MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 d75599619184077baa18a7952f55027c5762084a2005b7bf5dedd49b8ceb7b70. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


SnakeKeylogger


Vendor detections: 9


Maldoc score: 13


Intelligence 9 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: d75599619184077baa18a7952f55027c5762084a2005b7bf5dedd49b8ceb7b70
SHA3-384 hash: 36940826468a93ec49f17a625f8d7fd812f7a6062673caf58da0e06f0438ad284a5953bdc13f748599134e6fa962037c
SHA1 hash: 6d85f6b5418cfbb1e75134d8a328d82a72d4f0b1
MD5 hash: 35bd86bd2ed842bec5c2b2f84986e5f7
humanhash: beer-mars-harry-moon
File name:RFQ_fattura a saldo0944.xlsm
Download: download sample
Signature SnakeKeylogger
Create hunting rule
File size:399'266 bytes
First seen:2021-11-01 14:16:01 UTC
Last seen:2021-11-01 15:35:34 UTC
File type:Excel file xlsm
MIME type:application/vnd.openxmlformats-officedocument.spreadsheetml.sheet
ssdeep 12288:b3qRMCJwQkPjQ6ZhW7AC+kNNcbN6OW6Yy+8hmLo:b3ZCJ1kPjQ6ZQ7X+4QNL2y+y+o
TLSH T1BD84125CCF6A44C2C39BA6709269D866C82C7C01AC0CDFA72D64D70D89879D6536FECE
Reporter abuse_ch
Tags:SnakeKeylogger xlsm


Avatar
abuse_ch
Payload URL:
http://52.28.219.17/bi/8/Q/RFQ_ref-02090100233.exe

Office OLE Information

This malware samples appears to be an Office document. The following table provides more information about this document using oletools and oledump.

OLE id
Maldoc score: 13
OLE dump

MalwareBazaar was able to identify 19 sections in this file using oledump:

Section IDSection sizeSection name
A11102 bytesPROJECT
A2335 bytesPROJECTwm
A3173 bytesVBA/Learn more
A4172 bytesVBA/Sheet10
A5178 bytesVBA/Sheet11
A6169 bytesVBA/Sheet2
A7170 bytesVBA/Sheet3
A8171 bytesVBA/Sheet4
A9173 bytesVBA/Sheet5
A10180 bytesVBA/Sheet6
A11171 bytesVBA/Sheet7
A12177 bytesVBA/Sheet8
A13173 bytesVBA/Sheet9
A14168 bytesVBA/Start
A151176 bytesVBA/ThisWorkbook
A16171 bytesVBA/Workbook
A177 bytesVBA/_VBA_PROJECT
A18452 bytesVBA/dir
OLE vba

MalwareBazaar was able to extract and deobfuscate VBA script(s) the following information from OLE objects embedded in this file using olevba:

TypeKeywordDescription
AutoExecWorkbook_ActivateRuns when the Excel Workbook is opened
IOCMtbdgudqwbcqkvpihr.bExecutable file name
SuspiciousOpenMay open a file
SuspiciousOutputMay write to a file (if combined with Open)
SuspiciousShellMay run an executable file or a system command
SuspiciousStrReverseMay attempt to obfuscate specific strings (use option --deobf to deobfuscate)
SuspiciousHex StringsHex-encoded strings were detected, may be used to obfuscate strings (option --decode to see all)
SuspiciousBase64 StringsBase64-encoded strings were detected, may be used to obfuscate strings (option --decode to see all)

Intelligence

File Origin
# of uploads :
2
# of downloads :
149
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
RFQ_fattura a saldo0944.xlsm
Verdict:
No threats detected
Analysis date:
2021-11-01 15:32:19 UTC
Tags:
macros macros-on-open
Link:
https://app.any.run/tasks/d1e02d51-a34d-463f-89f6-b1310270d577

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Verdict:
Legit
File type:
image/svg+xml
Has a screenshot:
False
Contains macros:
False
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/201107/
Detection(s):
TwinWave.EvilDoc.DOCXRSTRGOOD.POWERSHELL.REV.200317.UNOFFICIAL
Create hunting rule

TwinWave.EvilDoc.CancionDelMariachi.20211020.UNOFFICIAL
Create hunting rule

TwinWave.EvilDoc.DOCXRSTRGOOD.START_PROC.211028B64.7.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malicious
File Type:
Excel File with Macro
Link:
https://app.docguard.net/d75599619184077baa18a7952f55027c5762084a2005b7bf5dedd49b8ceb7b70/results/dashboard
Document image
Image:
Download PNG
Document image
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
cmd macros macros-on-open powershell
Link:
https://www.filescan.io/uploads/617ffab1db358dd15ee33f17/reports/f248f901-e88a-422c-9be7-512fb22d36c7/overview
Result
Verdict:
MALICIOUS
Link:
https://labs.inquest.net/dfi/sha256/d75599619184077baa18a7952f55027c5762084a2005b7bf5dedd49b8ceb7b70
Result
Threat name:
Snake Keylogger
Create hunting rule
Detection:
malicious
Classification:
bank.troj.spyw.expl.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/880504
Signature
.NET source code references suspicious native API functions
Binary or sample is protected by dotNetProtector
Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)
Document contains an embedded VBA macro which may execute processes
Document contains VBA stomped code (only p-code) potentially bypassing AV detection
Document exploit detected (creates forbidden files)
Document exploit detected (process start blacklist hit)
Encrypted powershell cmdline option found
Found malware configuration
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Malicious encrypted Powershell command line found
Malicious sample detected (through community Yara rule)
May check the online IP address of the machine
Multi AV Scanner detection for submitted file
Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)
Powershell drops PE file
Sigma detected: Microsoft Office Product Spawning Windows Shell
Sigma detected: Suspicious Encoded PowerShell Command Line
Tries to delay execution (extensive OutputDebugStringW loop)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Mail credentials (via file / registry access)
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected Snake Keylogger
Yara detected Telegram RAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 512956 Sample: RFQ_fattura a saldo0944.xlsm Startdate: 01/11/2021 Architecture: WINDOWS Score: 100 92 Found malware configuration 2->92 94 Malicious sample detected (through community Yara rule) 2->94 96 Multi AV Scanner detection for submitted file 2->96 98 10 other signatures 2->98 10 EXCEL.EXE 77 48 2->10         started        14 taskeng.exe 1 2->14         started        process3 file4 50 C:\Users\user\...\Mtbdgudqwbcqkvpihr.bat, ASCII 10->50 dropped 52 C:\Users\...\~$RFQ_fattura a saldo0944.xlsm, data 10->52 dropped 54 C:\...\RFQ_fattura a saldo0944.xlsm (copy), Microsoft 10->54 dropped 112 Document exploit detected (creates forbidden files) 10->112 16 cmd.exe 10->16         started        19 mbso.exe 1 14->19         started        signatures5 process6 signatures7 72 Malicious encrypted Powershell command line found 16->72 74 Encrypted powershell cmdline option found 16->74 21 powershell.exe 12 7 16->21         started        76 May check the online IP address of the machine 19->76 78 Machine Learning detection for dropped file 19->78 80 Tries to delay execution (extensive OutputDebugStringW loop) 19->80 82 Injects a PE file into a foreign processes 19->82 26 mbso.exe 12 19->26         started        28 cmd.exe 19->28         started        30 cmd.exe 19->30         started        process8 dnsIp9 58 52.28.219.17, 49167, 80 AMAZON-02US United States 21->58 48 C:\Users\user\...\Qjzcqsgtezkcbhfxzjyjk.exe, PE32 21->48 dropped 104 Powershell drops PE file 21->104 32 Qjzcqsgtezkcbhfxzjyjk.exe 2 21->32         started        60 freegeoip.app 26->60 62 checkip.dyndns.org 26->62 64 checkip.dyndns.com 26->64 106 Tries to steal Mail credentials (via file / registry access) 26->106 108 Tries to harvest and steal ftp login credentials 26->108 110 Tries to harvest and steal browser information (history, passwords, etc) 26->110 35 schtasks.exe 28->35         started        file10 signatures11 process12 signatures13 84 May check the online IP address of the machine 32->84 86 Machine Learning detection for dropped file 32->86 88 Tries to delay execution (extensive OutputDebugStringW loop) 32->88 90 2 other signatures 32->90 37 Qjzcqsgtezkcbhfxzjyjk.exe 12 32->37         started        41 cmd.exe 32->41         started        43 cmd.exe 1 32->43         started        process14 dnsIp15 66 158.101.44.242, 49168, 49170, 80 ORACLE-BMC-31898US United States 37->66 68 freegeoip.app 104.21.19.200, 443, 49169, 49171 CLOUDFLARENETUS United States 37->68 70 2 other IPs or domains 37->70 100 Tries to steal Mail credentials (via file / registry access) 37->100 102 Uses schtasks.exe or at.exe to add and modify task schedules 41->102 46 schtasks.exe 41->46         started        56 C:\Users\user\AppData\Roaming\mbso\mbso.exe, PE32 43->56 dropped file16 signatures17 process18
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/d75599619184077baa18a7952f55027c5762084a2005b7bf5dedd49b8ceb7b70/
Threat name:
Document-Excel.Downloader.Heuristic
Create hunting rule
Status:
Malicious
First seen:
2021-11-01 14:16:09 UTC
AV detection:
8 of 44 (18.18%)
Threat level:
  2/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=25kzsymrqqdxxkqyu6ks6vicprlwecckeac3pp255xkjxdhlpnya._file
Result
Malware family:
snakekeylogger
Create hunting rule
Score:
  10/10
Tags:
family:snakekeylogger collection keylogger macro spyware stealer
Link:
https://tria.ge/reports/211101-rk5mlsaad8/
Behaviour
Checks processor information in registry
Creates scheduled task(s)
Enumerates system info in registry
Modifies Internet Explorer settings
Modifies registry class
NTFS ADS
Suspicious behavior: AddClipboardFormatListener
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: RenamesItself
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Office loads VBA resources, possible macro or embedded object present
Enumerates physical storage devices
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Looks up external IP address via web service
Deletes itself
Loads dropped DLL
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Blocklisted process makes network request
Downloads MZ/PE file
Executes dropped EXE
Process spawned unexpected child process
Snake Keylogger
Malware Config
Dropper Extraction:
http://52.28.219.17/bi/8/Q/RFQ_ref-02090100233.exe
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/d75599619184077baa18a7952f55027c5762084a2005b7bf5dedd49b8ceb7b70

File information

The table below shows additional information about this malware sample such as delivery method and external references.

  
URLhaus
https://urlhaus.abuse.ch/url/1736073/
Cape
Cape
https://www.capesandbox.com/analysis/201107/

Comments