MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 a24b65d53104ef9cad9859a7d02ae4b8b39ead417b2dc81866d59051285410c5. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

SnakeKeylogger

Vendor detections: 8

Intelligence 8 IOCs YARA 1 File information Comments

SHA256 hash:	a24b65d53104ef9cad9859a7d02ae4b8b39ead417b2dc81866d59051285410c5
SHA3-384 hash:	45a8c006d1b45e38969aa732334c04e1cc87efcade1c2c00e7042af6ca98aab89c04cf771722670ff78c7c4b0a03b7b6
SHA1 hash:	e636de65ab51eada40fcf6cd44910b0b8021be23
MD5 hash:	8a21af8559dbd323c8dc6e123a8662fb
humanhash:	carbon-july-five-tennessee
File name:	Payment Notification.exe
Download:	download sample
Signature	SnakeKeylogger Create hunting rule
File size:	702'976 bytes
First seen:	2021-03-08 14:31:55 UTC
Last seen:	2021-03-09 23:31:40 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'661 x AgentTesla, 19'474 x Formbook, 12'208 x SnakeKeylogger)
ssdeep	12288:i+iWF7hQmhH0GEIGx1EjnKHzbZFPnF97EwZWuCPmBhEzTfGupcBNYxmf:i+iG7hAfAj+kP8h+TfGupcf
Threatray	2 similar samples on MalwareBazaar
TLSH	4BE4DF560ABD02EEF79FDF33306B28ED5D456A016B1AD523E87C6A18165C33C42BF588
Reporter	James_inthe_box
Tags:	exe SnakeKeylogger

Intelligence

File Origin

# of uploads :

# of downloads :

116

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

Payment Notification.exe

Verdict:

Suspicious activity

Analysis date:

2021-03-08 14:40:40 UTC

Tags:

n/a

Link:

https://app.any.run/tasks/780f7125-f00a-4f7f-84e9-68a98173a247

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/122815/

Detection(s):

SecuriteInfo.com.Trojan.Heur3.CTR.201bcQm0@ay4TlVl.32385.30282.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Launching the default Windows debugger (dwwin.exe)

Sending a UDP request

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Result

Threat name:

Snake Keylogger

Detection:

malicious

Classification:

troj.evad

Score:

80 / 100

Link:

https://www.joesandbox.com/analysis/631313

Signature

Binary contains a suspicious time stamp

Found malware configuration

Initial sample is a PE file and has a suspicious name

Machine Learning detection for sample

Multi AV Scanner detection for submitted file

Yara detected Beds Obfuscator

Yara detected Snake Keylogger

Behaviour

Behavior Graph:

Download SVG

Gathering data

Threat name:

Win32.Trojan.Wacatac

Status:

Malicious

First seen:

2021-03-08 13:38:58 UTC

File Type:

PE (.Net Exe)

Extracted files:

AV detection:

14 of 47 (29.79%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=ujfwlvjratxzzlmylgt5akxexczz5lkbpmw4qgdg2wifckcucdcq._file

Verdict:

unknown

SnakeKeylogger

547730d182deb8f0b96b48b7d635288e43748c79816f3ad481735df25ae9523c

SnakeKeylogger

Result

Malware family:

n/a

Score:

9/10

Tags:

n/a

Link:

https://tria.ge/reports/210308-xp7c8xrsk6/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Program crash

Beds Protector Packer

Unpacked files

SH256 hash:

97024f17003dd3d31dab64c4d1b8251e50d428644eb59ed3692ad79ce42019cf

MD5 hash:

8cd28be4bd9a1404c6d3600db32b3ed1

SHA1 hash:

fb90b0ca51118e771390d58b19d0a404ee14cfbc

Link:

https://www.unpac.me/results/0897b9a5-b6f2-4511-aa49-e0132209ffab/

SH256 hash:

0f41b3c104b044f9b4cc6f515f086b8c96e225b58ab909c6aec1ddd7b970f9de

MD5 hash:

ee32cc3177e3d3274d5f1b009a94a446

SHA1 hash:

dd3d1a4e003ed616a297cecbdaa98c0b2faa68bf

Link:

https://www.unpac.me/results/0897b9a5-b6f2-4511-aa49-e0132209ffab/

SH256 hash:

1c52376fae953b9b1ed7184515d36b23383e606b9043df90f75ea29dfc426c20

MD5 hash:

4f1f9b95782d3f4db859396705e62756

SHA1 hash:

764ccefb9a1b563fda1ddf418ca923eadc9624ce

Link:

https://www.unpac.me/results/0897b9a5-b6f2-4511-aa49-e0132209ffab/

SH256 hash:

a24b65d53104ef9cad9859a7d02ae4b8b39ead417b2dc81866d59051285410c5

MD5 hash:

8a21af8559dbd323c8dc6e123a8662fb

SHA1 hash:

e636de65ab51eada40fcf6cd44910b0b8021be23

Link:

https://www.unpac.me/results/0897b9a5-b6f2-4511-aa49-e0132209ffab/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Kryptik

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/a24b65d53104ef9cad9859a7d02ae4b8b39ead417b2dc81866d59051285410c5

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	INDICATOR_SUSPICIOUS_Stomped_PECompilation_Timestamp_InTheFu Create hunting rule
Author:	ditekSHen
Description:	Detect executables with stomped PE compilation timestamp that is greater than local current time

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method

Other

Cape

https://www.capesandbox.com/analysis/122815/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample