MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 e7703afc09d5615897f8d6fcb0c7988ddfcf347047da78429aea4c9776d9e062. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


SnakeKeylogger


Vendor detections: 8


Intelligence 8 IOCs YARA 2 File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: e7703afc09d5615897f8d6fcb0c7988ddfcf347047da78429aea4c9776d9e062
SHA3-384 hash: 439324155b678b440bc4a622ae1f59e543fb66220487f8744d89549eeb6a15d7f44328ef5009adf21f5d19f237eaa252
SHA1 hash: d5a34636b46ba0563f260bf51cb68dc5a2227c23
MD5 hash: ee30024e19336ee7f0a8b9e9e4d23f2e
humanhash: purple-coffee-whiskey-massachusetts
File name:ee30024e19336ee7f0a8b9e9e4d23f2e
Download: download sample
Signature SnakeKeylogger
Create hunting rule
File size:726'016 bytes
First seen:2021-07-14 15:11:15 UTC
Last seen:2021-07-14 17:07:19 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'666 x AgentTesla, 19'479 x Formbook, 12'208 x SnakeKeylogger)
ssdeep 12288:+kbPOhG0nhOm0VXCHEtDbLofKHPPWDAB2A0cSnbabTP/u4u5GmZcgQT:+kbWhAzVXCHEtkysCtNSWTQ8
Threatray 245 similar samples on MalwareBazaar
TLSH T184F40126B741BB0EC23ECD3988524C10F7E1E6778717D747ACE316EC158EAA98F21295
Reporter zbetcheckin
Tags:32 exe SnakeKeylogger

Intelligence

File Origin
# of uploads :
2
# of downloads :
132
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
Catalogue-Product-Order.doc
Verdict:
Malicious activity
Analysis date:
2021-07-14 13:58:25 UTC
Tags:
exploit CVE-2017-11882 loader evasion trojan
Link:
https://app.any.run/tasks/eb458ea0-aca0-4d7d-9552-ac529b248d76

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/171717/
Detection(s):
SecuriteInfo.com.Trojan.Win32.Save.a.14890.16429.UNOFFICIAL
Create hunting rule

Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/1c8d83bc-7f14-4643-a120-dba36548a73a
Result
Threat name:
Snake Keylogger
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/816504
Signature
.NET source code references suspicious native API functions
Adds a directory exclusion to Windows Defender
Found malware configuration
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
May check the online IP address of the machine
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Powershell Defender Exclusion
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Mail credentials (via file access)
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected AntiVM3
Yara detected Snake Keylogger
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 448913 Sample: HEJMFuQOa5 Startdate: 14/07/2021 Architecture: WINDOWS Score: 100 43 Multi AV Scanner detection for domain / URL 2->43 45 Found malware configuration 2->45 47 Malicious sample detected (through community Yara rule) 2->47 49 9 other signatures 2->49 7 HEJMFuQOa5.exe 7 2->7         started        process3 file4 29 C:\Users\user\AppData\...\PFfmoPhQDitH.exe, PE32 7->29 dropped 31 C:\Users\...\PFfmoPhQDitH.exe:Zone.Identifier, ASCII 7->31 dropped 33 C:\Users\user\AppData\Local\Temp\tmpDD7.tmp, XML 7->33 dropped 35 C:\Users\user\AppData\...\HEJMFuQOa5.exe.log, ASCII 7->35 dropped 51 May check the online IP address of the machine 7->51 53 Uses schtasks.exe or at.exe to add and modify task schedules 7->53 55 Adds a directory exclusion to Windows Defender 7->55 57 Injects a PE file into a foreign processes 7->57 11 HEJMFuQOa5.exe 7->11         started        15 powershell.exe 24 7->15         started        17 powershell.exe 25 7->17         started        19 2 other processes 7->19 signatures5 process6 dnsIp7 37 mail.totallyanonymous.com 109.106.250.131, 49735, 49736, 49737 NETNET-ASRS Serbia 11->37 39 checkip.dyndns.org 11->39 41 3 other IPs or domains 11->41 59 Tries to steal Mail credentials (via file access) 11->59 61 Tries to harvest and steal ftp login credentials 11->61 63 Tries to harvest and steal browser information (history, passwords, etc) 11->63 21 conhost.exe 15->21         started        23 conhost.exe 17->23         started        25 conhost.exe 19->25         started        27 conhost.exe 19->27         started        signatures8 process9
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/e7703afc09d5615897f8d6fcb0c7988ddfcf347047da78429aea4c9776d9e062/
Threat name:
ByteCode-MSIL.Trojan.Taskun
Create hunting rule
Status:
Malicious
First seen:
2021-07-14 14:54:47 UTC
File Type:
PE (.Net Exe)
Extracted files:
1
AV detection:
17 of 29 (58.62%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=45ydv7aj2vqvrf7y236lbr4yrxp46ndqi7nhqqu25jgjo5wz4bra._file
Verdict:
malicious
Similar samples:
043c91c0f8bd07fdce3af1ccadf2afec896527684eacee91d78e7afe32173d51
SnakeKeylogger
0625021c787b2f711eb6fadc44856a9f001037bcb29686b910c557316bcbf212
SnakeKeylogger
0df4878cd67ddaed0fb5bef0fdcd6e489c64c1c0f3428a2c7b030481246dd904
SnakeKeylogger
3914a1dd5bbef9edeceffa718d5006dce7347b1a3019b452ce754605c0e32e2e
SnakeKeylogger
510a312fcfeec1d100edf69e1f8a6f0acfbb0116be390849550743a39349b84d
SnakeKeylogger
59b7b6c0abf702ed3af7efb41f41378bf126fc718606ca3ff97db27e31f9b1d7
SnakeKeylogger
84a07c64cd318963d10bad4eead98e7f186f136d7e74725cabac4246b56e1712
SnakeKeylogger
9cf85e58b7cb62b39376e36ebc8fadf0c40f21ce98f36fa9016521a8158b4881
SnakeKeylogger
d44a2ec092a66bec26dabf98269fab0009b8309966e7a78fb0263b8c086d0c29
SnakeKeylogger
d9ed8af079bdd7fef1daa51696fe0172d5170fd4ee668ed2f252cbe65a2ab488
SnakeKeylogger
+ 235 additional samples on MalwareBazaar
Result
Malware family:
snakekeylogger
Create hunting rule
Score:
  10/10
Tags:
family:snakekeylogger keylogger spyware stealer
Link:
https://tria.ge/reports/210714-s1pjdnn5w2/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Looks up external IP address via web service
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Snake Keylogger
Unpacked files
SH256 hash:
ee08241f2df923ffac6fb327cf42fe2f9969e79050ee2079ee1113fa5bedc39e
MD5 hash:
2e3084bc21767bc23e2d9901aa3a2610
SHA1 hash:
7d060830fa9cd43e437044c800bdec2c86106e89
Link:
https://www.unpac.me/results/51ca00f0-f71a-4812-8c06-7ad74cf3d176/
SH256 hash:
0802a34774a2c054e88871271435a4aac7db81e89cbcf6f1766c37e2b9973f32
MD5 hash:
f508ba63877098d277950f60c0236dd5
SHA1 hash:
9bff928b7e52481e01d4c58dd1e2f004ac128530
Link:
https://www.unpac.me/results/51ca00f0-f71a-4812-8c06-7ad74cf3d176/
SH256 hash:
146efa666896f207cb66e57742a41f24ec34a5cd9c9b1b3b3b38351e609e6cd7
MD5 hash:
52603d2fa49b39305970d1bf927b7e35
SHA1 hash:
aaff4f4eda22ec9bd5630a9da5fe2c127a165797
Link:
https://www.unpac.me/results/51ca00f0-f71a-4812-8c06-7ad74cf3d176/
SH256 hash:
28f60121aeda21c79a187056d99ee640c79195664de5d7f76484b96a29d0a3e7
MD5 hash:
60e6422e6e1183c7fecb8f175b4f6ffa
SHA1 hash:
f3a62948756481e5f3f0f367ce1dc8a45c30d743
Link:
https://www.unpac.me/results/51ca00f0-f71a-4812-8c06-7ad74cf3d176/
SH256 hash:
e7703afc09d5615897f8d6fcb0c7988ddfcf347047da78429aea4c9776d9e062
MD5 hash:
ee30024e19336ee7f0a8b9e9e4d23f2e
SHA1 hash:
d5a34636b46ba0563f260bf51cb68dc5a2227c23
Link:
https://www.unpac.me/results/51ca00f0-f71a-4812-8c06-7ad74cf3d176/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/e7703afc09d5615897f8d6fcb0c7988ddfcf347047da78429aea4c9776d9e062

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

SnakeKeylogger

Executable exe e7703afc09d5615897f8d6fcb0c7988ddfcf347047da78429aea4c9776d9e062

(this sample)

  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/1453932/
Cape
Cape
https://www.capesandbox.com/analysis/171717/

Comments


Avatar
zbet commented on 2021-07-14 15:11:16 UTC

url : hxxp://2.56.59.76/hk.exe