MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 a55b88a7103e336cdc7ccfbe2684e5d497715e68697cac10068cb7022ff7af71. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


SnakeKeylogger


Vendor detections: 8


Intelligence 8 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: a55b88a7103e336cdc7ccfbe2684e5d497715e68697cac10068cb7022ff7af71
SHA3-384 hash: 9fec0104b2a74406ad915f29ba57d8f65bf0fd172d53bf556cc5a0d6b21d00b573e22a2811a028c3baf55cee55b34c50
SHA1 hash: c4211a63363b9faef0a83b08b00826ffc9bacca5
MD5 hash: 275e6e679b8e6d89e9513efa1945c04e
humanhash: nuts-fanta-lima-echo
File name:0900K0900800.exe
Download: download sample
Signature SnakeKeylogger
Create hunting rule
File size:3'391'704 bytes
First seen:2020-12-28 07:05:37 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'744 x AgentTesla, 19'608 x Formbook, 12'242 x SnakeKeylogger)
ssdeep 12288:i5PBHuR4zow0+H1d5ByVZo2B589pClUVMl0WcGDMxy8qyeML8PRVdUjogv6jjYR6:i52X
Threatray 136 similar samples on MalwareBazaar
TLSH E4F53D02498168CBD7B2D490A38EC2D6B38795DCE7EA6FD4AE10E21532CC477EB75D81
Reporter abuse_ch
Tags:exe SnakeKeylogger


Avatar
abuse_ch
Malspam distributing unidentified malware:

HELO: hosted-by.rootlayer.net
Sending IP: 45.137.22.52
From: info@astsolution.org
Subject: Quotation7339
Attachment: 0900K0900800.z (contains "0900K0900800.exe")

Intelligence

File Origin
# of uploads :
1
# of downloads :
406
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
0900K0900800.exe
Verdict:
Malicious activity
Analysis date:
2020-12-28 07:07:38 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/ab0064b8-72cb-47ff-94e3-a9cbd81eac11

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection(s):
SecuriteInfo.com.ArtemisTrojan.27651.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Unauthorized injection to a recently created process
Creating a file
Sending a UDP request
DNS request
Sending an HTTP GET request
Sending a custom TCP request
Reading critical registry keys
Creating a window
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Enabling autorun by creating a file
Enabling autorun
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
Snake Keylogger
Create hunting rule
Detection:
malicious
Classification:
troj.adwa.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/570490
Signature
.NET source code contains very large strings
Creates an undocumented autostart registry key
Creates autostart registry keys with suspicious names
Creates multiple autostart registry keys
Drops PE files to the startup folder
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
May check the online IP address of the machine
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Mail credentials (via file access)
Yara detected Snake Keylogger
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 334302 Sample: 0900K0900800.exe Startdate: 28/12/2020 Architecture: WINDOWS Score: 100 60 Multi AV Scanner detection for dropped file 2->60 62 Multi AV Scanner detection for submitted file 2->62 64 Yara detected Snake Keylogger 2->64 66 4 other signatures 2->66 6 0900K0900800.exe 2->6         started        10 0900K0900800.exe 2->10         started        12 0900K0900800.exe 2->12         started        14 3 other processes 2->14 process3 file4 34 C:\Users\user\AppData\...\0900K0900800.exe, PE32 6->34 dropped 36 C:\Users\...\0900K0900800.exe:Zone.Identifier, ASCII 6->36 dropped 38 C:\Users\user\...\0900K0900800.exe.log, ASCII 6->38 dropped 68 Creates an undocumented autostart registry key 6->68 70 Drops PE files to the startup folder 6->70 72 Injects a PE file into a foreign processes 6->72 16 0900K0900800.exe 6->16         started        20 0900K0900800.exe 6->20         started        74 Creates autostart registry keys with suspicious names 10->74 76 Creates multiple autostart registry keys 10->76 22 0900K0900800.exe 10->22         started        24 0900K0900800.exe 12->24         started        26 0900K0900800.exe 12->26         started        28 0900K0900800.exe 14->28         started        30 0900K0900800.exe 14->30         started        32 0900K0900800.exe 14->32         started        signatures5 process6 dnsIp7 40 checkip.dyndns.org 16->40 46 3 other IPs or domains 16->46 42 checkip.dyndns.org 22->42 54 Tries to steal Mail credentials (via file access) 22->54 56 Tries to harvest and steal ftp login credentials 22->56 58 Tries to harvest and steal browser information (history, passwords, etc) 22->58 48 2 other IPs or domains 24->48 50 3 other IPs or domains 28->50 52 2 other IPs or domains 30->52 44 checkip.dyndns.org 32->44 signatures8
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/a55b88a7103e336cdc7ccfbe2684e5d497715e68697cac10068cb7022ff7af71/
Threat name:
ByteCode-MSIL.Packed.Generic
Create hunting rule
Status:
Suspicious
First seen:
2020-12-28 06:48:52 UTC
AV detection:
18 of 28 (64.29%)
Threat level:
  1/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=uvnyrjyqhyzwzxd4z67cnbhf2slxcxtinf6kyeagrs3qel7xv5yq._file
Verdict:
unknown
Similar samples:
3b517bd525c1fe0bc68345c0f922dd0e3a88282dc162a1758ce909e525d38493
SnakeKeylogger
8b6454ee5db17671b4d1d3da3bdc1012eaf6fbd1684b2c85a387d437f1bcbf59
SnakeKeylogger
949bad408e6b2dc0f53c4799a7a451e49ac2e28695eb18c72f62ea6628b32188
SnakeKeylogger
9eb4a882832362dbb1d183cd5d4f916f3e8d8cef86fd99bddb0cc14b19bc2b57
SnakeKeylogger
a8fd70d495674b3da68cc393c67235daa2ea27475119ab9b5d6b247f7fa65399
SnakeKeylogger
b782f5827c8728175d0bd243414a50b69f2707d5c7902719fd49d189ee2bf986
SnakeKeylogger
b94c6df69188afec08d0c381f3c40d31856ef83046b933c2b90683d858728f93
SnakeKeylogger
ca60958a09d1cd5817504857d90b846a9ce6f6ee1bed7686318b3741108b709c
SnakeKeylogger
d5ee0b6cdcb76de9f5ba63902b82e4fced80a5c4d8ef8e210c53ecff72921149
SnakeKeylogger
dd7f0e91b03b789878c81bc9677686df20e858989c69ee2002e90cc86e033c6b
SnakeKeylogger
+ 126 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  10/10
Tags:
persistence spyware
Link:
https://tria.ge/reports/201228-qbp1txbgy6/
Behaviour
Modifies system certificate store
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Adds Run key to start application
Looks up external IP address via web service
Drops startup file
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Modifies WinLogon for persistence
Unpacked files
SH256 hash:
a55b88a7103e336cdc7ccfbe2684e5d497715e68697cac10068cb7022ff7af71
MD5 hash:
275e6e679b8e6d89e9513efa1945c04e
SHA1 hash:
c4211a63363b9faef0a83b08b00826ffc9bacca5
Link:
https://www.unpac.me/results/0d6de66a-6f7c-489c-a85b-e13ca1dedb72/
SH256 hash:
1436a477b23f7abf2a184251e347fbd1259ef5d79ebc2268c7b9258410707293
MD5 hash:
b79f56a84241d62d9bcc6b95ae86f3e9
SHA1 hash:
1d5534770defa699e3919dea7fe826c16b3221e6
Link:
https://www.unpac.me/results/0d6de66a-6f7c-489c-a85b-e13ca1dedb72/
SH256 hash:
6d8bf1d12bccc016f2502164aac85b00e2f2526340a07fb1aae56a79d8682e33
MD5 hash:
a0e6a2f25dff04af8d96bb7b4a13cae8
SHA1 hash:
6579e0a31eb30348327f3b0a2ca6e87f7f1f15c5
Link:
https://www.unpac.me/results/0d6de66a-6f7c-489c-a85b-e13ca1dedb72/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/a55b88a7103e336cdc7ccfbe2684e5d497715e68697cac10068cb7022ff7af71

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_EXE_Packed_ConfuserExMod_BedsProtector
Create hunting rule
Author:ditekSHen
Description:Detects executables packed with ConfuserEx Mod Beds Protector
Rule name:Keylog_bin_mem
Create hunting rule
Author:James_inthe_box
Description:Contains Keylog
Rule name:MALWARE_Win_Snake
Create hunting rule
Author:ditekSHen
Description:Detects Snake Keylogger

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

SnakeKeylogger

zip 8f933fed11fcad1f5e6ca612e0444cd919a9dc722bb731de50f0560f26051eae

SnakeKeylogger

Executable exe a55b88a7103e336cdc7ccfbe2684e5d497715e68697cac10068cb7022ff7af71

(this sample)

  
Dropped by
MD5 4ec8fac9193b9bbe5291810e50130a3f
  
Delivery method
Distributed via e-mail attachment
  
Dropped by
SHA256 8f933fed11fcad1f5e6ca612e0444cd919a9dc722bb731de50f0560f26051eae

Comments