MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 d2f7e7285b03e6374aac8c497ed7f6048ec7917efb1dc17ba6adc58af2a5dc55. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


SnakeKeylogger


Vendor detections: 12


Intelligence 12 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: d2f7e7285b03e6374aac8c497ed7f6048ec7917efb1dc17ba6adc58af2a5dc55
SHA3-384 hash: f638bc2e3936403822b1b288d96e5522fc4ba4166ad4126e83057e6c1b1eb06919a678ada5a8022a4b157226d5b28b1a
SHA1 hash: bc860c279b00dcdf22ad1df4ef5ffadeb83036f1
MD5 hash: e07396d19b7235ffc9fd27dd29bc2afd
humanhash: india-leopard-wyoming-nevada
File name:SKM_C12102021.exe
Download: download sample
Signature SnakeKeylogger
Create hunting rule
File size:329'317 bytes
First seen:2021-10-12 12:14:40 UTC
Last seen:2021-10-12 13:03:24 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash b76363e9cb88bf9390860da8e50999d2 (464 x Formbook, 184 x AgentTesla, 122 x SnakeKeylogger)
ssdeep 6144:F8LxBs9qzUZwd2LDFd1lKu+1ZHV8hDtFbIeZ4iBNnOw9OpNHZkxCeGG7bJGBD4F:/LM2LZd14u+zGPFlZpnkp9ZkxR5Hc0F
Threatray 250 similar samples on MalwareBazaar
TLSH T10E6412627BE54CB3D1E6643005B587FDE37A821485231F0B4BE27A939F635E7110B39A
File icon (PE):PE icon
dhash icon b2a89c96a2cada72 (2'283 x Formbook, 981 x Loki, 803 x AgentTesla)
Reporter adrian__luca
Tags:exe SnakeKeylogger

Intelligence

File Origin
# of uploads :
2
# of downloads :
177
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
SKM_C12102021.exe
Verdict:
Malicious activity
Analysis date:
2021-10-12 20:43:51 UTC
Tags:
stealer
Link:
https://app.any.run/tasks/818d445e-b83c-4cf8-98a4-a4fce0ed4023

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
DLAgent10
Create hunting rule
Link:
https://www.capesandbox.com/analysis/196928/
Detection(s):
SecuriteInfo.com.Trojan.Siggen15.22101.26454.17283.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file in the %temp% directory
Creating a file
Unauthorized injection to a recently created process
Creating a window
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
60%
Tags:
overlay packed
Link:
https://www.filescan.io/uploads/61657c48fd35fe780c3a8f60/reports/3a72a3a4-c125-4000-a02d-aca4198ed685/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Snake Keylogger
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/35ddae41-ede7-439c-ad96-a2a39d387621
Result
Threat name:
Unknown
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/868629
Signature
.NET source code contains potential unpacker
Allocates memory in foreign processes
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Tries to harvest and steal browser information (history, passwords, etc)
Uses dynamic DNS services
Uses known network protocols on non-standard ports
Writes to foreign memory regions
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 501055 Sample: SKM_C12102021.exe Startdate: 12/10/2021 Architecture: WINDOWS Score: 100 37 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->37 39 Multi AV Scanner detection for domain / URL 2->39 41 Multi AV Scanner detection for dropped file 2->41 43 6 other signatures 2->43 8 SKM_C12102021.exe 17 2->8         started        process3 file4 29 C:\Users\user\AppData\Local\...\edqybya.dll, PE32 8->29 dropped 47 Detected unpacking (changes PE section rights) 8->47 49 Detected unpacking (overwrites its own PE header) 8->49 51 Injects a PE file into a foreign processes 8->51 12 SKM_C12102021.exe 15 3 8->12         started        signatures5 process6 dnsIp7 35 141.95.6.166, 1337, 49741, 49755 DFNVereinzurFoerderungeinesDeutschenForschungsnetzese Germany 12->35 31 C:\Users\user\...\SKM_C12102021.exe.log, ASCII 12->31 dropped 53 Writes to foreign memory regions 12->53 55 Allocates memory in foreign processes 12->55 57 Injects a PE file into a foreign processes 12->57 17 cvtres.exe 14 6 12->17         started        21 explorer.exe 4 131 12->21         started        23 cvtres.exe 12->23         started        25 3 other processes 12->25 file8 signatures9 process10 dnsIp11 33 severdops.ddns.net 212.193.30.54, 49753, 8844 SPD-NETTR Russian Federation 17->33 45 Tries to harvest and steal browser information (history, passwords, etc) 17->45 27 conhost.exe 17->27         started        signatures12 process13
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/d2f7e7285b03e6374aac8c497ed7f6048ec7917efb1dc17ba6adc58af2a5dc55/
Threat name:
Win32.Trojan.Generic
Create hunting rule
Status:
Suspicious
First seen:
2021-10-12 06:40:34 UTC
AV detection:
17 of 35 (48.57%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=2l36okc3aptdosvmrrex5v7washmpel67mo4c65gvxcyv4vf3rkq._file
Verdict:
malicious
Similar samples:
2bf8fe42f591b6bd6090306f9ca6e3d6b02a2cc86255d526619ca53a533006be
SnakeKeylogger
30b71db8fd221bb29f1965ced700337d5b90251876a2ad72d38b4d427f3da41d
SnakeKeylogger
3528262d84ec15b8f88df39fe817d32a773274d53541ceee13c983c81b15fcf6
SnakeKeylogger
499619c6bc43585013dd421ef88cf14830c85a28bc3ce3984bcf62a24f6d59fc
SnakeKeylogger
8fe74471f7e76b21be7e677b97a65d66cecaf52ff0c343ab0a93b303ee464c0e
SnakeKeylogger
9b9a03add59199d08af6095e168e6b4bca3916774291603b4582d14f6078fa15
SnakeKeylogger
b2099393aaac0b795c21cacbee87e5e36109be4e92809c58345ac2916aff9c24
SnakeKeylogger
d0e7f5daadb45d6d43e608cfbce838da2740791a01e79457d4ee69514b56601c
SnakeKeylogger
d4487b370ba2645516192a1461cb25ed3d11d02e4d0fdce3025269ca7d63aefa
SnakeKeylogger
e862c2495e79b33c27fd00a29dda3c22df6796ff8aa7fc6294216a46668f9047
SnakeKeylogger
+ 240 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  8/10
Tags:
persistence
Link:
https://tria.ge/reports/211012-pexcyaccg3/
Behaviour
Checks SCSI registry key(s)
Enumerates system info in registry
Modifies registry class
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Enumerates connected drives
Loads dropped DLL
Modifies Installed Components in the registry
Unpacked files
SH256 hash:
d2f7e7285b03e6374aac8c497ed7f6048ec7917efb1dc17ba6adc58af2a5dc55
MD5 hash:
e07396d19b7235ffc9fd27dd29bc2afd
SHA1 hash:
bc860c279b00dcdf22ad1df4ef5ffadeb83036f1
Link:
https://www.unpac.me/results/2bf1d30a-94a9-43a5-bfe2-6eee04028b7e/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/d2f7e7285b03/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/d2f7e7285b03e6374aac8c497ed7f6048ec7917efb1dc17ba6adc58af2a5dc55

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

SnakeKeylogger

Executable exe d2f7e7285b03e6374aac8c497ed7f6048ec7917efb1dc17ba6adc58af2a5dc55

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/196928/

Comments