MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 e42652363da5db38ce553de583825a570fc76123af18a59550b3956dd3d573d0. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


SnakeKeylogger


Vendor detections: 7


Intelligence 7 IOCs YARA 5 File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: e42652363da5db38ce553de583825a570fc76123af18a59550b3956dd3d573d0
SHA3-384 hash: cdd3f2b5dc6ae0389e68d0fc9c78d1ae6ed7e02c1fdd1839462f91a2def9acc66c7f7e51e12977ca473be32aaba963e3
SHA1 hash: 0866696f3395ae375cfe7b2a9051fe570fe8544a
MD5 hash: b50fe78f59ae343a4ea40475ee85685d
humanhash: texas-freddie-august-sad
File name:PURCHASE_ORDER_0098_PDF.exe
Download: download sample
Signature SnakeKeylogger
Create hunting rule
File size:445'488 bytes
First seen:2021-05-11 10:43:04 UTC
Last seen:2021-05-11 12:08:42 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash ced282d9b261d1462772017fe2f6972b (127 x Formbook, 113 x GuLoader, 70 x RemcosRAT)
ssdeep 12288:l0VbNotdnO7Zd542rspOfc0kyBuP9cawxPjxMb:obNotdO7DxOOfcVPWddjmb
Threatray 814 similar samples on MalwareBazaar
TLSH AC94233417A0D8F3DA9506711E3EFF7AAE964229946A0A0F2744BDDEFCB4E49670C124
Reporter GovCERT_CH
Tags:SnakeKeylogger

Intelligence

File Origin
# of uploads :
3
# of downloads :
130
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/155043/
Detection(s):
SecuriteInfo.com.Trojan.GenericKD.36876993.16156.21928.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Creating a file in the %temp% directory
Creating a file
Sending a UDP request
Launching a process
DNS request
Sending an HTTP GET request
Sending a custom TCP request
Unauthorized injection to a system process
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
Snake Keylogger
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/778513
Signature
Found malware configuration
Initial sample is a PE file and has a suspicious name
Machine Learning detection for sample
Maps a DLL or memory area into another process
May check the online IP address of the machine
Multi AV Scanner detection for submitted file
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Mail credentials (via file access)
Writes to foreign memory regions
Yara detected Beds Obfuscator
Yara detected Snake Keylogger
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/e42652363da5db38ce553de583825a570fc76123af18a59550b3956dd3d573d0/
Threat name:
Win32.Trojan.Spynoon
Create hunting rule
Status:
Malicious
First seen:
2021-05-10 15:53:25 UTC
AV detection:
23 of 28 (82.14%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=4qtfenr5uxntrtsvhxsyhas2k4h4oyjdv4mklfkqwokw3u6vopia._file
Verdict:
unknown
Similar samples:
1fc1fd8c6222445fb1064c4658c93a1bee4319850f1a06a4860521f5cb4ce009
SnakeKeylogger
3c8992a1fa966b9838653d1276934114b1e3536d2d0d47172ef4c67af1ef3b2c
SnakeKeylogger
47795e947ae1864d553396ae7b191c6c507f2e5e50ced435018906c43f2364e5
SnakeKeylogger
735d11c1fa476083846e9e622af57a902ff20be1a1bbce7d8ec9f7f4179d1bb3
SnakeKeylogger
758353a1ee13e2b4e82bd4ebfa6df47a12a3ac2d488d9602bb89700a4dc6b997
SnakeKeylogger
8f94fe68e4decbed1a460bbb09116e1f41fc6987bce37ebb6fd09230d3f89d61
SnakeKeylogger
a7fa0b9c523e32efbdefa0c04cc8229bbdea0cc820d3362289e8d2b0670281d4
SnakeKeylogger
bd9659fd8971265902d8bea95aff9de3ef28d9fa1891314ddb069c48aeb0e655
SnakeKeylogger
ea66d2f582f9da718979a56b628e19a5712e41e979808cb84a8cb427fbe1ab30
SnakeKeylogger
f43b323ae6be7b7945d58fcab72ae3c66ef552b8584063def9d2415d08573c8a
SnakeKeylogger
+ 804 additional samples on MalwareBazaar
Result
Malware family:
snakekeylogger
Create hunting rule
Score:
  10/10
Tags:
family:snakekeylogger keylogger stealer
Link:
https://tria.ge/reports/210511-p52k5ckn5j/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Looks up external IP address via web service
Loads dropped DLL
Snake Keylogger
Snake Keylogger Payload
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.47
Link:
https://yomi.yoroi.company/submissions/e42652363da5db38ce553de583825a570fc76123af18a59550b3956dd3d573d0

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_EXE_Packed_ConfuserExMod_BedsProtector
Create hunting rule
Author:ditekSHen
Description:Detects executables packed with ConfuserEx Mod Beds Protector
Rule name:Keylog_bin_mem
Create hunting rule
Author:James_inthe_box
Description:Contains Keylog
Rule name:MALWARE_Win_SnakeKeylogger
Create hunting rule
Author:ditekSHen
Description:Detects Snake Keylogger
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

SnakeKeylogger

Executable exe e42652363da5db38ce553de583825a570fc76123af18a59550b3956dd3d573d0

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/155043/

Comments


Avatar
a̵c̵c̸i̵d̷e̵n̷t̴a̷l̴r̵e̷b̸e̴l̸ commented on 2021-05-11 11:02:56 UTC

============================================================
MBC behaviors list (github.com/accidentalrebel/mbcscan):
============================================================
0) [B0001.032] Anti-Behavioral Analysis::Timing/Delay Check GetTickCount
1) [C0032.001] Data Micro-objective::CRC32::Checksum
2) [C0026.002] Data Micro-objective::XOR::Encode Data
5) [C0045] File System Micro-objective::Copy File
6) [C0046] File System Micro-objective::Create Directory
7) [C0048] File System Micro-objective::Delete Directory
8) [C0047] File System Micro-objective::Delete File
9) [C0049] File System Micro-objective::Get File Attributes
10) [C0051] File System Micro-objective::Read File
11) [C0050] File System Micro-objective::Set File Attributes
12) [C0052] File System Micro-objective::Writes File
13) [E1510] Impact::Clipboard Modification
14) [C0034.001] Operating System Micro-objective::Set Variable::Environment Variable
15) [C0036.004] Operating System Micro-objective::Create Registry Key::Registry
16) [C0036.002] Operating System Micro-objective::Delete Registry Key::Registry
17) [C0036.007] Operating System Micro-objective::Delete Registry Value::Registry
18) [C0036.003] Operating System Micro-objective::Open Registry Key::Registry
19) [C0036.005] Operating System Micro-objective::Query Registry Key::Registry
20) [C0036.006] Operating System Micro-objective::Query Registry Value::Registry
21) [C0036.001] Operating System Micro-objective::Set Registry Key::Registry
22) [C0017] Process Micro-objective::Create Process
23) [C0038] Process Micro-objective::Create Thread
24) [C0018] Process Micro-objective::Terminate Process