MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 c1a5ebc9f3e9821cba9cebcbec5c59923f4cdd35d08058c5ddc5c510d9c9cbdd. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



SnakeKeylogger


Vendor detections: 15



SHA256 hash: c1a5ebc9f3e9821cba9cebcbec5c59923f4cdd35d08058c5ddc5c510d9c9cbdd
SHA3-384 hash: 41ce3cc4e165eff1b574fd75f4fba6ca1552d5bb919abaeee9027dd657e64ce71ab54e63c0a77ba5382b826b523816e7
SHA1 hash: c39508fa283f437191410c374949ff836a22c258
MD5 hash: 152ed623e1038949487ac04aa2297741
humanhash: seven-louisiana-green-snake
File name: KingFreoghtExpressCorp_Quote.exe
Download: download sample
Signature SnakeKeylogger
File size: 955'904 bytes
First seen: 2022-10-10 13:25:34 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'649 x AgentTesla, 19'461 x Formbook, 12'202 x SnakeKeylogger)
ssdeep 12288:E2iNQx5J2uM5ewGPFdp8PYailZWllGIaXOWnGBem6kZ7HijJF9alCfKAdqEb3W:E15pewaXp8waiTFInaGBd6kZ7n
Threatray 5'712 similar samples on MalwareBazaar
TLSH T1CD1527B93180654FD816B075C887ECF36AFB6C615216C1C765D32FAFBC480BBDA12296
TrID 64.2% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
11.5% (.SCR) Windows screen saver (13101/52/3)
9.2% (.EXE) Win64 Executable (generic) (10523/12/4)
5.7% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
3.9% (.EXE) Win32 Executable (generic) (4505/5/1)
Reporter James_inthe_box
Tags: exe SnakeKeylogger

Intelligence


File Origin
# of uploads :
1
# of downloads :
211
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
c1a5ebc9f3e9821cba9cebcbec5c59923f4cdd35d08058c5ddc5c510d9c9cbdd.zip
Verdict:
Malicious activity
Analysis date:
2022-10-10 13:27:21 UTC
Tags:
evasion trojan snake keylogger

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Creating a window
Unauthorized injection to a recently created process
Creating a file
Creating synchronization primitives
DNS request
Sending an HTTP GET request
Reading critical registry keys
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Snake Keylogger
Verdict:
Malicious
Result
Threat name:
Snake Keylogger
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Behaviour
Behavior Graph:
n/a
Threat name:
ByteCode-MSIL.Spyware.SnakeLogger
Status:
Malicious
First seen:
2022-10-08 15:30:29 UTC
File Type:
PE (.Net Exe)
Extracted files:
24
AV detection:
19 of 26 (73.08%)
Threat level:
2/5
Result
Malware family:
snakekeylogger
Score:
10/10
Tags:
family:snakekeylogger collection keylogger spyware stealer
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Looks up external IP address via web service
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Snake Keylogger
Snake Keylogger payload
Verdict:
Suspicious
Tags:
n/a
YARA:
n/a
Unpacked files
SHA256 hash:
0b2c39cedea900416e712c3e76b034b1ee25ed4736f24aea8724a4d3ab4c04e9
MD5 hash:
5f037cd65e179073519579e0f872954b
SHA1 hash:
9e345b38bfb00b388aee3d45ceae9a57b5cf9ed9
SHA256 hash:
edefcf5b874ac9841b5d2488e3b059242a0f3371d5ffd384aa2a9ada8eb5d747
MD5 hash:
31523293174a76f624c12012648ac2bf
SHA1 hash:
9b34e35036d45599a6ebc23a6e5dab771513590f
SHA256 hash:
1383999cb3682a0a0a54fad8a8e3f0fda2d4ce6422fa35286cece258aa1844a1
MD5 hash:
d891ee2f90e3392ee593067a038f3335
SHA1 hash:
347e96ac60f38938b0061ce5c21bec28c87f71f9
SHA256 hash:
a54a29641cd8ef4ba1328c1e53da3537432584fc7ab2005e441780f8cce2412c
MD5 hash:
fabb2ae4403d9691ab0d9255e856f803
SHA1 hash:
33df30bff30e31d4dda7e7f16f378184af02e2c0
Detections:
snake_keylogger
Parent samples:
SHA256 hash:
e20ec8f3c957bcb6a194ef688bae8af2015cfffb20e7baf8b2114d7b70ade4ee
MD5 hash:
35cb29046968faca7f3f3b4463449b6c
SHA1 hash:
088c8c30ec1bece0a4b5bbfe3982b073f8b95598
SHA256 hash:
c1a5ebc9f3e9821cba9cebcbec5c59923f4cdd35d08058c5ddc5c510d9c9cbdd
MD5 hash:
152ed623e1038949487ac04aa2297741
SHA1 hash:
c39508fa283f437191410c374949ff836a22c258
Malware family:
SnakeKeylogger
Verdict:
Malicious
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Rule name:Skystars_Malware_Imphash
Author:Skystars LightDefender
Description:imphash

File information


The table below shows additional information about this malware sample such as delivery method and external references.

  
Delivery method
Other

Comments