MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 a3d29f3885b26ef7959221cf8f1110cc9165c83a2b40ed8bd354a846fb7d3f21. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


SnakeKeylogger


Vendor detections: 7


Intelligence 7 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: a3d29f3885b26ef7959221cf8f1110cc9165c83a2b40ed8bd354a846fb7d3f21
SHA3-384 hash: b925654684a70192da4dfca8f1dd2e0a6c8e289adf54a495ccf33804f8a7f5171d531c5b6a2c43583bf4e6ae0b61bc0c
SHA1 hash: cfb0c7484507149d29c5f665635da8378b81f703
MD5 hash: b1205d7d975388c82252359007460eed
humanhash: leopard-papa-asparagus-washington
File name:1 payment invoice.exe
Download: download sample
Signature SnakeKeylogger
Create hunting rule
File size:444'928 bytes
First seen:2020-12-28 07:06:13 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash c316b1c9b53ace86b3252d02ce4c4299 (6 x Matiex, 2 x SnakeKeylogger, 1 x RemcosRAT)
ssdeep 12288:XgU+Hqc722/g71cL7oKRKOKc+k+T6XKUVwo/:ot72z5cQKhK5IP/
Threatray 182 similar samples on MalwareBazaar
TLSH 64942278B841AC30EA19187187D225AD21988936AF5FE5B35C07BF6F319D451BBBC80F
Reporter abuse_ch
Tags:exe SnakeKeylogger


Avatar
abuse_ch
Malspam distributing SnakeKeylogger:

HELO: hosted-by.rootlayer.net
Sending IP: 45.137.22.52
From: shipping@hysong.cn
Subject: 付款发票
Attachment: 1 payment invoice.7z (contains "1 payment invoice.exe")

Intelligence

File Origin
# of uploads :
1
# of downloads :
427
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
1 payment invoice.exe
Verdict:
Malicious activity
Analysis date:
2020-12-28 07:07:38 UTC
Tags:
evasion trojan
Link:
https://app.any.run/tasks/123dc089-850b-432c-b011-03bf3fceb50d

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection(s):
SecuriteInfo.com.Generic.mg.b1205d7d975388c8.5568.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file in the %temp% subdirectories
Creating a file
Running batch commands
Launching a process
DNS request
Sending an HTTP GET request
Sending a custom TCP request
Reading critical registry keys
Creating a window
Sending a UDP request
Unauthorized injection to a system process
Enabling autorun by creating a file
Result
Threat name:
Snake Keylogger
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/570498
Signature
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Executable has a suspicious name (potential lure to open the executable)
Initial sample is a PE file and has a suspicious name
Machine Learning detection for dropped file
Machine Learning detection for sample
Maps a DLL or memory area into another process
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sample uses process hollowing technique
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Yara detected Snake Keylogger
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 334306 Sample: 1 payment invoice.exe Startdate: 28/12/2020 Architecture: WINDOWS Score: 100 25 Antivirus detection for dropped file 2->25 27 Antivirus / Scanner detection for submitted sample 2->27 29 Multi AV Scanner detection for dropped file 2->29 31 7 other signatures 2->31 7 1 payment invoice.exe 4 2->7         started        process3 file4 21 C:\Users\user\AppData\Local\Temp\...\file.exe, PE32 7->21 dropped 23 C:\...\93b307bb395746148ecc2794fed9472d.xml, XML 7->23 dropped 33 Writes to foreign memory regions 7->33 35 Maps a DLL or memory area into another process 7->35 37 Sample uses process hollowing technique 7->37 11 cmd.exe 1 7->11         started        13 MSBuild.exe 7->13         started        15 conhost.exe 7->15         started        signatures5 process6 process7 17 schtasks.exe 1 11->17         started        19 WerFault.exe 23 11 13->19         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/a3d29f3885b26ef7959221cf8f1110cc9165c83a2b40ed8bd354a846fb7d3f21/
Threat name:
Win32.Trojan.Tnega
Create hunting rule
Status:
Malicious
First seen:
2020-12-27 23:40:30 UTC
AV detection:
18 of 29 (62.07%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=upjj6oefwjxppfmsehhy6eiqzsiwlsb2fnao3c6tksuen635h4qq._file
Verdict:
unknown
Similar samples:
01215ac46a00f3c840e0a69a7864241e60e2878f8c8f3c7ad213d44bd140c883
SnakeKeylogger
08a8d2666394e14369192ac720209c7c947a024181e4255c62825e37165cb45b
SnakeKeylogger
0f27f78d46ff8335c16d27e3828a7cdc433e33262621478bf40b0b158b20cd11
SnakeKeylogger
218749361bde82c8be049aa53b7b55591fbf3934c4338971cb25f2cc570a855d
SnakeKeylogger
43628dc10a888993bebb296e627e0f7e842d1060ecf45237ce4e071b040310b2
SnakeKeylogger
5b5e1135c372c0af40d6b3089a5d756feecd42802305d1ec973db01f40713c38
SnakeKeylogger
949bad408e6b2dc0f53c4799a7a451e49ac2e28695eb18c72f62ea6628b32188
SnakeKeylogger
a8fd70d495674b3da68cc393c67235daa2ea27475119ab9b5d6b247f7fa65399
SnakeKeylogger
b782f5827c8728175d0bd243414a50b69f2707d5c7902719fd49d189ee2bf986
SnakeKeylogger
b94c6df69188afec08d0c381f3c40d31856ef83046b933c2b90683d858728f93
SnakeKeylogger
+ 172 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  10/10
Tags:
n/a
Link:
https://tria.ge/reports/201228-pn6q5flffe/
Behaviour
Creates scheduled task(s)
Suspicious behavior: MapViewOfSection
Suspicious use of WriteProcessMemory
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetThreadContext
Looks up external IP address via web service
Unpacked files
SH256 hash:
a3d29f3885b26ef7959221cf8f1110cc9165c83a2b40ed8bd354a846fb7d3f21
MD5 hash:
b1205d7d975388c82252359007460eed
SHA1 hash:
cfb0c7484507149d29c5f665635da8378b81f703
Link:
https://www.unpac.me/results/09b3e0bd-119c-4cc5-a08d-c821494a95b2/
SH256 hash:
5ddcc7ed95d9f35583a72cd0b597443579536254e4067b692fb26fdf0dd29ae9
MD5 hash:
581ff57fde5cdbd7a02ee70c9e6ce701
SHA1 hash:
bede6759d9155ea51142ccb3e8695702b5b2e883
Link:
https://www.unpac.me/results/09b3e0bd-119c-4cc5-a08d-c821494a95b2/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/a3d29f3885b26ef7959221cf8f1110cc9165c83a2b40ed8bd354a846fb7d3f21

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_EXE_Packed_ConfuserExMod_BedsProtector
Create hunting rule
Author:ditekSHen
Description:Detects executables packed with ConfuserEx Mod Beds Protector
Rule name:Keylog_bin_mem
Create hunting rule
Author:James_inthe_box
Description:Contains Keylog
Rule name:MALWARE_Win_Snake
Create hunting rule
Author:ditekSHen
Description:Detects Snake Keylogger

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

SnakeKeylogger

zip 8d413249d5a600ea45da4d5e783557c0b264ac8dd2ca1b0c054e1154bdbae1c2

SnakeKeylogger

Executable exe a3d29f3885b26ef7959221cf8f1110cc9165c83a2b40ed8bd354a846fb7d3f21

(this sample)

  
Dropped by
MD5 8045e4fcef5248896db09b4b7d5e8d70
  
Delivery method
Distributed via e-mail attachment
  
Dropped by
SHA256 8d413249d5a600ea45da4d5e783557c0b264ac8dd2ca1b0c054e1154bdbae1c2

Comments