MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 addaf10bbef45a2bb941b2b984ecb26656e4554bbd7adc2baf6e14451b296918. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


SnakeKeylogger


Vendor detections: 14


Intelligence 14 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: addaf10bbef45a2bb941b2b984ecb26656e4554bbd7adc2baf6e14451b296918
SHA3-384 hash: 51a4608a983570a1f38580f9cdd3ded5c95eb1371be27aed5aa98ec8e7c15a4ac809dd836ee36b8a0d4424c44307eb11
SHA1 hash: b337dcf04bf73d24449961986c57c5755055bf3f
MD5 hash: a71b15ea6d73184732952503f0f59505
humanhash: queen-freddie-nineteen-stairway
File name:22041081517_20220329_16042903_HesapOzeti.pdf.exe
Download: download sample
Signature SnakeKeylogger
Create hunting rule
File size:1'355'264 bytes
First seen:2022-04-04 09:27:02 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 332f7ce65ead0adfb3d35147033aabe9 (82 x XRed, 18 x SnakeKeylogger, 7 x DarkComet)
ssdeep 24576:pnsJ39LyjbJkQFMhmC+6GD9H1N0UWcgx8ItZm9FCbbyb9:pnsHyjtk2MYC5GDl1N3RItgFg2b9
Threatray 2'567 similar samples on MalwareBazaar
TLSH T12655CF36B3E14537D17B0B7C8C6B93548639BE112D29BA0E3BE52DDD4E3A3816C25293
File icon (PE):PE icon
dhash icon 82a2b28eeed696aa (1 x SnakeKeylogger)
Reporter TeamDreier
Tags:exe SnakeKeylogger

Intelligence

File Origin
# of uploads :
1
# of downloads :
226
Origin country :
n/a
Vendor Threat Intelligence
Detection:
Snake
Create hunting rule
Link:
https://www.capesandbox.com/analysis/260417/
Detection(s):
PUA.Win.Packer.D1s1g-5
Create hunting rule

PUA.Win.Packer.D1s1g-1
Create hunting rule

PUA.Win.Packer.D1s1g-2
Create hunting rule

Win.Trojan.Emotet-9850453-0
Create hunting rule

Win.Trojan.Generic-9936029-0
Create hunting rule

Win.Malware.Delf-6899401-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Сreating synchronization primitives
Creating a window
Searching for synchronization primitives
Creating a file
Enabling the 'hidden' option for recently created files
Creating a process from a recently created file
Moving a recently created file
Searching for the window
Creating a file in the %temp% directory
Moving a file to the %temp% directory
Modifying an executable file
DNS request
Sending an HTTP GET request
Sending a UDP request
Sending a custom TCP request
Unauthorized injection to a recently created process
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Query of malicious DNS domain
Infecting executable files
Result
Malware family:
n/a
Score:
  5/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/12520/overview
Behaviour
MalwareBazaar
CheckCmdLine
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
autorun coinminer darkkomet emotet hacktool packed virus
Link:
https://www.filescan.io/uploads/624ab9ecdb9ca5cf841a5041/reports/30413f49-a792-4974-9b72-3ebd27807dfd/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Snake Keylogger
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/0cc85a35-7128-4c29-9cb4-200a8c6e9e8d
Result
Threat name:
Snake Keylogger
Create hunting rule
Detection:
malicious
Classification:
expl.evad.troj.spyw
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/969850
Signature
.NET source code contains potential unpacker
.NET source code references suspicious native API functions
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Contains functionality to detect sleep reduction / modifications
Document contains an embedded VBA macro with suspicious strings
Document contains an embedded VBA with functions possibly related to ADO stream file operations
Document contains an embedded VBA with functions possibly related to HTTP operations
Document contains an embedded VBA with functions possibly related to WSH operations (process, registry, environment, or keystrokes)
Drops PE files to the document folder of the user
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
May check the online IP address of the machine
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Suspicious Double Extension
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Mail credentials (via file / registry access)
Uses an obfuscated file name to hide its real file extension (double extension)
Uses dynamic DNS services
Yara detected AntiVM3
Yara detected Snake Keylogger
Yara detected Telegram RAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 602337 Sample: 22041081517_20220329_160429... Startdate: 04/04/2022 Architecture: WINDOWS Score: 100 51 Malicious sample detected (through community Yara rule) 2->51 53 Antivirus detection for dropped file 2->53 55 Antivirus / Scanner detection for submitted sample 2->55 57 17 other signatures 2->57 7 22041081517_20220329_16042903_HesapOzeti.pdf.exe 1 6 2->7         started        10 EXCEL.EXE 2->10         started        12 Synaptics.exe 2->12         started        process3 file4 27 ._cache_2204108151..._HesapOzeti.pdf.exe, PE32 7->27 dropped 29 C:\ProgramData\Synaptics\Synaptics.exe, PE32 7->29 dropped 31 C:\ProgramData\Synaptics\RCX86CF.tmp, PE32 7->31 dropped 33 C:\...\Synaptics.exe:Zone.Identifier, ASCII 7->33 dropped 14 ._cache_22041081517_20220329_16042903_HesapOzeti.pdf.exe 3 7->14         started        18 Synaptics.exe 279 7->18         started        process5 dnsIp6 35 ._cache_2204108151...apOzeti.pdf.exe.log, ASCII 14->35 dropped 65 May check the online IP address of the machine 14->65 67 Machine Learning detection for dropped file 14->67 69 Injects a PE file into a foreign processes 14->69 21 ._cache_22041081517_20220329_16042903_HesapOzeti.pdf.exe 14->21         started        39 docs.google.com 172.217.168.14, 443, 49763, 49764 GOOGLEUS United States 18->39 41 freedns.afraid.org 69.42.215.252, 49766, 80 AWKNET-LLCUS United States 18->41 43 2 other IPs or domains 18->43 37 C:\Users\user\Documents\IVHSHTCODI\~$cache1, PE32 18->37 dropped 71 Antivirus detection for dropped file 18->71 73 Multi AV Scanner detection for dropped file 18->73 75 Drops PE files to the document folder of the user 18->75 77 Contains functionality to detect sleep reduction / modifications 18->77 25 WerFault.exe 18->25         started        file7 signatures8 process9 dnsIp10 45 checkip.dyndns.com 132.226.8.169, 49892, 80 UTMEMUS United States 21->45 47 freegeoip.app 188.114.97.7, 443, 49914 CLOUDFLARENETUS European Union 21->47 49 checkip.dyndns.org 21->49 59 Tries to steal Mail credentials (via file / registry access) 21->59 61 Tries to harvest and steal ftp login credentials 21->61 63 Tries to harvest and steal browser information (history, passwords, etc) 21->63 signatures11
Detection:
snakekeylogger
Create hunting rule
Link:
https://mwdb.cert.pl/sample/addaf10bbef45a2bb941b2b984ecb26656e4554bbd7adc2baf6e14451b296918/
Threat name:
Win32.Backdoor.DarkComet
Create hunting rule
Status:
Malicious
First seen:
2022-04-04 09:28:13 UTC
File Type:
PE (Exe)
Extracted files:
73
AV detection:
26 of 26 (100.00%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=vxnpcc566rncxokbwk4yj3fsmzloivklxv5nyk5pnykekgzjnema._file
Verdict:
malicious
Similar samples:
26274dd1baa5be91bd6bdb0db48895d89da2a78e6fac273257557de473adc841
SnakeKeylogger
2ca6095540ff0d50021a7191653b2d002cf1a4122330ecbd4e1891c67849e1b0
SnakeKeylogger
5ff2763a7af9c5e8d274be89a3df9e75d9a0b281878def38c44085395178f01e
SnakeKeylogger
7110059a2bb0e2b4e6ee39ff235c283864152200d0daca4fb123f3b7c7315095
SnakeKeylogger
95272a070df2cf2988d238138d1eadcfeffe68e311d904f83969b2fd71b62f60
SnakeKeylogger
a4b821d0cadc92c344c8b60f5290a5e5520fd1fb3813b88c529c48d285b72c63
SnakeKeylogger
dd23a9dd9ad1c9be3580c478179915bfcc79a23bc49161f49ee08111ceab57eb
SnakeKeylogger
+ 2'557 additional samples on MalwareBazaar
Result
Malware family:
snakekeylogger
Create hunting rule
Score:
  10/10
Tags:
family:snakekeylogger collection keylogger persistence spyware stealer
Link:
https://tria.ge/reports/220404-lesg7sdca9/
Behaviour
Modifies registry class
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Enumerates physical storage devices
Program crash
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Adds Run key to start application
Looks up external IP address via web service
Checks computer location settings
Loads dropped DLL
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Executes dropped EXE
Snake Keylogger
Snake Keylogger Payload
Malware Config
C2 Extraction:
https://api.telegram.org/bot1513074805:AAE9QtTNfInovOlDzP4PcE-Ro12KxYiz9Z4/sendMessage?chat_id=1673719962
Unpacked files
SH256 hash:
71764eb60a83a17343af4a26bf3ec546c5ee08454722233fd5cf59693327b1a4
MD5 hash:
bfcf754fb9acba752f79f44817b7be23
SHA1 hash:
01af19456b6f97790973d0d67a97ecc362ab7aed
Link:
https://www.unpac.me/results/0df5b59a-8655-4cb8-84d2-45ba1e8724b1/
SH256 hash:
e49dcc7f15d696bcb6bbaf392a92249e29815cea8457fe3ab3a078b99a49e699
MD5 hash:
41e84298d2e5c7e737ec55b05c64290d
SHA1 hash:
4e11f6b0c2274349c4f51708dd5b37c4d64cae90
Link:
https://www.unpac.me/results/0df5b59a-8655-4cb8-84d2-45ba1e8724b1/
SH256 hash:
69d8742e78735c9e08f9fcec838ff357c6aabfe4b593e2612ea85aca9815715c
MD5 hash:
22250ae9bdb6ee365069a2afc90e764f
SHA1 hash:
b8fb058e98bda06e321573ba4d69407cd95f0805
Link:
https://www.unpac.me/results/0df5b59a-8655-4cb8-84d2-45ba1e8724b1/
SH256 hash:
addaf10bbef45a2bb941b2b984ecb26656e4554bbd7adc2baf6e14451b296918
MD5 hash:
a71b15ea6d73184732952503f0f59505
SHA1 hash:
b337dcf04bf73d24449961986c57c5755055bf3f
Link:
https://www.unpac.me/results/0df5b59a-8655-4cb8-84d2-45ba1e8724b1/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/addaf10bbef45a2bb941b2b984ecb26656e4554bbd7adc2baf6e14451b296918

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

SnakeKeylogger

Executable exe addaf10bbef45a2bb941b2b984ecb26656e4554bbd7adc2baf6e14451b296918

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/260417/

Comments