MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 e4d8394f74053ae9e12309994170e177ec8bd01e756d6b327d88efee7d3bf924. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

SnakeKeylogger

Vendor detections: 10

Intelligence 10 IOCs YARA 12 File information Comments

SHA256 hash:	e4d8394f74053ae9e12309994170e177ec8bd01e756d6b327d88efee7d3bf924
SHA3-384 hash:	946f4895279767a3765f640db22292302cc5f251366a9f20e1f9cf5741d38c094dac737a9d3088ef70a18576fa3a2f32
SHA1 hash:	f6ce537a7f31ed9509d2b22f2406cb01f227a69a
MD5 hash:	2d98061820e074b3c289815996a38443
humanhash:	uranus-william-uranus-kansas
File name:	Order.zip
Download:	download sample
Signature	SnakeKeylogger Create hunting rule
File size:	488'641 bytes
First seen:	2024-09-21 11:37:34 UTC
Last seen:	Never
File type:	zip
MIME type:	application/zip
ssdeep	12288:gekIy66nl89Os8Tr6nD/RtqygtWeZ+NTaTe2:g4ilyUrO/jqyYIeTj
TLSH	T1E6A4235B822B91B09C35C9212F8C1C649E55FDCF2EAA5E15D46B5AF39F6F715C20B008
Magika	zip
Reporter	cocaman
Tags:	SnakeKeylogger VIPKeylogger zip

cocaman

Malicious email (T1566.001)
From: "Tarun <sales2@indexbb.com>" (likely spoofed)
Received: "from indexbb.com (static.100.24.108.65.clients.your-server.de [65.108.24.100]) "
Date: "20 Sep 2024 21:44:23 -0700"
Subject: "Urgent Enquiry"
Attachment: "Order.zip"

Intelligence

File Origin

# of uploads :

# of downloads :

277

Origin country :

File Archive Information

This file archive contains 1 file(s), sorted by their relevance:

File name:	Order.exe
File size:	909'824 bytes
SHA256 hash:	e40aa2ac74b12d2b000617839127a60a5faa81d7cae5087b738ba2b45c040537
MD5 hash:	d6967ea7baf752e952a2c8c184feef3b
MIME type:	application/x-dosexec
Signature	SnakeKeylogger

Vendor Threat Intelligence

Detection(s):

Sanesecurity.Foxhole.Zip_fs3226.UNOFFICIAL

SecuriteInfo.com.Win32.MalwareX-gen.3252.24786.UNOFFICIAL

Sanesecurity.Malware.21235.ZipHeur.UNOFFICIAL

Verdict:

Malicious

Score:

99.1%

Link:

https://cyber-fortress.com/docs/result/index.php?id=66ee3b9f1db25d66857c5d0d

Tags:

Discovery Generic Network Stealth Snakestealer

Result

Verdict:

Malicious

File Type:

PE File

Link:

https://app.docguard.net/e4d8394f74053ae9e12309994170e177ec8bd01e756d6b327d88efee7d3bf924/results/dashboard

Verdict:

Suspicious

Threat level:

5/10

Confidence:

100%

Tags:

dotnet lolbin masquerade packed

Link:

https://www.filescan.io/uploads/66eeb01b800c7315e1cabaa1/reports/7397cd0c-58a4-4a7f-aa11-fbd5c38b9b0f/overview

Verdict:

Unknown

Link:

https://www.hybrid-analysis.com/sample/e4d8394f74053ae9e12309994170e177ec8bd01e756d6b327d88efee7d3bf924

Result

Verdict:

MALICIOUS

Link:

https://labs.inquest.net/dfi/sha256/e4d8394f74053ae9e12309994170e177ec8bd01e756d6b327d88efee7d3bf924

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Score:

100%

Verdict:

Malware

File Type:

Result

Malware family:

vipkeylogger

Score:

10/10

Tags:

family:vipkeylogger collection credential_access discovery keylogger spyware stealer

Link:

https://tria.ge/reports/240921-nxv26azhng/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

outlook_office_path

outlook_win_path

Browser Information Discovery

System Location Discovery: System Language Discovery

Suspicious use of SetThreadContext

Accesses Microsoft Outlook profiles

Looks up external IP address via web service

Reads user/profile data of local email clients

Reads user/profile data of web browsers

Credentials from Password Stores: Credentials from Web Browsers

VIPKeylogger

Malware Config

C2 Extraction:

https://api.telegram.org/bot7985888771:AAEHZkJS7VPCqlc0_wV-hgnkJ-IvnEmNisQ/sendMessage?chat_id=2135869667

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

iSpy Keylogger

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/e4d8394f74053ae9e12309994170e177ec8bd01e756d6b327d88efee7d3bf924

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	Detect_APT29_WINELOADER_Backdoor Create hunting rule
Author:	daniyyell
Description:	Detects APT29's WINELOADER backdoor variant used in phishing campaigns, this rule also detect bad pdf,shtml,htm and vbs or maybe more depends
Reference:	https://cloud.google.com/blog/topics/threat-intelligence/apt29-wineloader-german-political-parties

Rule name:	NET Create hunting rule
Author:	malware-lu

Rule name:	NETexecutableMicrosoft Create hunting rule
Author:	malware-lu

Rule name:	pe_imphash Create hunting rule

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

SnakeKeylogger

zip e4d8394f74053ae9e12309994170e177ec8bd01e756d6b327d88efee7d3bf924

(this sample)

SnakeKeylogger

exe e40aa2ac74b12d2b000617839127a60a5faa81d7cae5087b738ba2b45c040537

Delivery method

Distributed via e-mail attachment

Dropping

SHA256 e40aa2ac74b12d2b000617839127a60a5faa81d7cae5087b738ba2b45c040537

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample