MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 be2ff52ed353429d954a579493e0d95571a1da3edbecd6328bf3ef76a47aeda0. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


SnakeKeylogger


Vendor detections: 9


Intelligence 9 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: be2ff52ed353429d954a579493e0d95571a1da3edbecd6328bf3ef76a47aeda0
SHA3-384 hash: 8cc4ec2abaaeabee9f6330587641a6317054abff6b2fd6eb54c237c73583a25da1cbf634f312f2b52de7901c06468a35
SHA1 hash: d0f4162b77fd7e63fb175c061395beaa379e233d
MD5 hash: b644ad55edc241dc9ee0b7bdb55c8704
humanhash: beryllium-twenty-uniform-king
File name:PO-09IOIOOUIR.exe
Download: download sample
Signature SnakeKeylogger
Create hunting rule
File size:23'552 bytes
First seen:2021-01-18 08:19:16 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'662 x AgentTesla, 19'477 x Formbook, 12'208 x SnakeKeylogger)
ssdeep 384:b5ydXbu7MLd8uflK3mkI7m3plfWT0q4he22XHriXCpIRLkpZpKUfyZsPUfHU2xde:g8IKLOT0V23rCEFQT7d/642T
Threatray 16 similar samples on MalwareBazaar
TLSH 7CB23F397CC42A33EA7FA67AD5F609C6FB21318336111C0E569B83464847BD73D8AA1D
Reporter abuse_ch
Tags:exe SnakeKeylogger


Avatar
abuse_ch
Malspam distributing unidentified malware:

HELO: hosted-by.rootlayer.net
Sending IP: 185.222.58.152
From: sales10@tzrising.com
Subject: أمر شراء جديد بتاريخ 18-01-2021.
Attachment: PO-09IOIOOUIR.z__.zip (contains "PO-09IOIOOUIR.exe")

Intelligence

File Origin
# of uploads :
1
# of downloads :
117
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
PO-09IOIOOUIR.exe
Verdict:
Malicious activity
Analysis date:
2021-01-18 08:23:17 UTC
Tags:
evasion trojan
Link:
https://app.any.run/tasks/1c0ed753-dc57-4adb-ba46-24f276a8b1b1

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/112453/
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending an HTTP GET request
Sending a UDP request
Unauthorized injection to a recently created process
Adding an access-denied ACE
Creating a file
Launching the default Windows debugger (dwwin.exe)
DNS request
Sending a custom TCP request
Reading critical registry keys
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Enabling autorun by creating a file
Enabling autorun
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
Snake Keylogger
Create hunting rule
Detection:
malicious
Classification:
troj.adwa.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/583745
Signature
Creates an undocumented autostart registry key
Creates autostart registry keys with suspicious names
Creates multiple autostart registry keys
Drops PE files to the startup folder
Hides threads from debuggers
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
May check the online IP address of the machine
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Tries to delay execution (extensive OutputDebugStringW loop)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Mail credentials (via file access)
Yara detected MultiObfuscated
Yara detected Snake Keylogger
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 340908 Sample: PO-09IOIOOUIR.exe Startdate: 18/01/2021 Architecture: WINDOWS Score: 100 49 checkip.dyndns.org 2->49 51 freegeoip.app 2->51 53 checkip.dyndns.com 2->53 73 Multi AV Scanner detection for dropped file 2->73 75 Multi AV Scanner detection for submitted file 2->75 77 Yara detected Snake Keylogger 2->77 79 5 other signatures 2->79 8 PO-09IOIOOUIR.exe 18 4 2->8         started        13 PO-09IOIOOUIR.exe 3 2->13         started        15 PO-09IOIOOUIR.exe 2->15         started        17 2 other processes 2->17 signatures3 process4 dnsIp5 71 135.125.27.253, 49714, 49737, 49742 AVAYAUS United States 8->71 43 C:\Users\user\AppData\...\PO-09IOIOOUIR.exe, PE32 8->43 dropped 45 C:\...\PO-09IOIOOUIR.exe:Zone.Identifier, ASCII 8->45 dropped 87 Creates an undocumented autostart registry key 8->87 89 Drops PE files to the startup folder 8->89 91 Tries to delay execution (extensive OutputDebugStringW loop) 8->91 19 PO-09IOIOOUIR.exe 2 8->19         started        23 PO-09IOIOOUIR.exe 2 8->23         started        25 PO-09IOIOOUIR.exe 2 8->25         started        33 2 other processes 8->33 47 C:\Users\user\...\PO-09IOIOOUIR.exe.log, ASCII 13->47 dropped 93 Hides threads from debuggers 13->93 27 PO-09IOIOOUIR.exe 13->27         started        29 PO-09IOIOOUIR.exe 13->29         started        35 3 other processes 13->35 31 PO-09IOIOOUIR.exe 15->31         started        37 4 other processes 15->37 95 Creates autostart registry keys with suspicious names 17->95 97 Creates multiple autostart registry keys 17->97 99 Injects a PE file into a foreign processes 17->99 file6 signatures7 process8 dnsIp9 63 3 other IPs or domains 19->63 55 checkip.dyndns.org 23->55 65 3 other IPs or domains 25->65 57 checkip.dyndns.org 27->57 59 checkip.dyndns.org 29->59 61 checkip.dyndns.org 31->61 81 Tries to steal Mail credentials (via file access) 31->81 83 Tries to harvest and steal ftp login credentials 31->83 85 Tries to harvest and steal browser information (history, passwords, etc) 31->85 39 WerFault.exe 33->39         started        41 WerFault.exe 33->41         started        67 3 other IPs or domains 35->67 69 4 other IPs or domains 37->69 signatures10 process11
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/be2ff52ed353429d954a579493e0d95571a1da3edbecd6328bf3ef76a47aeda0/
Threat name:
Win32.Trojan.Generic
Create hunting rule
Status:
Suspicious
First seen:
2021-01-18 05:20:00 UTC
AV detection:
6 of 46 (13.04%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=xyx7klwtknbj3fkkk6kjhygzkvy2dwr63pwnmmul6pxxnjd25wqa._file
Verdict:
unknown
Similar samples:
208a8cfdd915e43d58459d4e082efbbf58c649933c09c18c52bc95d34f9725ce
SnakeKeylogger
22e473a7adb1bf3da0d6b900d5ec9f1b4a455bde122d31d6509b8d7b5bd9eab1
SnakeKeylogger
301994867e5c9fc93d3245e9736f95e9939af96d0a60d7b01ab22d50f6bf40d0
SnakeKeylogger
50291fb5edd36f2d5a467e0beed36433f35a118e220984afb775924135a62e20
SnakeKeylogger
622b255f7552f990c5d1f97c3ec9fad77b589b88961deec7b691794d81a7b9b4
SnakeKeylogger
6800f5b370a3df8a367fdf29b81f596dc78b5d7b095e5c3c5a9cae0dac36efbc
SnakeKeylogger
8186a0a03d0def9de9dce80543f12336eb276a7404e9da4680c170cfdd58b03d
SnakeKeylogger
a995bb11b514f86196d1c0826ffdc7c93da31232d2f68b2818e2f293b5924fe9
SnakeKeylogger
ad3ed5a2a7fdaf7778464c1f3bd3de13972d04e7123522cb906ea18112e359ba
SnakeKeylogger
de2737f4da569bbee74f77a76656589a22f1e3e495b60b4f84959d49eab5d1f1
SnakeKeylogger
+ 6 additional samples on MalwareBazaar
Result
Malware family:
snakekeylogger
Create hunting rule
Score:
  10/10
Tags:
family:snakekeylogger keylogger persistence spyware stealer
Link:
https://tria.ge/reports/210118-rw9vls3pfe/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Adds Run key to start application
Looks up external IP address via web service
Drops startup file
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Modifies WinLogon for persistence
Snake Keylogger
Snake Keylogger Payload
Unpacked files
SH256 hash:
be2ff52ed353429d954a579493e0d95571a1da3edbecd6328bf3ef76a47aeda0
MD5 hash:
b644ad55edc241dc9ee0b7bdb55c8704
SHA1 hash:
d0f4162b77fd7e63fb175c061395beaa379e233d
Link:
https://www.unpac.me/results/71e4674e-c7c2-457f-a507-7e4c0a45e5c5/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Trojan
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/be2ff52ed353429d954a579493e0d95571a1da3edbecd6328bf3ef76a47aeda0

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

SnakeKeylogger

zip aa4489386c0f548edec9e32cbb74e7b929656916c8111b31d7deb84c5180151e

SnakeKeylogger

Executable exe be2ff52ed353429d954a579493e0d95571a1da3edbecd6328bf3ef76a47aeda0

(this sample)

  
Dropped by
MD5 dc2147f245f6d7a9c8330e8dda832514
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/112453/
  
Dropped by
SHA256 aa4489386c0f548edec9e32cbb74e7b929656916c8111b31d7deb84c5180151e

Comments