MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 a8fd70d495674b3da68cc393c67235daa2ea27475119ab9b5d6b247f7fa65399. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


SnakeKeylogger


Vendor detections: 8


Intelligence 8 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: a8fd70d495674b3da68cc393c67235daa2ea27475119ab9b5d6b247f7fa65399
SHA3-384 hash: c0bef0220a525967d49f271c0a13c3b80319abad6e5f769108bc0219f704421fb653267e09e58a58f8defc359aeee5e4
SHA1 hash: 700d3253a5f0b9bfe7f7fcffae1e4d156f35c84c
MD5 hash: 482d5806bdb0c6973deb14e7b371ca3c
humanhash: lake-carolina-friend-low
File name:090800000000000000.exe
Download: download sample
Signature SnakeKeylogger
Create hunting rule
File size:3'426'384 bytes
First seen:2020-12-25 07:59:56 UTC
Last seen:2020-12-25 10:13:50 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'744 x AgentTesla, 19'609 x Formbook, 12'242 x SnakeKeylogger)
ssdeep 12288:1Zi4sAXZM0mDWeI1gCWLQlTbbhN99m/jfB9XD91cqf0KE9i4zB0KBFfmJsOy0tvI:16Q
Threatray 20 similar samples on MalwareBazaar
TLSH 1CF53E02498168CBD7B2D490A38EC2D6B38795DCE7EA6FD4AE10E21532CC477EB75D81
Reporter abuse_ch
Tags:exe geo SnakeKeylogger VNM


Avatar
abuse_ch
Malspam distributing unidentified malware:

HELO: alistekstil.com
Sending IP: 45.137.22.52
From: sales@alistekstil.com
Subject: Đơn đặt hàng / Đơn đặt hàng (Số đơn đặt hàng / Số đơn đặt hàng: 74637)
Attachment: 090800000000000000.zip (contains "090800000000000000.exe")

Intelligence

File Origin
# of uploads :
2
# of downloads :
872
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
090800000000000000.exe
Verdict:
Malicious activity
Analysis date:
2020-12-25 08:03:27 UTC
Tags:
evasion trojan
Link:
https://app.any.run/tasks/6404f0c3-b018-4516-8c73-183b223249c7

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Snake
Create hunting rule
Link:
https://www.capesandbox.com/analysis/109426/
Detection(s):
SecuriteInfo.com.Trojan.GenericKD.45158800.24818.22183.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Unauthorized injection to a recently created process
Creating a file
DNS request
Sending an HTTP GET request
Sending a custom TCP request
Reading critical registry keys
Sending a UDP request
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Enabling autorun by creating a file
Enabling autorun
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
Snake Keylogger
Create hunting rule
Detection:
malicious
Classification:
troj.adwa.spyw
Score:
84 / 100
Link:
https://www.joesandbox.com/analysis/570021
Signature
.NET source code contains very large strings
Creates an undocumented autostart registry key
Creates autostart registry keys with suspicious names
Creates multiple autostart registry keys
Drops PE files to the startup folder
May check the online IP address of the machine
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Mail credentials (via file access)
Yara detected Snake Keylogger
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 334070 Sample: 090800000000000000.exe Startdate: 25/12/2020 Architecture: WINDOWS Score: 84 56 Yara detected Snake Keylogger 2->56 58 May check the online IP address of the machine 2->58 60 .NET source code contains very large strings 2->60 6 090800000000000000.exe 3 5 2->6         started        10 090800000000000000.exe 2->10         started        12 090800000000000000.exe 2 2->12         started        14 3 other processes 2->14 process3 file4 32 C:\Users\user\...\090800000000000000.exe, PE32 6->32 dropped 34 C:\...\090800000000000000.exe:Zone.Identifier, ASCII 6->34 dropped 62 Creates an undocumented autostart registry key 6->62 64 Drops PE files to the startup folder 6->64 16 090800000000000000.exe 15 2 6->16         started        66 Creates autostart registry keys with suspicious names 10->66 68 Creates multiple autostart registry keys 10->68 20 090800000000000000.exe 10->20         started        22 090800000000000000.exe 10->22         started        24 090800000000000000.exe 12->24         started        26 090800000000000000.exe 2 14->26         started        28 090800000000000000.exe 14->28         started        30 090800000000000000.exe 14->30         started        signatures5 process6 dnsIp7 36 checkip.dyndns.org 16->36 44 3 other IPs or domains 16->44 38 checkip.dyndns.org 20->38 50 Tries to steal Mail credentials (via file access) 20->50 52 Tries to harvest and steal ftp login credentials 20->52 54 Tries to harvest and steal browser information (history, passwords, etc) 20->54 40 checkip.dyndns.org 24->40 46 2 other IPs or domains 26->46 48 2 other IPs or domains 28->48 42 checkip.dyndns.org 30->42 signatures8
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/a8fd70d495674b3da68cc393c67235daa2ea27475119ab9b5d6b247f7fa65399/
Threat name:
ByteCode-MSIL.Trojan.Scarsi
Create hunting rule
Status:
Malicious
First seen:
2020-12-25 01:29:17 UTC
AV detection:
25 of 48 (52.08%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=vd6xbvevm5ft3jumyoj4m4rv3krouj2hkem2xg25nmsh675gkomq._file
Verdict:
unknown
Similar samples:
0df2eaf3f216575fde216ea22e4a56d352d14f78b0fcc3453799bd9563053899
SnakeKeylogger
218749361bde82c8be049aa53b7b55591fbf3934c4338971cb25f2cc570a855d
SnakeKeylogger
42f380a4730febf7e17ebd7e610ba0f727d6324f9c68317df70c0e0bbebd9290
SnakeKeylogger
5f8c7788c7ce23bead2ccae4724fe05e277007f2caed3eedfef6103a4bbfabae
SnakeKeylogger
8a290b72c3abedee23df097a5dc65d879f05e2ef1c214c19be8eed0a73528e77
SnakeKeylogger
8b6454ee5db17671b4d1d3da3bdc1012eaf6fbd1684b2c85a387d437f1bcbf59
SnakeKeylogger
c805a81435618323cd34e9729b058df78e9c496d1d6c752cc3e5c7cb30f26613
SnakeKeylogger
e0d4ce0316734fce0ea0d950f0ff1b4182f1364d581c549a199ac041cfe68ebb
SnakeKeylogger
e292ffed81fa4ebddd37c87bd1ca8fb3a636950a2c301715e3e9ddb1941cc15b
SnakeKeylogger
ee41bffec9b30b0e5e1ee01e07482c92ea0f0663734833e3ac76de4e6388f025
SnakeKeylogger
+ 10 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  10/10
Tags:
persistence spyware
Link:
https://tria.ge/reports/201225-s88b6gyt16/
Behaviour
Modifies system certificate store
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Adds Run key to start application
Looks up external IP address via web service
Drops startup file
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Modifies WinLogon for persistence
Unpacked files
SH256 hash:
a8fd70d495674b3da68cc393c67235daa2ea27475119ab9b5d6b247f7fa65399
MD5 hash:
482d5806bdb0c6973deb14e7b371ca3c
SHA1 hash:
700d3253a5f0b9bfe7f7fcffae1e4d156f35c84c
Link:
https://www.unpac.me/results/e3a074cb-a0ff-4197-8d26-f59829f16afa/
SH256 hash:
eb22da349d8d0ad357df14b20fca4c64d41e102d26be2ab022ed2f0c2b569fef
MD5 hash:
982cdcc28cb20ea117ca1f30f65e0832
SHA1 hash:
7bb8f48963e9c607c7c893b90f2ecb278ebd9ac0
Link:
https://www.unpac.me/results/e3a074cb-a0ff-4197-8d26-f59829f16afa/
SH256 hash:
27edc5a193ddecd05340b77b9d46dd098d469b58226c413685704d4c46ab8c49
MD5 hash:
58ae57239daeb49dec804a620972893e
SHA1 hash:
bf90c865d77532c4db5eef9153d5c5aa378cd431
Link:
https://www.unpac.me/results/e3a074cb-a0ff-4197-8d26-f59829f16afa/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.43
Link:
https://yomi.yoroi.company/submissions/a8fd70d495674b3da68cc393c67235daa2ea27475119ab9b5d6b247f7fa65399

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_EXE_Packed_ConfuserExMod_BedsProtector
Create hunting rule
Author:ditekSHen
Description:Detects executables packed with ConfuserEx Mod Beds Protector
Rule name:Keylog_bin_mem
Create hunting rule
Author:James_inthe_box
Description:Contains Keylog
Rule name:MALWARE_Win_Snake
Create hunting rule
Author:ditekSHen
Description:Detects Snake Keylogger

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

SnakeKeylogger

zip 39506bc6b6835299cdbaa83206b3a1e0ab001966ca37c619536707b9ae6e6899

SnakeKeylogger

Executable exe a8fd70d495674b3da68cc393c67235daa2ea27475119ab9b5d6b247f7fa65399

(this sample)

  
Dropped by
MD5 480e2d247a3b52ab7e0cfdae7fc78756
  
Delivery method
Distributed via e-mail attachment
  
Dropped by
SHA256 39506bc6b6835299cdbaa83206b3a1e0ab001966ca37c619536707b9ae6e6899
Cape
Cape
https://www.capesandbox.com/analysis/109426/

Comments