MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 ddc80f262bf86345a0be3981054a8bcc1b06635e948365ceeb159688afcb51ce. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

SnakeKeylogger

Vendor detections: 11

Intelligence 11 IOCs YARA 11 File information Comments

SHA256 hash:	ddc80f262bf86345a0be3981054a8bcc1b06635e948365ceeb159688afcb51ce
SHA3-384 hash:	ea982e2a838ec6569adfeb625d1f9cb8cc9b96adfef75b87c1515320019df0f2407faed7042180d88ad7c330c7156d22
SHA1 hash:	3f07cd8af332cc05e0faffb4b3abc673c1dbae94
MD5 hash:	bdacafc76193287481aacc058157b552
humanhash:	sixteen-pennsylvania-nineteen-bulldog
File name:	REQUEST_.EXE
Download:	download sample
Signature	SnakeKeylogger Create hunting rule
File size:	1'228'800 bytes
First seen:	2021-08-02 06:40:45 UTC
Last seen:	2021-08-02 06:41:39 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'658 x AgentTesla, 19'469 x Formbook, 12'208 x SnakeKeylogger)
ssdeep	24576:35MI676DO9fx8Dgyfx8Dg9AW9/gOiEpvWnNwDZFSL:3t676858Dgy58DgPoO1BWnCZU
Threatray	507 similar samples on MalwareBazaar
TLSH	T12745D0DA7840DABBD61C27B56114D88042B99814D227FBFF7E6261B233E1A794F14CF2
dhash icon	b271e8e4d4ccf070 (22 x AgentTesla, 14 x Formbook, 11 x SnakeKeylogger)
Reporter	cocaman
Tags:	exe SnakeKeylogger

Intelligence

File Origin

# of uploads :

# of downloads :

563

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

REQUEST_.EXE

Verdict:

Malicious activity

Analysis date:

2021-08-02 06:43:07 UTC

Tags:

evasion trojan snakekeylogger keylogger

Link:

https://app.any.run/tasks/39a593dd-3d3a-4145-a217-ba9535a5037e

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

Snake

Link:

https://www.capesandbox.com/analysis/175708/

Detection(s):

SecuriteInfo.com.W32.MSIL_Kryptik.DLO-1.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

Sending a UDP request

Launching a process

Creating a file

DNS request

Connection attempt

Sending an HTTP GET request

Sending a custom TCP request

Reading critical registry keys

Blocking the Windows Defender launch

Unauthorized injection to a system process

Result

Verdict:

UNKNOWN

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Snake Keylogger

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/bca63ffc-2a68-4d67-8c85-ba596d76fcf5

Result

Threat name:

Snake Keylogger

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/825321

Signature

.NET source code references suspicious native API functions

Found malware configuration

Injects a PE file into a foreign processes

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

May check the online IP address of the machine

Multi AV Scanner detection for submitted file

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to steal Mail credentials (via file access)

Writes to foreign memory regions

Yara detected Snake Keylogger

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/ddc80f262bf86345a0be3981054a8bcc1b06635e948365ceeb159688afcb51ce/

Threat name:

ByteCode-MSIL.Infostealer.Generic

Status:

Suspicious

First seen:

2021-08-02 05:00:06 UTC

File Type:

PE (.Net Exe)

Extracted files:

134

AV detection:

9 of 46 (19.57%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=3xea6jrl7brulif6hgaqksulzqnqmy26ssbwltxlcwlirl6lkhha._file

Verdict:

malicious

SnakeKeylogger

5c8974292a63e007d64fb43ffa31166c7ad3daeb7e08e7f9bab2f8e0e17b060c

SnakeKeylogger

74a7a39a137e6a3d6874b56099218317d0a34f105bd1b1d3ddfbb9d3c8429ade

SnakeKeylogger

b0c975b40f8a8f52aa372b0eea9ce604f35b9e5101b4aada3fda0cbb2e25229b

SnakeKeylogger

b2f77c882bdce0ff80269d0d2036243227eb3ac3bf3fd6d848c32b80df820337

SnakeKeylogger

c0122aead3c5a7b1a3a8d5f5cd7dcafa2ea0966d08cd4480ee041f5dd8eae89d

SnakeKeylogger

cd1fd75a5fede73a1929bd8fdfe922521d379ab47db28bdbfaab0d390f633413

SnakeKeylogger

dbc9cca23dc54168c95c7179dd37bbeca4569b3004dbd272b92cddeee7aa9580

SnakeKeylogger

+ 497 additional samples on MalwareBazaar

Result

Malware family:

snakekeylogger

Score:

10/10

Tags:

family:snakekeylogger keylogger stealer

Link:

https://tria.ge/reports/210802-hqsedlxkwa/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Suspicious use of SetThreadContext

Looks up external IP address via web service

Snake Keylogger

Unpacked files

SH256 hash:

331e8ceb8f5f95db580c5c2aab94aef84df44ef58c167487af0645d15876d272

MD5 hash:

3b03a7d2c39b498dc3437be4d05e4432

SHA1 hash:

b849b58056962942f25a775d5b33ec0eec8939a0

Link:

https://www.unpac.me/results/ac67677c-64e1-49e6-98c0-42e8b15f8360/

SH256 hash:

cfef97ff706312dff4edd998aeee22f1283221631ebb0cc954bebbb701c1465c

MD5 hash:

a0f625a3d3348903f3c902f588c0e4f5

SHA1 hash:

20d1f0b74abe6f500e8c21119f55281926210ac0

Link:

https://www.unpac.me/results/ac67677c-64e1-49e6-98c0-42e8b15f8360/

SH256 hash:

2ddb5051623b82a43d0aeb2ad5458c94c8b3ba3b1e619f8a11ae6e1d9eba9db7

MD5 hash:

0d1dc64172ee965b6e83ac4b5254dec1

SHA1 hash:

079acbc04f44b8292dc7a04e067c6a977296dd16

Link:

https://www.unpac.me/results/ac67677c-64e1-49e6-98c0-42e8b15f8360/

SH256 hash:

ddc80f262bf86345a0be3981054a8bcc1b06635e948365ceeb159688afcb51ce

MD5 hash:

bdacafc76193287481aacc058157b552

SHA1 hash:

3f07cd8af332cc05e0faffb4b3abc673c1dbae94

Link:

https://www.unpac.me/results/ac67677c-64e1-49e6-98c0-42e8b15f8360/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

0.81

Link:

https://yomi.yoroi.company/submissions/ddc80f262bf86345a0be3981054a8bcc1b06635e948365ceeb159688afcb51ce

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	INDICATOR_SUSPICIOUS_Binary_References_Browsers Create hunting rule
Author:	ditekSHen
Description:	Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers.

Rule name:	INDICATOR_SUSPICIOUS_EXE_Referenfces_Messaging_Clients Create hunting rule
Author:	ditekSHen
Description:	Detects executables referencing many email and collaboration clients. Observed in information stealers

Rule name:	INDICATOR_SUSPICOIUS_EXE_DotNetProcHook Create hunting rule
Author:	ditekSHen
Description:	Detects executables with potential process hoocking

Rule name:	MALWARE_Win_SnakeKeylogger Create hunting rule
Author:	ditekSHen
Description:	Detects Snake Keylogger

Rule name:	MAL_Envrial_Jan18_1 Create hunting rule
Author:	Florian Roth
Description:	Detects Encrial credential stealer malware
Reference:	https://twitter.com/malwrhunterteam/status/953313514629853184

Rule name:	pe_imphash Create hunting rule

Rule name:	pe_imphash Create hunting rule

Rule name:	quakbot_halo_generated Create hunting rule
Author:	Halogen Generated Rule, Corsin Camichel

Rule name:	silentbuilder_halo_generated Create hunting rule
Author:	Halogen Generated Rule, Corsin Camichel

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

Rule name:	Telegram_Exfiltration_Via_Api Create hunting rule
Author:	lsepaolo

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

SnakeKeylogger

img a9a4724beeb4463e0bda523131a8281bac10212b221f57452d2d7a06454634a6

SnakeKeylogger

exe ddc80f262bf86345a0be3981054a8bcc1b06635e948365ceeb159688afcb51ce

(this sample)

Delivery method

Other

Dropped by

SHA256 a9a4724beeb4463e0bda523131a8281bac10212b221f57452d2d7a06454634a6

Dropped by

SHA256 3f934d01d35a6ebc8f94dea5011411c63107b1be65bcea2be90275c845bb9b86

Cape

https://www.capesandbox.com/analysis/175708/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample