MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 a8f2984d5f05f009985afc0368ed1203380b3df4676996140a57011365108aac. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


SnakeKeylogger


Vendor detections: 10


Intelligence 10 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: a8f2984d5f05f009985afc0368ed1203380b3df4676996140a57011365108aac
SHA3-384 hash: 391a5be2e2f15308a28ea577e331b669fa678db51e4ed8fa42f4db5750af57b0b4ae10c4646eca14c1f671f3b2b83f0b
SHA1 hash: c1b30a2d00436ff430153a80adf64b0c0005d774
MD5 hash: 0a73075a58f055c2af0403ee35887b65
humanhash: connecticut-oven-lamp-burger
File name:INVOICE-099990.exe
Download: download sample
Signature SnakeKeylogger
Create hunting rule
File size:614'912 bytes
First seen:2021-01-20 14:02:29 UTC
Last seen:2021-01-20 15:53:01 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 22673e55edaa8d924306e1f5da0283cf (1 x NetWire, 1 x SnakeKeylogger)
ssdeep 12288:u6qkmGmyvkB3Tw0EnkKGZLH+4UeDBv8VRoQs47qnUgebK93:u6f+ycTw0AAn3WRNTOn2KR
Threatray 362 similar samples on MalwareBazaar
TLSH 55D4F1343AC1C031C5A755748A65C7B2CE6AB4722672648FE7DA0E395F387E2933931E
Reporter abuse_ch
Tags:exe SnakeKeylogger


Avatar
abuse_ch
Malspam distributing SnakeKeylogger:

HELO: hosted-by.rootlayer.net
Sending IP: 45.137.22.52
From: "Sareera Nunnuck"<sales@hplanners.com>
Subject: PO-INVOICE-0900000
Attachment: INVOICE-099990.pdf.xz (contains "INVOICE-099990.exe")

Intelligence

File Origin
# of uploads :
2
# of downloads :
143
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
INVOICE-099990.exe
Verdict:
Malicious activity
Analysis date:
2021-01-20 14:31:34 UTC
Tags:
evasion trojan
Link:
https://app.any.run/tasks/5bcc123a-b3f4-4960-b528-05d8f10fb0d7

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Snake
Create hunting rule
Link:
https://www.capesandbox.com/analysis/113092/
Detection(s):
PUA.Win.Downloader.Firseria-6804617-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Sending a UDP request
Creating a file in the %temp% subdirectories
Creating a file
Running batch commands
Creating a process with a hidden window
Launching a process
DNS request
Sending an HTTP GET request
Sending a custom TCP request
Reading critical registry keys
Creating a window
Unauthorized injection to a system process
Enabling autorun by creating a file
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
Snake Keylogger
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/586216
Signature
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Initial sample is a PE file and has a suspicious name
Machine Learning detection for dropped file
Machine Learning detection for sample
Maps a DLL or memory area into another process
May check the online IP address of the machine
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Mail credentials (via file access)
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Yara detected Snake Keylogger
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/a8f2984d5f05f009985afc0368ed1203380b3df4676996140a57011365108aac/
Threat name:
Win32.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2021-01-20 09:01:40 UTC
AV detection:
22 of 28 (78.57%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=vdzjqtk7axyatgc27qbwr3isam4awppum5uzmfakk4argziqrkwa._file
Verdict:
unknown
Similar samples:
0ad637fd2f6be43b412315027c0e2636329b7da0f51a40e80e9ad8c76558bb6b
SnakeKeylogger
220ab940326b10e217ed23f4806edd06fac3cf52cbd3c8863863eac6893b02ea
SnakeKeylogger
477d57f165a0cdcf90d8a93fc5c64c0beff6ca253f996b6399327fe8b644623f
SnakeKeylogger
ab64843d1074c1091118c175f2ca85e43d66a7918faf479be9d6d2613583fce3
SnakeKeylogger
ac23d4ba0e11c07488224b01abc734d353da88537ed55c945eec7a91a20216a4
SnakeKeylogger
aea8b826c919840c0757bde7e31b915fda0439bd28b10418479aa17c53f91e12
SnakeKeylogger
c62943499b7fed80bf4e37ab525b622ef4fb7cc6b82ddb7b8d6fe75dabcaf363
SnakeKeylogger
e3fceaabe401036d5b259a767747f86c6563db8d122c87e70506ce84ad622638
SnakeKeylogger
feb7ef6e6c842b97b92c82fdba89499c252cc9414874efc7fafae8389dbf0538
SnakeKeylogger
ffd9ef759aa1fbd3370a8410771878b7ae941d0c60c5ce41d705aa18e4e59958
SnakeKeylogger
+ 352 additional samples on MalwareBazaar
Result
Malware family:
snakekeylogger
Create hunting rule
Score:
  10/10
Tags:
family:snakekeylogger keylogger ransomware stealer
Link:
https://tria.ge/reports/210120-vl1s1p3c4e/
Behaviour
Creates scheduled task(s)
Suspicious behavior: MapViewOfSection
Suspicious use of WriteProcessMemory
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Enumerates physical storage devices
Suspicious use of SetThreadContext
Looks up external IP address via web service
Snake Keylogger
Snake Keylogger Payload
Unpacked files
SH256 hash:
a8f2984d5f05f009985afc0368ed1203380b3df4676996140a57011365108aac
MD5 hash:
0a73075a58f055c2af0403ee35887b65
SHA1 hash:
c1b30a2d00436ff430153a80adf64b0c0005d774
Link:
https://www.unpac.me/results/ee1d92dc-3347-411f-a90f-dc30927bf4ea/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/a8f2984d5f05f009985afc0368ed1203380b3df4676996140a57011365108aac

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_EXE_Packed_ConfuserExMod_BedsProtector
Create hunting rule
Author:ditekSHen
Description:Detects executables packed with ConfuserEx Mod Beds Protector
Rule name:Keylog_bin_mem
Create hunting rule
Author:James_inthe_box
Description:Contains Keylog
Rule name:MALWARE_Win_SnakeKeylogger
Create hunting rule
Author:ditekSHen
Description:Detects Snake Keylogger

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

SnakeKeylogger

zip 14a7859356398dc76f47bfb886f879873ba0ba2c53d1e17bfa9a3c35df397cd3

SnakeKeylogger

Executable exe a8f2984d5f05f009985afc0368ed1203380b3df4676996140a57011365108aac

(this sample)

  
Dropped by
MD5 8013e4eee25625eae1594d99b16c681e
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/113092/
  
Dropped by
SHA256 14a7859356398dc76f47bfb886f879873ba0ba2c53d1e17bfa9a3c35df397cd3

Comments