MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 d6a2dd4ed732f43100bcf66aa1bbef9442c4ed975d943ee81c99c3fa4932d91c. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


SnakeKeylogger


Vendor detections: 7


Intelligence 7 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: d6a2dd4ed732f43100bcf66aa1bbef9442c4ed975d943ee81c99c3fa4932d91c
SHA3-384 hash: 5e7fd49d5f8fe43e067057c719192ffe9e1221a801b43c5536f27dcf86b806c7c3d4b250ea0dfbd832785ca566a5cf79
SHA1 hash: a71bad052a002b779867209887875c98cb5a571e
MD5 hash: dc7a345584ec575cb64973d29ac5e784
humanhash: sink-failed-twenty-alanine
File name:aralık ekstreniz.exe
Download: download sample
Signature SnakeKeylogger
Create hunting rule
File size:502'272 bytes
First seen:2020-12-18 16:51:09 UTC
Last seen:2020-12-18 18:33:48 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 4d498fcaaa649fc0fa5ec434bbabef3d (7 x SnakeKeylogger, 1 x BitRAT, 1 x AgentTesla)
ssdeep 12288:aTKeKRCkHYbGrHprE4R51EUc/wkvH+uX2jirSz3f43sQkbk:aTRAvH6GrHv51EU6vHLPSzv4rk4
Threatray 64 similar samples on MalwareBazaar
TLSH BCB4121C6644A63FC19CE1BC9391C6B6C47805309348609BFB7488DE736BED9ADB621F
Reporter abuse_ch
Tags:exe geo SnakeKeylogger TUR


Avatar
abuse_ch
Malspam distributing unidentified malware:

HELO: hosted-by.rootlayer.net
Sending IP: 185.222.58.152
From: ekstre@eekstre.qnbfinansbank.com
Subject: CardFinans KOBİ Visa Aralık ayi ekstreniz.
Attachment: aralık ekstreniz.7z (contains "aralık ekstreniz.exe")

Intelligence

File Origin
# of uploads :
2
# of downloads :
275
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
FACTURA_DE_PAGO.exe
Verdict:
Malicious activity
Analysis date:
2020-12-18 15:12:46 UTC
Tags:
evasion trojan 404keylogger stealer
Link:
https://app.any.run/tasks/f63ea36d-8823-40f1-84cb-e52f64f4d7e8

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/108454/
Detection(s):
SecuriteInfo.com.BScope.Trojan-Dropper.Injector.23203.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file in the %temp% subdirectories
Creating a file
Running batch commands
Launching a process
DNS request
Sending an HTTP GET request
Sending a custom TCP request
Reading critical registry keys
Creating a window
Sending a UDP request
Unauthorized injection to a system process
Enabling autorun by creating a file
Result
Gathering data
Result
Threat name:
AgentTesla Snake Keylogger
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/566501
Signature
Found malware configuration
Machine Learning detection for dropped file
Machine Learning detection for sample
Maps a DLL or memory area into another process
May check the online IP address of the machine
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: MSBuild connects to smtp port
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Mail credentials (via file access)
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Yara detected AgentTesla
Yara detected Snake Keylogger
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/d6a2dd4ed732f43100bcf66aa1bbef9442c4ed975d943ee81c99c3fa4932d91c/
Threat name:
Win32.Trojan.Zenpak
Create hunting rule
Status:
Malicious
First seen:
2020-12-18 11:46:59 UTC
AV detection:
25 of 29 (86.21%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=22rn2twxgl2dcaf46zvkdo7psrbmj3mxlwkd52a4thb7usjs3eoa._file
Verdict:
unknown
Similar samples:
0b604e2f87afd12a073cba5691e606dfecc374e10d95b0078d722217ce300125
SnakeKeylogger
4b4ce2070aa958e7431643fc10c4b96ca8612747a2d5e0bf23ae31013ed71b59
SnakeKeylogger
4d302b4fd8564f5e3f9b505c0f342ec0e133fca6e5d0c6b3bd89746351561c5b
SnakeKeylogger
8de05d97b50a1b169bbe51c2d188c9fc1678e36d7d4bcfb269ba1536195d0a53
SnakeKeylogger
9e5ae90f75fe48362b66a1c79246d519a2a96adbb68b03c0ed53ec6db93143c5
SnakeKeylogger
9f4bda20379f0175458a93982ba909bfad8bbbcfce5a4a7c8a0a32ca89f85a34
SnakeKeylogger
ba427f33bcbc3f27a2bcecf21c044e115985dd0a43dbc66a7c0170854b44e39b
SnakeKeylogger
bf60e55ec0adb6a2be7a8009c201aecbb074beecd22458bf19ff12f5d5acbb9b
SnakeKeylogger
cdfc1600f7f5656fb2b72fd10da44b8f7e12f4c40027a4338251e5d7e9f0e743
SnakeKeylogger
e3be5f2b9bd4b6b4847cabb927de8818ffb29e3544dc667f9962c31c92bd87e7
SnakeKeylogger
+ 54 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  10/10
Tags:
n/a
Link:
https://tria.ge/reports/201218-nb3w398bsa/
Behaviour
Creates scheduled task(s)
Suspicious behavior: MapViewOfSection
Suspicious use of WriteProcessMemory
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetThreadContext
Looks up external IP address via web service
Unpacked files
SH256 hash:
5ddcc7ed95d9f35583a72cd0b597443579536254e4067b692fb26fdf0dd29ae9
MD5 hash:
581ff57fde5cdbd7a02ee70c9e6ce701
SHA1 hash:
bede6759d9155ea51142ccb3e8695702b5b2e883
Link:
https://www.unpac.me/results/0e3ed3ca-601e-43f4-9123-cb7c059436b2/
SH256 hash:
d6a2dd4ed732f43100bcf66aa1bbef9442c4ed975d943ee81c99c3fa4932d91c
MD5 hash:
dc7a345584ec575cb64973d29ac5e784
SHA1 hash:
a71bad052a002b779867209887875c98cb5a571e
Link:
https://www.unpac.me/results/0e3ed3ca-601e-43f4-9123-cb7c059436b2/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Kryptik
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/d6a2dd4ed732f43100bcf66aa1bbef9442c4ed975d943ee81c99c3fa4932d91c

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

SnakeKeylogger

7z 8778993306dd228e1753718c882fed72f2d2492f9839d76c8b28f7d7191255a8

SnakeKeylogger

Executable exe d6a2dd4ed732f43100bcf66aa1bbef9442c4ed975d943ee81c99c3fa4932d91c

(this sample)

  
Dropped by
MD5 07e779b5c25f41784fe2102225976808
  
Delivery method
Distributed via e-mail attachment
  
Dropped by
SHA256 8778993306dd228e1753718c882fed72f2d2492f9839d76c8b28f7d7191255a8
Cape
Cape
https://www.capesandbox.com/analysis/108454/

Comments