MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 d86b3acfe2d1e7d16c024f51e56bcba13b05390cea05f6b31e146d172bb2b082. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


SnakeKeylogger


Vendor detections: 10


Intelligence 10 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: d86b3acfe2d1e7d16c024f51e56bcba13b05390cea05f6b31e146d172bb2b082
SHA3-384 hash: cae7ef81315e2aff09180377d445a67da12cd53f25de1a2dd5fd9ef154cf028f73688edcaf32c72e8f900af6c80ea56f
SHA1 hash: 49064657d66f66292daf07564f471c23b33bf3e7
MD5 hash: add006df937fd85501cc5722e9e23dc8
humanhash: fifteen-mountain-october-tennessee
File name:INV_098789.exe
Download: download sample
Signature SnakeKeylogger
Create hunting rule
File size:485'888 bytes
First seen:2021-01-20 13:53:00 UTC
Last seen:2021-01-20 15:53:10 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'662 x AgentTesla, 19'476 x Formbook, 12'208 x SnakeKeylogger)
ssdeep 12288:v4P03Q5sm6K8zmsZKC4HEQeI5/DM5Jjco:v4P0WWVnx4Z39DM5hD
Threatray 10 similar samples on MalwareBazaar
TLSH ACA4BF6BAD97BC88C5EE63B647B4F9CD4B473051785F814D22883B9A5D0BBAC3B00953
Reporter abuse_ch
Tags:exe SnakeKeylogger


Avatar
abuse_ch
Malspam distributing unidentified malware:

HELO: howw.com
Sending IP: 180.214.237.140
From: "Allen Yu Fu Xiang" <info@howw.com>
Subject: Re: Payment Proof of Overdue Balance// INV#000185
Attachment: INV_098789.rar (contains "INV_098789.exe")

Intelligence

File Origin
# of uploads :
2
# of downloads :
126
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
INV_098789.exe
Verdict:
Suspicious activity
Analysis date:
2021-01-20 14:20:29 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/4fd7a8fa-22f3-4cd0-b306-e26a8b42c3df

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Snake
Create hunting rule
Link:
https://www.capesandbox.com/analysis/113084/
Detection(s):
SecuriteInfo.com.Trojan.PackedNET.507.18047.15559.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Launching a process
DNS request
Sending an HTTP GET request
Sending a custom TCP request
Reading critical registry keys
Connection attempt
Creating a window
Launching the default Windows debugger (dwwin.exe)
Sending a UDP request
Forced shutdown of a system process
Unauthorized injection to a system process
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
Snake Keylogger
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
92 / 100
Link:
https://www.joesandbox.com/analysis/586138
Signature
Allocates memory in foreign processes
Antivirus / Scanner detection for submitted sample
Injects a PE file into a foreign processes
Machine Learning detection for sample
May check the online IP address of the machine
Multi AV Scanner detection for submitted file
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file access)
Writes to foreign memory regions
Yara detected Snake Keylogger
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/d86b3acfe2d1e7d16c024f51e56bcba13b05390cea05f6b31e146d172bb2b082/
Threat name:
ByteCode-MSIL.Infostealer.Maslog
Create hunting rule
Status:
Malicious
First seen:
2021-01-20 10:46:56 UTC
AV detection:
16 of 29 (55.17%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=3bvtvt7c2ht5c3acj5i6k26lue5qkoim5ic7nmy6crwrok5swcba._file
Verdict:
unknown
Similar samples:
3bea531a02c14fe09f631ee0f957d12bbf07085c666ee0c5f05de926e88d40c8
SnakeKeylogger
60263179eccb843c5aa38040ebd2483b29a3923a94987f006561488e5d0f1d96
SnakeKeylogger
795b1d78d4644d36670c78fe5b6365abea4e7629833de37d8a23d005915d15cf
SnakeKeylogger
88ae38556e157d0f34780d0764240a8f5be7c503b4c4c173403cd2be59cd2916
SnakeKeylogger
8c060e416c30f1fbbb38177e96d38f815aa69d4da4e2b59fe1979cd38fc3bce9
SnakeKeylogger
961945f660c788431e4da67d6e3730ab4e3283979ad8d67df4c4bcdcb4a9f6e0
SnakeKeylogger
bebdb82d4edf3ccde78c3072f47abdecd31b43ecad525f95a2d5b3b8459d6921
SnakeKeylogger
c75cc9c90f0125b6b5c6f5bd9d46a992da20fe01066283bb2bd3f6fd194ee19c
SnakeKeylogger
cdc918638a38eb856105db8b22281142b5cc58f6538ad4e848e45d552332b5fd
SnakeKeylogger
eed9c06050ec45f480528543bba5e3176158763beda21f62220bde77f0bdeb3e
SnakeKeylogger
Result
Malware family:
snakekeylogger
Create hunting rule
Score:
  10/10
Tags:
family:snakekeylogger keylogger stealer
Link:
https://tria.ge/reports/210120-rdgrg9qm3e/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Program crash
Suspicious use of SetThreadContext
Looks up external IP address via web service
Snake Keylogger
Snake Keylogger Payload
Unpacked files
SH256 hash:
97024f17003dd3d31dab64c4d1b8251e50d428644eb59ed3692ad79ce42019cf
MD5 hash:
8cd28be4bd9a1404c6d3600db32b3ed1
SHA1 hash:
fb90b0ca51118e771390d58b19d0a404ee14cfbc
Link:
https://www.unpac.me/results/5b8aebe0-889d-4c20-adcd-23ec0d40b130/
SH256 hash:
29a6e9946d0e7a706075efc1565e75b2f3830b27a0307093e0cdfacdceb2056b
MD5 hash:
e0581e124d0a43ee348678cc8ddcdb23
SHA1 hash:
c7eaccc7895c494c3d077886821944fe170aae29
Link:
https://www.unpac.me/results/5b8aebe0-889d-4c20-adcd-23ec0d40b130/
SH256 hash:
724e70817957f1b43434ad413b6e281e5446fa03bd0cb70a89da9d566a53e734
MD5 hash:
f48b47d3d5d7837804c2208ea678d8e5
SHA1 hash:
572399b92467444f69e7b83d5fc5c7bb33784d09
Link:
https://www.unpac.me/results/5b8aebe0-889d-4c20-adcd-23ec0d40b130/
SH256 hash:
d86b3acfe2d1e7d16c024f51e56bcba13b05390cea05f6b31e146d172bb2b082
MD5 hash:
add006df937fd85501cc5722e9e23dc8
SHA1 hash:
49064657d66f66292daf07564f471c23b33bf3e7
Link:
https://www.unpac.me/results/5b8aebe0-889d-4c20-adcd-23ec0d40b130/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Trojan
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/d86b3acfe2d1e7d16c024f51e56bcba13b05390cea05f6b31e146d172bb2b082

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_EXE_Packed_ConfuserExMod_BedsProtector
Create hunting rule
Author:ditekSHen
Description:Detects executables packed with ConfuserEx Mod Beds Protector
Rule name:Keylog_bin_mem
Create hunting rule
Author:James_inthe_box
Description:Contains Keylog
Rule name:MALWARE_Win_SnakeKeylogger
Create hunting rule
Author:ditekSHen
Description:Detects Snake Keylogger

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

SnakeKeylogger

rar 9085abde0721f2f03e9e9d2afb9054c3bbdc937c32b099ec798850641f760fda

SnakeKeylogger

Executable exe d86b3acfe2d1e7d16c024f51e56bcba13b05390cea05f6b31e146d172bb2b082

(this sample)

  
Dropped by
MD5 a91bd8ada494e5a17ec95f86ed935893
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/113084/
  
Dropped by
SHA256 9085abde0721f2f03e9e9d2afb9054c3bbdc937c32b099ec798850641f760fda

Comments