MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 dd62faf4995b64622a600017699ab4a601dd66027d3fc958d0b372e3d80a1353. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


SnakeKeylogger


Vendor detections: 6


Intelligence 6 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: dd62faf4995b64622a600017699ab4a601dd66027d3fc958d0b372e3d80a1353
SHA3-384 hash: 4dee157ed3a0af8ff0501f74ca807bc5b33527e0112c14bc8c7d3f558a0ae499952cfccde46a4b5de0ee34f23194763b
SHA1 hash: 605a2de57a5337af1a972f344cf20b88c64abb47
MD5 hash: 2509447b18947c385a1cfc622d47d131
humanhash: lake-romeo-johnny-hydrogen
File name:ORDER0023490923.exe
Download: download sample
Signature SnakeKeylogger
Create hunting rule
File size:1'428'624 bytes
First seen:2021-02-27 06:41:16 UTC
Last seen:2021-02-27 09:04:18 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 12288:Z0tJwGd4LzmxsPKCSEpMaPr8d4oyazwKkQacBsxmMW1h0232J5xzXOQyo4ZabBGu:Z00VQ4YqqoD4MxZhwLZ9MKHU
Threatray 58 similar samples on MalwareBazaar
TLSH 7665273DA6F46A9DC96B0B7AA7C6150C42EC8133E471E28B28FC39DDD5309C6495F8D2
Reporter abuse_ch
Tags:exe SnakeKeylogger


Avatar
abuse_ch
Malspam distributing unidentified malware:

HELO: cp25.cpanelhosting.rs
Sending IP: 94.127.7.154
From: nabavka@misschilli.rs
Subject: PO
Attachment: ORDER0023490923.bz (contains "ORDER0023490923.exe")

Intelligence

File Origin
# of uploads :
2
# of downloads :
138
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
ORDER0023490923.exe
Verdict:
Malicious activity
Analysis date:
2021-02-27 06:43:55 UTC
Tags:
evasion trojan
Link:
https://app.any.run/tasks/1c07319e-d588-436f-b359-5071d9476f95

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/119559/
Detection(s):
SecuriteInfo.com.FileRepMalware.484.15265.UNOFFICIAL
Create hunting rule

Result
Verdict:
Clean
Maliciousness:

Behaviour
DNS request
Sending a custom TCP request
Creating a window
Sending a UDP request
Unauthorized injection to a recently created process
Creating a file
Sending an HTTP GET request
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
Snake Keylogger
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
88 / 100
Link:
https://www.joesandbox.com/analysis/620320
Signature
Found malware configuration
Hides that the sample has been downloaded from the Internet (zone.identifier)
Initial sample is a PE file and has a suspicious name
May check the online IP address of the machine
Multi AV Scanner detection for submitted file
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file access)
Yara detected Beds Obfuscator
Yara detected Snake Keylogger
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/dd62faf4995b64622a600017699ab4a601dd66027d3fc958d0b372e3d80a1353/
Threat name:
Win32.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2021-02-26 23:08:23 UTC
AV detection:
9 of 28 (32.14%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=3vrpv5ezlnsgektaaalwtgvuuya52zqcpu74swgqwnzohwakcnjq._file
Verdict:
unknown
Similar samples:
5cd44014177c68a2e4bf08bdf8ec2e779c13a340cc830ad2c3a7a71676780b0d
SnakeKeylogger
6275a11bba81d765d92e670a44888734f565eb11fd137a0ff852ed5df68c1d67
SnakeKeylogger
657a164783b53dc028ca6024f4df09f9e4a9b289e0a3216d2c686ec091a224c0
SnakeKeylogger
7298ca6edb5f8ea41d3d1cb2fd50768a50db1749e75c9a2f39a6dc1cd3a1ddf2
SnakeKeylogger
72f30e8884110e06b133ecabfdbf523aef8cc5533273aa3e12afee785a5a45bc
SnakeKeylogger
99a9903d77272e93c262ae1391ef64f0639835f0cc9fc8b07f6fbc4d1bf40c5a
SnakeKeylogger
9dde30eea4bc51f6561d857ecb624f09e3257c3a015ff49a8f22f206fcab45c1
SnakeKeylogger
9e4326708091e0200c65e604aa974e6032c0533e2fa1e71d39f8d78ebacd8195
SnakeKeylogger
afeb708ad46713f215fe9e8bfada31b7b518fcd081f1592778d514fc41012d3f
SnakeKeylogger
c7d7a05d604125b7c0ddfd95a1a7c7279ac93a002cc993bbad938b709469cc23
SnakeKeylogger
+ 48 additional samples on MalwareBazaar
Result
Malware family:
snakekeylogger
Create hunting rule
Score:
  10/10
Tags:
family:snakekeylogger agilenet keylogger spyware stealer
Link:
https://tria.ge/reports/210227-xylxwxpg1s/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Looks up external IP address via web service
Obfuscated with Agile.Net obfuscator
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Snake Keylogger
Snake Keylogger Payload
Unpacked files
SH256 hash:
dd62faf4995b64622a600017699ab4a601dd66027d3fc958d0b372e3d80a1353
MD5 hash:
2509447b18947c385a1cfc622d47d131
SHA1 hash:
605a2de57a5337af1a972f344cf20b88c64abb47
Link:
https://www.unpac.me/results/33bd7afb-d86d-46d4-9a7d-71bf1043ca05/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Legit
Score:
0.00
Link:
https://yomi.yoroi.company/submissions/dd62faf4995b64622a600017699ab4a601dd66027d3fc958d0b372e3d80a1353

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

SnakeKeylogger

rar 574a81c2a50dab1548c3fc5d43f7dfe87fee2fa0f9ee41b6613319299aecc82f

SnakeKeylogger

Executable exe dd62faf4995b64622a600017699ab4a601dd66027d3fc958d0b372e3d80a1353

(this sample)

  
Dropped by
MD5 9a4c94b1c9b6aafce8a9e02ca76fdf36
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/119559/
  
Dropped by
SHA256 574a81c2a50dab1548c3fc5d43f7dfe87fee2fa0f9ee41b6613319299aecc82f

Comments