MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 92f0a55426e5040dc80133f908906acddaa338792783507fb0bb62d5b786c3ce. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


SnakeKeylogger


Vendor detections: 15


Intelligence 15 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 92f0a55426e5040dc80133f908906acddaa338792783507fb0bb62d5b786c3ce
SHA3-384 hash: 2d866fda5b6400788d8292e10efa1b29971b1cace00d60a377573fe5e24fb33cd6b9ec028786f77a0243ba21272fca84
SHA1 hash: 5cbae2649da060bac1602e62ba641b1d85b24fc4
MD5 hash: f8217bd63821efff73b3e0f55d6a1a88
humanhash: happy-eighteen-princess-magnesium
File name:Request for Quotation - CRPO-02 Project.exe
Download: download sample
Signature SnakeKeylogger
Create hunting rule
File size:594'944 bytes
First seen:2023-05-08 18:23:17 UTC
Last seen:2023-05-13 22:56:25 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'744 x AgentTesla, 19'611 x Formbook, 12'242 x SnakeKeylogger)
ssdeep 12288:+8ds7D6nFhjN9OB7Vkm3DpfVLkLfWzaWR3z:+8e4VN9bm3NKSh9z
Threatray 5'344 similar samples on MalwareBazaar
TLSH T12EC4F04271E5BF51E42E4BF42864324507F2316B60F4F26C8EE761D96AEAF401B41EAF
TrID 71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.2% (.EXE) Win64 Executable (generic) (10523/12/4)
6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.3% (.EXE) Win32 Executable (generic) (4505/5/1)
2.0% (.ICL) Windows Icons Library (generic) (2059/9)
Reporter abuse_ch
Tags:exe SnakeKeylogger

Intelligence

File Origin
# of uploads :
2
# of downloads :
260
Origin country :
NL NL
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
Request for Quotation - CRPO-02 Project.exe
Verdict:
Malicious activity
Analysis date:
2023-05-08 18:23:39 UTC
Tags:
evasion snake keylogger trojan
Link:
https://app.any.run/tasks/5dd3a940-56a2-4eee-b1fc-256e4b0df3ed

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Snake
Create hunting rule
Link:
https://www.capesandbox.com/analysis/387585/
Detection(s):
Sanesecurity.Malware.28872.BadIN4.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Creating a window
Sending a custom TCP request
Сreating synchronization primitives
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
comodo jigsaw packed
Link:
https://www.filescan.io/uploads/64593e44c2315c7ec20e7c91/reports/fbe4619f-e35f-40bc-9cf3-4556e85fa767/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_90%
Link:
https://www.hybrid-analysis.com/sample/92f0a55426e5040dc80133f908906acddaa338792783507fb0bb62d5b786c3ce
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Snake Keylogger
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/a419df1f-9808-4171-95ef-5eaf853f7913
Result
Threat name:
Snake Keylogger
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1228583
Signature
.NET source code contains potential unpacker
Found malware configuration
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
May check the online IP address of the machine
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Mail credentials (via file / registry access)
Yara detected Generic Downloader
Yara detected Snake Keylogger
Yara detected Telegram RAT
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/92f0a55426e5040dc80133f908906acddaa338792783507fb0bb62d5b786c3ce/
Threat name:
ByteCode-MSIL.Trojan.SnakeKeylogger
Create hunting rule
Status:
Malicious
First seen:
2023-05-08 16:28:42 UTC
File Type:
PE (.Net Exe)
Extracted files:
51
AV detection:
14 of 24 (58.33%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=slykkvbg4uca3sabgp4qredkzxnkgodze6bva75qxnrnln4gypha._file
Verdict:
malicious
Similar samples:
0143b411f3c0c02a845fa45cca9fd02df3da4334ad748fd119759f877c1e7ef2
SnakeKeylogger
39284637e45691feb034477cb6d51b662892a17b883ce42cee8d8e2fcdda4817
SnakeKeylogger
b33a98ce498846037fd68b2055d835464a1350c9c067e250689a2be1f17dc987
SnakeKeylogger
+ 5'334 additional samples on MalwareBazaar
Result
Malware family:
snakekeylogger
Create hunting rule
Score:
  10/10
Tags:
family:snakekeylogger collection keylogger spyware stealer
Link:
https://tria.ge/reports/230508-w112kscb37/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Looks up external IP address via web service
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Snake Keylogger
Snake Keylogger payload
Malware Config
C2 Extraction:
https://api.telegram.org/bot5300146648:AAHnGWyIYhkCfGzD7b3SfmLZj94Y8lXxD90/sendMessage?chat_id=5116181161
Unpacked files
SH256 hash:
d253e991b0afb6b3e9cfaf8dce2e56c93e6ac838ce8f4a6c1c0b4752527009c6
MD5 hash:
915aa3d78cab8eb6920c2cf8ab39e6a1
SHA1 hash:
f4dc2ac541b600883e4648aafbc92f5e0b1811f0
Detections:
snake_keylogger
Create hunting rule
Link:
https://www.unpac.me/results/5356611e-40a9-4e63-a0a4-0bbc404269c7/
Parent samples :
9432b4cd9f8a31640bf60b6cf8bece39ee0b0f110d2d43e429d9d203e1feaf41
8d31760b4b183db7fbb1cce9c5dab77e264c27484eb49193c6ebd0cc1deeaccf
808af00d1b4ec59a042cfa6d2a46549fca9d2d588847287bab70321622e008cd
05bec361a7f7ce8bb453225e15f0911068f103c51eee5e553f783955f65ed54c
54bae76ab64ae74ef5b97cef8aaffa2ec1254df6fea46d54c1387b6f5d5fb025
b43c354874e511906b2a3abef9db96af2a2d0aec46c8d04fe7357bcebdf03a4f
7e039e4d466d67e2e7fe4cf46aa141db13f2454161ebc86ec1dd02c33113d154
34ae82b3da999e17e5b62fae65be1827e3f6a54c599c68f1a02666772b70eb09
d4086b64b176925017dd2db176cb3754e172bcec944037e1f3ea53ce48c1303f
e6c7bf9f389f560ec25ba1808468c5d334cf75d2142face3704aac05af8c024b
c9234000f8f576a39a7d2a957826094c1c0e37b141ef26ee2e8e36a62e09805a
92f0a55426e5040dc80133f908906acddaa338792783507fb0bb62d5b786c3ce
0f629b4e11087c4e000457daa326269c1ed26198d5a5e8f963d10e0be9dd77a7
4df7854ec37d3d2d2f8b87ef3811ac4b4ea2f16c0d37329a91a4ebeca78337fb
d253e991b0afb6b3e9cfaf8dce2e56c93e6ac838ce8f4a6c1c0b4752527009c6
SH256 hash:
05f7e29c582ff0de5dbcfd938909c8bf6d7f0ae872dadf183dead5ac5ddf7f18
MD5 hash:
e36f468d17f279e8ebee251ca50da75c
SHA1 hash:
f4946c597262e0688bf54f569e8e72a782927bed
Link:
https://www.unpac.me/results/5356611e-40a9-4e63-a0a4-0bbc404269c7/
SH256 hash:
16c255190eaaf1b60ec7d07abcac5f614ea197cee2416ca9d01bb563c526c87d
MD5 hash:
fb4ed205b442f470bbf10913128efdcb
SHA1 hash:
9a0a4c5ae429769e3253a9a3daefa24270b87a5b
Link:
https://www.unpac.me/results/5356611e-40a9-4e63-a0a4-0bbc404269c7/
Parent samples :
ee57b6fa1e5a3c5ef776b79f32820327bcb3fe1974eeddf65c0eb56131193397
de8c7c543f438af1e7e78096f6873268e9b1a12745edf9c88db07e136163399e
SH256 hash:
00f30fc8ea2fb5bdd03f365f32ed6f6cf41bda0ac51eed1aee20155ce4dac436
MD5 hash:
f1528feb750d0b3d66ea562c41ebde4b
SHA1 hash:
5ccab29a3906e224bfe734ec6a520c1cd8e2ebe8
Link:
https://www.unpac.me/results/5356611e-40a9-4e63-a0a4-0bbc404269c7/
SH256 hash:
7d4d2727af16bd43a8b84684fcf9471ffac7adb5a99bab3476951c16dcdfa4c3
MD5 hash:
48f25f70764858909ab7fa96721f9d01
SHA1 hash:
1a8628d1c7ea6cf1d06dbfc58cbca14d32139fbd
Link:
https://www.unpac.me/results/5356611e-40a9-4e63-a0a4-0bbc404269c7/
SH256 hash:
92f0a55426e5040dc80133f908906acddaa338792783507fb0bb62d5b786c3ce
MD5 hash:
f8217bd63821efff73b3e0f55d6a1a88
SHA1 hash:
5cbae2649da060bac1602e62ba641b1d85b24fc4
Link:
https://www.unpac.me/results/5356611e-40a9-4e63-a0a4-0bbc404269c7/
Malware family:
SnakeKeylogger
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/92f0a55426e5/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Password Stealer
Score:
0.90
Link:
https://yomi.yoroi.company/submissions/92f0a55426e5040dc80133f908906acddaa338792783507fb0bb62d5b786c3ce

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

SnakeKeylogger

Executable exe 92f0a55426e5040dc80133f908906acddaa338792783507fb0bb62d5b786c3ce

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/387585/

Comments