MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 fb6f73bb0367c0a581cc75d76b925f5b08c128887e4967b2503f6258bb781874. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

SnakeKeylogger

Vendor detections: 11

Intelligence 11 IOCs YARA 11 File information Comments

SHA256 hash:	fb6f73bb0367c0a581cc75d76b925f5b08c128887e4967b2503f6258bb781874
SHA3-384 hash:	8df123cdd89ca1cb423e2b98c0ca773f15ad50f7a22288f5eaccbf83763c5a4ba20abb5f8717623f949078aa1e3f5a4b
SHA1 hash:	555ec385b294af3dac78125ea8a86697e2d95c4e
MD5 hash:	9bd50fc23ff26bd01695f3da830b2727
humanhash:	high-batman-minnesota-wyoming
File name:	HSBC SWIFT Payment Delivery Advice {IB17924306092314 ,0150548596801}.zip
Download:	download sample
Signature	SnakeKeylogger Create hunting rule
File size:	821'455 bytes
First seen:	2024-08-14 11:44:09 UTC
Last seen:	Never
File type:	zip
MIME type:	application/zip
ssdeep	12288:OPdbILY6qYOg+9W/C/qlDW02aSKUZVHA5MLF23bNGliE6kAsiNXi1tbpwMl6n:OWnqYORqpSKUjzy9gj72Iq
TLSH	T18D0523FD7F0E50DEFDABD09F375F85B092472B6AF9037519304A5B4B462083CA51868A
Reporter	cocaman
Tags:	HSBC payment SnakeKeylogger SWIFT zip

cocaman

Malicious email (T1566.001)
From: "HSBC Advising Service <advising.service@mail.hsbcnet.hsbc.com>" (likely spoofed)
Received: "from livers.trumpbuyer.com (unknown [141.98.10.122]) "
Date: "8 Aug 2024 19:14:14 +0200"
Subject: "HSBC SWIFT Payment Delivery Advice {IB17924306092314 ,0150548596801}"
Attachment: "HSBC SWIFT Payment Delivery Advice {IB17924306092314 ,0150548596801}.zip"

Intelligence

File Origin

# of uploads :

# of downloads :

352

Origin country :

File Archive Information

This file archive contains 1 file(s), sorted by their relevance:

File name:	HSBC SWIFT Payment Delivery Advice {IB17924306092314 ,0150548596801}.exe
File size:	1'309'696 bytes
SHA256 hash:	81c1043490096d6c818bf0eae1bfe8248d7f9b3b1217d4c769de6f29e321e635
MD5 hash:	51db45892803b947277b04005594f3aa
MIME type:	application/x-dosexec
Signature	SnakeKeylogger

Vendor Threat Intelligence

Detection(s):

Sanesecurity.Rogue.0hr.20240808-2237.UNOFFICIAL

Win.Malware.Silentall-10034109-0

SecuriteInfo.com.Trojan.Generic.33203615.28472.17882.UNOFFICIAL

Verdict:

Malicious

Score:

96.5%

Link:

https://cyber-fortress.com/docs/result/index.php?id=66b56960b35234d5cc65bc6d

Tags:

Discovery Generic Network Stealth Shellcodecrypter

Result

Verdict:

Malicious

File Type:

PE File

Link:

https://app.docguard.net/fb6f73bb0367c0a581cc75d76b925f5b08c128887e4967b2503f6258bb781874/results/dashboard

Behaviour

BlacklistAPI detected

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

autoit epmicrosoft_visual_cc fingerprint keylogger lolbin masquerade microsoft_visual_cc packed shell32

Link:

https://www.filescan.io/uploads/66bc98c132f6d05ff3cccd3d/reports/d545fc6e-ecb2-41d5-90b2-15e414c81352/overview

Verdict:

Malicious

Labled as:

Trojan.Generic

Link:

https://www.hybrid-analysis.com/sample/fb6f73bb0367c0a581cc75d76b925f5b08c128887e4967b2503f6258bb781874

Result

Verdict:

MALICIOUS

Link:

https://labs.inquest.net/dfi/sha256/fb6f73bb0367c0a581cc75d76b925f5b08c128887e4967b2503f6258bb781874

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Score:

100%

Verdict:

Malware

File Type:

Result

Malware family:

snakekeylogger

Score:

10/10

Tags:

family:snakekeylogger collection credential_access discovery keylogger stealer

Link:

https://tria.ge/reports/240814-n4k6ja1bld/

Behaviour

outlook_office_path

outlook_win_path

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: MapViewOfSection

Suspicious use of AdjustPrivilegeToken

Suspicious use of FindShellTrayWindow

Suspicious use of SendNotifyMessage

Suspicious use of WriteProcessMemory

Program crash

System Location Discovery: System Language Discovery

Suspicious use of SetThreadContext

Accesses Microsoft Outlook profiles

Looks up external IP address via web service

Credentials from Password Stores: Credentials from Web Browsers

Snake Keylogger

Snake Keylogger payload

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/fb6f73bb0367c0a581cc75d76b925f5b08c128887e4967b2503f6258bb781874

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	AutoIT_Compiled Create hunting rule
Author:	@bartblaze
Description:	Identifies compiled AutoIT script (as EXE). This rule by itself does NOT necessarily mean the detected file is malicious.

Rule name:	DebuggerCheck__API Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	maldoc_find_kernel32_base_method_1 Create hunting rule
Author:	Didier Stevens (https://DidierStevens.com)

Rule name:	pe_detect_tls_callbacks Create hunting rule

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

SnakeKeylogger

zip fb6f73bb0367c0a581cc75d76b925f5b08c128887e4967b2503f6258bb781874

(this sample)

AgentTesla

exe 81c1043490096d6c818bf0eae1bfe8248d7f9b3b1217d4c769de6f29e321e635

Delivery method

Distributed via e-mail attachment

Dropping

SHA256 81c1043490096d6c818bf0eae1bfe8248d7f9b3b1217d4c769de6f29e321e635

Dropping

SnakeKeylogger

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample