MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 6b2709906a90b8d70e1f315ecf52eb67c9fecd1a65523aa46b4823786ba701d9. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


SnakeKeylogger


Vendor detections: 11


Intelligence 11 IOCs YARA 7 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 6b2709906a90b8d70e1f315ecf52eb67c9fecd1a65523aa46b4823786ba701d9
SHA3-384 hash: d9c56afdd21d98fba1a17e13a160caccf549f9ff382b3970f06ada0e4b8a2bd3b747b0bd569ac634bdbb2e291e3da1b5
SHA1 hash: 579f128123ea7d405f53289961347afbd711f2c0
MD5 hash: 983cad323ade648ec1161aa0cd24b57f
humanhash: equal-kansas-floor-juliet
File name:NEW-ORDER Q701528501.exe
Download: download sample
Signature SnakeKeylogger
Create hunting rule
File size:791'040 bytes
First seen:2022-05-16 11:28:32 UTC
Last seen:2022-05-16 12:50:58 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'662 x AgentTesla, 19'477 x Formbook, 12'208 x SnakeKeylogger)
ssdeep 12288:tkdxCzqT3kX40lvqcSXUxBXOg6ugar+4zl2Uf5oR1NMw4qdVUxU3NS:tO30/ljeUbetugarzl2UfqM/6UYNS
Threatray 10'823 similar samples on MalwareBazaar
TLSH T1FAF4F62C3B055E62FC1D9530CD110BB9BB62AF83334199C6A7DF2BCA8B5E1B51D15C8A
TrID 69.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
9.9% (.EXE) Win64 Executable (generic) (10523/12/4)
6.2% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.7% (.EXE) Win16 NE executable (generic) (5038/12/1)
4.2% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):PE icon
dhash icon 0f13e8d44c79374f (2 x SnakeKeylogger, 1 x AgentTesla)
Reporter abuse_ch
Tags:exe SnakeKeylogger

Intelligence

File Origin
# of uploads :
2
# of downloads :
207
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
NEW-ORDER Q701528501.exe
Verdict:
Malicious activity
Analysis date:
2022-05-16 12:18:07 UTC
Tags:
evasion trojan snake
Link:
https://app.any.run/tasks/258d621f-fd02-4748-a3f5-a0eba7428b27

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/271050/
Result
Verdict:
Malware
Maliciousness:

Behaviour
Сreating synchronization primitives
Launching a process
Running batch commands
Creating a window
Unauthorized injection to a system process
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
cmd.exe obfuscated packed
Link:
https://www.filescan.io/uploads/6282358c70e563c3836975b4/reports/4f80107d-dcfb-467e-a18d-8251cb35843f/overview
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/9f4b78e3-e4e3-4840-8245-6b1927f3627e
Result
Threat name:
Snake Keylogger
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/994844
Signature
.NET source code references suspicious native API functions
Allocates memory in foreign processes
Binary or sample is protected by dotNetProtector
Found malware configuration
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
May check the online IP address of the machine
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic
Tries to delay execution (extensive OutputDebugStringW loop)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Mail credentials (via file / registry access)
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Yara detected Generic Downloader
Yara detected Snake Keylogger
Yara detected Telegram RAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 627340 Sample: NEW-ORDER Q701528501.exe Startdate: 16/05/2022 Architecture: WINDOWS Score: 100 40 Snort IDS alert for network traffic 2->40 42 Found malware configuration 2->42 44 Malicious sample detected (through community Yara rule) 2->44 46 9 other signatures 2->46 7 NEW-ORDER Q701528501.exe 2 2->7         started        11 PC.exe 2->11         started        process3 file4 32 C:\Users\...32EW-ORDER Q701528501.exe.log, ASCII 7->32 dropped 48 Writes to foreign memory regions 7->48 50 Allocates memory in foreign processes 7->50 52 Injects a PE file into a foreign processes 7->52 13 RegAsm.exe 15 2 7->13         started        17 cmd.exe 3 7->17         started        20 cmd.exe 1 7->20         started        54 Multi AV Scanner detection for dropped file 11->54 56 Machine Learning detection for dropped file 11->56 signatures5 process6 dnsIp7 34 checkip.dyndns.com 193.122.130.0, 49770, 80 ORACLE-BMC-31898US United States 13->34 36 checkip.dyndns.org 13->36 38 192.168.2.1 unknown unknown 13->38 58 May check the online IP address of the machine 13->58 60 Tries to steal Mail credentials (via file / registry access) 13->60 62 Tries to harvest and steal ftp login credentials 13->62 64 Tries to harvest and steal browser information (history, passwords, etc) 13->64 28 C:\Users\user\AppData\Local\Temp\PC\PC.exe, PE32 17->28 dropped 30 C:\Users\user\...\PC.exe:Zone.Identifier, ASCII 17->30 dropped 22 conhost.exe 17->22         started        66 Uses schtasks.exe or at.exe to add and modify task schedules 20->66 24 conhost.exe 20->24         started        26 schtasks.exe 1 20->26         started        file8 signatures9 process10
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/6b2709906a90b8d70e1f315ecf52eb67c9fecd1a65523aa46b4823786ba701d9/
Threat name:
Win32.Trojan.GenericML
Create hunting rule
Status:
Malicious
First seen:
2022-05-16 11:29:16 UTC
File Type:
PE (.Net Exe)
Extracted files:
106
AV detection:
17 of 26 (65.38%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=nmtqtedksc4nodq7gfpm6uxlm7e75ti2mvjdvjdljarxq25hahmq._file
Verdict:
malicious
Similar samples:
2ff83b92db02e32a0a981b75575dac7b521a343754cdfaf493fbf7f93cb38100
SnakeKeylogger
35edc5ef499d3d36611769047630195bb59883cd9feb7c36c7988d59d0087ba5
SnakeKeylogger
382184e7571f141ed3e438ed7a88975d09b2305f827ff6b7ac65d0d31a2455c5
SnakeKeylogger
3bb08043abef19a94934ff3cf96328f6c4a72e3261df424971911094c90ced6c
SnakeKeylogger
7b70539f965304695a75a493f50370ce9a9fcebc0a0667aadf11b3a4c540c8e7
SnakeKeylogger
a3e03b14952892c47905fc23fa009c3ba80c9ea3e53516fca5def4e71db51463
SnakeKeylogger
c586cdae80de6a25dc94c91083dc6468b282767f522d49496f01d6e07e3b7ab0
SnakeKeylogger
cab9ea99be713d04dfb08a504ae6cb92ceebca932ae5651f106045a86966bba4
SnakeKeylogger
+ 10'813 additional samples on MalwareBazaar
Result
Malware family:
snakekeylogger
Create hunting rule
Score:
  10/10
Tags:
family:snakekeylogger keylogger stealer
Link:
https://tria.ge/reports/220516-nljvracbdp/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Program crash
Suspicious use of SetThreadContext
Looks up external IP address via web service
Executes dropped EXE
Snake Keylogger
Snake Keylogger Payload
Malware Config
C2 Extraction:
https://api.telegram.org/bot5298753233:AAEzVFdK_UIW494kpeWdlRCTwjmA2bDMwKM/sendMessage?chat_id=1166763137
Unpacked files
SH256 hash:
e22e7f09d743e524d134f4b4bbf5f1eb5308a3edb954a40b8aa5e68c7b8cffd4
MD5 hash:
07e1f7163b7d8b6d80d83d1c819436ef
SHA1 hash:
ed7724c52e18b9810939327b803ca03837915836
Link:
https://www.unpac.me/results/46946037-15d6-4781-8125-f3250279efdd/
Parent samples :
1d16237ed75b507f03609ede9722fff429f9a7386c4c4408a9f47623d7a28b50
7154910c217ddc6b6d3726e066d688288efbcd8682a4ad90556fed2ce9009c69
c5dd4dced21baff9499dac6505a77527ac91dc0b0f187c20e9b960b46b3636b9
90dd02313886725b3ad19eaa0780f7189d49e8d1a334e51e5432027e2326c14f
SH256 hash:
74e05e860794f6555f8a96bd7361614d5c6ae9778982c653b786f91b31bbd56e
MD5 hash:
c289c56da7b16bfb81d96f864ea3a01d
SHA1 hash:
cf93931c3de419f0cf34ee6b0de03c249e6aba34
Link:
https://www.unpac.me/results/46946037-15d6-4781-8125-f3250279efdd/
SH256 hash:
46a845122e79c8547fe620c7833aca97e66aeb8c1fb003b7ae2016aa9218ca32
MD5 hash:
89f490b5180821c78c46d8835f0515e3
SHA1 hash:
f78cf97245b0614ea57c50dc5a488d27fbf564d3
Link:
https://www.unpac.me/results/46946037-15d6-4781-8125-f3250279efdd/
SH256 hash:
6b2709906a90b8d70e1f315ecf52eb67c9fecd1a65523aa46b4823786ba701d9
MD5 hash:
983cad323ade648ec1161aa0cd24b57f
SHA1 hash:
579f128123ea7d405f53289961347afbd711f2c0
Link:
https://www.unpac.me/results/46946037-15d6-4781-8125-f3250279efdd/
Malware family:
SnakeKeylogger
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/6b2709906a90/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/6b2709906a90b8d70e1f315ecf52eb67c9fecd1a65523aa46b4823786ba701d9

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_EXE_Packed_Babel
Create hunting rule
Author:ditekSHen
Description:Detects executables packed with Babel
Rule name:INDICATOR_EXE_Packed_Dotfuscator
Create hunting rule
Author:ditekSHen
Description:Detects executables packed with Dotfuscator
Rule name:INDICATOR_EXE_Packed_dotNetProtector
Create hunting rule
Author:ditekSHen
Description:Detects executables packed with dotNetProtector
Rule name:INDICATOR_EXE_Packed_Goliath
Create hunting rule
Author:ditekSHen
Description:Detects executables packed with Goliath
Rule name:INDICATOR_EXE_Packed_SmartAssembly
Create hunting rule
Author:ditekSHen
Description:Detects executables packed with SmartAssembly
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

SnakeKeylogger

Executable exe 6b2709906a90b8d70e1f315ecf52eb67c9fecd1a65523aa46b4823786ba701d9

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/271050/

Comments