MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 e77a2d44e244d4c950ebd5ab90406be121141f6436b45e730b8ac0e4bb4a23bf. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


SnakeKeylogger


Vendor detections: 8


Intelligence 8 IOCs YARA 4 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: e77a2d44e244d4c950ebd5ab90406be121141f6436b45e730b8ac0e4bb4a23bf
SHA3-384 hash: 272701edde76d8a7d3ce7bf84ba834151e776394dd467d2ae2be34ad8a73d66bf44329ee90291ea1d3ec7e4068fe23f4
SHA1 hash: c6ffcbd3034df8e8ee8ada25d1aef7e55d8a1a31
MD5 hash: aaa9045bf2594e041030554867e79f06
humanhash: freddie-november-triple-six
File name:0009752202_OUTSTANDING_20210129,PDF.exe
Download: download sample
Signature SnakeKeylogger
Create hunting rule
File size:891'392 bytes
First seen:2021-02-01 08:13:18 UTC
Last seen:2021-02-01 09:45:00 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'742 x AgentTesla, 19'607 x Formbook, 12'242 x SnakeKeylogger)
ssdeep 12288:6G5eI5/DM5JjPdGXKwE6oY07ZVyzWX34j6tw7f:x539DM5hYXKHdY+C4e6+7f
Threatray 1 similar samples on MalwareBazaar
TLSH 7B153CD2E094DCD7E96F46B25C2A583025A36E9D68D4D21D119DBB1A3BF3381209FE0F
Reporter abuse_ch
Tags:exe SnakeKeylogger


Avatar
abuse_ch
Malspam distributing unidentified malware:

HELO: phu.phuketdigital.com
Sending IP: 162.214.66.51
From: K-eDocument <tradefinance@kasikornbank.com>
Subject: DETAIL OUTSTANDING REPORT from KBank (ACCOUNT UPDATE)[053055819]
Attachment: 0009752202_OUTSTANDING_20210129,PDF.gz (contains "0009752202_OUTSTANDING_20210129,PDF.exe")

Intelligence

File Origin
# of uploads :
2
# of downloads :
105
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
0009752202_OUTSTANDING_20210129,PDF.exe
Verdict:
Malicious activity
Analysis date:
2021-02-01 08:20:05 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/3ad6b31e-4d5e-4ede-a77d-37438b3a642b

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Snake
Create hunting rule
Link:
https://www.capesandbox.com/analysis/114422/
Result
Verdict:
Malware
Maliciousness:
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
Snake Keylogger
Create hunting rule
Detection:
malicious
Classification:
troj.adwa.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/595064
Signature
Allocates memory in foreign processes
Binary contains a suspicious time stamp
Bypasses PowerShell execution policy
Drops PE files to the startup folder
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
May check the online IP address of the machine
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Powershell drops PE file
Sigma detected: RegAsm connects to smtp port
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file access)
Writes to foreign memory regions
Yara detected AntiVM_3
Yara detected Snake Keylogger
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 346572 Sample: 0009752202_OUTSTANDING_2021... Startdate: 01/02/2021 Architecture: WINDOWS Score: 100 35 smtp.yandex.ru 2->35 37 smtp.yandex.com 2->37 49 Multi AV Scanner detection for dropped file 2->49 51 Multi AV Scanner detection for submitted file 2->51 53 Sigma detected: RegAsm connects to smtp port 2->53 55 7 other signatures 2->55 8 0009752202_OUTSTANDING_20210129,PDF.exe 3 2->8         started        11 I$s#$lT3ssl.exe 3 2->11         started        signatures3 process4 file5 29 0009752202_OUTSTAN...0210129,PDF.exe.log, ASCII 8->29 dropped 14 powershell.exe 15 8->14         started        18 RegAsm.exe 15 2 8->18         started        57 Writes to foreign memory regions 11->57 59 Allocates memory in foreign processes 11->59 61 Injects a PE file into a foreign processes 11->61 21 RegAsm.exe 2 11->21         started        23 powershell.exe 18 11->23         started        signatures6 process7 dnsIp8 31 C:\Users\user\AppData\...\I$s#$lT3ssl.exe, PE32 14->31 dropped 33 C:\Users\...\I$s#$lT3ssl.exe:Zone.Identifier, ASCII 14->33 dropped 63 Drops PE files to the startup folder 14->63 65 Powershell drops PE file 14->65 25 conhost.exe 14->25         started        39 checkip.dyndns.org 18->39 41 smtp.yandex.ru 77.88.21.158, 49768, 49769, 49770 YANDEXRU Russian Federation 18->41 47 4 other IPs or domains 18->47 67 Tries to steal Mail credentials (via file access) 18->67 69 Tries to harvest and steal browser information (history, passwords, etc) 18->69 43 checkip.dyndns.org 21->43 45 smtp.yandex.com 21->45 27 conhost.exe 23->27         started        file9 signatures10 process11
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/e77a2d44e244d4c950ebd5ab90406be121141f6436b45e730b8ac0e4bb4a23bf/
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=455c2rhcitkmsuhl2wvzaqdl4eqrih3eg22f44ylrlaojo2keo7q._file
Verdict:
unknown
Similar samples:
707025aabf49be938c24b5b6614d2008b928ff596fb405d7be2338b1cf1ae04d
SnakeKeylogger
Result
Malware family:
snakekeylogger
Create hunting rule
Score:
  10/10
Tags:
family:snakekeylogger keylogger stealer
Link:
https://tria.ge/reports/210201-7qs37xm2z6/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Looks up external IP address via web service
Drops startup file
Beds Protector Packer
Snake Keylogger
Snake Keylogger Payload
Unpacked files
SH256 hash:
97024f17003dd3d31dab64c4d1b8251e50d428644eb59ed3692ad79ce42019cf
MD5 hash:
8cd28be4bd9a1404c6d3600db32b3ed1
SHA1 hash:
fb90b0ca51118e771390d58b19d0a404ee14cfbc
Link:
https://www.unpac.me/results/3827001c-a892-4152-86ea-f9b6da7a69d0/
SH256 hash:
446347d785bd082fd3ee60d3b34b52a234385f316fd4ab551c7d7834a81dbbee
MD5 hash:
84ea4129afb4d4f79610b1a5a9874e2f
SHA1 hash:
bf6556af2967ccb2b2fa8a67ce1e360996418db8
Link:
https://www.unpac.me/results/3827001c-a892-4152-86ea-f9b6da7a69d0/
SH256 hash:
46ff08a316f0dd591659937ab5be74dc94a6afdc4ec3fd6d2ec127cc4b05dad2
MD5 hash:
fbc5a1dec5e55d5967bfdf281bc7bbf5
SHA1 hash:
74e2062abdeeb2a15b156598357033eeb668d958
Link:
https://www.unpac.me/results/3827001c-a892-4152-86ea-f9b6da7a69d0/
SH256 hash:
e77a2d44e244d4c950ebd5ab90406be121141f6436b45e730b8ac0e4bb4a23bf
MD5 hash:
aaa9045bf2594e041030554867e79f06
SHA1 hash:
c6ffcbd3034df8e8ee8ada25d1aef7e55d8a1a31
Link:
https://www.unpac.me/results/3827001c-a892-4152-86ea-f9b6da7a69d0/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Kryptik
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/e77a2d44e244d4c950ebd5ab90406be121141f6436b45e730b8ac0e4bb4a23bf

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_EXE_Packed_ConfuserExMod_BedsProtector
Create hunting rule
Author:ditekSHen
Description:Detects executables packed with ConfuserEx Mod Beds Protector
Rule name:INDICATOR_SUSPICIOUS_Stomped_PECompilation_Timestamp_InTheFu
Create hunting rule
Author:ditekSHen
Description:Detect executables with stomped PE compilation timestamp that is greater than local current time
Rule name:Keylog_bin_mem
Create hunting rule
Author:James_inthe_box
Description:Contains Keylog
Rule name:MALWARE_Win_SnakeKeylogger
Create hunting rule
Author:ditekSHen
Description:Detects Snake Keylogger

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

SnakeKeylogger

gz 532c2cb74502b36f9736531da143c0e3bdad6bfe8c5baa0d48738f75ad9847ea

SnakeKeylogger

Executable exe e77a2d44e244d4c950ebd5ab90406be121141f6436b45e730b8ac0e4bb4a23bf

(this sample)

  
Dropped by
MD5 4c43b3857a040e77c2eca8db993d0aab
  
Delivery method
Distributed via e-mail attachment
  
Dropped by
SHA256 532c2cb74502b36f9736531da143c0e3bdad6bfe8c5baa0d48738f75ad9847ea
Cape
Cape
https://www.capesandbox.com/analysis/114422/

Comments