MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 f4dcdf575d7c25bdba3e73ac2ff890b1103dcf43325b8876c5215204fcf7d1fb. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


SnakeKeylogger


Vendor detections: 9


Intelligence 9 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: f4dcdf575d7c25bdba3e73ac2ff890b1103dcf43325b8876c5215204fcf7d1fb
SHA3-384 hash: 26d7755f0da18a47676b006f3fe0d6c5d5bb0611e412b6f8a29a0ac30a400c75a306228d1d821f07dea71d6233d0356d
SHA1 hash: 9cca4de3ed866f6c314c531ab71e3a40cc2de508
MD5 hash: 00fc5691b97003612a77a30ad7cb0f1c
humanhash: bluebird-pasta-early-moon
File name:PRODUCT SPECIFICATION.exe
Download: download sample
Signature SnakeKeylogger
Create hunting rule
File size:86'616 bytes
First seen:2021-02-25 10:10:50 UTC
Last seen:2021-02-25 12:24:00 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'742 x AgentTesla, 19'607 x Formbook, 12'242 x SnakeKeylogger)
ssdeep 1536:QCTB6U6Q6h6z6Z6n6j6x6r6k6F6HYjPEs4ceqwBlXT7oQ0QRAj7:CVBQmI6WgelEc4ceqIoQ0QRAj7
Threatray 88 similar samples on MalwareBazaar
TLSH 0D83C68BCD340D0BF8B97B39965A1904D369930E224178FF5461F2B2E538F322B759DA
Reporter abuse_ch
Tags:exe SnakeKeylogger


Avatar
abuse_ch
Malspam distributing SnakeKeylogger:

HELO: coolermaster.com.tw
Sending IP: 45.133.116.243
From: Raffizas<sales@coolermaster.com.tw>
Subject: purchase order
Attachment: PRODUCT SPECIFICATION.7Z (contains "PRODUCT SPECIFICATION.exe")

Intelligence

File Origin
# of uploads :
2
# of downloads :
108
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
PRODUCT SPECIFICATION.exe
Verdict:
Malicious activity
Analysis date:
2021-02-25 10:12:35 UTC
Tags:
trojan
Link:
https://app.any.run/tasks/33edaf11-d5d9-416b-829f-85638bedcdf0

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/119167/
Detection(s):
SecuriteInfo.com.Win32.2367.17726.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a custom TCP request
DNS request
Sending a UDP request
Sending an HTTP GET request to an infection source
Result
Verdict:
SUSPICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
Snake Keylogger
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/618525
Signature
Adds a directory exclusion to Windows Defender
Binary contains a suspicious time stamp
Hides threads from debuggers
Machine Learning detection for sample
May check the online IP address of the machine
Multi AV Scanner detection for domain / URL
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Tries to delay execution (extensive OutputDebugStringW loop)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Mail credentials (via file access)
Yara detected Beds Obfuscator
Yara detected Snake Keylogger
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 358263 Sample: PRODUCT SPECIFICATION.exe Startdate: 25/02/2021 Architecture: WINDOWS Score: 100 40 Multi AV Scanner detection for domain / URL 2->40 42 Yara detected Snake Keylogger 2->42 44 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 2->44 46 6 other signatures 2->46 7 PRODUCT SPECIFICATION.exe 21 6 2->7         started        process3 dnsIp4 32 coroloboxorozor.com 172.67.172.17, 49712, 80 CLOUDFLARENETUS United States 7->32 30 C:\Users\user\AppData\...\AdvancedRun.exe, PE32 7->30 dropped 48 Adds a directory exclusion to Windows Defender 7->48 50 Hides threads from debuggers 7->50 12 PRODUCT SPECIFICATION.exe 2 7->12         started        16 cmd.exe 1 7->16         started        18 powershell.exe 20 7->18         started        20 3 other processes 7->20 file5 signatures6 process7 dnsIp8 34 checkip.dyndns.org 12->34 36 checkip.dyndns.com 131.186.113.70, 49733, 49734, 80 DYNDNSUS United States 12->36 38 freegeoip.app 104.21.19.200, 443, 49736 CLOUDFLARENETUS United States 12->38 52 Tries to steal Mail credentials (via file access) 12->52 54 Tries to harvest and steal ftp login credentials 12->54 56 Tries to harvest and steal browser information (history, passwords, etc) 12->56 22 conhost.exe 16->22         started        24 timeout.exe 1 16->24         started        26 conhost.exe 18->26         started        28 AdvancedRun.exe 20->28         started        signatures9 process10
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/f4dcdf575d7c25bdba3e73ac2ff890b1103dcf43325b8876c5215204fcf7d1fb/
Threat name:
ByteCode-MSIL.Downloader.BaseLoader
Create hunting rule
Status:
Malicious
First seen:
2021-02-25 10:11:11 UTC
AV detection:
15 of 29 (51.72%)
Threat level:
  3/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=6ton6v25pqs33or6oowc76eqweid3t2dgjnyq5wfefjaj7hx2h5q._file
Verdict:
malicious
Similar samples:
2760abb67bdb754b7e7878df83549c332785054b337800e7598a4f394a81da12
SnakeKeylogger
2ddbf5aed765723b948699526bc2a9a49864dc1181e21f4c51fe613aa8d0ca7e
SnakeKeylogger
3afef4ab289c49f347ed065f4d272cec7ea413b5c84fb4c2e6aa9adad2716db6
SnakeKeylogger
56431350911d0476225fe5218ef37ad68ad0542b393f79ff080a69b4592a67b6
SnakeKeylogger
5abccf199b1e503db7c810a9dcbe1310b6a6b78441b091dae6f45c92d3c3add1
SnakeKeylogger
638c7d6859e792cc15836509bd58bf468b755fee3dcf669d2dcf328dd0029f12
SnakeKeylogger
9e6fdb6456dfaf737767adb44ebdb84910cec8be91a12c2b7a37c84b5aed6104
SnakeKeylogger
a0ebcb3078763eb8acca534831ef9ca1a213347328698aa3cda7c5bd23cd81d8
SnakeKeylogger
bcfcc5a278671fbe1b5f5f27c6d61921add83e57a0c61f80a165455b3fe0875a
SnakeKeylogger
d6b54e921467dd688dc63b3019654168fd7e72fb0b902e9b08f8c0c3337af388
SnakeKeylogger
+ 78 additional samples on MalwareBazaar
Result
Malware family:
snakekeylogger
Create hunting rule
Score:
  10/10
Tags:
family:snakekeylogger evasion keylogger spyware stealer trojan
Link:
https://tria.ge/reports/210225-m4vv5pfhqa/
Behaviour
Delays execution with timeout.exe
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Drops file in Windows directory
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Looks up external IP address via web service
Maps connected drives based on registry
Checks BIOS information in registry
Loads dropped DLL
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Windows security modification
Executes dropped EXE
Looks for VMWare Tools registry key
Looks for VirtualBox Guest Additions in registry
Nirsoft
Modifies Windows Defender Real-time Protection settings
Snake Keylogger
Snake Keylogger Payload
Turns off Windows Defender SpyNet reporting
Windows security bypass
Unpacked files
SH256 hash:
f4dcdf575d7c25bdba3e73ac2ff890b1103dcf43325b8876c5215204fcf7d1fb
MD5 hash:
00fc5691b97003612a77a30ad7cb0f1c
SHA1 hash:
9cca4de3ed866f6c314c531ab71e3a40cc2de508
Link:
https://www.unpac.me/results/c8b16e5d-c2b0-437e-bea1-781708106a1f/
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_SUSPICIOUS_Stomped_PECompilation_Timestamp_InTheFu
Create hunting rule
Author:ditekSHen
Description:Detect executables with stomped PE compilation timestamp that is greater than local current time

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

SnakeKeylogger

7z d1d137d9e7498bfcc2d545b19f4ca50f0dd961b1f9372c4d8f55f7862fbe0346

SnakeKeylogger

Executable exe f4dcdf575d7c25bdba3e73ac2ff890b1103dcf43325b8876c5215204fcf7d1fb

(this sample)

  
Dropped by
MD5 d591c93d31d80147e7369e0629b7565e
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/119167/
  
Dropped by
SHA256 d1d137d9e7498bfcc2d545b19f4ca50f0dd961b1f9372c4d8f55f7862fbe0346

Comments