MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 7e3852e9aef15433ea96a868fdb0da68aa2292108c8f1b7f869573aa0145c7d3. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


SnakeKeylogger


Vendor detections: 10


Intelligence 10 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 7e3852e9aef15433ea96a868fdb0da68aa2292108c8f1b7f869573aa0145c7d3
SHA3-384 hash: 13fa5569b2fa9cc29aa7f550c5c2638ef1492f30a99a01b26b1886117e57bfd200d37d4a516484766cfd0110f02a876c
SHA1 hash: 62ad935929c95538c3a4df2d6aaa3e896bd2be33
MD5 hash: b986d0262d0071dda5b710a1e02d11e3
humanhash: sierra-fifteen-july-nevada
File name:PO_1037_Scanned_150.exe
Download: download sample
Signature SnakeKeylogger
Create hunting rule
File size:821'760 bytes
First seen:2021-03-05 13:01:35 UTC
Last seen:2021-03-05 15:20:01 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'666 x AgentTesla, 19'479 x Formbook, 12'209 x SnakeKeylogger)
ssdeep 12288:V+jAXmfBxMa2yJWpZpxlvExocHZu/tmCH/dmZLsqBK3FFZx8:V+j3iy8dlAoc5MtmCH1MZWFZ
Threatray 41 similar samples on MalwareBazaar
TLSH F205AF35572AE85BD91CEB3AE03756BD5D98BB83511BE61B4ADCBC47232C33801E42E4
Reporter abuse_ch
Tags:exe Hetzner SnakeKeylogger


Avatar
abuse_ch
Malspam distributing SnakeKeylogger:

HELO: static.228.224.217.95.clients.your-server.de
Sending IP: 95.217.224.228
From: BEmma Nevard<website@ctggrocer.com>
Subject: Purchase Order 1037 from Europower Components Ltd
Attachment: PO_1037_Scanned_150.lzh (contains "PO_1037_Scanned_150.exe")

Intelligence

File Origin
# of uploads :
2
# of downloads :
121
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
PO_1037_Scanned_150.doc
Verdict:
Malicious activity
Analysis date:
2021-03-05 13:10:06 UTC
Tags:
ole-embedded exploit CVE-2017-11882
Link:
https://app.any.run/tasks/1985951c-5f90-4458-bb63-b062bf78692d

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Snake
Create hunting rule
Link:
https://www.capesandbox.com/analysis/122454/
Detection(s):
SecuriteInfo.com.BackDoor.SpyBotNET.25.16002.19198.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file
Creating a file in the %temp% directory
Creating a process from a recently created file
DNS request
Sending an HTTP GET request
Creating a window
Enabling the 'hidden' option for files in the %temp% directory
Sending a custom TCP request
Moving a recently created file
Reading critical registry keys
Sending a UDP request
Unauthorized injection to a recently created process
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
Snake Keylogger
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/630050
Signature
.NET source code contains method to dynamically call methods (often used by packers)
Antivirus detection for dropped file
Detected unpacking (overwrites its own PE header)
Found malware configuration
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
May check the online IP address of the machine
Multi AV Scanner detection for submitted file
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Mail credentials (via file access)
Yara detected Beds Obfuscator
Yara detected Snake Keylogger
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/7e3852e9aef15433ea96a868fdb0da68aa2292108c8f1b7f869573aa0145c7d3/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2021-03-05 13:02:08 UTC
AV detection:
21 of 28 (75.00%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=py4ff2no6fkdh2uwvbup3mg2ncvcfeqqrshrw74gsvz2uakfy7jq._file
Verdict:
suspicious
Similar samples:
0de6143e172649d2b1ce97db3e20c168545df98acf7333e82a00c9d69ced79fd
SnakeKeylogger
1268e6e0265bdaf979d45098051a38eaf3915765e6b5ffe928101c68e0065012
SnakeKeylogger
48e554159e6003c59fc3cec6633e274dcd650bbd7067413b6ec8de04aed1b958
SnakeKeylogger
7c784b2b4f0a0601c27580aedc94ceda67153748ef452c722d21726654a1677c
SnakeKeylogger
9d16660c6cbee0c09d8046e43cec9523ca047f7478723c7e04a255c644794c6e
SnakeKeylogger
9ed8b4aa4693089d71da648dcc5a33cb2263d82cd522140e063d3150747a2f6d
SnakeKeylogger
a0b5afcab56631d737decbb0378a3aa681f0d053fba8b829a039b452c0be79ed
SnakeKeylogger
ab644490caafad91cfca11a9f402beabf6e32d2e5a5f9c976231148a539ae008
SnakeKeylogger
c948dcc56b42f0d4c74f972ef4e3af6ae09083af0dbf576ee28e48a93dbd2e7e
SnakeKeylogger
d7036cc5c9cc8d91b86cdd451ecb84351b19c1670b4f34b39190efdb3b7a82d5
SnakeKeylogger
+ 31 additional samples on MalwareBazaar
Result
Malware family:
snakekeylogger
Create hunting rule
Score:
  10/10
Tags:
family:snakekeylogger keylogger spyware stealer
Link:
https://tria.ge/reports/210305-6eyh4awzt6/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Looks up external IP address via web service
Loads dropped DLL
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Executes dropped EXE
Beds Protector Packer
Snake Keylogger
Snake Keylogger Payload
Unpacked files
SH256 hash:
1cf6f734c7b1bd94bd6dea71495a6f7f7c04fae7bac1a1cf082dfb78f799e169
MD5 hash:
e23d91b203861938babb744f7e723463
SHA1 hash:
ffa4d66b0254eec8f192a0cee69470643520908f
Link:
https://www.unpac.me/results/d9ec3b56-9ef3-47c5-8ba3-8e0bdd423a6f/
SH256 hash:
97024f17003dd3d31dab64c4d1b8251e50d428644eb59ed3692ad79ce42019cf
MD5 hash:
8cd28be4bd9a1404c6d3600db32b3ed1
SHA1 hash:
fb90b0ca51118e771390d58b19d0a404ee14cfbc
Link:
https://www.unpac.me/results/d9ec3b56-9ef3-47c5-8ba3-8e0bdd423a6f/
SH256 hash:
94167eec4c1771002aafe7ab8e46e6beedd017e54267500026deab2510d6e8cb
MD5 hash:
639d3c378e328ae8feb3033860e82bf4
SHA1 hash:
e8e574dbbc9fcdbceaa5acba80d573485abd3545
Link:
https://www.unpac.me/results/d9ec3b56-9ef3-47c5-8ba3-8e0bdd423a6f/
SH256 hash:
662b269e38230b694ec9df8e4a9c219d24339740eebc8e4ab1f0cbca11b9b77e
MD5 hash:
9c3a7797105d01a415d9c717273cc9f1
SHA1 hash:
ac09b6e5c6d2700a6eed283572cfa4b336f98810
Link:
https://www.unpac.me/results/d9ec3b56-9ef3-47c5-8ba3-8e0bdd423a6f/
SH256 hash:
5906131cd49d5a31a1a7822ea84b8a663cad2b0020e48548b5d61821a840bb37
MD5 hash:
66a3e859b4c5a574c5007eb78f8adc63
SHA1 hash:
50191feb0e2208f3495d0198b499e6e919cfb7e1
Link:
https://www.unpac.me/results/d9ec3b56-9ef3-47c5-8ba3-8e0bdd423a6f/
SH256 hash:
7e3852e9aef15433ea96a868fdb0da68aa2292108c8f1b7f869573aa0145c7d3
MD5 hash:
b986d0262d0071dda5b710a1e02d11e3
SHA1 hash:
62ad935929c95538c3a4df2d6aaa3e896bd2be33
Link:
https://www.unpac.me/results/d9ec3b56-9ef3-47c5-8ba3-8e0bdd423a6f/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/7e3852e9aef15433ea96a868fdb0da68aa2292108c8f1b7f869573aa0145c7d3

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

SnakeKeylogger

rar f340be14c37a33fc12a4bafe257e56000302d8c9839b2e9bcafde248da1c0eef

SnakeKeylogger

Executable exe 7e3852e9aef15433ea96a868fdb0da68aa2292108c8f1b7f869573aa0145c7d3

(this sample)

  
Dropped by
MD5 e7c3021540c040ce7ad46ce59c11e8d0
  
Delivery method
Distributed via e-mail attachment
  
URLhaus
https://urlhaus.abuse.ch/url/1048598/
Cape
Cape
https://www.capesandbox.com/analysis/122454/
  
Dropped by
SHA256 f340be14c37a33fc12a4bafe257e56000302d8c9839b2e9bcafde248da1c0eef

Comments