MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 1c5c202227d0b0c0abe7a8ef1e67079069700a7c2aaec0b08bd552d93f3da63a. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

SnakeKeylogger

Vendor detections: 14

Intelligence 14 IOCs YARA 2 File information Comments

SHA256 hash:	1c5c202227d0b0c0abe7a8ef1e67079069700a7c2aaec0b08bd552d93f3da63a
SHA3-384 hash:	07fdc1c8e967fd0df5c3c9b7fe2e3b68dc84c73dc6b4b484c07864909f8a84acbc0bf262cedd2d37bff107dc04ef5dbe
SHA1 hash:	79e0f251d84ba40ec4cd39a3545bc2527679df4e
MD5 hash:	80cfcff11ee2975941fd9b5dcd160f56
humanhash:	sierra-uncle-nine-football
File name:	file
Download:	download sample
Signature	SnakeKeylogger Create hunting rule
File size:	606'720 bytes
First seen:	2022-11-28 13:52:22 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'649 x AgentTesla, 19'461 x Formbook, 12'202 x SnakeKeylogger)
ssdeep	12288:rO+copbKbfolkpPwDMjKrE5QujFhbzTrq9dBYKiPDkE+M:rCmbKclkpkMurxujjnS9difPDk6
Threatray	9'420 similar samples on MalwareBazaar
TLSH	T1E6D4018631AD5745E3A87BB169E093507B74BE365873D06F2D88B6CE4933B805E3072A
TrID	71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13) 10.2% (.EXE) Win64 Executable (generic) (10523/12/4) 6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 4.3% (.EXE) Win32 Executable (generic) (4505/5/1) 2.0% (.ICL) Windows Icons Library (generic) (2059/9)
File icon (PE):
dhash icon	ce9c9496e4949c9c (73 x AgentTesla, 51 x SnakeKeylogger, 30 x Formbook)
Reporter	jstrosch
Tags:	.NET exe MSIL SnakeKeylogger

Intelligence

File Origin

# of uploads :

# of downloads :

430

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

RFQ.doc

Verdict:

Malicious activity

Analysis date:

2022-11-28 07:35:42 UTC

Tags:

exploit cve-2017-11882 loader evasion trojan

Link:

https://app.any.run/tasks/81722851-74dd-4322-b83a-07462a106b5b

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

Snake

Link:

https://www.capesandbox.com/analysis/339454/

Detection(s):

SecuriteInfo.com.BackDoor.SpyBotNET.25.30078.31139.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

Unauthorized injection to a recently created process

Creating a file

Сreating synchronization primitives

Verdict:

Suspicious

Threat level:

5/10

Confidence:

100%

Tags:

packed

Link:

https://www.filescan.io/uploads/6384bd3f5be128ac718f4879/reports/521409df-d745-497a-b89b-2409bbfa0b40/overview

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Verdict:

Unknown

Link:

https://analyze.intezer.com/analyses/e34a6240-7cb2-4cee-8650-cfc3463e7e32

Result

Threat name:

Snake Keylogger

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1122561

Signature

.NET source code references suspicious native API functions

Injects a PE file into a foreign processes

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

May check the online IP address of the machine

Multi AV Scanner detection for submitted file

Snort IDS alert for network traffic

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to steal Mail credentials (via file / registry access)

Yara detected AntiVM3

Yara detected Generic Downloader

Yara detected Snake Keylogger

Yara detected Telegram RAT

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/1c5c202227d0b0c0abe7a8ef1e67079069700a7c2aaec0b08bd552d93f3da63a/

Threat name:

ByteCode-MSIL.Trojan.AgentTesla

Status:

Malicious

First seen:

2022-11-28 11:56:38 UTC

File Type:

PE (.Net Exe)

Extracted files:

AV detection:

22 of 26 (84.62%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=drocairh2cymbk7hvdxr4zyhsbuxact4fkxmbmel2vjnspz5uy5a._file

Verdict:

malicious

SnakeKeylogger

2f6e6357881973427aa992355125e2a7be58586613136a7fa4a84a49dd28dc93

SnakeKeylogger

41130c6ae73f211bab65e86f956f2c11ea1455089d21b5f18316353e5e370437

SnakeKeylogger

c498b83c2623ae4b95259430d63e9ef264941ffa0bfb7a7005f3db8244a69707

SnakeKeylogger

cd004920d1ca92cbfa11e014394a37dac188f65a0c6baf476601d462999126fa

SnakeKeylogger

edbc2a3471d87508b3e4b9174ab90a6a04529a2cef9373e3e1b4f3d97fb3afaf

SnakeKeylogger

eee60f047d393679542dcc545a824cc4946da2ab2c836944ace74ba5044c1696

SnakeKeylogger

+ 9'410 additional samples on MalwareBazaar

Result

Malware family:

snakekeylogger

Score:

10/10

Tags:

family:snakekeylogger collection keylogger spyware stealer

Link:

https://tria.ge/reports/221128-q6zg2sch2t/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

outlook_office_path

outlook_win_path

Suspicious use of SetThreadContext

Accesses Microsoft Outlook profiles

Looks up external IP address via web service

Reads data files stored by FTP clients

Reads user/profile data of local email clients

Reads user/profile data of web browsers

Snake Keylogger

Snake Keylogger payload

Unpacked files

SH256 hash:

31971b4b3e148fcbf9d46cde09b61586d69c49bffab0b5e9d310e4b33cbac109

MD5 hash:

f52d444e73adca43894107dc048a9493

SHA1 hash:

f99753d07ad99c1ca8132fd4a05dffeefdecd1f7

Detections:

snake_keylogger

Link:

https://www.unpac.me/results/30ffe865-de19-4956-ad28-286db8341147/

Parent samples :

4fc184671e57d103f1d4d2522d561c4e36d0eb1b221c4f05e5e77e044fbc3570
1c5c202227d0b0c0abe7a8ef1e67079069700a7c2aaec0b08bd552d93f3da63a
7e2ff70acafb2544bc87b72e69b8b6796f9ad66a9d57177453d193f2ddb174b0
fa06efa7ae0bfe45997fe30f5cf4a62be3d804ea3347777ed84a0dc87bb2f2e2
6a9d3a6f928c5a2a9ab9abe269027f3b987045fbb30803dd431ae2f56d5f859c
d08aee2638f316b2037d19ad89b2b23e9f12446a5d57b66330482ffb1a0e5be8
54bf780d0d0ac62c5f8542cc4b960152e90ffee21b3a99ab1a9ef06bf6e822d6
971e1093a54debf9b5fbdf5b68d7f59073f98737174f2acb7633c71ec545f554
e65c8404e4199df1515eba17f546cf27c15c2391bc40189ea2636869e9811f6f
085046ececcff959420164dc9ff1f78b7d05abf01d4fe00e35933cf98a0698e5
4c355f38322d2cf4c55c34d6d938a91a71bf90d3263d50548fc51f315cb279a4
bfbe89a923b76a0f6ef973b02eeeef58477da68a752a40a3875047f11c83a68f
4c5a48d3ae028c27963e1af00e3a03450a84960eeb5049a836e2628962525506

SH256 hash:

3624268b1bf67fd3f560f345e5171f3a2f8968a776c23816ea76fc0ef41b0f03

MD5 hash:

1619753b625e58c25b73fbf1f0bff482

SHA1 hash:

c0d7922bdbc10ef0ee1606a40c2dedd22cb180d4

Link:

https://www.unpac.me/results/30ffe865-de19-4956-ad28-286db8341147/

SH256 hash:

3917bab2dbac2e7b0f10543416e1e53b37f8f3fd031b563544c56b0fb8e5519c

MD5 hash:

f79acc2fccf86708eceab7f021eec3b0

SHA1 hash:

92e5938594789b3c130da3f265e085587581d390

Link:

https://www.unpac.me/results/30ffe865-de19-4956-ad28-286db8341147/

SH256 hash:

4ee60523f3c5539d03eddfc2e17cbd4dbf19a18e8909d0d588ad103d6edf035b

MD5 hash:

bff6f69f0462353c9d308ccb4177a957

SHA1 hash:

7cd553cb3f39bd241ac315627c486759299fc218

Link:

https://www.unpac.me/results/30ffe865-de19-4956-ad28-286db8341147/

SH256 hash:

b763a27f3a1fab5ec1b5aa566879eba7d666203ffdb8788d340987a768fe96bb

MD5 hash:

5475aaa99794eeeccd515427cfaae249

SHA1 hash:

0a9ed47b73017a436c196288d2e49c75e448c04d

Link:

https://www.unpac.me/results/30ffe865-de19-4956-ad28-286db8341147/

SH256 hash:

1c5c202227d0b0c0abe7a8ef1e67079069700a7c2aaec0b08bd552d93f3da63a

MD5 hash:

80cfcff11ee2975941fd9b5dcd160f56

SHA1 hash:

79e0f251d84ba40ec4cd39a3545bc2527679df4e

Link:

https://www.unpac.me/results/30ffe865-de19-4956-ad28-286db8341147/

Malware family:

SnakeKeylogger

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/1c5c202227d0/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Suspicious File

Score:

0.65

Link:

https://yomi.yoroi.company/submissions/1c5c202227d0b0c0abe7a8ef1e67079069700a7c2aaec0b08bd552d93f3da63a

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	pe_imphash Create hunting rule

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

SnakeKeylogger

exe 1c5c202227d0b0c0abe7a8ef1e67079069700a7c2aaec0b08bd552d93f3da63a

(this sample)

Delivery method

Distributed via web download

URLhaus

https://urlhaus.abuse.ch/url/2286568/

Cape

https://www.capesandbox.com/analysis/339454/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample