MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 bc5587fc7b0ae1762cf3a8d5437608ccb908c8eaaeb219f1abb7ee4cad57d1ba. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

SnakeKeylogger

Vendor detections: 10

Intelligence 10 IOCs YARA 3 File information Comments

SHA256 hash:	bc5587fc7b0ae1762cf3a8d5437608ccb908c8eaaeb219f1abb7ee4cad57d1ba
SHA3-384 hash:	34f3fc967069c86ba20303b2f6b6850eb7bce62c15320c7a541070678f6d35dbdef6aef0afc899775bdc5b6378d40bb4
SHA1 hash:	97edd171131eb1a3ae9e63aa18b7596bf7ab9d44
MD5 hash:	581632a12c1a592209d0601ed1636e81
humanhash:	lactose-georgia-island-dakota
File name:	IMG_80137.pdf.exe
Download:	download sample
Signature	SnakeKeylogger Create hunting rule
File size:	1'708'032 bytes
First seen:	2021-01-19 16:20:33 UTC
Last seen:	2021-01-19 18:12:41 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'661 x AgentTesla, 19'474 x Formbook, 12'208 x SnakeKeylogger)
ssdeep	12288:QeQQYwyzF/B1eSdILkqEpwAg/Tr1HeLJlr5rvOUCJ6c:QtQYtzJB1bk0LBOUCE
Threatray	69 similar samples on MalwareBazaar
TLSH	71855B02EA0C8673C5303877459B2B6D2352E9EBE651C3C27B09BA3EB556FC51BCD198
Reporter	abuse_ch
Tags:	exe SnakeKeylogger

abuse_ch

Malspam distributing unidentified malware:

HELO: klginformatica.com.br
Sending IP: 88.26.195.167
From: AccountsPayable <nilson@klginformatica.com.br>
Subject: L&F- SWIFT EXECUTED RECEIPT
Attachment: IMG_80137.pdf.img (contains "IMG_80137.pdf.exe")

Intelligence

File Origin

# of uploads :

# of downloads :

207

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

IMG_80137.pdf.exe

Verdict:

Malicious activity

Analysis date:

2021-01-19 16:26:22 UTC

Tags:

evasion trojan

Link:

https://app.any.run/tasks/b9267796-89e3-4c54-aaa7-c693a093649b

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

Snake

Link:

https://www.capesandbox.com/analysis/112936/

Detection(s):

SecuriteInfo.com.Trojan.PackedNET.509.10261.2681.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

Sending a UDP request

Creating a file in the %temp% directory

Creating a process from a recently created file

Creating a file

DNS request

Sending an HTTP GET request

Sending a custom TCP request

Reading critical registry keys

Unauthorized injection to a recently created process

Unauthorized injection to a recently created process by context flags manipulation

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Result

Threat name:

Snake Keylogger

Detection:

malicious

Classification:

troj.spyw.evad

Score:

92 / 100

Link:

https://www.joesandbox.com/analysis/585281

Signature

Allocates memory in foreign processes

Hides that the sample has been downloaded from the Internet (zone.identifier)

Initial sample is a PE file and has a suspicious name

Injects a PE file into a foreign processes

Machine Learning detection for sample

May check the online IP address of the machine

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to steal Mail credentials (via file access)

Uses an obfuscated file name to hide its real file extension (double extension)

Writes to foreign memory regions

Yara detected Snake Keylogger

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/bc5587fc7b0ae1762cf3a8d5437608ccb908c8eaaeb219f1abb7ee4cad57d1ba/

Threat name:

ByteCode-MSIL.Trojan.Pwsx

Status:

Malicious

First seen:

2021-01-19 15:13:30 UTC

AV detection:

16 of 28 (57.14%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=xrkyp7d3blqxmlhtvdkug5qizs4qrshkv2zbt4nlw7xezlkx2g5a._file

Verdict:

unknown

SnakeKeylogger

1a9dfbc3aed67dd204ff8dae55a38bd28c250cb0ad9f8d150c4a6a4ee9b9f83e

SnakeKeylogger

2109e18f96cf5f627351d52a48eecc483b67e02fd3f1a0e58088f615afc3737f

SnakeKeylogger

2bffb59c94e38a0b9c564111115dd3bf5d9f333dc1554d308722637d9f88cdf1

SnakeKeylogger

8b6da6511860d9a2c86b0ea5f1f31a7811d654a4cf638c9e98fcd806c59050a8

SnakeKeylogger

91a31ae7de6c7cfa8123333cec0fb4ac9317b12e8b1ede01de97936c8ab82ed7

SnakeKeylogger

a0ad4179ba893bb00642d7f51870660fafcde6e315f9640e6fddd7a81ddd569c

SnakeKeylogger

b3bda762a662aba0ac2fc68304f10f80d897eab01a3157755e230943615eddeb

SnakeKeylogger

c914e1cead39ffb086bb87029bcea3673f8159087ef8cd7c1cf49eceba97ee07

SnakeKeylogger

cc7d19e6c4fcae8326db313f78e56ad4e9f7346912c2f4d909e3620c1c22147f

SnakeKeylogger

+ 59 additional samples on MalwareBazaar

Result

Malware family:

snakekeylogger

Score:

10/10

Tags:

family:snakekeylogger keylogger spyware stealer

Link:

https://tria.ge/reports/210119-gm19yrmp7a/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Suspicious use of SetThreadContext

Looks up external IP address via web service

Loads dropped DLL

Reads data files stored by FTP clients

Reads user/profile data of local email clients

Reads user/profile data of web browsers

Executes dropped EXE

Snake Keylogger

Snake Keylogger Payload

Unpacked files

SH256 hash:

adbfaf1794b1c0b4e7a9adf0ed1d3503cd361f4a2ab9494dcb6d816010d41fa7

MD5 hash:

9cd1cca6f24e7aea3d100687b4a78602

SHA1 hash:

7c1752866b11d60987dff4add93b4c9e4485dd03

Link:

https://www.unpac.me/results/4b86ba73-eaf0-41be-a6c5-6f382d0210a5/

SH256 hash:

1ffac68def5ce68f650ac8229d3a40e9ac1fc89adeddc9a6041c3dcebb6d1933

MD5 hash:

8503258c9fb8f1519204a2f9a4ccd873

SHA1 hash:

63a62f152f2fe8d79aa29eb3133ba180b03ed416

Link:

https://www.unpac.me/results/4b86ba73-eaf0-41be-a6c5-6f382d0210a5/

SH256 hash:

4f81e273da20c5b9835ce6ca57cc061d77764f9e3927bdb1505cb791bf50b046

MD5 hash:

29e19b5dce96140a8b90152b16bd44af

SHA1 hash:

4f3dc6eb876bb58f53966980a9c451a04ec17d8a

Link:

https://www.unpac.me/results/4b86ba73-eaf0-41be-a6c5-6f382d0210a5/

SH256 hash:

c06d4e3d0205d9bdd4a4b40b8da710d698b3a5d73a1626c9ca058c10b2c6d00c

MD5 hash:

7f67414b3fd29299f2d29ad7c2afb995

SHA1 hash:

2ec40d57c08c47433a6d044d271d74005dddae8d

Link:

https://www.unpac.me/results/4b86ba73-eaf0-41be-a6c5-6f382d0210a5/

SH256 hash:

49dc26861fffee2f6440e56a10b7086ea305d2f16bb9e27ba3e08b9893557f86

MD5 hash:

e732cd6decfed3503b4020899d5a56f9

SHA1 hash:

024c1bf147c698e92aae340bbee323601d02a787

Link:

https://www.unpac.me/results/4b86ba73-eaf0-41be-a6c5-6f382d0210a5/

SH256 hash:

bc5587fc7b0ae1762cf3a8d5437608ccb908c8eaaeb219f1abb7ee4cad57d1ba

MD5 hash:

581632a12c1a592209d0601ed1636e81

SHA1 hash:

97edd171131eb1a3ae9e63aa18b7596bf7ab9d44

Link:

https://www.unpac.me/results/4b86ba73-eaf0-41be-a6c5-6f382d0210a5/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/bc5587fc7b0ae1762cf3a8d5437608ccb908c8eaaeb219f1abb7ee4cad57d1ba

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	INDICATOR_EXE_Packed_ConfuserExMod_BedsProtector Create hunting rule
Author:	ditekSHen
Description:	Detects executables packed with ConfuserEx Mod Beds Protector