MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 9a3393ffe5813c8e6bee08a49e52f16dbb3b3b65f5e0ab6652a864c19c8bce50. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


SnakeKeylogger


Vendor detections: 8


Intelligence 8 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 9a3393ffe5813c8e6bee08a49e52f16dbb3b3b65f5e0ab6652a864c19c8bce50
SHA3-384 hash: b00fdaa07b363ea90d1760287798b328145cf685314ab7deeb31308f332140f2df47896660931a394dbff1eaf4e3d75b
SHA1 hash: d3d71d912fd22dc041f20d08ee733e613a1e188c
MD5 hash: 1204335e39c4b14e702f6dcb4e57f7f7
humanhash: beer-lima-apart-summer
File name:PURCHAS ORDER.exe
Download: download sample
Signature SnakeKeylogger
Create hunting rule
File size:3'440'640 bytes
First seen:2021-02-08 16:31:47 UTC
Last seen:2021-02-08 18:55:52 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'666 x AgentTesla, 19'479 x Formbook, 12'209 x SnakeKeylogger)
ssdeep 6144:UaCfOgmUIeo3t+h0uRf5n1I4uB8YmsRIpG7VTbQqo+DB45ePNBREgua2EKUrKmHj:
Threatray 3 similar samples on MalwareBazaar
TLSH 33F514B64FCB1E55BF77F626D3F3F61D121A3309209067CE1A04CA89366B4D99C84DA8
Reporter abuse_ch
Tags:exe SnakeKeylogger


Avatar
abuse_ch
Malspam distributing SnakeKeylogger:

HELO: vps.tecp0s.com
Sending IP: 203.159.80.121
From: office1@tecp0s.com
Subject: PURCHASE ORDER
Attachment: PURCHAS ORDER.r00 (contains "PURCHAS ORDER.exe")

Intelligence

File Origin
# of uploads :
2
# of downloads :
169
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
PURCHAS ORDER.exe
Verdict:
Malicious activity
Analysis date:
2021-02-08 16:38:13 UTC
Tags:
evasion trojan
Link:
https://app.any.run/tasks/67a343e6-b7d5-4105-8d20-94b110a0593c

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/116079/
Detection(s):
SecuriteInfo.com.Artemis1204335E39C4.20279.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Running batch commands
Creating a process with a hidden window
Launching a process
Unauthorized injection to a recently created process
Adding an access-denied ACE
Creating a file
Sending a UDP request
DNS request
Sending an HTTP GET request
Sending a custom TCP request
Reading critical registry keys
Creating a window
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Enabling autorun by creating a file
Enabling autorun
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
Snake Keylogger
Create hunting rule
Detection:
malicious
Classification:
troj.adwa.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/602058
Signature
Contains functionality to hide a thread from the debugger
Creates an undocumented autostart registry key
Creates autostart registry keys with suspicious names
Creates multiple autostart registry keys
Drops PE files to the startup folder
Hides threads from debuggers
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
May check the online IP address of the machine
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file access)
Yara detected Snake Keylogger
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 350045 Sample: PURCHAS ORDER.exe Startdate: 08/02/2021 Architecture: WINDOWS Score: 100 59 checkip.dyndns.org 2->59 61 freegeoip.app 2->61 63 checkip.dyndns.com 2->63 75 Yara detected Snake Keylogger 2->75 77 May check the online IP address of the machine 2->77 79 Machine Learning detection for sample 2->79 81 5 other signatures 2->81 8 PURCHAS ORDER.exe 3 5 2->8         started        12 PURCHAS ORDER.exe 3 2->12         started        14 PURCHAS ORDER.exe 2->14         started        16 3 other processes 2->16 signatures3 process4 dnsIp5 53 C:\Users\user\AppData\...\PURCHAS ORDER.exe, PE32 8->53 dropped 55 C:\...\PURCHAS ORDER.exe:Zone.Identifier, ASCII 8->55 dropped 87 Creates an undocumented autostart registry key 8->87 89 Hides threads from debuggers 8->89 91 Injects a PE file into a foreign processes 8->91 19 PURCHAS ORDER.exe 15 2 8->19         started        23 cmd.exe 1 8->23         started        25 WerFault.exe 23 9 8->25         started        27 PURCHAS ORDER.exe 12->27         started        29 cmd.exe 12->29         started        31 WerFault.exe 12->31         started        93 Creates autostart registry keys with suspicious names 14->93 95 Creates multiple autostart registry keys 14->95 57 192.168.2.1 unknown unknown 16->57 33 cmd.exe 16->33         started        35 cmd.exe 16->35         started        37 2 other processes 16->37 file6 signatures7 process8 dnsIp9 65 checkip.dyndns.org 19->65 67 checkip.dyndns.com 216.146.43.71, 49715, 49717, 49729 DYNDNSUS United States 19->67 69 freegeoip.app 172.67.188.154, 443, 49721, 49731 CLOUDFLARENETUS United States 19->69 83 Tries to steal Mail credentials (via file access) 19->83 85 Tries to harvest and steal browser information (history, passwords, etc) 19->85 39 conhost.exe 23->39         started        71 checkip.dyndns.org 27->71 73 216.146.43.70, 49727, 49728, 49739 DYNDNSUS United States 27->73 41 conhost.exe 29->41         started        43 timeout.exe 29->43         started        45 conhost.exe 33->45         started        47 timeout.exe 33->47         started        49 conhost.exe 35->49         started        51 timeout.exe 35->51         started        signatures10 process11
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/9a3393ffe5813c8e6bee08a49e52f16dbb3b3b65f5e0ab6652a864c19c8bce50/
Threat name:
ByteCode-MSIL.Trojan.Malrep
Create hunting rule
Status:
Malicious
First seen:
2021-02-08 16:32:13 UTC
AV detection:
17 of 29 (58.62%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=tizzh77fqe6i427obcsj4uxrnw5two3f6xqkwzssvbsmdhelzzia._file
Verdict:
unknown
Similar samples:
001bf57ded55236e2f1f0bbf7bf313b5397d955a9ce80009b2ac61b3f84e5544
SnakeKeylogger
7cb987616a272b3f90faa060b9671d72cdb3c2fecd398b9c50fac1449379282b
SnakeKeylogger
c079b62cce0d0718c3b1f26c3f0f359a7df94acf7e75aea710979fe338ea1f4f
SnakeKeylogger
Result
Malware family:
snakekeylogger
Create hunting rule
Score:
  10/10
Tags:
family:snakekeylogger keylogger persistence ransomware spyware stealer
Link:
https://tria.ge/reports/210208-fepx3gg3sx/
Behaviour
Delays execution with timeout.exe
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Program crash
Enumerates physical storage devices
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Adds Run key to start application
Looks up external IP address via web service
Drops startup file
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Modifies WinLogon for persistence
Snake Keylogger
Snake Keylogger Payload
Unpacked files
SH256 hash:
31660f65ff0f8d10060724fdbe63186082015464692903189bdb109098440b57
MD5 hash:
c0b0cea521f2cdc31d083977fd3582ca
SHA1 hash:
27e141a53d2ee3e22e363e3541594ddfb4d138ff
Link:
https://www.unpac.me/results/5f858d24-6d98-466d-a873-9554ccead805/
SH256 hash:
9a3393ffe5813c8e6bee08a49e52f16dbb3b3b65f5e0ab6652a864c19c8bce50
MD5 hash:
1204335e39c4b14e702f6dcb4e57f7f7
SHA1 hash:
d3d71d912fd22dc041f20d08ee733e613a1e188c
Link:
https://www.unpac.me/results/5f858d24-6d98-466d-a873-9554ccead805/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/9a3393ffe5813c8e6bee08a49e52f16dbb3b3b65f5e0ab6652a864c19c8bce50

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_EXE_Packed_ConfuserExMod_BedsProtector
Create hunting rule
Author:ditekSHen
Description:Detects executables packed with ConfuserEx Mod Beds Protector
Rule name:Keylog_bin_mem
Create hunting rule
Author:James_inthe_box
Description:Contains Keylog
Rule name:MALWARE_Win_SnakeKeylogger
Create hunting rule
Author:ditekSHen
Description:Detects Snake Keylogger

File information

The table below shows additional information about this malware sample such as delivery method and external references.

a5a0616a6b783dba2f810016e1b8890a

SnakeKeylogger

Executable exe 9a3393ffe5813c8e6bee08a49e52f16dbb3b3b65f5e0ab6652a864c19c8bce50

(this sample)

  
Dropped by
MD5 a5a0616a6b783dba2f810016e1b8890a
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/116079/

Comments