MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 fe2a7fbf5eceff4507690ba13c38817f4ecfa6cbc376ad8829ee121797a866ac. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

SnakeKeylogger

Vendor detections: 15

Intelligence 15 IOCs YARA 1 File information Comments

SHA256 hash:	fe2a7fbf5eceff4507690ba13c38817f4ecfa6cbc376ad8829ee121797a866ac
SHA3-384 hash:	f66dded4efd75375cdaab370731bac2b5cedfe1bedcc905108668eb14e217f7dcb78111da87b20db643329ac80a95b0f
SHA1 hash:	fb0c5a0751addf986e7ec7794789b730ef107431
MD5 hash:	816659035e7720016f9fcd8907e79a5f
humanhash:	emma-emma-london-earth
File name:	Z0iORdySTEIDFZI.exe
Download:	download sample
Signature	SnakeKeylogger Create hunting rule
File size:	1'787'392 bytes
First seen:	2022-10-18 05:58:06 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	332f7ce65ead0adfb3d35147033aabe9 (81 x XRed, 18 x SnakeKeylogger, 7 x DarkComet)
ssdeep	24576:DnsJ39LyjbJkQFMhmC+6GD91sxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxm:DnsHyjtk2MYC5GDDNwZqzCcFdjj
Threatray	5'889 similar samples on MalwareBazaar
TLSH	T173857B7272D00237E02136788857E2B725FB7E102920E5CB2AD71F5FBD652B7A916387
TrID	92.9% (.EXE) Win32 Executable Borland Delphi 7 (664796/42/58) 1.9% (.EXE) Win32 Executable Delphi generic (14182/79/4) 1.4% (.EXE) Win64 Executable (generic) (10523/12/4) 1.3% (.EXE) DOS Borland compiled Executable (generic) (10000/1/2) 0.6% (.EXE) Win32 Executable (generic) (4505/5/1)
dhash icon	5420ccd4ccccaa10 (1 x SnakeKeylogger)
Reporter	lowmal3
Tags:	exe SnakeKeylogger

Intelligence

File Origin

# of uploads :

# of downloads :

211

Origin country :

n/a

Vendor Threat Intelligence

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/321205/

Detection(s):

PUA.Win.Packer.D1s1g-5

PUA.Win.Packer.D1s1g-1

PUA.Win.Packer.D1s1g-2

Win.Trojan.Emotet-9850453-0

Win.Trojan.Generic-9936029-0

Win.Malware.Delf-6899401-0

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a file

Enabling the 'hidden' option for recently created files

Creating a process from a recently created file

Moving a recently created file

Searching for the window

Creating a file in the %temp% directory

Moving a file to the %temp% directory

Modifying an executable file

DNS request

Sending an HTTP GET request

Sending a UDP request

Sending a custom TCP request

Сreating synchronization primitives

Creating a window

Searching for synchronization primitives

Unauthorized injection to a recently created process

Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch

Query of malicious DNS domain

Infecting executable files

Result

Malware family:

n/a

Score:

5/10

Tags:

n/a

Link:

https://dragonfly.certego.net/analysis/43572/overview

Behaviour

MalwareBazaar

CheckCmdLine

Verdict:

Malicious

Threat level:

10/10

Confidence:

75%

Tags:

cmd.exe evasive fingerprint greyware hacktool keylogger macros macros-on-close macros-on-open packed packed shell32.dll

Link:

https://www.filescan.io/uploads/634e40a7455bf4ac5c714efd/reports/fc9a0f1e-e891-4d94-8dab-49b4c257514f/overview

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Generic Malware

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/53b635af-d2cf-4237-9aa5-d7e9030c24f0

Result

Threat name:

Snake Keylogger

Detection:

malicious

Classification:

expl.troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1092437

Signature

.NET source code contains potential unpacker

.NET source code references suspicious native API functions

Antivirus / Scanner detection for submitted sample

Antivirus detection for dropped file

Document contains an embedded VBA macro with suspicious strings

Document contains an embedded VBA with functions possibly related to ADO stream file operations

Document contains an embedded VBA with functions possibly related to HTTP operations

Document contains an embedded VBA with functions possibly related to WSH operations (process, registry, environment, or keystrokes)

Drops PE files to the document folder of the user

Machine Learning detection for dropped file

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

May check the online IP address of the machine

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Snort IDS alert for network traffic

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to steal Mail credentials (via file / registry access)

Uses dynamic DNS services

Yara detected AntiVM3

Yara detected Generic Downloader

Yara detected Snake Keylogger

Yara detected Telegram RAT

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/fe2a7fbf5eceff4507690ba13c38817f4ecfa6cbc376ad8829ee121797a866ac/

Threat name:

Win32.Backdoor.DarkComet

Status:

Malicious

First seen:

2022-10-18 04:33:06 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

26 of 26 (100.00%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=7yvh7p26z37ukb3jboqtyoebp5hm7jwlyn3k3cbj5yjbpf5im2wa._file

Verdict:

malicious

SnakeKeylogger

458787a4edcc3d5b67ad7cbe721addd3879872d25c90f9399984e02a9038b9c1

SnakeKeylogger

5ff2763a7af9c5e8d274be89a3df9e75d9a0b281878def38c44085395178f01e

SnakeKeylogger

7110059a2bb0e2b4e6ee39ff235c283864152200d0daca4fb123f3b7c7315095

SnakeKeylogger

98f57a58e8c04c7905cd96329487ea551f61ec1265d991f502fe7413254def12

SnakeKeylogger

a49f6e00c0468e074fa2204a7862c22aa3b934af4f2bb281c55d8bb65da67e44

SnakeKeylogger

addaf10bbef45a2bb941b2b984ecb26656e4554bbd7adc2baf6e14451b296918

SnakeKeylogger

cf3d069794498e9ee621651afdc6823dd2b076789af668f296f7ff9a233d1c3d

SnakeKeylogger

+ 5'879 additional samples on MalwareBazaar

Result

Malware family:

snakekeylogger

Score:

10/10

Tags:

family:snakekeylogger collection keylogger persistence spyware stealer

Link:

https://tria.ge/reports/221018-gpqn5sehhl/

Behaviour

Modifies registry class

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

outlook_office_path

outlook_win_path

Enumerates physical storage devices

Suspicious use of SetThreadContext

Accesses Microsoft Outlook profiles

Adds Run key to start application

Looks up external IP address via web service

Checks computer location settings

Loads dropped DLL

Reads data files stored by FTP clients

Reads user/profile data of local email clients

Reads user/profile data of web browsers

Executes dropped EXE

Snake Keylogger

Snake Keylogger payload

Malware Config

C2 Extraction:

https://api.telegram.org/bot5321688653:AAEI2yqGrOA_-sRZ3xaqutrexraSgFa0AnA/sendMessage?chat_id=5048077662

Verdict:

Suspicious

Tags:

n/a

YARA:

n/a

Link:

https://app.threat.zone/submission/7acf62fc-f629-4b2e-82b9-802c30ac2952

Unpacked files

SH256 hash:

a9fb72bc13e0090b49d598f29f1c0728bff06c547307fbe0fc1cb227d8c19c44

MD5 hash:

8133a8f0afcf62357648b2e24021911d

SHA1 hash:

d321e4528079c448e92712dd0751d1d3e452f544

Link:

https://www.unpac.me/results/860ec905-7e32-4de6-87e5-5dda784e935b/

SH256 hash:

7de596025513f076e11d40e979b1d475dca8db517bd2b1b94eceab0cd1e8c513

MD5 hash:

9f2fe738699090a2445da55d931e2840

SHA1 hash:

a108baf0547679df1bf13197f40d8decb763db9f

Link:

https://www.unpac.me/results/860ec905-7e32-4de6-87e5-5dda784e935b/

SH256 hash:

f0027e585e7cbdfb6e1acd7f43bc651080291af175003240b9bcfdab90bf0174

MD5 hash:

52b06687cb92e9dcd38d5be05520a0e2

SHA1 hash:

7bd20e4948c183fe179820636ad56b2e91cfd9e5

Link:

https://www.unpac.me/results/860ec905-7e32-4de6-87e5-5dda784e935b/

SH256 hash:

c78f0131808f1e413785eba353f5d7fbe079a2549c821dfeac1c06b5e6d93181

MD5 hash:

cc94248c5d10e4ac051ef91e32176e2c

SHA1 hash:

1e972ec5f52d1e548fb4d9b9ab8d47350018a487

Detections:

snake_keylogger

Link:

https://www.unpac.me/results/860ec905-7e32-4de6-87e5-5dda784e935b/

Parent samples :

62417edae13110fed908d2732ba7e43ec49af749c456c81740f540fa34bbe756
ad97db9a2ec2dffd87a00d37fe369244c206e0502721425b3d0b4636b89ad3aa
efd85d05f6895bdf7b33ec107555a234f6bc51d5625c6630e9665ddb6bad50af
5f119db647dcac4a1662073fa17e1554f13f9af1a9e3840631f4a03bec92e7f1
0a150814a392799c9c416674a8cbf62b3852f8e5af611f83e9656a269c275194
fe2a7fbf5eceff4507690ba13c38817f4ecfa6cbc376ad8829ee121797a866ac
69524a356c0748734777b74d2706b270ba46d96fd62151145370dc1a07ee8889
6da766510fe8768a10d22c5c2bb7e6362d65f6684de20e88f63d66e3be898ab2
638f8df25c45f872276d56ea885ce9b623271eca45ef9bd5a93887a627683109

SH256 hash:

e20ec8f3c957bcb6a194ef688bae8af2015cfffb20e7baf8b2114d7b70ade4ee

MD5 hash:

35cb29046968faca7f3f3b4463449b6c

SHA1 hash:

088c8c30ec1bece0a4b5bbfe3982b073f8b95598

Link:

https://www.unpac.me/results/860ec905-7e32-4de6-87e5-5dda784e935b/

SH256 hash:

0c82cd4634792527427d1003d5dd2825bb220567ce26e051532bf148f3535ad9

MD5 hash:

f25ce603460090ba2f98d040a1899769

SHA1 hash:

e39571e10b5995a0b0c8a3fd7309971cd44c88ff

Link:

https://www.unpac.me/results/860ec905-7e32-4de6-87e5-5dda784e935b/

SH256 hash:

fe2a7fbf5eceff4507690ba13c38817f4ecfa6cbc376ad8829ee121797a866ac

MD5 hash:

816659035e7720016f9fcd8907e79a5f

SHA1 hash:

fb0c5a0751addf986e7ec7794789b730ef107431

Link:

https://www.unpac.me/results/860ec905-7e32-4de6-87e5-5dda784e935b/

Malware family:

SnakeKeylogger

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/fe2a7fbf5ece/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/fe2a7fbf5eceff4507690ba13c38817f4ecfa6cbc376ad8829ee121797a866ac

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	vbaproject_bin Create hunting rule
Author:	CD_R0M_
Description:	{76 62 61 50 72 6f 6a 65 63 74 2e 62 69 6e} is hex for vbaproject.bin. Macros are often used by threat actors. Work in progress - Ran out of time

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

SnakeKeylogger

exe fe2a7fbf5eceff4507690ba13c38817f4ecfa6cbc376ad8829ee121797a866ac

(this sample)

Delivery method

Distributed via e-mail attachment

Cape

https://www.capesandbox.com/analysis/321205/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample