MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 ffd0e11aad8236d20c3b254e5cd495262f09e7ab8515ef9c43d292ceef085904. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


SnakeKeylogger


Vendor detections: 7


Intelligence 7 IOCs YARA 10 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: ffd0e11aad8236d20c3b254e5cd495262f09e7ab8515ef9c43d292ceef085904
SHA3-384 hash: 9406f465aae9ada21e9847c292d6c35f64e81359ba9f4d20583e0fb5e1ee2e0b7cd0a156096f9a2da4a637a9821d64c5
SHA1 hash: c681408fe06b9ebf291885fc3bca8dc4b8d5cd5a
MD5 hash: 0939ffc5a87e6e22d5005ecf45ded569
humanhash: carbon-island-michigan-lemon
File name:БАНКОВСКИЙ ПЕРЕВОД pdf.zip
Download: download sample
Signature SnakeKeylogger
Create hunting rule
File size:832'635 bytes
First seen:2024-08-19 06:58:32 UTC
Last seen:Never
File type: zip
MIME type:application/zip
ssdeep 24576:eHMx4Ot+aU8iOLuzMYxr2nwFEfqFh3+/yH:eu4OfCSqFECz+/M
TLSH T19D0523690D44A770FD0642AD438C91235221C10DA9E3D7DF5DAEBE8B3CAD7B93646C87
Reporter cocaman
Tags:SnakeKeylogger SWIFT zip


Avatar
cocaman
Malicious email (T1566.001)
From: "Bron Kim <mmoffice2007@aomm.kz>" (likely spoofed)
Received: "from pkz56.hoster.kz (pkz56.hoster.kz [185.98.5.210]) "
Date: "Sun, 18 Aug 2024 20:10:09 -0700"
Subject: "=?UTF-8?Q?RE=3A_SWIFT_=D0=91=D0=90=D0=9D=D0=9A=D0=9E=D0=92=D0=A1?=
=?UTF-8?Q?=D0=9A=D0=98=D0=99_=D0=9F=D0=95=D0=A0=D0=95=D0=92=D0=9E=D0=94_?=
=?UTF-8?Q?=23USD32=2C000=2E00?="
Attachment: "БАНКОВСКИЙ ПЕРЕВОД pdf.zip"

Intelligence

File Origin
# of uploads :
1
# of downloads :
265
Origin country :
CH CH
File Archive Information

This file archive contains 1 file(s), sorted by their relevance:

File name:БАНКОВСКИЙ ПЕРЕВОД pdf.exe
File size:1'122'816 bytes
SHA256 hash: 72e7a39bce46e45402cbb4ae13053d57e87a62b06b53164acbe8c18ccf7dc696
MD5 hash: 627534bca81ea8cbc73a9ed94df2cf28
MIME type:application/x-dosexec
Signature SnakeKeylogger
Vendor Threat Intelligence
Detection(s):
Sanesecurity.Foxhole.Zip_fs3391.UNOFFICIAL
Create hunting rule

Verdict:
Malicious
Score:
99.9%
Link:
https://cyber-fortress.com/docs/result/index.php?id=66c2ed38aa5b40be0aa07c88
Tags:
Banker Discovery Encryption Execution Generic Network Static Stealth Snakestealer Dexter
Result
Verdict:
Unknown
File Type:
PE File
Link:
https://app.docguard.net/ffd0e11aad8236d20c3b254e5cd495262f09e7ab8515ef9c43d292ceef085904/results/dashboard
Verdict:
Unknown
Link:
https://www.hybrid-analysis.com/sample/ffd0e11aad8236d20c3b254e5cd495262f09e7ab8515ef9c43d292ceef085904
Result
Verdict:
MALICIOUS
Link:
https://labs.inquest.net/dfi/sha256/ffd0e11aad8236d20c3b254e5cd495262f09e7ab8515ef9c43d292ceef085904
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Score:
100%
Verdict:
Malware
File Type:
ARCHIVE
Link:
https://malprob.io/report/ffd0e11aad8236d20c3b254e5cd495262f09e7ab8515ef9c43d292ceef085904
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/ffd0e11aad8236d20c3b254e5cd495262f09e7ab8515ef9c43d292ceef085904/
Threat name:
ByteCode-MSIL.Trojan.SuspMsilInArcEmail
Create hunting rule
Status:
Malicious
First seen:
2024-08-19 06:02:10 UTC
File Type:
Binary (Archive)
Extracted files:
11
AV detection:
25 of 38 (65.79%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=77iocgvnqi3nedb3evhfzveveyxqtz5lquk67hcd2kjm53yileca._file
Result
Malware family:
n/a
Score:
  9/10
Tags:
collection credential_access discovery execution stealer
Link:
https://tria.ge/reports/240819-hwjd3stdrn/
Behaviour
Scheduled Task/Job: Scheduled Task
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Browser Information Discovery
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Looks up external IP address via web service
Checks computer location settings
Command and Scripting Interpreter: PowerShell
Credentials from Password Stores: Credentials from Web Browsers
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/ffd0e11aad8236d20c3b254e5cd495262f09e7ab8515ef9c43d292ceef085904

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:NETexecutableMicrosoft
Create hunting rule
Author:malware-lu
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

SnakeKeylogger

zip ffd0e11aad8236d20c3b254e5cd495262f09e7ab8515ef9c43d292ceef085904

(this sample)

SnakeKeylogger

Executable exe 72e7a39bce46e45402cbb4ae13053d57e87a62b06b53164acbe8c18ccf7dc696

  
Delivery method
Distributed via e-mail attachment
  
Dropping
SHA256 72e7a39bce46e45402cbb4ae13053d57e87a62b06b53164acbe8c18ccf7dc696
  
Dropping
MD5 627534bca81ea8cbc73a9ed94df2cf28

Comments