MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 ec0e08b45cab17ef409d93105a7d3d4b246606af934a49faf8f2403d3ab52559. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


SnakeKeylogger


Vendor detections: 9


Intelligence 9 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: ec0e08b45cab17ef409d93105a7d3d4b246606af934a49faf8f2403d3ab52559
SHA3-384 hash: b52be67dad2e82ee1fd0ed133e47b569c15eeda9e1266cf7996a0f65fe2967a7795f0607e4feb7d3ea6b802e8c5ee48b
SHA1 hash: 8c7d57edfbca0edca571e27843fbe0d972691215
MD5 hash: 89999fdaa07270c074c1ff9c86ce26a0
humanhash: fruit-avocado-maine-mars
File name:New Order Requests 006166-RFQ.exe
Download: download sample
Signature SnakeKeylogger
Create hunting rule
File size:313'856 bytes
First seen:2021-07-14 07:01:14 UTC
Last seen:2021-07-14 08:05:56 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'666 x AgentTesla, 19'479 x Formbook, 12'209 x SnakeKeylogger)
ssdeep 6144:a4PQuSARTAjjiES8zQ+hE7epqivGCoE9bg4M8nIxJXxsfdEr9:aAQuSYAPmqDGCo0bg4lSJiu
Threatray 242 similar samples on MalwareBazaar
TLSH T19664026132889CAEC8345BF71E676584076D7D5976C39A8928ACBF8F3535F9D0233B02
Reporter abuse_ch
Tags:exe SnakeKeylogger

Intelligence

File Origin
# of uploads :
2
# of downloads :
134
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
New Order Requests 006166-RFQ.exe
Verdict:
Suspicious activity
Analysis date:
2021-07-14 07:15:14 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/bfc26abe-4b78-4218-81fd-4fb17e001302

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Snake
Create hunting rule
Link:
https://www.capesandbox.com/analysis/171591/
Detection(s):
SecuriteInfo.com.Artemis89999FDAA072.10938.10868.UNOFFICIAL
Create hunting rule

Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/4fc5d9ef-c505-4151-b2ef-a73fb8b648b7
Result
Threat name:
Snake Keylogger
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/816060
Signature
.NET source code contains potential unpacker
.NET source code references suspicious native API functions
Creates an undocumented autostart registry key
Found malware configuration
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
May check the online IP address of the machine
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Mail credentials (via file access)
Writes to foreign memory regions
Yara detected Snake Keylogger
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/ec0e08b45cab17ef409d93105a7d3d4b246606af934a49faf8f2403d3ab52559/
Threat name:
ByteCode-MSIL.Downloader.Seraph
Create hunting rule
Status:
Malicious
First seen:
2021-07-14 07:02:10 UTC
AV detection:
8 of 46 (17.39%)
Threat level:
  3/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=5qharnc4vml66qe5smifu7j5jmsgmbvpsnfet6xy6jad2ovvevmq._file
Verdict:
malicious
Similar samples:
0f50a03ab746696adbaae3755d933c7f6f5070e8592efa2452de01ba9326fa7c
SnakeKeylogger
210a46fa055399a9fe0b153724c4c6480c622e68fdf70c67fc3626d16619d68a
SnakeKeylogger
4c840cf8b8e6ffbd8fd1140e323f898e220a405714353834ce98a1070cbe4a4c
SnakeKeylogger
4f6d56d20e25b1bbe5395a63e58d46bccdbb08ffeb756dba18b9d30811dd2b29
SnakeKeylogger
500e5287dba2679bde2df8551de4a7066bf8fe9575d3bbd7d8051cec76c12501
SnakeKeylogger
6e0bef23794d4e93ef917868ab89ce22bd27e35361e4e7d2f60ad3f82455e75e
SnakeKeylogger
78dd328a721ab033b3d63be6add959894ba7cf1d7ba380f78b078a1c9d1da16c
SnakeKeylogger
ca4896bca693d072c950104571b902964e437bcf92be959262573d6147291139
SnakeKeylogger
d0d4465b80008a2e31364728cef132a9c912df99e130c8eac93ba0acfd380193
SnakeKeylogger
+ 232 additional samples on MalwareBazaar
Result
Malware family:
snakekeylogger
Create hunting rule
Score:
  10/10
Tags:
family:snakekeylogger keylogger spyware stealer
Link:
https://tria.ge/reports/210714-shg54pdqwe/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Looks up external IP address via web service
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Snake Keylogger
Unpacked files
SH256 hash:
c6fd5bf920668326b89b54ad74670a6c08419020edc91ab4de334dc6b032ce62
MD5 hash:
7bc8184ff743bacba46050cdad81a159
SHA1 hash:
9dc2c9d557af65937af4a56cd0579a60f30467e1
Link:
https://www.unpac.me/results/8b4f3da6-fc44-4ce7-80f4-8339a20e2f8a/
SH256 hash:
841caba6f3c5a8ef2fa11ddf1d310b84af69e8f96b4d5e680f3e2536fbbb928a
MD5 hash:
33b09ca233198cbab068b4c0f304c7bb
SHA1 hash:
4d0825f827169e3bcf1247f772b230cc748dbf9c
Link:
https://www.unpac.me/results/8b4f3da6-fc44-4ce7-80f4-8339a20e2f8a/
SH256 hash:
8688d3438f2333c8f32ce0b64ad8c8eb1162907176656402a9f1e699ad7efe4d
MD5 hash:
b0cd9047141dc900d9a19b8d38e21ef9
SHA1 hash:
232f221929dfaafbff800fbbaa268c366df23423
Link:
https://www.unpac.me/results/8b4f3da6-fc44-4ce7-80f4-8339a20e2f8a/
SH256 hash:
ec0e08b45cab17ef409d93105a7d3d4b246606af934a49faf8f2403d3ab52559
MD5 hash:
89999fdaa07270c074c1ff9c86ce26a0
SHA1 hash:
8c7d57edfbca0edca571e27843fbe0d972691215
Link:
https://www.unpac.me/results/8b4f3da6-fc44-4ce7-80f4-8339a20e2f8a/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
APT3 Keylogger
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/ec0e08b45cab17ef409d93105a7d3d4b246606af934a49faf8f2403d3ab52559

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_SUSPICIOUS_Stomped_PECompilation_Timestamp_InTheFuture
Create hunting rule
Author:ditekSHen
Description:Detect executables with stomped PE compilation timestamp that is greater than local current time
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/171591/

Comments