MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 6ec80b2dc86e97a886c52fb67aea4ce1ab195587d51236f00cd5c4bf93edb4eb. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

SnakeKeylogger

Vendor detections: 11

Intelligence 11 IOCs YARA File information Comments

SHA256 hash:	6ec80b2dc86e97a886c52fb67aea4ce1ab195587d51236f00cd5c4bf93edb4eb
SHA3-384 hash:	2ec49d9f560abee3437c549ad78a4e335b22cb50eed296da59d6a633ce5b45f4a000eb484161e4c7312c1a6808aa5435
SHA1 hash:	05f2a89463f1335681fe7669a95a91ff52095081
MD5 hash:	009784700cb0534965d78fb5e2433a8f
humanhash:	bluebird-uniform-idaho-march
File name:	ORDEN DE COMPRA014.exe
Download:	download sample
Signature	SnakeKeylogger Create hunting rule
File size:	1'140'132 bytes
First seen:	2021-08-25 08:20:00 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	fcf1390e9ce472c7270447fc5c61a0c1 (863 x DCRat, 118 x NanoCore, 94 x njrat)
ssdeep	24576:nAOcZw/DuR+4Ys4zlisWCnG8rSjlCBWq3XFQYcqa6lCKCvZ:ZVl3NG8i8WWX6KtAZ
Threatray	1'688 similar samples on MalwareBazaar
TLSH	T1D2350102B781847ED532293218266AD5EB793D301E24F66F63E43E7F9F711819624BF2
dhash icon	f0ccb27170b2ccf0 (1 x SnakeKeylogger)
Reporter	Racco42
Tags:	exe SnakeKeylogger

Intelligence

File Origin

# of uploads :

# of downloads :

152

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

ORDEN DE COMPRA014.exe

Verdict:

Malicious activity

Analysis date:

2021-08-25 08:22:56 UTC

Tags:

evasion trojan snakekeylogger keylogger

Link:

https://app.any.run/tasks/ba3c3adb-9b01-4bf3-9287-d552110760c6

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

Snake

Link:

https://www.capesandbox.com/analysis/182228/

Detection(s):

Win.Malware.Lisk-9868843-0

Win.Malware.Lisk-9875330-0

Win.Malware.Qshell-9875653-0

Win.Malware.Lisk-9884866-0

Win.Malware.Lisk-9886225-0

Win.Malware.Lisk-9886229-0

Win.Malware.Lisk-9886840-0

SecuriteInfo.com.Gen.Variant.Johnnie.221809.751.14920.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

Searching for the window

Creating a file

Enabling the 'hidden' option for recently created files

Creating a process from a recently created file

Sending a UDP request

Adding an access-denied ACE

Launching a process

DNS request

Connection attempt

Sending an HTTP GET request

Sending a custom TCP request

Reading critical registry keys

Unauthorized injection to a system process

Forced shutdown of a browser

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/53693a4a-a6c1-4e7b-8686-4a1e33510da6

Result

Threat name:

Snake Keylogger

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/838858

Signature

.NET source code references suspicious native API functions

Allocates memory in foreign processes

Antivirus detection for URL or domain

Drops PE files with a suspicious file extension

Found malware configuration

Injects a PE file into a foreign processes

Malicious sample detected (through community Yara rule)

May check the online IP address of the machine

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Sigma detected: Suspicious Process Start Without DLL

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to steal Mail credentials (via file access)

Writes to foreign memory regions

Yara detected AntiVM autoit script

Yara detected Snake Keylogger

Yara detected Telegram RAT

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/6ec80b2dc86e97a886c52fb67aea4ce1ab195587d51236f00cd5c4bf93edb4eb/

Threat name:

Win32.Trojan.Tnega

Status:

Malicious

First seen:

2021-08-14 21:11:43 UTC

AV detection:

22 of 46 (47.83%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=n3eawloin2l2rbwff63hv2sm4gvrsvmh2ujdn4am2xcl7e7nwtvq._file

Verdict:

malicious

SnakeKeylogger

3776aaf0ca18645e4e245513a4aa3279cb6240221dac7f2401b63e8fba00ffbf

SnakeKeylogger

726e779529f34143e4d094f0252f3c6e04547d062970d26c0cb553c57c98b1ed

SnakeKeylogger

9ff44ba44707bbdda0a858a2d0c11725b146fb4671ed91295ce2e0a3ac8b175c

SnakeKeylogger

bce4b929f18998a33f795bd5b6f54d95e24fa63d7a5880e2e0361728122f40aa

SnakeKeylogger

d57a5e8835ba746d89d2c4ecc9f904793b485c6affc1b9901486c84eb88f4e1e

SnakeKeylogger

e17f1bd08149cfe18bd2a9ee2e04e3a9b6a46f85577885f1e74066a73e1debd2

SnakeKeylogger

+ 1'678 additional samples on MalwareBazaar

Result

Malware family:

snakekeylogger

Score:

10/10

Tags:

family:snakekeylogger keylogger stealer

Link:

https://tria.ge/reports/210825-1p1tgfbhfx/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Enumerates physical storage devices

Suspicious use of SetThreadContext

Looks up external IP address via web service

Loads dropped DLL

Executes dropped EXE

Snake Keylogger

Unpacked files

SH256 hash:

f3f16e3a80a51a96e4c2db320826b5cb5565b513a140071090947d8718c76974

MD5 hash:

59bb245fc54cee768f866ad633a64720

SHA1 hash:

bcdc0390ff2d3198dca3a7b8b40f050f37eac44d

Link:

https://www.unpac.me/results/f9506561-2549-4edc-9c19-a93787f929c9/

SH256 hash:

ab852f52284810b1ef6fc4a2521dbf5130c5ed4cb98ca54310b22dd3529c0c94

MD5 hash:

fbd2a6237d00d90eb947b23feb9f68b0

SHA1 hash:

173dae239c761dcd824c692f3360902d04aa0479

Link:

https://www.unpac.me/results/f9506561-2549-4edc-9c19-a93787f929c9/

SH256 hash:

6ec80b2dc86e97a886c52fb67aea4ce1ab195587d51236f00cd5c4bf93edb4eb

MD5 hash:

009784700cb0534965d78fb5e2433a8f

SHA1 hash:

05f2a89463f1335681fe7669a95a91ff52095081

Link:

https://www.unpac.me/results/f9506561-2549-4edc-9c19-a93787f929c9/

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/6ec80b2dc86e/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/6ec80b2dc86e97a886c52fb67aea4ce1ab195587d51236f00cd5c4bf93edb4eb

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

SnakeKeylogger

exe 6ec80b2dc86e97a886c52fb67aea4ce1ab195587d51236f00cd5c4bf93edb4eb

(this sample)

Delivery method

Distributed via e-mail attachment

Cape

https://www.capesandbox.com/analysis/182228/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample