MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 ff3f86e0516f848f1a75847b807e00503530968fbd656b88236109735f225688. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


SnakeKeylogger


Vendor detections: 9


Intelligence 9 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: ff3f86e0516f848f1a75847b807e00503530968fbd656b88236109735f225688
SHA3-384 hash: e20f3981bb817a5eeab21a7b27490cca15800f445e178ed7daf52d997004e64ed7413517da4dca378232d3ff87b14662
SHA1 hash: d2d1849f350779c598845a35fa4053b2e7e21a43
MD5 hash: 6aa8678c3864527805f73a4d661bb4af
humanhash: moon-emma-coffee-nine
File name:Telex Transfer.exe
Download: download sample
Signature SnakeKeylogger
Create hunting rule
File size:1'097'728 bytes
First seen:2021-02-24 06:40:41 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'743 x AgentTesla, 19'608 x Formbook, 12'242 x SnakeKeylogger)
ssdeep 12288:z38KySCiSdWunLEQiydW+PWk7iWriyfpbkukWO8Jxde6lvyC2EhWWUWWMpGpQP4Q:zsiaaTEPk8xwq0P+s+rin5Oll
Threatray 24 similar samples on MalwareBazaar
TLSH 29353A032698BF57F9BFD738E26842094BF4B856D320DB0E7EE478D98A35F408756612
Reporter abuse_ch
Tags:exe SnakeKeylogger


Avatar
abuse_ch
Malspam distributing SnakeKeylogger:

HELO: vps.tecp0s.com
Sending IP: 203.159.80.121
From: office1@tecp0s.com
Subject: TELEX TRANSFER
Attachment: Telex Transfer.gz (contains "Telex Transfer.exe")

Intelligence

File Origin
# of uploads :
1
# of downloads :
89
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
Telex Transfer.exe
Verdict:
Malicious activity
Analysis date:
2021-02-24 06:48:59 UTC
Tags:
evasion trojan
Link:
https://app.any.run/tasks/ff6e628f-4153-4644-9bc8-c1df4aa95bd1

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Snake
Create hunting rule
Link:
https://www.capesandbox.com/analysis/118820/
Result
Verdict:
Clean
Maliciousness:

Behaviour
Creating a window
Sending a UDP request
Result
Verdict:
SUSPICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
Snake Keylogger
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/616174
Signature
.NET source code contains potential unpacker
Found malware configuration
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
May check the online IP address of the machine
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Scheduled temp file as task from temp location
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file access)
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected AntiVM_3
Yara detected Beds Obfuscator
Yara detected Snake Keylogger
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/ff3f86e0516f848f1a75847b807e00503530968fbd656b88236109735f225688/
Threat name:
Win32.Trojan.Pwsx
Create hunting rule
Status:
Malicious
First seen:
2021-02-24 04:46:52 UTC
AV detection:
5 of 45 (11.11%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=747ynycrn6ci6gtvqr5ya7qaka2tbfupxvswxcbdmeexgxzck2ea._file
Verdict:
malicious
Similar samples:
2d485079e6ea5f70104e6a625cd6a3afc285e80c6b48ace8cc1c78b131d89897
SnakeKeylogger
411942da0d420d40bda588e6b372013c496be35fd3c586232bee2c2d7706ba2a
SnakeKeylogger
4fc219b61d4c1ec456ac76af0a82dcfde187dcab2b015a277c6ee96b04930091
SnakeKeylogger
536658ca5cd0cfe41706073016c38e8aa40949b897e0fc68dc821ea842c85e77
SnakeKeylogger
6f95416c1006a499c7012c6cde49a27f83223c665cf9b28764030afeb04bf697
SnakeKeylogger
8c4c8b12dbf0db3ab592dec00177954ae0c044852ee56037d238b490ef2eae1f
SnakeKeylogger
cc84debcfc3e30a4b682bb53e028acb0a75d56607ab25b2418797f65a7e6efb7
SnakeKeylogger
e3f68e3679fc2ab587e712ce137e107318ebaa6bd5e724a76200bb10c945312b
SnakeKeylogger
e418958dc7d42216f8f151aef40df718df0a6a20d7d70c9954f7bd82953707a7
SnakeKeylogger
fc95c84eb428f263fef3220d512a2f602570f2acb41a46114244c30af48fd51b
SnakeKeylogger
+ 14 additional samples on MalwareBazaar
Result
Malware family:
snakekeylogger
Create hunting rule
Score:
  10/10
Tags:
family:snakekeylogger keylogger spyware stealer
Link:
https://tria.ge/reports/210224-3nwhxsa43j/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Looks up external IP address via web service
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Snake Keylogger
Snake Keylogger Payload
Unpacked files
SH256 hash:
68b716109ff4e18e21bd0acacb3796f7930771d19f6a766d7d3aa0bbde4ce7e0
MD5 hash:
a3d1d373062f59282307d4b9966d702b
SHA1 hash:
60c9c330e6ff63d3e0b3b0b700ac37bde5997ced
Link:
https://www.unpac.me/results/61e5aaca-ded7-4a56-ad74-4a684838b7cc/
SH256 hash:
ff3f86e0516f848f1a75847b807e00503530968fbd656b88236109735f225688
MD5 hash:
6aa8678c3864527805f73a4d661bb4af
SHA1 hash:
d2d1849f350779c598845a35fa4053b2e7e21a43
Link:
https://www.unpac.me/results/61e5aaca-ded7-4a56-ad74-4a684838b7cc/
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_EXE_Packed_ConfuserExMod_BedsProtector
Create hunting rule
Author:ditekSHen
Description:Detects executables packed with ConfuserEx Mod Beds Protector
Rule name:Keylog_bin_mem
Create hunting rule
Author:James_inthe_box
Description:Contains Keylog
Rule name:MALWARE_Win_SnakeKeylogger
Create hunting rule
Author:ditekSHen
Description:Detects Snake Keylogger

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

SnakeKeylogger

gz 0934b7bfc19e502e3a0a05067a78084dc0611a21b80078d0de2be6ec2e79fbce

SnakeKeylogger

Executable exe ff3f86e0516f848f1a75847b807e00503530968fbd656b88236109735f225688

(this sample)

  
Dropped by
MD5 83d91bb7d6c7bfb490997d6893f130b9
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/118820/
  
Dropped by
SHA256 0934b7bfc19e502e3a0a05067a78084dc0611a21b80078d0de2be6ec2e79fbce

Comments