MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 003c6607c3deee0f0c458c18220403e1eb2ae5469814756e551faf5bf3fc9f5a. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

SnakeKeylogger

Vendor detections: 15

Intelligence 15 IOCs YARA 2 File information Comments

SHA256 hash:	003c6607c3deee0f0c458c18220403e1eb2ae5469814756e551faf5bf3fc9f5a
SHA3-384 hash:	9887fc6ce8d4d023bec2379febda0b75d01db8655b89a0c9ad550335fad8f878b068018cc2beea8fcf196ac6fb7295b3
SHA1 hash:	2a17b07e408d7f6e4c7ee5f7e833a199eeafe6dc
MD5 hash:	882bc784202475c666b589b889b72037
humanhash:	october-bluebird-william-lactose
File name:	Voyage Orders Details.exe
Download:	download sample
Signature	SnakeKeylogger Create hunting rule
File size:	779'264 bytes
First seen:	2023-03-27 15:24:14 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'462 x Formbook, 12'204 x SnakeKeylogger)
ssdeep	12288:YkUJB0Oj1Si6Uxo6WM3ZYPVEWZU3LgLTM8VLOy5cT3l9mB3KaPvrBS3PTFJhZ:YNuiLxdW8YPVxUuTM8ZPcTIKrfD
Threatray	543 similar samples on MalwareBazaar
TLSH	T12BF4131BE674A721C7A5C7F413E18A84E2BDF4F56766ED08AD8830E702F77208A57607
TrID	71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13) 10.2% (.EXE) Win64 Executable (generic) (10523/12/4) 6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 4.3% (.EXE) Win32 Executable (generic) (4505/5/1) 2.0% (.ICL) Windows Icons Library (generic) (2059/9)
Reporter	James_inthe_box
Tags:	exe SnakeKeylogger

Intelligence

File Origin

# of uploads :

# of downloads :

254

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

Voyage Orders Details.exe

Verdict:

Malicious activity

Analysis date:

2023-03-27 15:25:59 UTC

Tags:

snake keylogger trojan evasion

Link:

https://app.any.run/tasks/df96f0d9-542e-41d1-89cf-6dd369287f5f

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

Snake

Link:

https://www.capesandbox.com/analysis/377942/

Detection(s):

Sanesecurity.Malware.28872.BadIN4.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Launching a process

Creating a window

Сreating synchronization primitives

Creating a file in the %AppData% directory

Enabling the 'hidden' option for recently created files

Adding an access-denied ACE

Creating a process from a recently created file

Creating a process with a hidden window

Launching the default Windows debugger (dwwin.exe)

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

barys comodo lokibot packed

Link:

https://www.filescan.io/uploads/6421b5508f3f4544f6cc56fb/reports/c70a92dc-57f8-4208-8c70-85768575f15a/overview

Verdict:

Malicious

Labled as:

Win/malicious_confidence_100%

Link:

https://www.hybrid-analysis.com/sample/003c6607c3deee0f0c458c18220403e1eb2ae5469814756e551faf5bf3fc9f5a

Result

Verdict:

UNKNOWN

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Snake Keylogger

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/11fb0d09-a430-4ab7-94b4-ee5e5bb42fce

Result

Threat name:

Snake Keylogger

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1202814

Signature

.NET source code contains potential unpacker

Adds a directory exclusion to Windows Defender

Initial sample is a PE file and has a suspicious name

Injects a PE file into a foreign processes

Machine Learning detection for dropped file

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

May check the online IP address of the machine

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Sigma detected: Scheduled temp file as task from temp location

Snort IDS alert for network traffic

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to steal Mail credentials (via file / registry access)

Uses schtasks.exe or at.exe to add and modify task schedules

Yara detected Generic Downloader

Yara detected Snake Keylogger

Yara detected Telegram RAT

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/003c6607c3deee0f0c458c18220403e1eb2ae5469814756e551faf5bf3fc9f5a/

Threat name:

Win32.Trojan.Leonem

Status:

Malicious

First seen:

2023-03-27 13:35:48 UTC

File Type:

PE (.Net Exe)

Extracted files:

AV detection:

18 of 36 (50.00%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=aa6gmb6d33xa6dcfrqmcebad4hvsvzkgtakhk3svd6xvx474t5na._file

Verdict:

malicious

SnakeKeylogger

285442f66366aab5b789ec12e4e484b345f4c3a5e3357841507ccb0d0049ac0e

SnakeKeylogger

454c784e20e24793d9ed6ea55e6c8b308ced6dbdaf8a3d2de5dd7b1817ed231d

SnakeKeylogger

89fc947344db449af06bbd95b6f955a98c06006e742a589689860dd5806484aa

SnakeKeylogger

8d568e3e78eaaf4a8a89f03de6ad457c036bf257741f2bf42d6b861f65c5c060

SnakeKeylogger

b3811fa28d3e22cf5029476f6870c54e7fcd4d68da1342bb199ca6d41ed9ff56

SnakeKeylogger

da066dd7d70853830debfb1931ab13e48b2556e8b8d116db96749d1f0db43577

SnakeKeylogger

f4e535a66881a91014aa12b837175eb110849a0d387a925444576387aafd633b

SnakeKeylogger

fbca5195cab9ea8df36b6123fd0e23f2e1ca97cd0b61d6d40ecee6611f31c8ff

SnakeKeylogger

+ 533 additional samples on MalwareBazaar

Result

Malware family:

snakekeylogger

Score:

10/10

Tags:

family:snakekeylogger collection keylogger spyware stealer

Link:

https://tria.ge/reports/230327-stlrjagb3z/

Behaviour

Creates scheduled task(s)

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

outlook_office_path

outlook_win_path

Enumerates physical storage devices

Suspicious use of SetThreadContext

Accesses Microsoft Outlook profiles

Looks up external IP address via web service

Checks computer location settings

Reads data files stored by FTP clients

Reads user/profile data of local email clients

Reads user/profile data of web browsers

Snake Keylogger

Snake Keylogger payload

Unpacked files

SH256 hash:

7ad6fd7241826025ff1a01588a824a9b983fd37a7c050982e831ed69609658a1

MD5 hash:

d4f77acad079711bb0c14aa6164a2777

SHA1 hash:

fef12baf324a0dbde2dc171763f676cd1b6b82e9

Link:

https://www.unpac.me/results/0e3cd668-ab4b-42ad-8cea-6976de2c6c5b/

SH256 hash:

42a1b13fcfeac3b9171c33a5f5d5cd202e022653fd40a3d77ec0ecffbdb25805

MD5 hash:

aca804d5d77bd73228eaa44a95402330

SHA1 hash:

fab4900d6af18796b65e1ab8f5ca4da5c933185b

Detections:

snake_keylogger

Link:

https://www.unpac.me/results/0e3cd668-ab4b-42ad-8cea-6976de2c6c5b/

Parent samples :

854b59aa584237418101867e86018d0e0c3e8a588010d8cc8f8850e66b5221b9
003c6607c3deee0f0c458c18220403e1eb2ae5469814756e551faf5bf3fc9f5a
e6c74fa34990259423123de4dca4a6b1924929ac74b4e0078c702ca2ec05782b
e7549401654dedc2a2064ccaaf8301c753c76b0f71f208c0d819f2a56ab8949f
ca598fdf9fb15e2c04dbb11f4c4ba49c397029ed14fe2eedbc5c320eea4a00a6
145b8aff160e3a50b8b5b9e6fd3b68106c1f3c0766bf76fa88faea0787d07bf5
8f90611a7d29f7e832d55fe1587107d30c53c2f580c45ea09c4f0cf45fe7cc7d
42a1b13fcfeac3b9171c33a5f5d5cd202e022653fd40a3d77ec0ecffbdb25805
3ace1af5dc3cf09c40ae8d4c0c4f499fbe1996c7c041ee07e30fb24283b4343f

SH256 hash:

1aa92b1fe909b6363698b7117b58e939b02accec4b3d3c1337afd95ca4b15bb6

MD5 hash:

4db6115981744df67ab3ad00b0540258

SHA1 hash:

c24e21d8b46c9bb252e21468264f4490935bb0bb

Link:

https://www.unpac.me/results/0e3cd668-ab4b-42ad-8cea-6976de2c6c5b/

SH256 hash:

d06df7395d561e198f9b7c5481567116ff2e4c2e84437c018d2a2c8ea6c4ca37

MD5 hash:

0fb6061f7d37424fb9e6d0e76b019c19

SHA1 hash:

98a64bf7b459f032d6ec5793003bf61b5ae1dd74

Link:

https://www.unpac.me/results/0e3cd668-ab4b-42ad-8cea-6976de2c6c5b/

Parent samples :

495607b1aef01bf7dfb64b5cb16a8fc0f161c2923627d71c69de97328f8eca3f
2434aa78b46a3afc98fa6e888c3eb56278ba52b0ff800e7e875af9c2e7f9011a

SH256 hash:

6bf9d07d639521837124af321555cbcdc5997fead136195aed97e2744e4120b6

MD5 hash:

acfbc6c59006cabeaa982c5cf3b2975c

SHA1 hash:

03ef87ee97fb810723f8cf284c09755c08822eb0

Link:

https://www.unpac.me/results/0e3cd668-ab4b-42ad-8cea-6976de2c6c5b/

SH256 hash:

003c6607c3deee0f0c458c18220403e1eb2ae5469814756e551faf5bf3fc9f5a

MD5 hash:

882bc784202475c666b589b889b72037

SHA1 hash:

2a17b07e408d7f6e4c7ee5f7e833a199eeafe6dc

Link:

https://www.unpac.me/results/0e3cd668-ab4b-42ad-8cea-6976de2c6c5b/

Malware family:

SnakeKeylogger

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/003c6607c3de/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/003c6607c3deee0f0c458c18220403e1eb2ae5469814756e551faf5bf3fc9f5a

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	pe_imphash Create hunting rule

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method

Other

Cape

https://www.capesandbox.com/analysis/377942/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample