MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 989c030b081f6e98a43d2641e8f9f27db6a9875d060f308f1191e5f2bbd201e2. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

SnakeKeylogger

Vendor detections: 10

Intelligence 10 IOCs YARA 12 File information Comments

SHA256 hash:	989c030b081f6e98a43d2641e8f9f27db6a9875d060f308f1191e5f2bbd201e2
SHA3-384 hash:	4070758df228af76702e47ba6bdf0befc241404d3ec0a4cf35dbbf6d853632c2eba36102ba415ec1b9a8ce5476638e17
SHA1 hash:	634c8cb01c1f4a180a24bdac3b155bdb565f4e3c
MD5 hash:	6807041323285761bef96494160fafce
humanhash:	victor-hydrogen-kitten-butter
File name:	G&G GROUP OF COMPANIES - INQUIRYRFQ.exe
Download:	download sample
Signature	SnakeKeylogger Create hunting rule
File size:	142'718 bytes
First seen:	2021-06-29 13:26:05 UTC
Last seen:	2021-06-29 13:42:54 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	ced282d9b261d1462772017fe2f6972b (127 x Formbook, 113 x GuLoader, 70 x RemcosRAT)
ssdeep	3072:iBkfJpRXATwMdFCcGbECyrqycOF0/LUCV7hEzWs0D479187APhykPL8y0:iqjIKyqhEzWVc79RZdYy0
Threatray	66 similar samples on MalwareBazaar
TLSH	F8D3126376E0D4F7CBBF07B10E355A50AFD6D72422AA0B036F502F693925297B50F192
Reporter	Anonymous
Tags:	exe SnakeKeylogger

Intelligence

File Origin

# of uploads :

# of downloads :

144

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

G&G GROUP OF COMPANIES - INQUIRYRFQ.exe

Verdict:

Malicious activity

Analysis date:

2021-06-29 11:42:41 UTC

Tags:

evasion trojan

Link:

https://app.any.run/tasks/73fcb239-68f1-4aad-beed-9c108b6064e5

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

Snake

Link:

https://www.capesandbox.com/analysis/168766/

Detection(s):

SecuriteInfo.com.Zum.Androm.1.27208.9218.UNOFFICIAL

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Snake Keylogger

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/e865a1aa-ebb8-44f6-bdd1-c285a81840cc

Result

Threat name:

Snake Keylogger

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/809350

Signature

.NET source code references suspicious native API functions

Allocates memory in foreign processes

Contains functionality to inject code into remote processes

Found evasive API chain (may stop execution after reading information in the PEB, e.g. number of processors)

Found malware configuration

Injects a PE file into a foreign processes

Machine Learning detection for dropped file

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

May check the online IP address of the machine

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to steal Mail credentials (via file access)

Writes to foreign memory regions

Yara detected Snake Keylogger

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/989c030b081f6e98a43d2641e8f9f27db6a9875d060f308f1191e5f2bbd201e2/

Threat name:

Win32.Trojan.Woreflint

Status:

Malicious

First seen:

2021-06-29 11:45:28 UTC

AV detection:

21 of 46 (45.65%)

Threat level:

5/5

Verdict:

malicious

SnakeKeylogger

2912b7d443b702c966317e139c682c5f9cac0adbc3c1e9477677ccb4c5a68691

SnakeKeylogger

4ee7793ced917a0ae8b3928b869b23d9165376e03d818cfd9a0e5e9e82d37e45

SnakeKeylogger

8b1702fd70eb89fd46daedb3bfb9dd421ed059b6d6e8acdfb04ddc360481e081

SnakeKeylogger

92517b173ea0fcaebaaa41bb74ac2dbf25b826b35bc3dc3735e1091ae0d4fe85

SnakeKeylogger

9e8d789bdd6599838705ca1a56845c0d00ea269ea74bc4655942ab06fa5bafd6

SnakeKeylogger

a36916873dbf1ca41d386367277ac89d8f4174939b81a15d7c6e5b7db5bd9909

SnakeKeylogger

d981f5daf1c87e05ad0839dffeed418798980f349c76ff0d6a12e2d538f3ae5d

SnakeKeylogger

e4023297b3b3918787683d59c9ebf0c5786cdf50f42f54c50aa5571e7dae29f7

SnakeKeylogger

ebd24502078f9395ed6fe4cf53a9506e9c087d500b5c8ae0c962cd0b4b4be498

SnakeKeylogger

+ 56 additional samples on MalwareBazaar

Result

Malware family:

snakekeylogger

Score:

10/10

Tags:

family:snakekeylogger keylogger stealer

Link:

https://tria.ge/reports/210629-72vjetwvms/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Enumerates physical storage devices

Suspicious use of SetThreadContext

Looks up external IP address via web service

Loads dropped DLL

Snake Keylogger

Malware Config

C2 Extraction:

https://api.telegram.org/bot1571127866:AAHguuj9aCz9TkpsxoITEb4kppcpFXvmHzI/sendMessage?chat_id=930818258

Unpacked files

SH256 hash:

0de64df0234671f45f2af739b0164ab67c15472fea823aa97a1015aa83ddf648

MD5 hash:

ee977a5d2649fa86d9281cc5c468863c

SHA1 hash:

bebf22eea3cb0f4164acd0706aeccf1c75e91234

Link:

https://www.unpac.me/results/f30d57e7-0b3d-4868-a44f-a1fe7656511f/

SH256 hash:

393fe9034cc1aecbe0f74c4d47dc12139f8939b1888f05a9c17466db0acdd71a

MD5 hash:

085c3a037902963df755122a09da95d8

SHA1 hash:

381ea23468fb843c2fc99a05c3ed3da11ecb8432

Link:

https://www.unpac.me/results/f30d57e7-0b3d-4868-a44f-a1fe7656511f/

SH256 hash:

989c030b081f6e98a43d2641e8f9f27db6a9875d060f308f1191e5f2bbd201e2

MD5 hash:

6807041323285761bef96494160fafce

SHA1 hash:

634c8cb01c1f4a180a24bdac3b155bdb565f4e3c

Link:

https://www.unpac.me/results/f30d57e7-0b3d-4868-a44f-a1fe7656511f/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

0.97

Link:

https://yomi.yoroi.company/submissions/989c030b081f6e98a43d2641e8f9f27db6a9875d060f308f1191e5f2bbd201e2

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	Choice_Del_method_bin_mem Create hunting rule
Author:	James_inthe_box
Description:	cmd ping IP nul del

Rule name:	Chrome_stealer_bin_mem Create hunting rule
Author:	James_inthe_box
Description:	Chrome in files like avemaria

Rule name:	Email_stealer_bin_mem Create hunting rule
Author:	James_inthe_box
Description:	Email in files like avemaria

Rule name:	INDICATOR_SUSPICIOUS_Binary_References_Browsers Create hunting rule
Author:	ditekSHen
Description:	Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers.

Rule name:	INDICATOR_SUSPICIOUS_EXE_Referenfces_Messaging_Clients Create hunting rule
Author:	ditekSHen
Description:	Detects executables referencing many email and collaboration clients. Observed in information stealers

Rule name:	Keylog_bin_mem Create hunting rule
Author:	James_inthe_box
Description:	Contains Keylog

Rule name:	MAL_Envrial_Jan18_1 Create hunting rule
Author:	Florian Roth
Description:	Detects Encrial credential stealer malware
Reference:	https://twitter.com/malwrhunterteam/status/953313514629853184

Rule name:	pe_imphash Create hunting rule

Rule name:	Reverse_text_bin_mem Create hunting rule
Author:	James_inthe_box
Description:	Reverse text detected

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

Rule name:	Telegram_bot_mem Create hunting rule
Author:	James_inthe_box
Description:	Telegram in files like avemaria

Rule name:	Telegram_Exfiltration_Via_Api Create hunting rule
Author:	lsepaolo

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method

Distributed via e-mail link

Cape

https://www.capesandbox.com/analysis/168766/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample