MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 ffd9ef759aa1fbd3370a8410771878b7ae941d0c60c5ce41d705aa18e4e59958. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

SnakeKeylogger

Vendor detections: 7

Intelligence 7 IOCs YARA 3 File information Comments

SHA256 hash:	ffd9ef759aa1fbd3370a8410771878b7ae941d0c60c5ce41d705aa18e4e59958
SHA3-384 hash:	6b8c793909162d4c6eb7d39f28080183d456e290aaefc51dd750dc64bf5daf10a9a8bf8ef3470cedda0c22c7c368e068
SHA1 hash:	04fe416ede15f7a0873609fe0660263a6cb7dd95
MD5 hash:	ee7673e9718c0ea2c15cc3b75548fea6
humanhash:	pip-arkansas-alabama-nuts
File name:	REQUIRED UPDATED SOA.pdf.exe
Download:	download sample
Signature	SnakeKeylogger Create hunting rule
File size:	605'696 bytes
First seen:	2021-01-18 07:12:16 UTC
Last seen:	2021-01-18 08:50:30 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	3fa489abaee814a61ce0966e1954db55 (12 x Loki, 7 x RemcosRAT, 3 x SnakeKeylogger)
ssdeep	12288:M4GbT/r+XtczqsBdRqFWzzB9RiQl0hL3TZxxgLrnMTgNbpp4iV5/vAPUxc:MjTSczhdRuIzBXiQmhLDVgLrn4gZJVMp
Threatray	275 similar samples on MalwareBazaar
TLSH	18D4F121B8C1C071D41321751665DBB14AAA7CB23772B98B7BDD7E7A4F722E2C23530A
Reporter	abuse_ch
Tags:	exe SnakeKeylogger

abuse_ch

Malspam distributing unidentified malware:

HELO: hosted-by.rootlayer.net
Sending IP: 185.222.58.152
From: yolanda.sh@francovagochina.com
Subject: REQUIRED UPDATED SOA TILL DATE
Attachment: REQUIRED UPDATED SOA.pdf.gz (contains "REQUIRED UPDATED SOA.pdf.exe")

Intelligence

File Origin

# of uploads :

# of downloads :

112

Origin country :

n/a

Vendor Threat Intelligence

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/112406/

Detection(s):

PUA.Win.Downloader.Firseria-6804617-0

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a file in the %temp% subdirectories

Creating a file

Running batch commands

Creating a process with a hidden window

Launching a process

DNS request

Sending an HTTP GET request

Sending a custom TCP request

Reading critical registry keys

Creating a window

Sending a UDP request

Unauthorized injection to a system process

Enabling autorun by creating a file

Result

Threat name:

Snake Keylogger

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/583354

Signature

Antivirus detection for dropped file

Initial sample is a PE file and has a suspicious name

Machine Learning detection for dropped file

Machine Learning detection for sample

Maps a DLL or memory area into another process

May check the online IP address of the machine

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to steal Mail credentials (via file access)

Uses an obfuscated file name to hide its real file extension (double extension)

Writes to foreign memory regions

Yara detected Snake Keylogger

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/ffd9ef759aa1fbd3370a8410771878b7ae941d0c60c5ce41d705aa18e4e59958/

Threat name:

Win32.Trojan.Generic

Status:

Suspicious

First seen:

2021-01-17 23:24:27 UTC

AV detection:

15 of 28 (53.57%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=77m665m2uh55gnykqqihogdyw6xjihimmdc44qoxawvbrzhftfma._file

Verdict:

unknown

SnakeKeylogger

4903333c4aca1501316d62fadbee470fba700b11a23fbcdbc1435ff1b73f7aaf

SnakeKeylogger

5a9d6f65582f501b13882b7114eb420be506bbf8695a890e1573d3a20b8d0b7c

SnakeKeylogger

6800f5b370a3df8a367fdf29b81f596dc78b5d7b095e5c3c5a9cae0dac36efbc

SnakeKeylogger

7a5dd5409a4a4928ac82b3c019c717d4d6a920a4309e0dcd9fec58f3711187f0

SnakeKeylogger

a81dc80c4e292405023f9c59504e55045ca754901cd06185d041642ce91a33b2

SnakeKeylogger

a9b710f85ef86429b380e2a96153ea27a21ea201ce8bd81e316420f0c3a435c3

SnakeKeylogger

ac23d4ba0e11c07488224b01abc734d353da88537ed55c945eec7a91a20216a4

SnakeKeylogger

aea8b826c919840c0757bde7e31b915fda0439bd28b10418479aa17c53f91e12

SnakeKeylogger

bf0e82358921791e16998b942e600a500a967f6e5c5b034a675af7e49663a34f

SnakeKeylogger

+ 265 additional samples on MalwareBazaar

Result

Malware family:

snakekeylogger

Score:

10/10

Tags:

family:snakekeylogger keylogger stealer

Link:

https://tria.ge/reports/210118-ks316txx8a/

Behaviour

Creates scheduled task(s)

Suspicious behavior: MapViewOfSection

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of SetThreadContext

Looks up external IP address via web service

Snake Keylogger

Snake Keylogger Payload

Unpacked files

SH256 hash:

ffd9ef759aa1fbd3370a8410771878b7ae941d0c60c5ce41d705aa18e4e59958

MD5 hash:

ee7673e9718c0ea2c15cc3b75548fea6

SHA1 hash:

04fe416ede15f7a0873609fe0660263a6cb7dd95

Link:

https://www.unpac.me/results/efc9c599-df48-4ad1-bcc9-122e0c840124/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Kryptik

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/ffd9ef759aa1fbd3370a8410771878b7ae941d0c60c5ce41d705aa18e4e59958

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	INDICATOR_EXE_Packed_ConfuserExMod_BedsProtector Create hunting rule
Author:	ditekSHen
Description:	Detects executables packed with ConfuserEx Mod Beds Protector