MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 a06a159d3fd47ac0698cd649205f983beef2d1718de0f8c5b2aef9450e2758ce. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

SnakeKeylogger

Vendor detections: 6

Intelligence 6 IOCs YARA 5 File information Comments

SHA256 hash:	a06a159d3fd47ac0698cd649205f983beef2d1718de0f8c5b2aef9450e2758ce
SHA3-384 hash:	f31901dd0b1c46fa5fe12647aba3d4559f914e8217032aaebf4d518c4ab8b8d1709975c944e9bf14ad82599a44e4f546
SHA1 hash:	a6bcfbac880877d6149491490979461c4f940b5f
MD5 hash:	028f4790b00f49d7505a6179d6cc9a4d
humanhash:	beer-oranges-vermont-carbon
File name:	Scan000406860.rar
Download:	download sample
Signature	SnakeKeylogger Create hunting rule
File size:	549'041 bytes
First seen:	2024-08-28 06:42:28 UTC
Last seen:	Never
File type:	rar
MIME type:	application/x-rar
ssdeep	12288:G9YzPcXbr6iQWBRp2ecfp8LD9ZtYro7TadjVeYOnAiGW:dUXbr6iPnlcrQssAiGW
TLSH	T145C4235A5DA2B8794D7535368211F25EC976B8125C60BF0BE17F821AF343C2D28B39B3
TrID	61.5% (.RAR) RAR compressed archive (v5.0) (8000/1) 38.4% (.RAR) RAR compressed archive (gen) (5000/1)
Magika	rar
Reporter	cocaman
Tags:	rar SnakeKeylogger

cocaman

Malicious email (T1566.001)
From: ""Brad Sun" <nurul.hazirah@tw.import-kr.sbs>" (likely spoofed)
Received: "from p0.tw.import-kr.sbs (p0.tw.import-kr.sbs [176.32.39.155]) "
Date: "27 Aug 2024 18:52:50 -0700"
Subject: "Purchase Order"
Attachment: "Scan000406860.rar"

Intelligence

File Origin

# of uploads :

# of downloads :

221

Origin country :

File Archive Information

This file archive contains 1 file(s), sorted by their relevance:

File name:	Scan000406860.exe
File size:	1'077'760 bytes
SHA256 hash:	9a318a246c633d4630bec3b499961573e035ccbb070827f9fdef90298dcfccc6
MD5 hash:	cbd1eddc103af5a8424c94d4b4fd96da
MIME type:	application/x-dosexec
Signature	SnakeKeylogger

Vendor Threat Intelligence

Verdict:

Malicious

Score:

90.2%

Link:

https://cyber-fortress.com/docs/result/index.php?id=66cec6fafe69a9e56049a3ea

Tags:

Heur

Gathering data

Verdict:

Unknown

Link:

https://www.hybrid-analysis.com/sample/a06a159d3fd47ac0698cd649205f983beef2d1718de0f8c5b2aef9450e2758ce

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/a06a159d3fd47ac0698cd649205f983beef2d1718de0f8c5b2aef9450e2758ce/

Threat name:

Script-AutoIt.Spyware.Snakekeylogger

Status:

Malicious

First seen:

2024-08-28 06:42:31 UTC

File Type:

Binary (Archive)

Extracted files:

AV detection:

20 of 38 (52.63%)

Threat level:

2/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=ubvblhj72r5ma2mm2zesax4yhpxpfulrrxqprrnsv34ukdrhldha._file

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/a06a159d3fd47ac0698cd649205f983beef2d1718de0f8c5b2aef9450e2758ce

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	AutoIT_Compiled Create hunting rule
Author:	@bartblaze
Description:	Identifies compiled AutoIT script (as EXE). This rule by itself does NOT necessarily mean the detected file is malicious.