MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 bc679eb3b028aff2d47112fed2549ab780d2f9da47b1253582c623b989d432d6. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



SnakeKeylogger


Vendor detections: 9



SHA256 hash: bc679eb3b028aff2d47112fed2549ab780d2f9da47b1253582c623b989d432d6
SHA3-384 hash: 6ea6ead3a52fa094505b4bc06c18eb093da67dd80edb8237a841e0ed283e2148850bcbd51b5e8b103da88ba49841d637
SHA1 hash: 00402465ccf497e9ea9ea37ff0463945d11e1289
MD5 hash: 42adcfbd8fa7a8b17a236a3a695ebce5
humanhash: diet-twelve-nebraska-island
File name: 14.ppam
Signature: SnakeKeylogger
File size: 47'859 bytes
First seen: 2022-04-14 08:09:48 UTC
Last seen: Never
File type: PowerPoint file ppam
MIME type: application/vnd.openxmlformats-officedocument.presentationml.presentation
ssdeep: 768:3LyRD4S0JS00SneSnjS0yS03S0IMS0bS02SC+02/pvrk/QVm2JfIPuTghgb8SjIr:38PzodsQgo9AlDAA1/K8NytsR8H
TLSH: T1E423D154C501260BC273953EE43888E119A6AC279525898FD1DBB94F07E89DB3F4F7CE
TrID: 77.7% (.ZIP) Open Packaging Conventions container (17500/1/4)
17.7% (.ZIP) ZIP compressed archive (4000/1)
4.4% (.PG/BIN) PrintFox/Pagefox bitmap (640x800) (1000/1)
Reporter: madjack_red
Tags: ppam SnakeKeylogger

Intelligence


File Origin
# of uploads: 1
# of downloads: 229
Origin country: n/a
Vendor Threat Intelligence
Result
Verdict: Malicious
File Type: Legacy PowerPoint File with Macro
Verdict: Malicious
Threat level: 10/10
Confidence: 100%
Tags: macros macros-on-close macros-on-open masquerade replace.exe
Label: Malicious
Suspicious Score: 9.9/10
Score Malicious: 1%
Score Benign: 0%
Result
Verdict: MALICIOUS
Details
Macro with Startup Hook
Detected macro logic that will automatically execute on document open. Most malware contains some execution hook.
Result
Threat name: Unknown
Detection: malicious
Classification: expl.evad.troj
Score: 88 / 100
Signature
Creates processes via WMI
Document contains an embedded VBA with base64 encoded strings
Document contains an embedded VBA with many string operations indicating source code obfuscation
Document exploit detected (drops PE files)
Drops PE files with a suspicious file extension
Malicious sample detected (through community Yara rule)
Office process drops PE file
Renames powershell.exe to bypass HIPS
Sigma detected: Execution of Suspicious File Type Extension
Uses schtasks.exe or at.exe to add and modify task schedules
Behaviour
Behavior Graph: (graph image not reproduced; Behavior Graph ID 609157, sample 14.ppam, start date 14/04/2022, architecture WINDOWS, score 88)
Threat name: Document-Office.Trojan.Heuristic
Status: Malicious
First seen: 2022-04-14 08:10:07 UTC
File Type: Document
Extracted files: 43
AV detection: 11 of 25 (44.00%)
Threat level: 2/5
Result
Malware family: snakekeylogger
Score: 10/10
Tags: family:snakekeylogger collection keylogger stealer
Behaviour
Checks processor information in registry
Creates scheduled task(s)
Enumerates system info in registry
Kills process with taskkill
Modifies Internet Explorer settings
Modifies registry class
Modifies system certificate store
Suspicious behavior: AddClipboardFormatListener
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Enumerates physical storage devices
Suspicious use of SetThreadContext
Drops file in System32 directory
Accesses Microsoft Outlook profiles
Looks up external IP address via web service
Checks computer location settings
Blocklisted process makes network request
Executes dropped EXE
Snake Keylogger
Snake Keylogger Payload
Please note that we are no longer able to provide a coverage score for Virus Total.

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Comments