MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 1c19c779689b53564815cd937aac148d5c60cda82246b395200f89fd24431819. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

SnakeKeylogger

Vendor detections: 15

Intelligence 15 IOCs YARA 2 File information Comments

SHA256 hash:	1c19c779689b53564815cd937aac148d5c60cda82246b395200f89fd24431819
SHA3-384 hash:	f7b996e8459c504d43aca9e6c584cd6dd4e22682a1916a408ddd6694ad58f4acdfdfacdded1ed3460a5b7d2dc98d14a1
SHA1 hash:	ce8bb98c1991e46732f0cda2e74fa5d989611d7c
MD5 hash:	49791bde2400d4e10b6ad1ea4e628802
humanhash:	fourteen-four-bulldog-eleven
File name:	INQ-UMJ005IX2022.exe
Download:	download sample
Signature	SnakeKeylogger Create hunting rule
File size:	608'256 bytes
First seen:	2022-11-01 08:37:13 UTC
Last seen:	2022-11-01 14:55:44 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep	12288:WwhuJ9DrAlVrYlA5Eg5epg1GSL0zQvhzps7:9uJ9DnlAEmken3s7
Threatray	8'629 similar samples on MalwareBazaar
TLSH	T1B5D412027A55689CF83907F691A68AA636B06C2CFC60EC1E0ECFB2DC18717478756977
TrID	72.5% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13) 10.4% (.EXE) Win64 Executable (generic) (10523/12/4) 6.5% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 4.4% (.EXE) Win32 Executable (generic) (4505/5/1) 2.0% (.EXE) OS/2 Executable (generic) (2029/13)
File icon (PE):
dhash icon	131163e1e1e1e1a0 (17 x SnakeKeylogger, 7 x Formbook, 2 x AveMariaRAT)
Reporter	abuse_ch
Tags:	exe SnakeKeylogger

Intelligence

File Origin

# of uploads :

# of downloads :

298

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

INQ-UMJ005IX2022.exe

Verdict:

Malicious activity

Analysis date:

2022-11-01 08:40:32 UTC

Tags:

evasion trojan snake

Link:

https://app.any.run/tasks/a8a1e6b2-ee1c-4433-932c-1302b66cbe83

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

Snake

Link:

https://www.capesandbox.com/analysis/326750/

Detection(s):

SecuriteInfo.com.Trojan.Inject4.46086.3750.22952.UNOFFICIAL

SecuriteInfo.com.Trojan.Inject4.46086.29270.6041.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

Verdict:

Suspicious

Threat level:

5/10

Confidence:

100%

Tags:

packed

Link:

https://www.filescan.io/uploads/6360daf09b9bf84bf679d28b/reports/126cf4e1-6a66-40e7-98d3-8857f16653c4/overview

Result

Verdict:

UNKNOWN

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Snake Keylogger

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/48369c05-8a86-4f4b-acb6-c9a1737e70f4

Result

Threat name:

Snake Keylogger

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1102404

Signature

.NET source code contains potential unpacker

.NET source code references suspicious native API functions

Injects a PE file into a foreign processes

Malicious sample detected (through community Yara rule)

May check the online IP address of the machine

Multi AV Scanner detection for submitted file

Snort IDS alert for network traffic

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to steal Mail credentials (via file / registry access)

Yara detected AntiVM3

Yara detected Generic Downloader

Yara detected Snake Keylogger

Yara detected Telegram RAT

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/1c19c779689b53564815cd937aac148d5c60cda82246b395200f89fd24431819/

Threat name:

ByteCode-MSIL.Trojan.REMLoader

Status:

Malicious

First seen:

2022-11-01 07:08:23 UTC

File Type:

PE (.Net Exe)

Extracted files:

AV detection:

22 of 26 (84.62%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=dqm4o6litnjvmsavzwjxvlaurvogbtniejdlhfjab6e72jcddamq._file

Verdict:

malicious

SnakeKeylogger

09a476b31272d7aa3ba1e7f0a5ed54dda6834819fb360de18cd883fdb177686d

SnakeKeylogger

5c00ba81ba3c63b387be3c81b197a552de1ba46a1922c696d602e4fbf1700c01

SnakeKeylogger

6e3068d40a7f9cf1c1b32ce4c58931efe7363b9f2d9c96117c72e8c5fa90c723

SnakeKeylogger

bde44d28af8eea00ebb87e8a609fba8ed3e7371dfc1b5b842ef1a2aac4a0819c

SnakeKeylogger

e3555cc65ec783fa2aa5a0c5c565e2ac373487fbcffd83db2a014f40ac983d30

SnakeKeylogger

e7bce95f8d0c0afe68c7073eb88a60271388885c07bd9a5abfcace139eec9e9f

SnakeKeylogger

f92f663f8f3a0eb9aa71214253b157153bc4c9b386e4189c00017ec85e9d6913

SnakeKeylogger

+ 8'619 additional samples on MalwareBazaar

Result

Malware family:

snakekeylogger

Score:

10/10

Tags:

family:snakekeylogger collection keylogger spyware stealer

Link:

https://tria.ge/reports/221101-kjqczahgf5/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

outlook_office_path

outlook_win_path

Suspicious use of SetThreadContext

Accesses Microsoft Outlook profiles

Looks up external IP address via web service

Reads data files stored by FTP clients

Reads user/profile data of local email clients

Reads user/profile data of web browsers

Snake Keylogger

Snake Keylogger payload

Malware Config

C2 Extraction:

https://api.telegram.org/bot5793325124:AAGHzRsq2tvLBf23l8pkEofcJjw4AQXsgAQ/sendMessage?chat_id=2086616067

Verdict:

Suspicious

Tags:

n/a

YARA:

n/a

Link:

https://app.threat.zone/submission/1e04f45d-2825-4218-92aa-0be709df6b36

Unpacked files

SH256 hash:

821df20cb4347d90524d7782ced96298c6728dae41f7c47081b991dd4d02a07f

MD5 hash:

25d0a901ce99377f11ee43c78d76f572

SHA1 hash:

f614c680fe53b4a96b276d516ce2472f9317952e

Link:

https://www.unpac.me/results/e81ab57f-22c9-48b8-ae60-0645cb6ae880/

SH256 hash:

15d73a776fe344c81d89f8c1403a88694e798a4698997b7e71ff8cd285043e5e

MD5 hash:

30f4d7c4a68786ee7add65357696b171

SHA1 hash:

f1dc5ea4551456140bda5f1be92ea156260cab2f

Link:

https://www.unpac.me/results/e81ab57f-22c9-48b8-ae60-0645cb6ae880/

SH256 hash:

4a8d3e4551a9f9322e6c531ed9b53cdd4623a6435dde7843c4ab8369026c6c3f

MD5 hash:

35dd9a9becc49678c532b16d5f8fa088

SHA1 hash:

cba9fac2629e05004a80be9f79d3a99b40362fe2

Link:

https://www.unpac.me/results/e81ab57f-22c9-48b8-ae60-0645cb6ae880/

SH256 hash:

bf10b138e060a04c6db62fcef75a6c07ec59f2df7cc20d740ca66c41f08f5c71

MD5 hash:

fdda5ad44d299c3d3ca25dd89d6caf32

SHA1 hash:

3bb2e27ad8c92a5f154e184c43d72e21579b3ec4

Detections:

snake_keylogger

Link:

https://www.unpac.me/results/e81ab57f-22c9-48b8-ae60-0645cb6ae880/

Parent samples :

2c1233c23ad1b8d5fd045f3ff75ae8faf053d0210602637c35319c03ba29049d
caf10374b119f0d943ede964071e5b3c902a006859f35caff84b440dad7daa5e
fe33c22faabafd696535976eb75d55862b2f32339536c87f32775f0152c53b06
68ea38997c73f63cd68dea8bb6e2ecd5b5f6f5bf3a5f1597083bb674fdf3901f
c1d8796df0c4f3ed781a1a04561b470ad793f8eeffb99bfcf89aeb32e6db3894
66f2172acd9f30a31b5cfe40cb2f02b2f167b3fec6e9c3350817e4e42eed505c
bc6923bcc30f23b64fd56d49372a30ebd34502c3d7d4b3213b2ca4238f54fdb1
fe87b471e4495f17639521e425cf3bd044abd6fc1ac94725e1752adeb076bee3
34d4de981eed5da5d62b8a4d7928ca739fbc09740b50d08736400e463e491f4b
a23deaa3f3ffb5b8e0901c2dd9961188dbe945f37fd184e7616e5f678ee718d5
9f748ffe55ad536a8a5dba9fece063455c9b3c0ea8f75afdf3b97c30741d3879
79cb1e9c71dc8b1e72e7329b4ab9e968688680c37671ed6df39d58d04f21aad9
3cb9a4f2458b6897c3389f22eecd17a8e7642e98636227f08c02bddf28f04f29
921a9d7e264ebdd6cd571b536733497be42e08ce26b1846fc1870220fc335b15
cbab45963c125f9320b3cdd66e41f341894d4045d0d1739c98eff440ff68efc4
b89443b465f1a7b4f348460e5ca65ab3d0a39226450480cabc93c29d8699b517
f78ba8b9b657d78339e63a4918ddff3aa7c4a3ce1cb3b944696ddf0a703f78ba
4facce5f12610b8544de2a07a89f0d9c194d22992a1e52981764b75e28d5d507
c8e9c70f96f3d9fef327b336f68fed249cfee9fd893d2fae47d03a8321530eb4
c4bc99be2d00ad7e96c9f192f31da7d25c5971b3463b7f28f5a42659a4829ef7
22bb77707a5e4daee152238760d8e4d3ab808199609c679f7acc5d4e0ac09e53
1c19c779689b53564815cd937aac148d5c60cda82246b395200f89fd24431819
830048b03052b79d97b200ea975ed6f37776aae8cd05c55410d83ebbb8fe4d12
34681bfe6903ae02763664071b92d92b17fe545c9fcbda94b26a2a80df5a8fd7
1657b8a3bf202fe947182543cc96b4b20f0fb513018209a903c53b95d3cbf491
4f286ec29274298c8788b4e0ebb36676f97ff57d3e94c94f3d438892600b919d
35e5a32157421bae8ec1a960edae39245f5e68b772fcbf9376add99181a58e3e
1ad58f55bceeb539c9f77e62af86c5e09fb0dd0dcac700e6368964f6a4f5e5a8
d3cd2cdc7d4979c03daa0b92a90d18ba47089abc568c76e4a11c4067defd6b31
b8848531fba261561cae57936e50512202d45257460805c92f2778331e0db85b
76bb047672915b6378f82db87a53b80be37aa810ac89b934b5c111e57601fc31
8f6910c2c42d4d5aef3cd7ffa5bb4a70e15c2b32e35d465be19a68ffd872b60b
0dcb7ab9a3b94c33349f33098da76c80a70a4f27d663243035ad02742e9aee0c
a29c78e6f4be0fbbfa1a48a6d9bd0172f104861e2659b46872a2eecdafa58003
d427cff555d97a92b992d42f77c1d790314133032ea1cbcc43193a024427a0f9

SH256 hash:

744928a56b4d36f17e73eea0534c5e99103d1553d5b0a864a6fd9d4f9899b47f

MD5 hash:

91fed5db1afcdf48e0cd6d4058a013ba

SHA1 hash:

3717b3346e25d3f66f00626ad1a771d8655f485f

Link:

https://www.unpac.me/results/e81ab57f-22c9-48b8-ae60-0645cb6ae880/

SH256 hash:

1c19c779689b53564815cd937aac148d5c60cda82246b395200f89fd24431819

MD5 hash:

49791bde2400d4e10b6ad1ea4e628802

SHA1 hash:

ce8bb98c1991e46732f0cda2e74fa5d989611d7c

Link:

https://www.unpac.me/results/e81ab57f-22c9-48b8-ae60-0645cb6ae880/

Malware family:

SnakeKeylogger

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/1c19c779689b/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Suspicious File

Score:

0.65

Link:

https://yomi.yoroi.company/submissions/1c19c779689b53564815cd937aac148d5c60cda82246b395200f89fd24431819

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	pe_imphash Create hunting rule

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/326750/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample