MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 dfdd5afe0daaf8c288e3761b6570989db1beda4f3b19a704a62e4465edd1ff2b. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


SnakeKeylogger


Vendor detections: 13


Intelligence 13 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: dfdd5afe0daaf8c288e3761b6570989db1beda4f3b19a704a62e4465edd1ff2b
SHA3-384 hash: 43208fca3ae2ac638a30ee2418ab93e7bbd42a66ae7344b513c29041f32dff23a78b386de3d3bc4c65f336a669b3b811
SHA1 hash: 1cb7b43e436a8da2a64889eb920d596164f0523c
MD5 hash: 15bc66a09ae60f15352800e2275501d6
humanhash: eight-black-bulldog-failed
File name:48539543_03_14_2022.exe
Download: download sample
Signature SnakeKeylogger
Create hunting rule
File size:915'456 bytes
First seen:2022-03-14 14:39:07 UTC
Last seen:2022-03-14 16:57:46 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'666 x AgentTesla, 19'479 x Formbook, 12'209 x SnakeKeylogger)
ssdeep 24576:qSBK8DmgULfZI5kqnk1ebHVl87vjnhzA:qSBHD2fvYHVlcjnhzA
Threatray 1'738 similar samples on MalwareBazaar
TLSH T1C215F1A03E556FD1F9398BF4005A966E83F32D663E03D9391FF02ECB081EF169565A12
Reporter GovCERT_CH
Tags:exe SnakeKeylogger

Intelligence

File Origin
# of uploads :
2
# of downloads :
210
Origin country :
n/a
Vendor Threat Intelligence
Detection:
Snake
Create hunting rule
Link:
https://www.capesandbox.com/analysis/250242/
Detection(s):
SecuriteInfo.com.Trojan.Hosts.49854.8754.7315.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Creating a window
Сreating synchronization primitives
Creating a file in the %AppData% directory
Enabling the 'hidden' option for recently created files
Adding an access-denied ACE
Creating a process from a recently created file
Creating a process with a hidden window
Creating a file in the %temp% directory
Launching a process
Launching the default Windows debugger (dwwin.exe)
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
fareit obfuscated packed
Link:
https://www.filescan.io/uploads/622f53cab94fb38cb47b51d6/reports/3ba03a21-31f5-4533-a309-dbc8bab51af6/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Snake Keylogger
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/7fab9e2b-fa94-4799-887e-8cca7b981fc6
Result
Threat name:
Snake Keylogger
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/956197
Signature
.NET source code references suspicious native API functions
Adds a directory exclusion to Windows Defender
Found malware configuration
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
May check the online IP address of the machine
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Suspicious Add Scheduled Task From User AppData Temp
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected AntiVM3
Yara detected Snake Keylogger
Yara detected Telegram RAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 588675 Sample: 48539543_03_14_2022.exe Startdate: 14/03/2022 Architecture: WINDOWS Score: 100 33 mail.celkonsan.com 2->33 41 Found malware configuration 2->41 43 Malicious sample detected (through community Yara rule) 2->43 45 Multi AV Scanner detection for dropped file 2->45 47 9 other signatures 2->47 8 48539543_03_14_2022.exe 7 2->8         started        signatures3 process4 file5 25 C:\Users\user\AppData\...\LFoRuOvQfZjO.exe, PE32 8->25 dropped 27 C:\Users\...\LFoRuOvQfZjO.exe:Zone.Identifier, ASCII 8->27 dropped 29 C:\Users\user\AppData\Local\...\tmp3CD7.tmp, XML 8->29 dropped 31 C:\Users\user\...\48539543_03_14_2022.exe.log, ASCII 8->31 dropped 49 May check the online IP address of the machine 8->49 51 Uses schtasks.exe or at.exe to add and modify task schedules 8->51 53 Adds a directory exclusion to Windows Defender 8->53 55 Injects a PE file into a foreign processes 8->55 12 48539543_03_14_2022.exe 15 2 8->12         started        15 powershell.exe 25 8->15         started        17 schtasks.exe 1 8->17         started        19 48539543_03_14_2022.exe 8->19         started        signatures6 process7 dnsIp8 35 checkip.dyndns.org 12->35 37 checkip.dyndns.com 132.226.8.169, 49781, 80 UTMEMUS United States 12->37 39 2 other IPs or domains 12->39 21 conhost.exe 15->21         started        23 conhost.exe 17->23         started        process9
Detection:
snakekeylogger
Create hunting rule
Link:
https://mwdb.cert.pl/sample/dfdd5afe0daaf8c288e3761b6570989db1beda4f3b19a704a62e4465edd1ff2b/
Threat name:
ByteCode-MSIL.Trojan.Tnega
Create hunting rule
Status:
Malicious
First seen:
2022-03-14 11:20:44 UTC
File Type:
PE (.Net Exe)
Extracted files:
15
AV detection:
21 of 27 (77.78%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=37ovv7qnvl4mfchdoynwk4eytwy35wsphmm2obfgfzcgl3or74vq._file
Verdict:
malicious
Similar samples:
085716dfefcb862a1677484242f5e03be402875e1752717a9e9f6ce346120ea4
SnakeKeylogger
6e164cb51ca6a0c1c9c27d4d4fece6d970bfe924be2f5766fd2d04bd59fe0d6e
SnakeKeylogger
94c886046226a984061d30cac35b6895675d31cf287f3f3ebb94dadd8de531b7
SnakeKeylogger
aac8efdfd3ceabbb6c37bd91950f63f7fa1575c90f8398cb4d4296f8fedc036c
SnakeKeylogger
f259a6f11128523898edbf2c2cb8e56ab3deb480ef20c54dc2d254e8064ac08a
SnakeKeylogger
fe5f1112090e21867adec366344544a7cf8ca48937d53e7e42b859e7d302db32
SnakeKeylogger
+ 1'728 additional samples on MalwareBazaar
Result
Malware family:
snakekeylogger
Create hunting rule
Score:
  10/10
Tags:
family:snakekeylogger collection keylogger spyware stealer
Link:
https://tria.ge/reports/220314-r1yt1aaeej/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Enumerates physical storage devices
Program crash
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Looks up external IP address via web service
Checks computer location settings
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Snake Keylogger
Snake Keylogger Payload
Unpacked files
SH256 hash:
b3f1690e05dff72c79f5e592641c3b620ddee87ec9f45474bd73835be871185a
MD5 hash:
1a302883114cef7749c7178789c5a2e8
SHA1 hash:
f00af6376b12b1ccbfe8272c4cc93c5dfcd0f945
Link:
https://www.unpac.me/results/2385ec4b-a2a1-4cd7-8ee8-fc57cb140069/
SH256 hash:
8faae4c23b28d090f85450d5e6a84bec97d92cf3b4e909a5c5e8af822f6ee822
MD5 hash:
fd219adbfc483381869db773c17c9997
SHA1 hash:
86e75d87604df9f999e200a7d5ceadffb741ae4b
Link:
https://www.unpac.me/results/2385ec4b-a2a1-4cd7-8ee8-fc57cb140069/
SH256 hash:
5b7da029d64cea05a37737af6d68281d089430389f07168b6d4caa83792cc675
MD5 hash:
6cd61188afd9a9597b61c5431eee062d
SHA1 hash:
3e580950318104d6db7f4fe9e4ba26c4a88d4a0a
Link:
https://www.unpac.me/results/2385ec4b-a2a1-4cd7-8ee8-fc57cb140069/
SH256 hash:
7c2c093d08a436e9b65ffa5a1f1d32602580ac444103afc322da8096ba7f18fb
MD5 hash:
005d6a5bf1d1860b9c9e1d98b4e8d23e
SHA1 hash:
2fef4ac8eb9d1303d0588d32bf7501598bc0b943
Link:
https://www.unpac.me/results/2385ec4b-a2a1-4cd7-8ee8-fc57cb140069/
SH256 hash:
dfdd5afe0daaf8c288e3761b6570989db1beda4f3b19a704a62e4465edd1ff2b
MD5 hash:
15bc66a09ae60f15352800e2275501d6
SHA1 hash:
1cb7b43e436a8da2a64889eb920d596164f0523c
Link:
https://www.unpac.me/results/2385ec4b-a2a1-4cd7-8ee8-fc57cb140069/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/dfdd5afe0daaf8c288e3761b6570989db1beda4f3b19a704a62e4465edd1ff2b

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

SnakeKeylogger

Executable exe dfdd5afe0daaf8c288e3761b6570989db1beda4f3b19a704a62e4465edd1ff2b

(this sample)

  
Dropped by
snakekeylogger
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/250242/

Comments