MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 fa096f5605e4404a60f101e6076c2bb2f5f72d306b60cc404dcb9af3710f5a21. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


SnakeKeylogger


Vendor detections: 8


Intelligence 8 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: fa096f5605e4404a60f101e6076c2bb2f5f72d306b60cc404dcb9af3710f5a21
SHA3-384 hash: 4f52be9f6ab5a7dc0932e7409f6af1686bb3ee9694de01576edd40bc75d1f05c535b3689e8edb14dd31eda22b7e0afc6
SHA1 hash: 73f6137e2ea52cc04eb6466eb7bfc4d62d449359
MD5 hash: 2562fa72916dff516613b3c9662bc41a
humanhash: carolina-mars-neptune-vegan
File name:PO_RFQ_2021_12_01.exe
Download: download sample
Signature SnakeKeylogger
Create hunting rule
File size:965'632 bytes
First seen:2021-01-12 06:17:18 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'666 x AgentTesla, 19'479 x Formbook, 12'209 x SnakeKeylogger)
ssdeep 12288:0B9I1Fudm95ZNZVYnDEytMpu7E7wd4k32fYmwkVP6w:0B9oum7NZmDEpYA7w+7nV7
Threatray 40 similar samples on MalwareBazaar
TLSH 9A253953BB9D935CD7AC12BD2431007117E4CF67A298EA68FDC5B4BE6A7292801FD1C2
Reporter abuse_ch
Tags:exe SnakeKeylogger


Avatar
abuse_ch
Malspam distributing unidentified malware:

HELO: strong1.herosite.pro
Sending IP: 23.111.175.173
From: David Poggi <david@fortetechno.com>
Reply-To: David Poggi <admin@shortletting.com.ng>
Subject: RFQ_2021_12_01
Attachment: IMG_PO_RFQ_2021_12_01.IMG (contains "PO_RFQ_2021_12_01.exe")

Intelligence

File Origin
# of uploads :
1
# of downloads :
112
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
PO_RFQ_2021_12_01 - s.doc
Verdict:
Malicious activity
Analysis date:
2021-01-12 06:09:31 UTC
Tags:
ole-embedded trojan opendir exploit CVE-2017-11882 loader evasion
Link:
https://app.any.run/tasks/15b78d9d-c9e1-41ff-88c2-4cb73e894a79

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Snake
Create hunting rule
Link:
https://www.capesandbox.com/analysis/111373/
Detection(s):
SecuriteInfo.com.Generic.mg.2562fa72916dff51.7534.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a UDP request
Creating a file in the %AppData% directory
Enabling the 'hidden' option for recently created files
Adding an access-denied ACE
Creating a file in the %temp% directory
Launching a process
Creating a process with a hidden window
Deleting a recently created file
Unauthorized injection to a recently created process
Creating a file
DNS request
Sending an HTTP GET request
Sending a custom TCP request
Reading critical registry keys
Enabling autorun by creating a file
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
Snake Keylogger
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
96 / 100
Link:
https://www.joesandbox.com/analysis/578593
Signature
Initial sample is a PE file and has a suspicious name
Machine Learning detection for dropped file
Machine Learning detection for sample
May check the online IP address of the machine
Sigma detected: Scheduled temp file as task from temp location
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file access)
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected AntiVM_3
Yara detected Snake Keylogger
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/fa096f5605e4404a60f101e6076c2bb2f5f72d306b60cc404dcb9af3710f5a21/
Threat name:
Win32.Trojan.Pwsx
Create hunting rule
Status:
Malicious
First seen:
2021-01-12 06:18:08 UTC
AV detection:
4 of 46 (8.70%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=7iew6vqf4raeuyhrahtao3blwl27oljqnnqmyqcnzonpg4ipliqq._file
Verdict:
unknown
Similar samples:
035a62c9a13176755bbe5ea0d9c8a609c9f237a6e0af811abb934ca8654eb753
SnakeKeylogger
03a7c8a4e67e6739db52502fb4babb8421059e3269610dbec749b3f0aa4a4641
SnakeKeylogger
11b82240c0a2fbb5f71aefab2266d18d28746ffc267b585f72498006a57aa6bd
SnakeKeylogger
29af8f9271305888d917e56e139a3d9e8b4dfa0f5487f6604e9eba035e0d475b
SnakeKeylogger
363f1e19af5976e6c19e76c71e98c405b227938e261beb7e2a0bcc27e4a44be7
SnakeKeylogger
60d5a2df12e7d3ec47a29b7f1d2faeaa078f89cc3ec6da3965a14a6c1c11de74
SnakeKeylogger
9866933cc0ecf8e3ddfa7ce79cdbc70b16efbe819a2426ffa28d923a12c0653a
SnakeKeylogger
b2b25365ac3fab2649ba188a0c113a558686c049d89bb4b8f3d7439a6e6732c0
SnakeKeylogger
e4179e2d5b9c04e7a59bf9b063c006f5695b5ec90600833006d38129ad0a48a6
SnakeKeylogger
fc243975dc04f097ddfbaf8f3245cd17b7967811b97c926fff0c52749e844480
SnakeKeylogger
+ 30 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  7/10
Tags:
spyware
Link:
https://tria.ge/reports/210112-gpkfehjfzs/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Looks up external IP address via web service
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Unpacked files
SH256 hash:
09fa922000b3bc27eebb87e1378fe70e4f11195ce3f2671166688395731d0dac
MD5 hash:
d29f0e89700222c2e4c4bd1d5f8e702d
SHA1 hash:
2f4f54c9bd3464e1eeade07a4a0c710ff947d648
Link:
https://www.unpac.me/results/d67ec447-e628-4fb8-9ffc-882149d78b6f/
SH256 hash:
92869b23e5e18ddef0e43f2eb81d101d113cfd486fecbcb655bdeca8856fe19a
MD5 hash:
62a0f1c1e6e6dc1f48f7c68ed78377af
SHA1 hash:
3ae1ce5390680b385134f9b2f9f223104dab1365
Link:
https://www.unpac.me/results/d67ec447-e628-4fb8-9ffc-882149d78b6f/
SH256 hash:
296620e9308a1069ca98d27c426f25f5c1f87d9240bb371c657571034b0261b5
MD5 hash:
4cf24d41a7882216740280e3294cb853
SHA1 hash:
6bcb31d3dc0a7d71da1067a628168664202769a4
Link:
https://www.unpac.me/results/d67ec447-e628-4fb8-9ffc-882149d78b6f/
SH256 hash:
fa096f5605e4404a60f101e6076c2bb2f5f72d306b60cc404dcb9af3710f5a21
MD5 hash:
2562fa72916dff516613b3c9662bc41a
SHA1 hash:
73f6137e2ea52cc04eb6466eb7bfc4d62d449359
Link:
https://www.unpac.me/results/d67ec447-e628-4fb8-9ffc-882149d78b6f/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/fa096f5605e4404a60f101e6076c2bb2f5f72d306b60cc404dcb9af3710f5a21

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

SnakeKeylogger

img e8460f99864c9e290a986fb070e743a4e574a15f730f15c796c1fd1447aabf1c

SnakeKeylogger

Executable exe fa096f5605e4404a60f101e6076c2bb2f5f72d306b60cc404dcb9af3710f5a21

(this sample)

  
Dropped by
MD5 dab93790cc887a6cfdfba1ddad18ac56
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/111373/
  
Dropped by
SHA256 e8460f99864c9e290a986fb070e743a4e574a15f730f15c796c1fd1447aabf1c
  
URLhaus
https://urlhaus.abuse.ch/url/954575/

Comments