MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 9bb2525c48049ffd05b8ad6a39a89245b6a4de4914275fcfad2beee8bfaa714d. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


SnakeKeylogger


Vendor detections: 6


Intelligence 6 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 9bb2525c48049ffd05b8ad6a39a89245b6a4de4914275fcfad2beee8bfaa714d
SHA3-384 hash: 225c401703d5c86ddd49ac4046eb68f04f3eb94e72e3ae617114adfcb16d507095045de728d91a686d4ce0e6e244ad9e
SHA1 hash: 81e1f14e30fa437a464d1e068e1963a14212c623
MD5 hash: 59380235fed3c5300b01b07ca70148ca
humanhash: arkansas-eighteen-chicken-oven
File name:IMG_058741601.exe
Download: download sample
Signature SnakeKeylogger
Create hunting rule
File size:750'080 bytes
First seen:2021-01-29 16:32:53 UTC
Last seen:2021-01-29 19:20:35 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'748 x AgentTesla, 19'642 x Formbook, 12'245 x SnakeKeylogger)
ssdeep 12288:VLcHl7llFlqwqwXBPpRJPl/qxF7yRctn:VYHXlFlqs13BliL7yu
Threatray 281 similar samples on MalwareBazaar
TLSH 13F44948A3A4FA64C8C7B2770EA662181353FFD736E187E54765377329393E81B8E484
Reporter abuse_ch
Tags:exe SnakeKeylogger Yahoo


Avatar
abuse_ch
Malspam distributing unidentified malware:

HELO: sonic308-1.consmr.mail.bf2.yahoo.com
Sending IP: 74.6.130.40
From: Sudath Kulathunga <wiingroupcom@yahoo.com>
Subject: Purchase Order and Invoice Letter of Intent as shown on attached files (2)
Attachment: IMG_058741601.IMG (contains "IMG_058741601.exe")

Intelligence

File Origin
# of uploads :
2
# of downloads :
201
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
IMG_058741601.exe
Verdict:
No threats detected
Analysis date:
2021-01-29 16:36:21 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/35dff1ed-a4b6-42c3-8599-75a825d4db3f

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/114836/
Result
Verdict:
Malware
Maliciousness:

Behaviour
DNS request
Sending a custom TCP request
Creating a window
Running batch commands
Launching a process
Creating a file in the %temp% directory
Creating a file
Sending a UDP request
Creating a process from a recently created file
Sending an HTTP GET request
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Unauthorized injection to a recently created process
Unauthorized injection to a recently created process by context flags manipulation
Result
Threat name:
Snake Keylogger
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/594234
Signature
Allocates memory in foreign processes
Drops PE files to the user root directory
Hides that the sample has been downloaded from the Internet (zone.identifier)
Icon mismatch, binary includes an icon from a different legit application in order to fool users
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
May check the online IP address of the machine
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Mail credentials (via file access)
Writes to foreign memory regions
Yara detected AntiVM_3
Yara detected MultiObfuscated
Yara detected Snake Keylogger
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 346161 Sample: IMG_058741601.exe Startdate: 29/01/2021 Architecture: WINDOWS Score: 100 49 Icon mismatch, binary includes an icon from a different legit application in order to fool users 2->49 51 Multi AV Scanner detection for submitted file 2->51 53 Yara detected Snake Keylogger 2->53 55 4 other signatures 2->55 7 mnoi.exe 14 3 2->7         started        10 IMG_058741601.exe 15 7 2->10         started        13 mnoi.exe 2 2->13         started        process3 file4 57 Multi AV Scanner detection for dropped file 7->57 59 Writes to foreign memory regions 7->59 61 Allocates memory in foreign processes 7->61 63 Injects a PE file into a foreign processes 7->63 15 InstallUtil.exe 14 2 7->15         started        27 C:\Users\user\mnoi.exe, PE32 10->27 dropped 29 C:\Users\user\AppData\...\InstallUtil.exe, PE32 10->29 dropped 31 C:\Users\user\mnoi.exe:Zone.Identifier, ASCII 10->31 dropped 33 C:\Users\user\...\IMG_058741601.exe.log, ASCII 10->33 dropped 65 Drops PE files to the user root directory 10->65 67 Hides that the sample has been downloaded from the Internet (zone.identifier) 10->67 19 cmd.exe 1 10->19         started        21 mnoi.exe 2 10->21         started        signatures5 process6 dnsIp7 35 checkip.dyndns.org 15->35 37 checkip.dyndns.com 216.146.43.71, 49748, 49749, 80 DYNDNSUS United States 15->37 39 freegeoip.app 172.67.188.154, 443, 49750 CLOUDFLARENETUS United States 15->39 43 Tries to steal Mail credentials (via file access) 15->43 45 Tries to harvest and steal ftp login credentials 15->45 47 Tries to harvest and steal browser information (history, passwords, etc) 15->47 23 conhost.exe 19->23         started        25 reg.exe 1 1 19->25         started        41 192.168.2.1 unknown unknown 21->41 signatures8 process9
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/9bb2525c48049ffd05b8ad6a39a89245b6a4de4914275fcfad2beee8bfaa714d/
Threat name:
ByteCode-MSIL.Trojan.Tnega
Create hunting rule
Status:
Malicious
First seen:
2021-01-29 16:33:57 UTC
AV detection:
14 of 28 (50.00%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=tozfexciasp72bnyvvvdtkesiw3kjxsjcqtv7t5nfpxorp5kofgq._file
Verdict:
unknown
Similar samples:
3d9b59ef7e396dcbfbb58069b1876d6b85e111c7e36b6a302cf4e955fb711a29
SnakeKeylogger
55ca4147c94a10c9fc3fe95d3e922546ee796f63ca3b9aad005998f1e1e2b912
SnakeKeylogger
56e07ad691527a959fc383a66ee5ab1ab94fa9d74a330f8946f6fbcc8bb57533
SnakeKeylogger
7df13ffe45b68e7c1920041713d51dd2e7cc562fb95cdc8be181f992c77456a6
SnakeKeylogger
83ee84084d628a921bd29b547f6767e17d8cd89a6132f9d717d5ccab7da72fbd
SnakeKeylogger
a3106e981a3c90e2512b5f67afdb8e8430fa3bc75cc11eab5541a7200ecd0fba
SnakeKeylogger
adf3f47687c15c048c4c909e95c5c2c17187259832ebbab51b6a0b2c5e5f588e
SnakeKeylogger
cd63e20a002279934bc2ed4887d77605686a79f28f8114f9c01b678754a1e10a
SnakeKeylogger
f48af72b2049ce9cb61a28086fe47ffad766b26ea9ce27cce0082f435504dc73
SnakeKeylogger
f9a8ba23f68d57179f1a480b6207351d5f41e6303fbdd09f6fffd514f82bef30
SnakeKeylogger
+ 271 additional samples on MalwareBazaar
Result
Malware family:
snakekeylogger
Create hunting rule
Score:
  10/10
Tags:
family:snakekeylogger keylogger persistence ransomware spyware stealer
Link:
https://tria.ge/reports/210129-8tkfsg2bca/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Adds Run key to start application
Looks up external IP address via web service
Loads dropped DLL
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Executes dropped EXE
Snake Keylogger
Snake Keylogger Payload
Unpacked files
SH256 hash:
9bb2525c48049ffd05b8ad6a39a89245b6a4de4914275fcfad2beee8bfaa714d
MD5 hash:
59380235fed3c5300b01b07ca70148ca
SHA1 hash:
81e1f14e30fa437a464d1e068e1963a14212c623
Link:
https://www.unpac.me/results/a622de24-2702-4417-bdc6-0079ae4992e5/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.35
Link:
https://yomi.yoroi.company/submissions/9bb2525c48049ffd05b8ad6a39a89245b6a4de4914275fcfad2beee8bfaa714d

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

SnakeKeylogger

img 79e6eb269387195a1158db7166f19563e49c4727d0387d9d7c65136e3a19cb15

SnakeKeylogger

Executable exe 9bb2525c48049ffd05b8ad6a39a89245b6a4de4914275fcfad2beee8bfaa714d

(this sample)

  
Dropped by
MD5 6fa7116e977cc0a31f61fb9334fab32f
  
Delivery method
Distributed via e-mail attachment
  
Dropped by
SHA256 79e6eb269387195a1158db7166f19563e49c4727d0387d9d7c65136e3a19cb15
Cape
Cape
https://www.capesandbox.com/analysis/114836/

Comments