MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 85054a226af92e19e2129ed5f16aeec5df18c31bce7a1cdef61e481791d8811d. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


SnakeKeylogger


Vendor detections: 10


Intelligence 10 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 85054a226af92e19e2129ed5f16aeec5df18c31bce7a1cdef61e481791d8811d
SHA3-384 hash: 79cdc72d76d02e85fbffa8025574122843da6c23e2a01288eb6824c0c1f0cb035105395a512950bd76ebad30a4b0f6aa
SHA1 hash: f1b5a7fc0424ad3484c95cf256563750bfb801a7
MD5 hash: 751e382c0a22c0429c04badabddb290b
humanhash: four-asparagus-jersey-illinois
File name:deme Tavsiyesi.exe
Download: download sample
Signature SnakeKeylogger
Create hunting rule
File size:3'342'336 bytes
First seen:2021-02-12 18:51:24 UTC
Last seen:2021-02-12 21:03:10 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'747 x AgentTesla, 19'634 x Formbook, 12'242 x SnakeKeylogger)
ssdeep 768:Nb4vaPkWgT6O8IWS2kZh2zsb9VYdhP5qUAZ4WnMaHsixESTeAkI302s+J+THifFk:NUtg
Threatray 8 similar samples on MalwareBazaar
TLSH 22F53A329CF37A91EAFB969053C8B00C87B7B72BD9A01E5F1581A75B01475328E99F13
Reporter abuse_ch
Tags:exe geo HSBC SnakeKeylogger TUR


Avatar
abuse_ch
Malspam distributing SnakeKeylogger:

HELO: mail.good-hills.co.jp
Sending IP: 153.120.2.71
From: HSBC Danışmanlık Hizmeti <info@kansan.com>
Subject: Ödeme tavsiyesi-tavsiye Ref: [0LV126518514] / ach kredileri / Müşteri Ref: [PSI INCONTROL SDN] / ikinci Parti Ref: [1122041-D]
Attachment: deme Tavsiyesi.zip (contains "deme Tavsiyesi.exe")

Intelligence

File Origin
# of uploads :
2
# of downloads :
109
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
deme Tavsiyesi.exe
Verdict:
Malicious activity
Analysis date:
2021-02-12 18:57:47 UTC
Tags:
evasion trojan
Link:
https://app.any.run/tasks/d4ecbe73-93e6-4d86-b690-781fc644586d

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Snake
Create hunting rule
Link:
https://www.capesandbox.com/analysis/116952/
Detection(s):
SecuriteInfo.com.BackDoor.SpyBotNET.25.20136.8454.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Unauthorized injection to a recently created process
Sending a UDP request
Creating a window
Creating a file
DNS request
Sending an HTTP GET request
Sending a custom TCP request
Reading critical registry keys
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Enabling autorun by creating a file
Enabling autorun
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
Snake Keylogger
Create hunting rule
Detection:
malicious
Classification:
troj.adwa.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/607080
Signature
.NET source code contains potential unpacker
.NET source code contains very large strings
Creates an undocumented autostart registry key
Creates autostart registry keys with suspicious names
Creates multiple autostart registry keys
Drops PE files to the startup folder
Found malware configuration
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
May check the online IP address of the machine
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file access)
Yara detected Beds Obfuscator
Yara detected Snake Keylogger
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 352572 Sample: deme Tavsiyesi.exe Startdate: 12/02/2021 Architecture: WINDOWS Score: 100 58 Found malware configuration 2->58 60 Multi AV Scanner detection for dropped file 2->60 62 Multi AV Scanner detection for submitted file 2->62 64 9 other signatures 2->64 6 deme Tavsiyesi.exe 3 5 2->6         started        10 deme Tavsiyesi.exe 2->10         started        12 deme Tavsiyesi.exe 2 2->12         started        14 3 other processes 2->14 process3 file4 32 C:\Users\user\AppData\...\deme Tavsiyesi.exe, PE32 6->32 dropped 34 C:\...\deme Tavsiyesi.exe:Zone.Identifier, ASCII 6->34 dropped 36 C:\Users\user\...\deme Tavsiyesi.exe.log, ASCII 6->36 dropped 66 Creates an undocumented autostart registry key 6->66 68 Injects a PE file into a foreign processes 6->68 16 deme Tavsiyesi.exe 15 2 6->16         started        70 Creates autostart registry keys with suspicious names 10->70 72 Creates multiple autostart registry keys 10->72 20 deme Tavsiyesi.exe 10->20         started        22 deme Tavsiyesi.exe 2 12->22         started        24 deme Tavsiyesi.exe 12->24         started        26 deme Tavsiyesi.exe 14->26         started        28 deme Tavsiyesi.exe 14->28         started        30 deme Tavsiyesi.exe 14->30         started        signatures5 process6 dnsIp7 46 3 other IPs or domains 16->46 52 Tries to steal Mail credentials (via file access) 16->52 54 Tries to harvest and steal browser information (history, passwords, etc) 16->54 38 checkip.dyndns.org 20->38 48 3 other IPs or domains 22->48 40 freegeoip.app 26->40 42 checkip.dyndns.org 26->42 50 2 other IPs or domains 28->50 44 checkip.dyndns.org 30->44 signatures8 56 May check the online IP address of the machine 40->56
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/85054a226af92e19e2129ed5f16aeec5df18c31bce7a1cdef61e481791d8811d/
Threat name:
ByteCode-MSIL.Trojan.Ymacco
Create hunting rule
Status:
Malicious
First seen:
2021-02-12 09:52:10 UTC
AV detection:
15 of 28 (53.57%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=qucuuitk7exbtyqst3k7c2xoyxprrqy3zz5bzxxwdzebpeoyqeoq._file
Verdict:
malicious
Similar samples:
4c2c051d8ea24e46f9c53284795ca4518140e1ce2161694b97353b5e53776d8e
SnakeKeylogger
52b4e3238f2b9b1ad37e8a8af0961fb563ac10025aa54341e2481bff248b74d9
SnakeKeylogger
6f95416c1006a499c7012c6cde49a27f83223c665cf9b28764030afeb04bf697
SnakeKeylogger
8e4431d4a51d7fe22c1fba157abfbd47249cc0ef0abe980e099ff3002839c777
SnakeKeylogger
a5291cb72effd442ca566ea6d4035f508e97184f506a2eb20d035347532708bc
SnakeKeylogger
e1103e6f026f85275a21a6263a141142a733a222c923fa7232c4c9935681e91d
SnakeKeylogger
efc33e49a1f2bb8a2caf20a3609c44170c3739c90c1e2f4f236961e13279a3b3
SnakeKeylogger
fc95c84eb428f263fef3220d512a2f602570f2acb41a46114244c30af48fd51b
SnakeKeylogger
Result
Malware family:
snakekeylogger
Create hunting rule
Score:
  10/10
Tags:
family:snakekeylogger keylogger persistence spyware stealer
Link:
https://tria.ge/reports/210212-5xkk4dej5e/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Adds Run key to start application
Looks up external IP address via web service
Drops startup file
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Modifies WinLogon for persistence
Snake Keylogger
Snake Keylogger Payload
Unpacked files
SH256 hash:
ebb9997944a94eebfde7ea231d115f53f8d0ebf1f99c8c76167ccdc347ca6589
MD5 hash:
ff5e3f4e2e45678d7c8472cf58a5e209
SHA1 hash:
30a7700a7606d10c35da092cae40a6a159525eea
Link:
https://www.unpac.me/results/37684682-5381-4d5c-8561-5018a8e5c10a/
SH256 hash:
21b4a263c4e241f82a532655854daf4f3732c0ffb1d5c00eda71f8071b9ed00a
MD5 hash:
245f8242057cff067829d7608acb90c1
SHA1 hash:
114e1514937089bbc59c56086a0ff2bdb3c5c3d1
Link:
https://www.unpac.me/results/37684682-5381-4d5c-8561-5018a8e5c10a/
SH256 hash:
85054a226af92e19e2129ed5f16aeec5df18c31bce7a1cdef61e481791d8811d
MD5 hash:
751e382c0a22c0429c04badabddb290b
SHA1 hash:
f1b5a7fc0424ad3484c95cf256563750bfb801a7
Link:
https://www.unpac.me/results/37684682-5381-4d5c-8561-5018a8e5c10a/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
0.91
Link:
https://yomi.yoroi.company/submissions/85054a226af92e19e2129ed5f16aeec5df18c31bce7a1cdef61e481791d8811d

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_EXE_Packed_ConfuserExMod_BedsProtector
Create hunting rule
Author:ditekSHen
Description:Detects executables packed with ConfuserEx Mod Beds Protector
Rule name:Keylog_bin_mem
Create hunting rule
Author:James_inthe_box
Description:Contains Keylog
Rule name:MALWARE_Win_SnakeKeylogger
Create hunting rule
Author:ditekSHen
Description:Detects Snake Keylogger

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

SnakeKeylogger

zip 008d6db735489695c161d1f18adb62f9e0541763a76a37a3243d58df63acfdfd

SnakeKeylogger

Executable exe 85054a226af92e19e2129ed5f16aeec5df18c31bce7a1cdef61e481791d8811d

(this sample)

  
Dropped by
MD5 930acf042c83233e37cb46177c6f5257
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/116952/
  
Dropped by
SHA256 008d6db735489695c161d1f18adb62f9e0541763a76a37a3243d58df63acfdfd

Comments