MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 c62943499b7fed80bf4e37ab525b622ef4fb7cc6b82ddb7b8d6fe75dabcaf363. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


SnakeKeylogger


Vendor detections: 10


Intelligence 10 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: c62943499b7fed80bf4e37ab525b622ef4fb7cc6b82ddb7b8d6fe75dabcaf363
SHA3-384 hash: 681fd97803ad23b162bbcc9131510b4034f8028b5371284d02eaa345176ed982f620721d61afc160739261ce40b5a978
SHA1 hash: 95a0c95fee10a8e37fb0bcabff6e4b10924285d2
MD5 hash: dca3732857d10782f68df4c3e1b757a9
humanhash: juliet-cola-magnesium-oven
File name:000000090000-0990.exe
Download: download sample
Signature SnakeKeylogger
Create hunting rule
File size:1'542'656 bytes
First seen:2021-01-20 13:54:02 UTC
Last seen:2021-01-20 15:53:00 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 52b6f9925181b207b99c579c99e10d60 (4 x Loki, 2 x Formbook, 2 x RemcosRAT)
ssdeep 24576:r7s0lt70aJfExlXjvUTVYChJmkFlazNAx/P83TvaW8QXX7SZwOjhtQ2zjjbebwDj:80j70/5E/h5lWAu3TvDXLSZwsOQ/ShWJ
Threatray 2'222 similar samples on MalwareBazaar
TLSH A265B0D1F190C8A6ED6B05F1AD2AA5302497BD9C54B4410D67ADBB2B76F3342209FE0F
Reporter abuse_ch
Tags:exe SnakeKeylogger


Avatar
abuse_ch
Malspam distributing unidentified malware:

HELO: hosted-by.rootlayer.net
Sending IP: 185.222.58.152
From: Eng. Elias Hanna <oktaykucuk@karatguc.com>
Subject: NEW ORDER-09098787
Attachment: 000000090000-0990.xz (contains "000000090000-0990.exe")

Intelligence

File Origin
# of uploads :
2
# of downloads :
132
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
000000090000-0990.exe
Verdict:
Malicious activity
Analysis date:
2021-01-20 14:11:54 UTC
Tags:
evasion trojan
Link:
https://app.any.run/tasks/f1506c09-3e83-4292-8c1f-43031d4310c4

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/113085/
Detection(s):
SecuriteInfo.com.Variant.Zusy.362040.14178.16672.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file in the %temp% subdirectories
Creating a file
Sending a UDP request
Running batch commands
Creating a process with a hidden window
Launching a process
Creating a window
Creating a process from a recently created file
Using the Windows Management Instrumentation requests
DNS request
Sending an HTTP GET request
Sending a custom TCP request
Reading critical registry keys
Launching the process to change network settings
Forced shutdown of a system process
Unauthorized injection to a recently created process
Unauthorized injection to a system process
Enabling autorun by creating a file
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
AgentTesla Matiex Snake Keylogger
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/586148
Signature
.NET source code contains very large array initializations
Antivirus detection for dropped file
C2 URLs / IPs found in malware configuration
Found malware configuration
Machine Learning detection for dropped file
Maps a DLL or memory area into another process
May check the online IP address of the machine
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Sigma detected: Capture Wi-Fi password
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to harvest and steal WLAN passwords
Tries to steal Mail credentials (via file access)
Uses netsh to modify the Windows network and firewall settings
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Yara detected AgentTesla
Yara detected Matiex Keylogger
Yara detected Snake Keylogger
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 342113 Sample: 000000090000-0990.exe Startdate: 20/01/2021 Architecture: WINDOWS Score: 100 58 Found malware configuration 2->58 60 Antivirus detection for dropped file 2->60 62 Sigma detected: Capture Wi-Fi password 2->62 64 12 other signatures 2->64 9 000000090000-0990.exe 4 2->9         started        process3 file4 34 C:\Users\user\AppData\Local\Temp\...\file.exe, PE32 9->34 dropped 36 C:\...\39f3642c01e5456a9e5b83f9a108aa0b.xml, XML 9->36 dropped 82 Writes to foreign memory regions 9->82 84 Maps a DLL or memory area into another process 9->84 13 MSBuild.exe 4 9->13         started        16 cmd.exe 1 9->16         started        signatures5 process6 file7 38 C:\Users\user\...\bilgi snake 2021.exe, PE32 13->38 dropped 40 C:\Users\user\...\MATIEX GODISOD 4.0 .exe, PE32 13->40 dropped 42 C:\Users\user\AppData\Local\Temp\4.0.exe, PE32 13->42 dropped 18 4.0.exe 14 2 13->18         started        22 MATIEX GODISOD 4.0 .exe 14 2 13->22         started        24 bilgi snake 2021.exe 15 2 13->24         started        26 conhost.exe 16->26         started        28 schtasks.exe 1 16->28         started        process8 dnsIp9 56 4 other IPs or domains 18->56 66 Antivirus detection for dropped file 18->66 68 Multi AV Scanner detection for dropped file 18->68 70 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 18->70 80 3 other signatures 18->80 44 checkip.dyndns.org 22->44 46 216.146.43.70, 49728, 49730, 49735 DYNDNSUS United States 22->46 48 srvc13.turhost.com 37.230.106.16, 49738, 587 AEROTEK-ASTR Turkey 22->48 72 Tries to steal Mail credentials (via file access) 22->72 74 Tries to harvest and steal ftp login credentials 22->74 76 Tries to harvest and steal browser information (history, passwords, etc) 22->76 78 Tries to harvest and steal WLAN passwords 22->78 30 netsh.exe 22->30         started        50 checkip.dyndns.org 24->50 52 checkip.dyndns.com 162.88.193.70, 49725, 49726, 80 DYNDNSUS United States 24->52 54 freegeoip.app 172.67.188.154, 443, 49732, 49734 CLOUDFLARENETUS United States 24->54 signatures10 process11 process12 32 conhost.exe 30->32         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/c62943499b7fed80bf4e37ab525b622ef4fb7cc6b82ddb7b8d6fe75dabcaf363/
Threat name:
Win32.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2021-01-20 10:02:48 UTC
AV detection:
17 of 29 (58.62%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=yyuugsm3p7wybp2og6vvew3cf32pw7ggxaw5w64nn7tv3k6k6nrq._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
0233c43ce1cf759e1d8c8d343b03bfbad84652b12fe32b0e54b7fc7c08bdcc88
SnakeKeylogger
3b730885744ae75260212b43010cbd9578df34c88450745169a56a99d2476ffa
SnakeKeylogger
3fd2c91007c4b1429d70710853232018e8da2528d375af5d64b79901254e52f0
SnakeKeylogger
436fdd814820def5e208ef0ed29038a5f4b0e84b418694591c926b6961e1203f
SnakeKeylogger
5a9e1ff007254cb77b90545f61dd8ea00eddc37b080950563b95d1bfbe70bb26
SnakeKeylogger
7596db7593e9571f3cfdb3003fe0001054abddfb57dd8390bc05d458cbef0be3
SnakeKeylogger
8a3c02f3f221e3874e057b7a98a43560d291f886f4b5351051f2876bc2f8c4e6
SnakeKeylogger
8c3b25751ab09b3f9a6b6f9ce8271c13b5963565c2099077cfc9d30d6ff6abe7
SnakeKeylogger
95eaed904a48a580a9ba80eb8193b178f08b3da26d830b7a8b2fa8f5e3b5186e
SnakeKeylogger
aefa2f5a8448c792183fedf9d025becfb782102b749c0fe3be273975f2dc3b61
SnakeKeylogger
+ 2'212 additional samples on MalwareBazaar
Result
Malware family:
snakekeylogger
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla family:matiex family:snakekeylogger keylogger ransomware spyware stealer trojan
Link:
https://tria.ge/reports/210120-2eetyj3ss2/
Behaviour
Creates scheduled task(s)
Suspicious behavior: MapViewOfSection
Suspicious use of WriteProcessMemory
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Enumerates physical storage devices
Suspicious use of SetThreadContext
Looks up external IP address via web service
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Executes dropped EXE
AgentTesla
Matiex
Matiex Main Payload
Snake Keylogger
Snake Keylogger Payload
Unpacked files
SH256 hash:
c62943499b7fed80bf4e37ab525b622ef4fb7cc6b82ddb7b8d6fe75dabcaf363
MD5 hash:
dca3732857d10782f68df4c3e1b757a9
SHA1 hash:
95a0c95fee10a8e37fb0bcabff6e4b10924285d2
Link:
https://www.unpac.me/results/188325da-4b3b-4b87-b8c8-32b9f88da715/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/c62943499b7fed80bf4e37ab525b622ef4fb7cc6b82ddb7b8d6fe75dabcaf363

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

SnakeKeylogger

zip 317fec4108f6d85caa5c1589b983a87dc665140390975d2f96e54a8ab1ab2d34

SnakeKeylogger

Executable exe c62943499b7fed80bf4e37ab525b622ef4fb7cc6b82ddb7b8d6fe75dabcaf363

(this sample)

  
Dropped by
MD5 56c9727d6d4e0af73218e73f62677000
  
Delivery method
Distributed via e-mail attachment
  
Dropped by
SHA256 317fec4108f6d85caa5c1589b983a87dc665140390975d2f96e54a8ab1ab2d34
Cape
Cape
https://www.capesandbox.com/analysis/113085/

Comments