MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 a8fc863675e253d07442f7ec272cda902d5c7127a92b80a0639ae59aadbac1a2. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

SnakeKeylogger

Vendor detections: 15

Intelligence 15 IOCs YARA File information Comments

SHA256 hash:	a8fc863675e253d07442f7ec272cda902d5c7127a92b80a0639ae59aadbac1a2
SHA3-384 hash:	fde0221e3aeb3fd5c4e64a5b5ed3453e22e21f79bceb6bb3677cc61f7f37e55e26e385f146f37c36d9550458bd15b9ae
SHA1 hash:	ebc9aeab6c28937991f14a976a2845b5232d85b2
MD5 hash:	ade635608acc66cf3125fcc8055601c7
humanhash:	virginia-juliet-maryland-west
File name:	Payment Receipt.docx
Download:	download sample
Signature	SnakeKeylogger Create hunting rule
File size:	183'787 bytes
First seen:	2024-08-14 07:39:53 UTC
Last seen:	Never
File type:	doc
MIME type:	application/vnd.openxmlformats-officedocument.wordprocessingml.document
ssdeep	3072:8iY5rj1ATug+mhTZMxjcFQ9csn4qAzYjDp/shKuikycBSRjR/Vx7XUMozJ5U:G5r/g+qZMpcFSQzYHut4dRQa
TLSH	T17E040230284384FA8FA3E435F455B42F738FED236A720D5626E47BA573488B69123F59
TrID	52.2% (.DOCX) Word Microsoft Office Open XML Format document (23500/1/4) 38.8% (.ZIP) Open Packaging Conventions container (17500/1/4) 8.8% (.ZIP) ZIP compressed archive (4000/1)
Reporter	TeamDreier
Tags:	doc SnakeKeylogger

Intelligence

File Origin

# of uploads :

# of downloads :

2'894

Origin country :

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

Payment Receipt.docx

Verdict:

Malicious activity

Analysis date:

2024-08-14 07:42:38 UTC

Tags:

cve-2017-0199 exploit

Link:

https://app.any.run/tasks/bdc314fc-c49e-4824-9e44-729242edef6e

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection(s):

TwinWave.EvilDoc.OkayLureDefenderWord.20220418.UNOFFICIAL

Sanesecurity.Malware.27321.XmlHeur.UNOFFICIAL

Sanesecurity.Malware.30525.XmlHeur.UNOFFICIAL

Doc.Downloader.Loda-7570590-0

TwinWave.EvilDoc.RelsPublicDottedQuadDancingInHeaven.20211202.UNOFFICIAL

MiscreantPunch.Suspicious.RemoteTemplateCall.UNOFFICIAL

Verdict:

Malicious

Score:

96.5%

Link:

https://cyber-fortress.com/docs/result/index.php?id=66bc5f55aa5b40be0aa02fda

Tags:

Execution Generic Infostealer Network Stealth W97m

Result

Verdict:

Malware

Maliciousness:

Behaviour

Searching for the window

Сreating synchronization primitives

Searching for synchronization primitives

Using the Windows Management Instrumentation requests

Creating a window

Sending an HTTP GET request

Creating a file

Launching a process

DNS request

Connection attempt

Sending a custom TCP request

Creating a file in the %AppData% directory

Connection attempt by exploiting the app vulnerability

Launching a file downloaded from the Internet

Launching a process by exploiting the app vulnerability

Creating a process from a recently created file

Result

Verdict:

Malicious

File Type:

OOXML Word File

Link:

https://app.docguard.net/a8fc863675e253d07442f7ec272cda902d5c7127a92b80a0639ae59aadbac1a2/results/dashboard

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

language-af masquerade

Link:

https://www.filescan.io/uploads/66bc5f543930e113b90b130d/reports/3df2928f-0dca-41d7-8e6e-2a901d3ef412/overview

Verdict:

Malicious

Labled as:

CVE-2017-11882

Link:

https://www.hybrid-analysis.com/sample/a8fc863675e253d07442f7ec272cda902d5c7127a92b80a0639ae59aadbac1a2

Label:

Malicious

Suspicious Score:

9.3/10

Score Malicious:

93%

Score Benign:

Link:

https://www.malware.ai/gui/files/?id=a613ed8b-583e-417e-bc50-720c085621bd

Result

Verdict:

MALICIOUS

Link:

https://labs.inquest.net/dfi/sha256/a8fc863675e253d07442f7ec272cda902d5c7127a92b80a0639ae59aadbac1a2

Details

IPv4 Dotted Quad URL

A URL was detected referencing a direct IP address, as opposed to a domain name.

External Relationship Element

Document contains an externally hosted relationship, which fetches further content.

Result

Threat name:

n/a

Detection:

malicious

Classification:

evad

Score:

72 / 100

Link:

https://www.joesandbox.com/analysis/1492687

Signature

Contains an external reference to another file

Microsoft Office launches external ms-search protocol handler (WebDAV)

Multi AV Scanner detection for domain / URL

Multi AV Scanner detection for submitted file

Office viewer loads remote template

Behaviour

Behavior Graph:

Download SVG

Score:

99%

Verdict:

Malware

File Type:

OFFICE

Link:

https://malprob.io/report/a8fc863675e253d07442f7ec272cda902d5c7127a92b80a0639ae59aadbac1a2

Detection:

cve-2017-11882-shellcode

Link:

https://mwdb.cert.pl/sample/a8fc863675e253d07442f7ec272cda902d5c7127a92b80a0639ae59aadbac1a2/

Threat name:

Document-Word.Trojan.Snakekeylogger

Status:

Malicious

First seen:

2024-08-14 03:14:27 UTC

File Type:

Document

Extracted files:

AV detection:

15 of 24 (62.50%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=vd6imntv4jj5a5cc67wcolg2sawvy4jhvevybiddtlszvln2ygra._file

Result

Malware family:

n/a

Score:

7/10

Tags:

discovery

Link:

https://tria.ge/reports/240814-jhjncszglc/

Behaviour

Checks processor information in registry

Enumerates system info in registry

Suspicious behavior: AddClipboardFormatListener

Suspicious use of AdjustPrivilegeToken

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

Office loads VBA resources, possible macro or embedded object present

System Location Discovery: System Language Discovery

Drops file in Windows directory

Abuses OpenXML format to download file from external location

Verdict:

Unknown

Tags:

n/a

YARA:

n/a

Link:

https://app.threat.zone/submission/491c09bf-2801-485e-b700-df6037707cd3

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/a8fc863675e2/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/a8fc863675e253d07442f7ec272cda902d5c7127a92b80a0639ae59aadbac1a2

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

SnakeKeylogger

doc a8fc863675e253d07442f7ec272cda902d5c7127a92b80a0639ae59aadbac1a2

(this sample)

Delivery method

Distributed via e-mail attachment

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample