ad297f0f00a41bc561ebf03. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


SnakeKeylogger


Vendor detections: 9


Intelligence 9 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 7892a206704754cf7a094b04b2ad2e28cb7cfd310ad297f0f00a41bc561ebf03
SHA3-384 hash: 5a54406ec6ac2dc33080f4fae960ac3bb5fa26c3a54c7fd81b8b34b61c356c84db7553501427b90a7f07ee89b57e3c0a
SHA1 hash: 70328cd60d353020bd17cda4a2b5cf6a637d3054
MD5 hash: f9f1b66a0e3694995e4c4b6cae771929
humanhash: twelve-charlie-shade-whiskey
File name:00000000000900SA.exe
Download: download sample
Signature SnakeKeylogger
Create hunting rule
File size:606'720 bytes
First seen:2021-01-12 06:20:03 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'657 x AgentTesla, 19'468 x Formbook, 12'206 x SnakeKeylogger)
ssdeep 12288:viBVlAJHKi9sCH/EYHWAEt1L0EW/hYLOA77+igTo5mCs1dDYkw7GRxHp2Pse+r5j:viRABKvS+W39DM5h0
Threatray 79 similar samples on MalwareBazaar
TLSH CED4D0C233098744E3B4B2FD4719B48D119F3C0791ADDAA472F1BA6E47BC2692948BF5
Reporter abuse_ch
Tags:exe SnakeKeylogger


Avatar
abuse_ch
Malspam distributing unidentified malware:

HELO: hosted-by.rootlayer.net
Sending IP: 185.222.58.152
From: r.abouldahab@emis-int.com
Subject: Re: URGENT REQUIREMENT
Attachment: 00000000000900SA.z (contains "00000000000900SA.exe")

Intelligence

File Origin
# of uploads :
1
# of downloads :
115
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
00000000000900SA.exe
Verdict:
Malicious activity
Analysis date:
2021-01-12 06:28:01 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/66094bb8-bc91-499d-aede-936171098b48

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Snake
Create hunting rule
Link:
https://www.capesandbox.com/analysis/111378/
Detection(s):
SecuriteInfo.com.BehavesLike.Win32.Generic.hc.1812.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Launching a process
Unauthorized injection to a recently created process
Creating a file
Sending a UDP request
DNS request
Sending an HTTP GET request
Sending a custom TCP request
Reading critical registry keys
Enabling autorun by creating a file
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
Snake Keylogger
Create hunting rule
Detection:
malicious
Classification:
troj.adwa.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/578614
Signature
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Bypasses PowerShell execution policy
Drops PE files to the startup folder
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
May check the online IP address of the machine
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Powershell drops PE file
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Mail credentials (via file access)
Yara detected Snake Keylogger
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 338354 Sample: 00000000000900SA.exe Startdate: 12/01/2021 Architecture: WINDOWS Score: 100 44 Antivirus detection for dropped file 2->44 46 Antivirus / Scanner detection for submitted sample 2->46 48 Multi AV Scanner detection for dropped file 2->48 50 6 other signatures 2->50 7 00000000000900SA.exe 3 2->7         started        11 I$s#$lT3ssl.exe 3 2->11         started        process3 file4 30 C:\Users\user\...\00000000000900SA.exe.log, ASCII 7->30 dropped 52 Injects a PE file into a foreign processes 7->52 13 powershell.exe 15 7->13         started        17 00000000000900SA.exe 15 2 7->17         started        20 00000000000900SA.exe 7->20         started        22 I$s#$lT3ssl.exe 2 11->22         started        24 powershell.exe 17 11->24         started        signatures5 process6 dnsIp7 32 C:\Users\user\AppData\...\I$s#$lT3ssl.exe, PE32 13->32 dropped 34 C:\Users\...\I$s#$lT3ssl.exe:Zone.Identifier, ASCII 13->34 dropped 54 Drops PE files to the startup folder 13->54 56 Powershell drops PE file 13->56 26 conhost.exe 13->26         started        36 checkip.dyndns.org 17->36 38 checkip.dyndns.com 216.146.43.70, 49723, 49726, 49736 DYNDNSUS United States 17->38 40 freegeoip.app 104.28.4.151, 443, 49727, 49745 CLOUDFLARENETUS United States 17->40 42 checkip.dyndns.org 22->42 58 Tries to steal Mail credentials (via file access) 22->58 60 Tries to harvest and steal ftp login credentials 22->60 62 Tries to harvest and steal browser information (history, passwords, etc) 22->62 28 conhost.exe 24->28         started        file8 signatures9 process10
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/7892a206704754cf7a094b04b2ad2e28cb7cfd310ad297f0f00a41bc561ebf03/
Threat name:
ByteCode-MSIL.Trojan.Generic
Create hunting rule
Status:
Suspicious
First seen:
2021-01-12 04:13:50 UTC
AV detection:
5 of 46 (10.87%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=pcjkebtqi5km66qjjmclfljofdfxz7jrbljjp4hqbja3yvq6x4bq._file
Verdict:
suspicious
Similar samples:
329b10943314d1e2013f44dcb3ad15ae390bc5d15cec294592c465075e77a5b7
SnakeKeylogger
3a5a66b2f29435ad611565f00708761bce6c3fbd6729a44b8b0b172065ddae42
SnakeKeylogger
44163384a787d9f25f4c2616dfec47d802e129b3d99464d23288667188d2ac49
SnakeKeylogger
59bd5cd505abfbbfa179000812546405d0f81191bdb7656ef5cb04f41da84594
SnakeKeylogger
a5cb0bac5412691a38b91ccb27b7cc476eb61c9d58f4828a7219f80d2286a4d3
SnakeKeylogger
ad3b71cf9d53af23de0805e4d2eb68955c250296b60ea44beac0b3cbb18b64a5
SnakeKeylogger
aee3e4545426bbee306c79e3a2578ac45873f340116f13908394735244721e73
SnakeKeylogger
b246071c05dec2f4838b27fd6c11548e90f7deaaeb658530864d10efdb129c37
SnakeKeylogger
b55e720e758380f2f8eeac13e99fcb926dfb107949ea5796bce4d433139c8aea
SnakeKeylogger
b6d839d0fd381a0996c85002c76a763ecb400e44f81fee8d61efe80da6275a81
SnakeKeylogger
+ 69 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  7/10
Tags:
spyware
Link:
https://tria.ge/reports/210112-lg9h58eqsn/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Looks up external IP address via web service
Drops startup file
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Unpacked files
SH256 hash:
40d4d775760861b5b901cf280b4ca0d30d465045204c2f28df2a4a0e4d158712
MD5 hash:
01b0ce2eec178c4bec3b3e862b910aeb
SHA1 hash:
a13939b313e4138ef8f096fd2b9de6e2b09e450e
Link:
https://www.unpac.me/results/3247ae66-14d3-41d7-9260-33b3fa8642e9/
SH256 hash:
66b31c435d6e8d985300c6a6d0e4f9e9ed6056d7ab1e3c774b1700a12951f162
MD5 hash:
f8b4cc9b75214fdd7be95085dbc6891d
SHA1 hash:
c901611347a1fb4579177b8bc1671c62bce6d24b
Link:
https://www.unpac.me/results/3247ae66-14d3-41d7-9260-33b3fa8642e9/
SH256 hash:
7892a206704754cf7a094b04b2ad2e28cb7cfd310ad297f0f00a41bc561ebf03
MD5 hash:
f9f1b66a0e3694995e4c4b6cae771929
SHA1 hash:
70328cd60d353020bd17cda4a2b5cf6a637d3054
Link:
https://www.unpac.me/results/3247ae66-14d3-41d7-9260-33b3fa8642e9/
SH256 hash:
97024f17003dd3d31dab64c4d1b8251e50d428644eb59ed3692ad79ce42019cf
MD5 hash:
8cd28be4bd9a1404c6d3600db32b3ed1
SHA1 hash:
fb90b0ca51118e771390d58b19d0a404ee14cfbc
Link:
https://www.unpac.me/results/3247ae66-14d3-41d7-9260-33b3fa8642e9/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Kryptik
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/7892a206704754cf7a094b04b2ad2e28cb7cfd310ad297f0f00a41bc561ebf03

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_EXE_Packed_ConfuserExMod_BedsProtector
Create hunting rule
Author:ditekSHen
Description:Detects executables packed with ConfuserEx Mod Beds Protector
Rule name:Keylog_bin_mem
Create hunting rule
Author:James_inthe_box
Description:Contains Keylog
Rule name:MALWARE_Win_SnakeKeylogger
Create hunting rule
Author:ditekSHen
Description:Detects Snake Keylogger

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

SnakeKeylogger

zip 0e7f372c51c2da2aca429842e38e8fdf72f598f0ff812e3c51bfd958198ec36d

SnakeKeylogger

Executable exe 7892a206704754cf7a094b04b2ad2e28cb7cfd310ad297f0f00a41bc561ebf03

(this sample)

  
Dropped by
MD5 56a2d01a314b8e27b2f081e0df10e36c
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/111378/
  
Dropped by
SHA256 0e7f372c51c2da2aca429842e38e8fdf72f598f0ff812e3c51bfd958198ec36d

Comments