MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 af3f4dfa47504422692feb8866e5621acde7bd8a71742092443df843e85377a0. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


SnakeKeylogger


Vendor detections: 9


Intelligence 9 IOCs YARA 11 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: af3f4dfa47504422692feb8866e5621acde7bd8a71742092443df843e85377a0
SHA3-384 hash: 0afd684e82d985360464fe15e0709270af4a0c6bc9c7cd27c25b67932294dabf36fa5315770ee5249199ac0d4bff644c
SHA1 hash: c13a4aeb355817daca29dafe874cc21b367fd193
MD5 hash: 187784e257ffe08b39e7a656d994effc
humanhash: green-thirteen-oxygen-pennsylvania
File name:New Order PO#86637.zip
Download: download sample
Signature SnakeKeylogger
Create hunting rule
File size:969'998 bytes
First seen:2024-09-19 10:19:23 UTC
Last seen:2024-09-19 10:22:55 UTC
File type: zip
MIME type:application/zip
ssdeep 24576:Ht7Y8R39qYXC6ruzvnki18ITtpwi+ADhSBMw4W/eudLRqvop:Ht7Y89qYXC6ruz/LnxpwiTFSB57WyLRj
TLSH T19D25335C0034E4FAF9945F00391C2AD9603A967396A3A5BEBD8BE0FF68CD16744119FE
Magika zip
Reporter cocaman
Tags:SnakeKeylogger zip


Avatar
cocaman
Malicious email (T1566.001)
From: "MOHAMED ABDUL HAFEZ <hussein.khalife@kcomofficesolutions.com>" (likely spoofed)
Received: "from kcomofficesolutions.com (unknown [185.117.90.249]) "
Date: "19 Sep 2024 02:17:56 +0000"
Subject: "New Order PO#86637 19/09/2024"
Attachment: "New Order PO#86637.zip"

Intelligence

File Origin
# of uploads :
9
# of downloads :
583
Origin country :
CH CH
File Archive Information

This file archive contains 1 file(s), sorted by their relevance:

File name:New Order PO#86637.exe
File size:1'332'869 bytes
SHA256 hash: 5c6ff5340700194b1ec369d0fa8c4d03320a3e7379903d19a7c1fce628ee73bc
MD5 hash: 6fa58744ffb09c72c150f276f7c79ecd
MIME type:application/x-dosexec
Signature SnakeKeylogger
Vendor Threat Intelligence
Detection(s):
Sanesecurity.Malware.22623.ZipHeur.UNOFFICIAL
Create hunting rule

Verdict:
Malicious
Score:
95.7%
Link:
https://cyber-fortress.com/docs/result/index.php?id=66ebfad54ec6bdebe5304431
Tags:
Encryption Stealth Trojan Snakestealer
Result
Verdict:
Suspicious
File Type:
PE File
Link:
https://app.docguard.net/af3f4dfa47504422692feb8866e5621acde7bd8a71742092443df843e85377a0/results/dashboard
Behaviour
BlacklistAPI detected
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
autoit epmicrosoft_visual_cc fingerprint keylogger lolbin masquerade microsoft_visual_cc overlay packed phishing shell32
Link:
https://www.filescan.io/uploads/66ebfad33c9389b729b9c0c9/reports/742cb5f9-a80d-4a84-9452-bf31949b8595/overview
Verdict:
Unknown
Link:
https://www.hybrid-analysis.com/sample/af3f4dfa47504422692feb8866e5621acde7bd8a71742092443df843e85377a0
Result
Verdict:
MALICIOUS
Link:
https://labs.inquest.net/dfi/sha256/af3f4dfa47504422692feb8866e5621acde7bd8a71742092443df843e85377a0
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Score:
100%
Verdict:
Malware
File Type:
ARCHIVE
Link:
https://malprob.io/report/af3f4dfa47504422692feb8866e5621acde7bd8a71742092443df843e85377a0
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/af3f4dfa47504422692feb8866e5621acde7bd8a71742092443df843e85377a0/
Threat name:
Win32.Trojan.Autoitinject
Create hunting rule
Status:
Malicious
First seen:
2024-09-19 10:19:25 UTC
File Type:
Binary (Archive)
Extracted files:
13
AV detection:
26 of 38 (68.42%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=v47u36shkbcce2jp5oegnzlcdlg6ppmkof2cbesehx4eh2cto6qa._file
Result
Malware family:
vipkeylogger
Create hunting rule
Score:
  10/10
Tags:
family:vipkeylogger collection credential_access discovery keylogger stealer
Link:
https://tria.ge/reports/240919-q2zbgssbnk/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Browser Information Discovery
Enumerates physical storage devices
Program crash
System Location Discovery: System Language Discovery
AutoIT Executable
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Looks up external IP address via web service
Drops startup file
Executes dropped EXE
Loads dropped DLL
Credentials from Password Stores: Credentials from Web Browsers
VIPKeylogger
Malware Config
C2 Extraction:
https://api.telegram.org/bot7247249543:AAEjQNxXUVZRm1ev9K9Jf_pcuz9vHQRkYyU/sendMessage?chat_id=403948698
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:AutoIt
Create hunting rule
Author:Jean-Philippe Teissier / @Jipe_
Description:AutoIT packer
Rule name:AutoIT_Compiled
Create hunting rule
Author:@bartblaze
Description:Identifies compiled AutoIT script (as EXE). This rule by itself does NOT necessarily mean the detected file is malicious.
Rule name:AutoIT_Script
Create hunting rule
Author:@bartblaze
Description:Identifies AutoIT script. This rule by itself does NOT necessarily mean the detected file is malicious.
Rule name:DebuggerCheck__API
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:MD5_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for MD5 constants

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

SnakeKeylogger

zip af3f4dfa47504422692feb8866e5621acde7bd8a71742092443df843e85377a0

(this sample)

SnakeKeylogger

Executable exe 5c6ff5340700194b1ec369d0fa8c4d03320a3e7379903d19a7c1fce628ee73bc

  
Delivery method
Distributed via e-mail attachment
  
Dropping
SHA256 5c6ff5340700194b1ec369d0fa8c4d03320a3e7379903d19a7c1fce628ee73bc
  
Dropping
MD5 6fa58744ffb09c72c150f276f7c79ecd

Comments