MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 df91e0af99535b6c1c6f35d9e7a669587a26de1222dcabad5c3528de856a1f6a. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

SnakeKeylogger

Vendor detections: 8

Intelligence 8 IOCs YARA 1 File information Comments

SHA256 hash:	df91e0af99535b6c1c6f35d9e7a669587a26de1222dcabad5c3528de856a1f6a
SHA3-384 hash:	03767a30540f14a3d54acaefdbb18a865d53383f83b82c9b37ae7da1932d7cae894bbeb6207db74595d177b4d66c1271
SHA1 hash:	e1d73a23229e78cd39996d3b1bfe5508d6cce31b
MD5 hash:	12d65cd1c02de9d1a7bbd0919a82b88f
humanhash:	yankee-violet-item-angel
File name:	Dekont.pdf.exe
Download:	download sample
Signature	SnakeKeylogger Create hunting rule
File size:	100'600 bytes
First seen:	2021-02-25 10:09:25 UTC
Last seen:	2021-02-25 12:24:05 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'744 x AgentTesla, 19'609 x Formbook, 12'242 x SnakeKeylogger)
ssdeep	384:+xzh///TC2IDnnbZOOKOBOPOROzOBOZOBVKOYORE6gOQd6tktBnz6b0qqtQXnQtu:+xzVTC29qyvF0ZUhq
Threatray	1 similar samples on MalwareBazaar
TLSH	9EA3C7A917845381F838AE34386FA9D3D2C768F17F93CB5372D9E938E49150B0B9E194
Reporter	abuse_ch
Tags:	exe geo SnakeKeylogger TUR

abuse_ch

Malspam distributing SnakeKeylogger:

HELO: smtp-02-9759.kriter.com.tr
Sending IP: 81.22.97.59
From: Furkan Taşkıran <furkan@idealofset.com>
Subject: Dekont.pdf
Attachment: Dekont.pdf.gz (contains "Dekont.pdf.exe")

Intelligence

File Origin

# of uploads :

# of downloads :

108

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

Dekont.pdf.exe

Verdict:

Malicious activity

Analysis date:

2021-02-25 10:12:35 UTC

Tags:

trojan evasion

Link:

https://app.any.run/tasks/830c9cce-58f5-4de3-af45-9fb363f799e1

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/119164/

Detection(s):

SecuriteInfo.com.Win32.16633.12389.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

DNS request

Sending a UDP request

Sending an HTTP GET request to an infection source

Result

Verdict:

SUSPICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Result

Threat name:

Snake Keylogger

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/618522

Signature

Binary contains a suspicious time stamp

Found malware configuration

Hides threads from debuggers

Initial sample is a PE file and has a suspicious name

Injects a PE file into a foreign processes

Machine Learning detection for sample

May check the online IP address of the machine

Multi AV Scanner detection for domain / URL

Multi AV Scanner detection for submitted file

Sigma detected: Suspicious Double Extension

Tries to delay execution (extensive OutputDebugStringW loop)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to steal Mail credentials (via file access)

Uses an obfuscated file name to hide its real file extension (double extension)

Yara detected Beds Obfuscator

Yara detected Snake Keylogger

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/df91e0af99535b6c1c6f35d9e7a669587a26de1222dcabad5c3528de856a1f6a/

Threat name:

ByteCode-MSIL.Downloader.BaseLoader

Status:

Malicious

First seen:

2021-02-25 09:27:09 UTC

AV detection:

15 of 28 (53.57%)

Threat level:

3/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=36i6bl4zknnwyhdpgxm6pjtjlb5cnxqselokxlk4guun5blkd5va._file

Verdict:

unknown

SnakeKeylogger

Result

Malware family:

snakekeylogger

Score:

10/10

Tags:

family:snakekeylogger keylogger spyware stealer

Link:

https://tria.ge/reports/210225-m13nlxzxp6/

Behaviour

Delays execution with timeout.exe

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Enumerates physical storage devices

Program crash

Suspicious use of NtSetInformationThreadHideFromDebugger

Suspicious use of SetThreadContext

Looks up external IP address via web service

Reads data files stored by FTP clients

Reads user/profile data of local email clients

Reads user/profile data of web browsers

Snake Keylogger

Snake Keylogger Payload

Unpacked files

SH256 hash:

df91e0af99535b6c1c6f35d9e7a669587a26de1222dcabad5c3528de856a1f6a

MD5 hash:

12d65cd1c02de9d1a7bbd0919a82b88f

SHA1 hash:

e1d73a23229e78cd39996d3b1bfe5508d6cce31b

Link:

https://www.unpac.me/results/dd6e13b8-591b-458a-acbd-932789731e21/

Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	INDICATOR_SUSPICIOUS_Stomped_PECompilation_Timestamp_InTheFu Create hunting rule
Author:	ditekSHen
Description:	Detect executables with stomped PE compilation timestamp that is greater than local current time