MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 c9975525ec628621b49048340bf4d1bc0c46fb96263885682dc4832549391221. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


SnakeKeylogger


Vendor detections: 12


Intelligence 12 IOCs YARA 7 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: c9975525ec628621b49048340bf4d1bc0c46fb96263885682dc4832549391221
SHA3-384 hash: 6e005d2cff8080a902a21517897e8c9d66d5aec9e1475b905e95b4f8efc3bff36a08850a2334633b01d85214374b340a
SHA1 hash: c0b06a3d83ae834077a28f3d36fcca897e78d35b
MD5 hash: d82f6746c99f52c1542a6e6dac209df8
humanhash: april-skylark-steak-aspen
File name:Orden-CVE6535 _TVOP-MIO, pdf.exe
Download: download sample
Signature SnakeKeylogger
Create hunting rule
File size:1'085'952 bytes
First seen:2021-10-12 17:39:09 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'662 x AgentTesla, 19'474 x Formbook, 12'208 x SnakeKeylogger)
ssdeep 24576:2z+OsGm7CSGbx+lLBb35H7h7XSmeII2g8P90bk:2zaD7i9+fj5d7imeIITSib
Threatray 507 similar samples on MalwareBazaar
TLSH T10335221CB2B0D263C57E5F3076A4C37C4A3A6E5A3DBDA11E3194776D6BF12E24826321
File icon (PE):PE icon
dhash icon 7cfcc8d8f8b8f8e0 (2 x SnakeKeylogger, 2 x Formbook)
Reporter abuse_ch
Tags:exe SnakeKeylogger

Intelligence

File Origin
# of uploads :
1
# of downloads :
106
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
Orden-CVE6535 _TVOP-MIO, pdf.exe
Verdict:
Suspicious activity
Analysis date:
2021-10-12 18:20:31 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/ed17a503-9239-4ef9-a164-617f5ab43f51

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/197010/
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file in the %temp% directory
Creating a process from a recently created file
Deleting a recently created file
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
obfuscated packed
Link:
https://www.filescan.io/uploads/6165c8749fb4d8593d62b1f4/reports/55b6552d-6c83-4c9e-9d3e-6e24f15bd812/overview
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Loki
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/81eb8f90-3d2a-4bb7-81a3-f3ee95955aa1
Result
Threat name:
Snake Keylogger
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/868935
Signature
.NET source code references suspicious native API functions
Allocates memory in foreign processes
Antivirus / Scanner detection for submitted sample
Found malware configuration
Injects a PE file into a foreign processes
Machine Learning detection for sample
May check the online IP address of the machine
Sigma detected: Powershell Used To Disable Windows Defender AV Security Monitoring
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file access)
Writes to foreign memory regions
Yara detected Beds Obfuscator
Yara detected Snake Keylogger
Yara detected Telegram RAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 501360 Sample: Orden-CVE6535 _TVOP-MIO, pdf.exe Startdate: 12/10/2021 Architecture: WINDOWS Score: 100 39 Found malware configuration 2->39 41 Antivirus / Scanner detection for submitted sample 2->41 43 Yara detected Telegram RAT 2->43 45 5 other signatures 2->45 7 Orden-CVE6535 _TVOP-MIO, pdf.exe 3 2->7         started        process3 file4 25 C:\Users\user\AppData\Local\...\MSBuild.exe, PE32 7->25 dropped 27 C:\Users\user\AppData\...\AdvancedRun.exe, PE32 7->27 dropped 29 C:\...\Orden-CVE6535 _TVOP-MIO, pdf.exe.log, ASCII 7->29 dropped 47 Writes to foreign memory regions 7->47 49 Allocates memory in foreign processes 7->49 51 Injects a PE file into a foreign processes 7->51 11 MSBuild.exe 15 2 7->11         started        15 MSBuild.exe 7->15         started        17 AdvancedRun.exe 1 7->17         started        19 3 other processes 7->19 signatures5 process6 dnsIp7 31 checkip.dyndns.org 11->31 33 checkip.dyndns.com 216.146.43.71, 49799, 49802, 80 DYNDNSUS United States 11->33 35 freegeoip.app 172.67.188.154, 443, 49817 CLOUDFLARENETUS United States 11->35 53 Tries to steal Mail credentials (via file access) 11->53 55 Tries to harvest and steal browser information (history, passwords, etc) 11->55 57 May check the online IP address of the machine 15->57 37 192.168.2.1 unknown unknown 17->37 21 AdvancedRun.exe 17->21         started        23 AdvancedRun.exe 19->23         started        signatures8 process9
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/c9975525ec628621b49048340bf4d1bc0c46fb96263885682dc4832549391221/
Threat name:
ByteCode-MSIL.Trojan.Woreflint
Create hunting rule
Status:
Malicious
First seen:
2021-10-12 17:41:54 UTC
AV detection:
13 of 45 (28.89%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=zglvkjpmmkdcdneqja2ax5grxqgen64wey4ik2bnysbsksjzciqq._file
Verdict:
malicious
Similar samples:
1f4ccad233d733ecf2c0374593f95ea0bd521a17e82206b17fd74948faca974c
SnakeKeylogger
3207b29dc3b4396073112e25e54d5806aa95234b460aaea32e970d9ba725559e
SnakeKeylogger
519ba7ae267491633e2a01e55735586ba94829871e5c4ec2fe0a5c8fafe004b8
SnakeKeylogger
70cb4ed4ee85184589dc4b5bb72dd1313b133b428e6604bde1a7e1da7fb216ae
SnakeKeylogger
954988371d8cebea1a69f2c1a47d50b13b9eb82630e5fbc5069105bd12b7b541
SnakeKeylogger
a24f5f4b32db9b6d284e1abd91640aefffd14dcc2c3c7b3942f6a7c02cfdbed2
SnakeKeylogger
a397a5fde8ef63a32f7867346eebabd48d1ddf0a60c0d95abf431d9d2c51e017
SnakeKeylogger
b3847e885fde014d20644ed7e2ac69d8c6708b05700a416721de68e77d7cd66f
SnakeKeylogger
c7ce97bf28191b9f81871421f7f6fea0c86fca516d3e8706e16c0f07e9e7ed5b
SnakeKeylogger
d642eb17671f269eddc3d1045845374a45eda0a7c3fd197d8b7f6a3355ba01d6
SnakeKeylogger
+ 497 additional samples on MalwareBazaar
Result
Malware family:
snakekeylogger
Create hunting rule
Score:
  10/10
Tags:
family:snakekeylogger collection keylogger spyware stealer
Link:
https://tria.ge/reports/211012-v8vn4acfel/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Enumerates physical storage devices
Program crash
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Looks up external IP address via web service
Loads dropped DLL
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Executes dropped EXE
Nirsoft
Snake Keylogger
Snake Keylogger Payload
Unpacked files
SH256 hash:
3dc88f2b83560b7a7c361d5efdf234ae3c9cfcb06c7a95262d797b29906a51d0
MD5 hash:
94ec0a683a6ad148c0c5cafe48fb15ea
SHA1 hash:
9603904bdca9b96d82bd5d8026d0abfdc8386e5d
Link:
https://www.unpac.me/results/09a09424-8d9a-431e-bb30-2a5c15b89983/
SH256 hash:
647ee7b8017d3b06d8b60848a0166915277d4cfa27fa36b53bc7178aee6d5152
MD5 hash:
253ef04da63ef30374eea35ab3d20aa7
SHA1 hash:
5bf0528bcdd5655bf1717b4124fbbc98bcc0df35
Link:
https://www.unpac.me/results/09a09424-8d9a-431e-bb30-2a5c15b89983/
SH256 hash:
4a2710a548a234552d18a498e96c8e3cea420ab32aa196dc53bcdcbeec0c475b
MD5 hash:
e4a507d39386d1b9cb2c8168d32a60a1
SHA1 hash:
3567afaf248045e771a13b3799aab67cde9b6950
Link:
https://www.unpac.me/results/09a09424-8d9a-431e-bb30-2a5c15b89983/
SH256 hash:
c9975525ec628621b49048340bf4d1bc0c46fb96263885682dc4832549391221
MD5 hash:
d82f6746c99f52c1542a6e6dac209df8
SHA1 hash:
c0b06a3d83ae834077a28f3d36fcca897e78d35b
Link:
https://www.unpac.me/results/09a09424-8d9a-431e-bb30-2a5c15b89983/
Malware family:
Phoenix
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/c9975525ec62/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/c9975525ec628621b49048340bf4d1bc0c46fb96263885682dc4832549391221

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_EXE_Packed_ConfuserExMod_BedsProtector
Create hunting rule
Author:ditekSHen
Description:Detects executables packed with ConfuserEx Mod Beds Protector
Rule name:INDICATOR_SUSPICIOUS_EXE_DotNetProcHook
Create hunting rule
Author:ditekSHen
Description:Detects executables with potential process hoocking
Rule name:INDICATOR_SUSPICIOUS_Stomped_PECompilation_Timestamp_InTheFuture
Create hunting rule
Author:ditekSHen
Description:Detect executables with stomped PE compilation timestamp that is greater than local current time
Rule name:MALWARE_Win_SnakeKeylogger
Create hunting rule
Author:ditekSHen
Description:Detects Snake Keylogger
Rule name:pe_imphash
Create hunting rule
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

SnakeKeylogger

Executable exe c9975525ec628621b49048340bf4d1bc0c46fb96263885682dc4832549391221

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/197010/

Comments