MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 b062dff5d70847fbec0f252db14092f1e28a45f9069d0e1b26632222da2e2741. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Signature: SnakeKeylogger
Vendor detections: 9
Maldoc score: 11


SHA256 hash: b062dff5d70847fbec0f252db14092f1e28a45f9069d0e1b26632222da2e2741
SHA3-384 hash: ab1c91882524486d3120a2f9dda54335ddf90a808596ce3d8039cd49195fcad9e3f8dcd9f16b99a170999e7ba98ad31a
SHA1 hash: 903accc35e9abd4994a5e36aa0165ac65396a107
MD5 hash: 321bfe330a10dc1f615e5c9d69218c57
humanhash: nine-lima-harry-sweet
File name: PO10976 B86b0mDlYqpH2306105pdf.doc
Signature: SnakeKeylogger
File size: 645'632 bytes
First seen: 2021-10-29 05:13:14 UTC
Last seen: Never
File type: Word file doc
MIME type: application/msword
ssdeep: 12288:TbqTtukI4DLk+N76BI7G+eDYYQgc6gID6ijVAm5vbZ82NHKLtO2:nmukI6Y+N7uDgl6gI9VAm5vzs
TLSH: T10FD42392B1D4DF9BE41B66391CC3D09C7E18FC889E6DD20B3A45BB5F4EB97268102819
Reporter: abuse_ch
Tags: doc SnakeKeylogger

Office OLE Information


This malware sample appears to be an Office document. The following tables provide more information about this document, obtained using oletools and oledump.

OLE id
Maldoc score: 11
OLE dump

MalwareBazaar was able to identify 12 sections in this file using oledump:

Section ID   Section size    Section name
1            114 bytes       CompObj
2            4096 bytes      DocumentSummaryInformation
3            4096 bytes      SummaryInformation
4            7019 bytes      1Table
5            610223 bytes    Data
6            412 bytes       Macros/PROJECT
7            65 bytes        Macros/PROJECTwm
8            1001 bytes      Macros/VBA/Module1
9            2146 bytes      Macros/VBA/ThisDocument
10           2693 bytes      Macros/VBA/_VBA_PROJECT
11           562 bytes       Macros/VBA/dir
12           4096 bytes      WordDocument
OLE vba

MalwareBazaar was able to extract and deobfuscate the VBA script(s) embedded in this file using olevba, and obtained the following information from the OLE objects:

Type         Keyword          Description
AutoExec     Document_Open    Runs when the Word or Publisher document is opened
IOC          god.bat          Executable file name
Suspicious   Open             May open a file
Suspicious   CreateTextFile   May create a text file
Suspicious   GetObject        May get an OLE object with a running instance
Suspicious   Chr              May attempt to obfuscate specific strings (use option --deobf to deobfuscate)
Suspicious   Hex Strings      Hex-encoded strings were detected, may be used to obfuscate strings (option --decode to see all)

Intelligence


File Origin
# of uploads: 1
# of downloads: 145
Origin country: n/a

Vendor Threat Intelligence
Verdict: Malicious
File type: application/msword
Has a screenshot: False
Contains macros: True
Result
Verdict: Malicious
File Type: Legacy Word File with Macro
Result
Verdict: MALICIOUS
Details
Macro with Startup Hook: Detected macro logic that will automatically execute on document open. Most malware contains some execution hook.
Document With Few Pages: Document contains between one and three pages of content. Most malicious documents are sparse in page count.
Macro with File System Write: Detected macro logic that can write data to the file system.
Macro Execution Coercion: Detected a document that appears to social engineer the user into activating embedded logic.
Result
Threat name: Clipboard Hijacker Snake Keylogger
Detection: malicious
Classification: expl.evad.troj.spyw
Score: 100 / 100
Signature
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code references suspicious native API functions
Antivirus detection for dropped file
Antivirus detection for URL or domain
Binary or sample is protected by dotNetProtector
Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)
Detected unpacking (overwrites its own PE header)
Document contains an embedded VBA macro with suspicious strings
Document exploit detected (creates forbidden files)
Document exploit detected (process start blacklist hit)
Found detection on Joe Sandbox Cloud Basic with higher score
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
May check the online IP address of the machine
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)
Sigma detected: Execution from Suspicious Folder
Sigma detected: Microsoft Office Product Spawning Windows Shell
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Mail credentials (via file access)
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected Clipboard Hijacker
Yara detected Obfuscated Powershell
Yara detected Snake Keylogger
Yara detected Telegram RAT
Behaviour
Behavior Graph ID 511450 (sample: PO10976 B86b0mDlYqpH2306105...; start date: 29/10/2021; architecture: WINDOWS; score: 100). The graph is rendered here as an indented process tree; network tuples are kept as the sandbox printed them (IP, ports, ASN, country), and truncated paths ("...") are left as on the page.

Start
  Network: 132.226.247.73, 49856, 80 UTMEMUS United States; freegeoip.app; 3 other IPs or domains
  Signatures: Malicious sample detected (through community Yara rule); Antivirus detection for URL or domain; Antivirus detection for dropped file; 18 other signatures
  Started: WINWORD.EXE; sergf.exe; FB_E78E.tmp.exe; FB_E78E.tmp.exe

  WINWORD.EXE
    Dropped: C:\Users\user\...\~DF755886B606C2B1B0.TMP (Composite); C:\Users\Public\Documents\god.bat (ASCII)
    Signatures: Document exploit detected (creates forbidden files)
    Started: cmd.exe
      cmd.exe
        Signatures: Uses schtasks.exe or at.exe to add and modify task schedules
        Started: powershell.exe; conhost.exe
          powershell.exe
            Started: databed.exe
              databed.exe
                Signatures: Injects a PE file into a foreign processes
                Started: databed.exe; cmd.exe; cmd.exe
                  databed.exe
                    Dropped: C:\Users\user\AppData\...\FB_E78E.tmp.exe (PE32); C:\Users\user\AppData\...\FB_DF21.tmp.exe (PE32)
                    Started: FB_DF21.tmp.exe; FB_E78E.tmp.exe
                      FB_DF21.tmp.exe
                        Network: checkip.dyndns.com 132.226.8.169, 49826, 80 UTMEMUS United States; freegeoip.app 104.21.19.200, 443, 49827, 49857 CLOUDFLARENETUS United States; 2 other IPs or domains
                        Signatures: Antivirus detection for dropped file; Multi AV Scanner detection for dropped file; May check the online IP address of the machine; 3 other signatures
                      FB_E78E.tmp.exe
                        Signatures: Detected unpacking (overwrites its own PE header); Machine Learning detection for dropped file
                  cmd.exe
                    Dropped: C:\Users\user\AppData\Roaming\...\sergf.exe (PE32)
                    Started: conhost.exe
                  cmd.exe
                    Started: conhost.exe; schtasks.exe

  sergf.exe
    Signatures: Multi AV Scanner detection for dropped file; Machine Learning detection for dropped file; Injects a PE file into a foreign processes; Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)
    Started: sergf.exe
      sergf.exe
        Dropped: C:\Users\user\AppData\...\FB_7547.tmp.exe (PE32); C:\Users\user\AppData\...\FB_6894.tmp.exe (PE32)

  FB_E78E.tmp.exe (two instances started directly from the start node)
Threat name: Document-Word.Downloader.Powdow
Status: Malicious
First seen: 2021-10-29 05:14:09 UTC
AV detection: 17 of 44 (38.64%)
Threat level: 3/5
Result
Malware family: snakekeylogger
Score: 10/10
Tags: family:snakekeylogger collection keylogger macro macro_on_action persistence spyware stealer
Behaviour
Checks processor information in registry
Creates scheduled task(s)
Enumerates system info in registry
Modifies Internet Explorer settings
Modifies registry class
Suspicious behavior: AddClipboardFormatListener
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Office loads VBA resources, possible macro or embedded object present
Enumerates physical storage devices
Drops file in Windows directory
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Adds Run key to start application
Looks up external IP address via web service
Drops startup file
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Downloads MZ/PE file
Executes dropped EXE
Process spawned unexpected child process
Snake Keylogger
Malware Config
Dropper Extraction: http://coachcarmenwilliams.com/B86b0mDlYqpH2306105pdf.exe
Please note that we are no longer able to provide a coverage score for Virus Total.

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Comments