MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 d2d343134c1059de966b18db5befa9de624af3a60a16c74435c359a6b633d7bd. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


SnakeKeylogger


Vendor detections: 10


Intelligence 10 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: d2d343134c1059de966b18db5befa9de624af3a60a16c74435c359a6b633d7bd
SHA3-384 hash: c2770dad9f0bac14b26c241cffbc1b4cb0f94102e6e55906f8d498639cd0fe27cb3273488eff8bc49664a7ac3744fc43
SHA1 hash: 967432b0f0628c943f8ae1285658265e6b691642
MD5 hash: 47455e580d7487f9a88a046fb9382bde
humanhash: mike-yellow-twelve-undress
File name:Purchase Order.exe
Download: download sample
Signature SnakeKeylogger
Create hunting rule
File size:612'352 bytes
First seen:2021-02-05 16:36:05 UTC
Last seen:2021-02-05 18:57:59 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'462 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 6144:YsozSDMpra6vCvQNuJls24Vw5w9hcakur7LHaKFZRAV3lwoMGq:ip15NuJ7ap7LHaKFSq
Threatray 15 similar samples on MalwareBazaar
TLSH 77D44B6D259F9AA1D079CCF2415B17C082859B1DC8EAE2FB5F8853D8DE237848273DD2
Reporter abuse_ch
Tags:exe SnakeKeylogger


Avatar
abuse_ch
Malspam distributing unidentified malware:

HELO: air.nseasy.com
Sending IP: 64.37.52.73
From: Sales <sales@greenwoodmagnetics.com>
Subject: RE: Purchase Order.
Attachment: Purchase Order.zip (contains "Purchase Order.exe")

Intelligence

File Origin
# of uploads :
2
# of downloads :
105
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
Purchase Order.exe
Verdict:
Suspicious activity
Analysis date:
2021-02-05 16:41:45 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/525435b2-d30b-4039-9843-5232e106381c

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Snake
Create hunting rule
Link:
https://www.capesandbox.com/analysis/115767/
Detection(s):
SecuriteInfo.com.Trojan.Inject4.6999.32252.20558.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Launching a process
DNS request
Sending an HTTP GET request
Sending a custom TCP request
Reading critical registry keys
Creating a window
Sending a UDP request
Launching the default Windows debugger (dwwin.exe)
Unauthorized injection to a system process
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
Snake Keylogger
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
88 / 100
Link:
https://www.joesandbox.com/analysis/600461
Signature
Allocates memory in foreign processes
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Machine Learning detection for sample
May check the online IP address of the machine
Multi AV Scanner detection for submitted file
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file access)
Writes to foreign memory regions
Yara detected Snake Keylogger
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/d2d343134c1059de966b18db5befa9de624af3a60a16c74435c359a6b633d7bd/
Threat name:
ByteCode-MSIL.Infostealer.Stelega
Create hunting rule
Status:
Malicious
First seen:
2021-02-05 15:38:30 UTC
AV detection:
35 of 47 (74.47%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=2ljuge2mcbm55ftlddnvx35j3zrev45gbilmorbvynm2nnrt266q._file
Verdict:
unknown
Similar samples:
137fb0e24fd529a653dc39073e216fc0044ba9ddbb1515d34155b16f9848ce1f
SnakeKeylogger
319317193be5eadd1f42f45e397d611c995452308320606c5f6e7d97869b6c8f
SnakeKeylogger
47ffaf572157824fb5a40a2706bd72f3e0e43090c621c9d676031fd80bb35fe5
SnakeKeylogger
5c490fcd927f87434dca860aa71947a31942bcabfed0adb27ab16a0fe1412fe1
SnakeKeylogger
71908b2defae460e3fef4b3275a66680bb518a59a8b0d740e61f063ff9eece45
SnakeKeylogger
7e57934a39e0526d67e204b9fa5a6a65b901b05ee1faa540f2a6e5ca348f136f
SnakeKeylogger
9b9a319f7df0632a5850678d19ae828c31659569b1ffa615fe54bb8fb7e17d49
SnakeKeylogger
bc8df1915282e2e0682f70a348b91aab8282560beee4fd5f7b972cbc8240993a
SnakeKeylogger
c10cdab79d291209250dbe8cab991843dedfdf4291d742e7764ecdcaa910b9e5
SnakeKeylogger
ee049ddb16bce4b0a37cce581802976cb696243207172c8461ba27d85948fd5e
SnakeKeylogger
+ 5 additional samples on MalwareBazaar
Result
Malware family:
snakekeylogger
Create hunting rule
Score:
  10/10
Tags:
family:snakekeylogger keylogger stealer
Link:
https://tria.ge/reports/210205-jxntbxqlbe/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Program crash
Suspicious use of SetThreadContext
Looks up external IP address via web service
Beds Protector Packer
Snake Keylogger
Snake Keylogger Payload
Unpacked files
SH256 hash:
97024f17003dd3d31dab64c4d1b8251e50d428644eb59ed3692ad79ce42019cf
MD5 hash:
8cd28be4bd9a1404c6d3600db32b3ed1
SHA1 hash:
fb90b0ca51118e771390d58b19d0a404ee14cfbc
Link:
https://www.unpac.me/results/274916cb-e059-4f92-8355-1ced046c969c/
SH256 hash:
fd8573024777ee78ea5d9ade77b3124c0b71a3a4270a5565bd5e2523451a4e05
MD5 hash:
630fe8125c752d0d9a157bf37e2d6c06
SHA1 hash:
2dfa4d5ab58d3c7a7a2b7797a872c5eb31a51b9a
Link:
https://www.unpac.me/results/274916cb-e059-4f92-8355-1ced046c969c/
SH256 hash:
f01701516a91d5ef62f58f52d49ee06f5f2edde19ec54bf3d49baceb173124d4
MD5 hash:
4150189aaf4246cf9386a047c6367bd9
SHA1 hash:
18ab0cf518cc95745a0cf4ac7235358193be97bd
Link:
https://www.unpac.me/results/274916cb-e059-4f92-8355-1ced046c969c/
SH256 hash:
d2d343134c1059de966b18db5befa9de624af3a60a16c74435c359a6b633d7bd
MD5 hash:
47455e580d7487f9a88a046fb9382bde
SHA1 hash:
967432b0f0628c943f8ae1285658265e6b691642
Link:
https://www.unpac.me/results/274916cb-e059-4f92-8355-1ced046c969c/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/d2d343134c1059de966b18db5befa9de624af3a60a16c74435c359a6b633d7bd

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_EXE_Packed_ConfuserExMod_BedsProtector
Create hunting rule
Author:ditekSHen
Description:Detects executables packed with ConfuserEx Mod Beds Protector
Rule name:Keylog_bin_mem
Create hunting rule
Author:James_inthe_box
Description:Contains Keylog
Rule name:MALWARE_Win_SnakeKeylogger
Create hunting rule
Author:ditekSHen
Description:Detects Snake Keylogger

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

SnakeKeylogger

zip 367b779b6e09c5ed6998e37ce8c22ec744b5563a4b151d7d37f00eb173333ed8

SnakeKeylogger

Executable exe d2d343134c1059de966b18db5befa9de624af3a60a16c74435c359a6b633d7bd

(this sample)

  
Dropped by
MD5 a4087336fd56841fa3b6d1a56f96304b
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/115767/
  
Dropped by
SHA256 367b779b6e09c5ed6998e37ce8c22ec744b5563a4b151d7d37f00eb173333ed8

Comments