MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 9d92710a161bdf3bbf19a895ad3f7ee347d283890bd2a40893f3bb6d85b3077c. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


SnakeKeylogger


Vendor detections: 9


Intelligence 9 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 9d92710a161bdf3bbf19a895ad3f7ee347d283890bd2a40893f3bb6d85b3077c
SHA3-384 hash: 1177046dd881a66d6f29edf93211d07b6b33d629db85b6c7fffdcf3db790232844856c1e56cb48a6bdeb406b65c8678b
SHA1 hash: 454339e238e041a56a87b76ead7c2aaf469953b1
MD5 hash: a80422c14d9020fac56a564a890e9989
humanhash: nitrogen-mountain-vegan-xray
File name:Yeni siparis _WJO-001, pdf.exe
Download: download sample
Signature SnakeKeylogger
Create hunting rule
File size:1'034'752 bytes
First seen:2021-04-07 11:18:58 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 24576:r3bOx1cDn3DmS6pUb4aoaJ3IkPNYX3YGJuvHUzvvCOOReYycnlWp:Ox1Wn3DmvpI4aoaDPi3pJ9v7
Threatray 14 similar samples on MalwareBazaar
TLSH 6F25E02232989BD6F17E5B329465913013F1B88FE366D64E3CDCA39C14B2BC1C25A776
Reporter abuse_ch
Tags:exe geo SnakeKeylogger TUR


Avatar
abuse_ch
Malspam distributing SnakeKeylogger:

HELO: pve03-mail01.stuenings.de
Sending IP: 116.202.61.49
From: Rüya <info@taca.com.tr>
Subject: Yeni sipariş _WJO-001
Attachment: Yeni siparis _WJO-001, pdf.iso (contains "Yeni siparis _WJO-001, pdf.exe")

Intelligence

File Origin
# of uploads :
1
# of downloads :
139
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
Yeni siparis _WJO-001, pdf.exe
Verdict:
Malicious activity
Analysis date:
2021-04-07 11:20:46 UTC
Tags:
evasion trojan
Link:
https://app.any.run/tasks/ad4a9757-3a89-4073-a7e9-0faf53629947

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/132824/
Detection(s):
SecuriteInfo.com.Trojan.PackedNET.624.13321.22531.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a UDP request
Result
Verdict:
SUSPICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
Snake Keylogger
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
92 / 100
Link:
https://www.joesandbox.com/analysis/668553
Signature
Found malware configuration
Injects a PE file into a foreign processes
Machine Learning detection for sample
May check the online IP address of the machine
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file access)
Yara detected AntiVM3
Yara detected Beds Obfuscator
Yara detected Snake Keylogger
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/9d92710a161bdf3bbf19a895ad3f7ee347d283890bd2a40893f3bb6d85b3077c/
Threat name:
Win32.Infostealer.Stelega
Create hunting rule
Status:
Malicious
First seen:
2021-04-07 11:15:54 UTC
AV detection:
20 of 29 (68.97%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=twjhccqwdpptxpyzvck22p364nd5fa4jbpjkicet6o5w3bnta56a._file
Verdict:
unknown
Similar samples:
23c566938824db35e8806a9f51f245cfd91e379016d76ba7a5cba8bca5e4b251
SnakeKeylogger
4e9d4accd47dc415c57f8c246d5e7a80b57eb0428380ec6fad4daf99e35494fe
SnakeKeylogger
5c8301f5ec2ae8cca6eb7aca8cd2578811019bcc261e16fe84f1bf7231676805
SnakeKeylogger
7c98a7aee7d155bc8632cae1ff09120f88483adfa77205e6b74253e9d652e2b6
SnakeKeylogger
7e585caf6d39d5596d2f74e12de5c1d5e3d00fb9eaa2341808d13fbe7db70d4b
SnakeKeylogger
ae1efe48a48d407e61531703344339809994b4c1bc339cdd4e4f5a4ec9f498b7
SnakeKeylogger
c9ecc8ac0893475d6852cd5aadf9ed6c5378e45f281b92ee948def1c7f9263f3
SnakeKeylogger
dc377a33af6a32885d2ad71c2f0495372f5aac992d25fa0239ecc9aeec1d482b
SnakeKeylogger
efa63822d503d39c7cf4ed12eea7c23780a146214aafcf5b74a18b859c5ab5ca
SnakeKeylogger
ff7cfa32cedd5fa246f999297b1330baaf922d5cd878883438a7e5e65d054362
SnakeKeylogger
+ 4 additional samples on MalwareBazaar
Result
Malware family:
snakekeylogger
Create hunting rule
Score:
  10/10
Tags:
family:snakekeylogger keylogger spyware stealer
Link:
https://tria.ge/reports/210407-m185w3d372/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Looks up external IP address via web service
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Snake Keylogger
Snake Keylogger Payload
Unpacked files
SH256 hash:
6590b9ec4fa84e44c372fda26f47d6d58859d74869621c6bdd4086e6ae411379
MD5 hash:
95dfa1a9015a17a1d49b4faa3f3d999d
SHA1 hash:
427b72727b28436554d0443d797f19b2ea37cc16
Link:
https://www.unpac.me/results/5f8a2f29-456e-49f4-9f57-83debb355a0a/
SH256 hash:
9d92710a161bdf3bbf19a895ad3f7ee347d283890bd2a40893f3bb6d85b3077c
MD5 hash:
a80422c14d9020fac56a564a890e9989
SHA1 hash:
454339e238e041a56a87b76ead7c2aaf469953b1
Link:
https://www.unpac.me/results/5f8a2f29-456e-49f4-9f57-83debb355a0a/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Kryptik
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/9d92710a161bdf3bbf19a895ad3f7ee347d283890bd2a40893f3bb6d85b3077c

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

SnakeKeylogger

iso e427d1bb1bd411677b680ec5414b2b778f3eb3963b3f51bbfa9d1009e6fbe672

SnakeKeylogger

Executable exe 9d92710a161bdf3bbf19a895ad3f7ee347d283890bd2a40893f3bb6d85b3077c

(this sample)

  
Dropped by
MD5 438fd6dbab8d1248eb8a36e91003bb6f
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/132824/
  
Dropped by
SHA256 e427d1bb1bd411677b680ec5414b2b778f3eb3963b3f51bbfa9d1009e6fbe672

Comments