MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 b1a095ae8f5562162a591f8871ba8aecc46d43e875a19f2cd56d7b9c03b56cb2. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


SnakeKeylogger


Vendor detections: 14


Intelligence 14 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: b1a095ae8f5562162a591f8871ba8aecc46d43e875a19f2cd56d7b9c03b56cb2
SHA3-384 hash: 3e4e0bcb063365da566c8774bfda761b4778709bf30bd358020ab80404fcef849c635a88721f53122fdb622a7333c2a4
SHA1 hash: e311d243e28bd70fb0fe578d92352414c5180537
MD5 hash: dd008e99875a585d96ec322f8a13413b
humanhash: mars-floor-ink-earth
File name:lPa32RSaCQtZsYe.exe
Download: download sample
Signature SnakeKeylogger
Create hunting rule
File size:872'960 bytes
First seen:2022-10-26 09:45:20 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'740 x AgentTesla, 19'599 x Formbook, 12'241 x SnakeKeylogger)
ssdeep 12288:5Oq/oCJJTT2q2iNa9/fTcaovQgNzcev3NW4ft7vCk2hJPAmT:c6T2q1gMIWtNfZvClhl
Threatray 4'127 similar samples on MalwareBazaar
TLSH T11E056B74379E4F0BD0EACE34A471D1B007626DBB686EDB8ACAD46CF738223A1590D547
TrID 72.5% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.4% (.EXE) Win64 Executable (generic) (10523/12/4)
6.5% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.4% (.EXE) Win32 Executable (generic) (4505/5/1)
2.0% (.EXE) OS/2 Executable (generic) (2029/13)
File icon (PE):PE icon
dhash icon 00404080a0a08000 (13 x SnakeKeylogger, 2 x Formbook, 1 x AgentTesla)
Reporter abuse_ch
Tags:exe SnakeKeylogger

Intelligence

File Origin
# of uploads :
1
# of downloads :
268
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
lPa32RSaCQtZsYe.exe
Verdict:
Malicious activity
Analysis date:
2022-10-26 09:51:16 UTC
Tags:
evasion trojan snake
Link:
https://app.any.run/tasks/2624af61-d834-4004-85fc-0e40a688810e

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Snake
Create hunting rule
Link:
https://www.capesandbox.com/analysis/324294/
Detection(s):
SecuriteInfo.com.MSIL.Kryptik.WZA.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Launching a process
Creating a process with a hidden window
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Snake Keylogger
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/aef92b0d-dfc7-42cd-993a-17c9dbe697cc
Result
Threat name:
Snake Keylogger
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1098246
Signature
.NET source code contains potential unpacker
.NET source code references suspicious native API functions
Adds a directory exclusion to Windows Defender
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
May check the online IP address of the machine
Sigma detected: Scheduled temp file as task from temp location
Snort IDS alert for network traffic
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Mail credentials (via file / registry access)
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Yara detected AntiVM3
Yara detected Generic Downloader
Yara detected Snake Keylogger
Yara detected Telegram RAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 730898 Sample: lPa32RSaCQtZsYe.exe Startdate: 26/10/2022 Architecture: WINDOWS Score: 100 49 Snort IDS alert for network traffic 2->49 51 Malicious sample detected (through community Yara rule) 2->51 53 Sigma detected: Scheduled temp file as task from temp location 2->53 55 8 other signatures 2->55 7 lPa32RSaCQtZsYe.exe 7 2->7         started        11 bHDWrNNC.exe 5 2->11         started        process3 file4 31 C:\Users\user\AppData\Roaming\bHDWrNNC.exe, PE32 7->31 dropped 33 C:\Users\...\bHDWrNNC.exe:Zone.Identifier, ASCII 7->33 dropped 35 C:\Users\user\AppData\Local\...\tmp66BA.tmp, XML 7->35 dropped 37 C:\Users\user\...\lPa32RSaCQtZsYe.exe.log, ASCII 7->37 dropped 57 Uses schtasks.exe or at.exe to add and modify task schedules 7->57 59 Writes to foreign memory regions 7->59 61 Adds a directory exclusion to Windows Defender 7->61 13 MSBuild.exe 15 2 7->13         started        17 powershell.exe 18 7->17         started        19 schtasks.exe 1 7->19         started        63 Machine Learning detection for dropped file 11->63 65 Injects a PE file into a foreign processes 11->65 21 MSBuild.exe 2 11->21         started        23 schtasks.exe 1 11->23         started        signatures5 process6 dnsIp7 39 checkip.dyndns.com 132.226.8.169, 49695, 80 UTMEMUS United States 13->39 41 checkip.dyndns.org 13->41 43 192.168.2.1 unknown unknown 13->43 67 May check the online IP address of the machine 13->67 25 conhost.exe 17->25         started        27 conhost.exe 19->27         started        45 158.101.44.242, 49696, 80 ORACLE-BMC-31898US United States 21->45 47 checkip.dyndns.org 21->47 69 Tries to steal Mail credentials (via file / registry access) 21->69 71 Tries to harvest and steal ftp login credentials 21->71 73 Tries to harvest and steal browser information (history, passwords, etc) 21->73 29 conhost.exe 23->29         started        signatures8 process9
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/b1a095ae8f5562162a591f8871ba8aecc46d43e875a19f2cd56d7b9c03b56cb2/
Threat name:
ByteCode-MSIL.Trojan.Injuke
Create hunting rule
Status:
Malicious
First seen:
2022-10-26 10:16:58 UTC
File Type:
PE (.Net Exe)
Extracted files:
42
AV detection:
18 of 26 (69.23%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=wgqjllupkvrbmkszd6ehdouk5tcg2q7iowqz6lgvnv5zya5vnsza._file
Verdict:
malicious
Similar samples:
0296e49137a482b7db3bed7fe16c5ad20b083b20a8ce56b6c42309fff94d50b6
SnakeKeylogger
50109664df17c305d63866d276484eff9131d9fb4bbb091275f07d940e7435b5
SnakeKeylogger
79cb1e9c71dc8b1e72e7329b4ab9e968688680c37671ed6df39d58d04f21aad9
SnakeKeylogger
7a96faef83e248093584f633bdb3057dda34f1e028683d54401fba6143cf2c32
SnakeKeylogger
b6692385658a68fc7071fa263592322ff531ccf8267deccd9445a835b322760f
SnakeKeylogger
c48b8f82638c46dbc8aa4a738cb29a8e392b6c4f5c7a04ad31f20d567dae119d
SnakeKeylogger
e9b324b307af4d894e742a33c0d2ce31977128848c23219e4958664ac89cede7
SnakeKeylogger
f16fc4f79d0488b15b0b1b8d161a56cfae261bf98ab2390b5006379c09e7043e
SnakeKeylogger
f51ac312a42b7ea58a385ce561b36ecb9cc5ccc5bbdc9bbf5aaadf7576b2c159
SnakeKeylogger
+ 4'117 additional samples on MalwareBazaar
Result
Malware family:
snakekeylogger
Create hunting rule
Score:
  10/10
Tags:
family:snakekeylogger collection keylogger stealer
Link:
https://tria.ge/reports/221026-lrmgqafcfn/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Enumerates physical storage devices
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Looks up external IP address via web service
Checks computer location settings
Snake Keylogger
Snake Keylogger payload
Malware Config
C2 Extraction:
https://api.telegram.org/bot5542941782:AAFlsn_FCfYT7D_ZthXK_Udd4a15AE58_Wg/sendMessage?chat_id=2054148913
Verdict:
Suspicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/ec5a61e2-400a-4749-85b4-8ce944ee7562
Unpacked files
SH256 hash:
1d1fe4549305d756c9553adff01b0e2b02eddae66f3268098fe14153eb4a2e50
MD5 hash:
c10be5e04b4346f50844d0e995bc74a1
SHA1 hash:
97b5adccd3a8a6613c5ea817c55fd7c7fb1ccff1
Link:
https://www.unpac.me/results/43d4c9d7-f1be-4f5f-bc79-b47c49990b7f/
SH256 hash:
11423f4b9cdfc09f847fc866ce1fa1720e0bc62c2ab8dcec054c94de00ed9589
MD5 hash:
76784618e4f7472327171a450500e1a4
SHA1 hash:
8e2f53cdbfae8870acd66c6b4b059709f173b9cd
Link:
https://www.unpac.me/results/43d4c9d7-f1be-4f5f-bc79-b47c49990b7f/
SH256 hash:
3ba16a92b2b40d38c6e5e30f882a4c60b3838611868d990b7d986eb4018c17cb
MD5 hash:
16d6f358cc62b12dc869da8a59b03eda
SHA1 hash:
5eaf3662fbd4193086df2ba7233e9652542be8a3
Link:
https://www.unpac.me/results/43d4c9d7-f1be-4f5f-bc79-b47c49990b7f/
SH256 hash:
23a7bc3eeb660d9fff41463277b64129ac2cc43faf9a3d26b100aa259835b08b
MD5 hash:
ada887c0b6c740480c3585d4c4a2587a
SHA1 hash:
3617aeaa16ef0a75248bf194f21dbfd688065699
Link:
https://www.unpac.me/results/43d4c9d7-f1be-4f5f-bc79-b47c49990b7f/
SH256 hash:
badf4994b0c994b2894ffa59e53475e76aeb98e32310b3e4733ec952117ddcdc
MD5 hash:
41738b1f4b60af050cc7bce2c11670c0
SHA1 hash:
35846789ca0194b4fa16217cbddc13a043a318f3
Detections:
snake_keylogger
Create hunting rule
Link:
https://www.unpac.me/results/43d4c9d7-f1be-4f5f-bc79-b47c49990b7f/
Parent samples :
6909f3a01da363efcaf05aa899b1223818923972ba34b90ae6ef8fd062d0cd4e
0296e49137a482b7db3bed7fe16c5ad20b083b20a8ce56b6c42309fff94d50b6
605995d682d1e7f038aa33ab39ba0a6e8330aa8f13836c0d21cec48a4a56e46d
b3905eeb2235f6893aadc3bdc789cba0860dcd240d7149371c5fa03c809e4b59
b1a095ae8f5562162a591f8871ba8aecc46d43e875a19f2cd56d7b9c03b56cb2
4ade79259ddc557d6b0abf68de4b5fbe61e532db6eae5b29ef30e3a71bbf17e2
d65163defaea092a6be7661cdde670e18e54ae79790ffa5f64385daa5ceccabe
SH256 hash:
b1a095ae8f5562162a591f8871ba8aecc46d43e875a19f2cd56d7b9c03b56cb2
MD5 hash:
dd008e99875a585d96ec322f8a13413b
SHA1 hash:
e311d243e28bd70fb0fe578d92352414c5180537
Link:
https://www.unpac.me/results/43d4c9d7-f1be-4f5f-bc79-b47c49990b7f/
Malware family:
SnakeKeylogger
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/b1a095ae8f55/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/b1a095ae8f5562162a591f8871ba8aecc46d43e875a19f2cd56d7b9c03b56cb2

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/324294/

Comments