MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 ea01a1b0261c579b627b4925d2e227ff8ad0e1917a643368e1db66c32c262859. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

SnakeKeylogger

Vendor detections: 12

Intelligence 12 IOCs YARA 11 File information Comments

SHA256 hash:	ea01a1b0261c579b627b4925d2e227ff8ad0e1917a643368e1db66c32c262859
SHA3-384 hash:	c6c2c984b31be507103f69d75bdc12c664e377407e48d066780b877140f088adc7c593291d6a5bd0ef11de675b17b14f
SHA1 hash:	0c08d44de61b949596ca06e7167432ef462775b7
MD5 hash:	eea6dac7e88653e9ba892e3d783d9e0d
humanhash:	aspen-nitrogen-kansas-two
File name:	Quotation request.exe
Download:	download sample
Signature	SnakeKeylogger Create hunting rule
File size:	913'920 bytes
First seen:	2023-05-19 16:10:59 UTC
Last seen:	2023-05-20 15:21:02 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'740 x AgentTesla, 19'600 x Formbook, 12'241 x SnakeKeylogger)
ssdeep	12288:a0gJeJLpNaPn0YPX/N+VcOHvrWKc0DNUsGGZzRtKPbJrd7xM7:jgJe8P0JVRvrlv5tnZzRKrpxM7
Threatray	5'740 similar samples on MalwareBazaar
TLSH	T13415D05126A88F05E2766BF66272E13883B52C65F732D2195DD02CDB3D76F823B017A3
TrID	71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13) 10.2% (.EXE) Win64 Executable (generic) (10523/12/4) 6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 4.3% (.EXE) Win32 Executable (generic) (4505/5/1) 2.0% (.ICL) Windows Icons Library (generic) (2059/9)
Reporter	abuse_ch
Tags:	exe SnakeKeylogger

Intelligence

File Origin

# of uploads :

# of downloads :

263

Origin country :

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

Quotation request.exe

Verdict:

Malicious activity

Analysis date:

2023-05-19 16:15:42 UTC

Tags:

snake keylogger trojan evasion

Link:

https://app.any.run/tasks/fb30d2a4-5d95-434c-bcd0-095235b33b64

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection(s):

SecuriteInfo.com.Trojan.Siggen20.54616.12738.28915.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Searching for the window

Creating a window

Gathering data

Verdict:

Malicious

Labled as:

Win/malicious_confidence_100%

Link:

https://www.hybrid-analysis.com/sample/ea01a1b0261c579b627b4925d2e227ff8ad0e1917a643368e1db66c32c262859

Result

Verdict:

UNKNOWN

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Snake Keylogger

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/88fc1289-dcdd-4be1-826f-ea8f43922ec3

Result

Threat name:

Snake Keylogger, StormKitty

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1237399

Signature

.NET source code contains potential unpacker

Found malware configuration

Initial sample is a PE file and has a suspicious name

Injects a PE file into a foreign processes

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

May check the online IP address of the machine

Multi AV Scanner detection for submitted file

Snort IDS alert for network traffic

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Mail credentials (via file / registry access)

Uses the Telegram API (likely for C&C communication)

Yara detected Generic Downloader

Yara detected Snake Keylogger

Yara detected StormKitty Stealer

Yara detected Telegram RAT

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/ea01a1b0261c579b627b4925d2e227ff8ad0e1917a643368e1db66c32c262859/

Threat name:

Win32.Trojan.Pwsx

Status:

Malicious

First seen:

2023-05-19 16:12:06 UTC

File Type:

PE (.Net Exe)

Extracted files:

AV detection:

14 of 24 (58.33%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=5ia2dmbgdrlzwyt3jes5fyrh76fnbymrpjsdg2hb3ntmglbgfbmq._file

Verdict:

malicious

SnakeKeylogger

2c6ab4d6d51bf64c0f95e9f3aba44d33886281974d9c594531be707ed9743cf0

SnakeKeylogger

4e62540930b121dc5eb404032401ac2b37cd86b591e14c4404610a2e59f06b6d

SnakeKeylogger

9925d40e552d694f23587880808c8f53cb41ff2ef2fc5112f37aeaab7d1c6241

SnakeKeylogger

bf15bf7ad5e678a40cca28a50fbe8a4f4aa8b86f3480820d8c0178db3107cb15

SnakeKeylogger

bf36b9ac0998d56e00d4fa60997ba6105f5d9ace84c3e5949fe036d0315d9019

SnakeKeylogger

cc138ced1fbc3fd146c76a8ab520bc6e436b84a4cd26542e8d75ae57c435511d

SnakeKeylogger

e51a6391514210d971a76cec2a5b8773344c36a57a2a850a678f3974abd5dc81

SnakeKeylogger

e5576bd4af80125cef4bbaf71b357486fde975fce56ff17c782644933d542828

SnakeKeylogger

ee79d711f50c08fc3f58d643b0974e2030d5f6f0479a5e000eaef3940f099636

SnakeKeylogger

+ 5'730 additional samples on MalwareBazaar

Result

Malware family:

stormkitty

Score:

10/10

Tags:

family:snakekeylogger family:stormkitty collection keylogger spyware stealer

Link:

https://tria.ge/reports/230519-tmx2nahd5t/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

outlook_office_path

outlook_win_path

Suspicious use of SetThreadContext

Accesses Microsoft Outlook profiles

Looks up external IP address via web service

Reads user/profile data of web browsers

Snake Keylogger

Snake Keylogger payload

StormKitty

StormKitty payload

Malware Config

C2 Extraction:

https://api.telegram.org/bot1184434303:AAFeNNVI4VWtGfD8meVCo4D2rV2sUW_5yMQ/sendMessage?chat_id=1054969340

Unpacked files

SH256 hash:

08365899f5b359601b79c9ebb738b45584fb3726f27173e5c2abe7d4284c905f

MD5 hash:

86cf11beb36ab6255d2a836831a87f79

SHA1 hash:

c32bb5e288babe2d6652d1847942fd123298a352

Link:

https://www.unpac.me/results/9e300e53-aecc-45d4-bdd5-6a4a020a05af/

SH256 hash:

1d831390020022040672df2e128f924cf04ef4dd0703ec8de5434c44bdd53633

MD5 hash:

9d8ad7f9fe07714dd82a65401a253784

SHA1 hash:

c1c50b130fe13180774136f41f76fbbd1fb24c8f

Link:

https://www.unpac.me/results/9e300e53-aecc-45d4-bdd5-6a4a020a05af/

SH256 hash:

16c255190eaaf1b60ec7d07abcac5f614ea197cee2416ca9d01bb563c526c87d

MD5 hash:

fb4ed205b442f470bbf10913128efdcb

SHA1 hash:

9a0a4c5ae429769e3253a9a3daefa24270b87a5b

Link:

https://www.unpac.me/results/9e300e53-aecc-45d4-bdd5-6a4a020a05af/

Parent samples :

ee57b6fa1e5a3c5ef776b79f32820327bcb3fe1974eeddf65c0eb56131193397
de8c7c543f438af1e7e78096f6873268e9b1a12745edf9c88db07e136163399e

SH256 hash:

3d402167476b8711934d71822e4acde83976acd96d2ebccfbe99159a4be3cc32

MD5 hash:

29c082effcd9b5c6eda1580ab2555c03

SHA1 hash:

2dfd6e27076d3bfd5bf3a0b29b2016205ff1eb56

Detections:

snake_keylogger

Link:

https://www.unpac.me/results/9e300e53-aecc-45d4-bdd5-6a4a020a05af/

Parent samples :

c9cd4f96ee3af2513298b62ff2f1c877364fb537fa3d70ef5268db133a4b9b85
e7b9e29ce2d8c5beed41169e84a935735691f4d05a3f7d7c0524525ce4c63c80
70f95597d16e02a95345dac9645f5cd89ff8a36b4bdb1863d048e99386f2987d
1e06accb2a34f85db0c813baf9d01defb963bbc03206539ac093bc7958743ca2
726a9e0d8640423c3401fbfacc3e816afd915b964b1d41fb07893c5234f73a3e
be1588c97b371b5b329c2ac781d083829b8d93ba95dee3dc9778a772c5d5edc2
ea01a1b0261c579b627b4925d2e227ff8ad0e1917a643368e1db66c32c262859
76a18e031d38dfddde065048a4371e0cb24d09d4a74d266b8e83af944833171a

SH256 hash:

b178430918654661133e3cc86f68618dac7c1a56092e89c8d474cf3f05390a23

MD5 hash:

a74d4ff639d43c44d7dcf925dfc3b2d1

SHA1 hash:

1db08e8f485ac81d554e836a784589ab4cee8486

Link:

https://www.unpac.me/results/9e300e53-aecc-45d4-bdd5-6a4a020a05af/

SH256 hash:

ea01a1b0261c579b627b4925d2e227ff8ad0e1917a643368e1db66c32c262859

MD5 hash:

eea6dac7e88653e9ba892e3d783d9e0d

SHA1 hash:

0c08d44de61b949596ca06e7167432ef462775b7

Link:

https://www.unpac.me/results/9e300e53-aecc-45d4-bdd5-6a4a020a05af/

Malware family:

SnakeKeylogger

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/ea01a1b0261c/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Suspicious File

Score:

0.45

Link:

https://yomi.yoroi.company/submissions/ea01a1b0261c579b627b4925d2e227ff8ad0e1917a643368e1db66c32c262859

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	INDICATOR_SUSPICIOUS_Binary_References_Browsers Create hunting rule
Author:	ditekSHen
Description:	Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers.

Rule name:	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook Create hunting rule
Author:	ditekSHen
Description:	Detects executables with potential process hoocking

Rule name:	INDICATOR_SUSPICIOUS_EXE_References_Confidential_Data_Store Create hunting rule
Author:	ditekSHen
Description:	Detects executables referencing many confidential data stores found in browsers, mail clients, cryptocurreny wallets, etc. Observed in information stealers

Rule name:	INDICATOR_SUSPICIOUS_EXE_References_Messaging_Clients Create hunting rule
Author:	ditekSHen
Description:	Detects executables referencing many email and collaboration clients. Observed in information stealers

Rule name:	INDICATOR_SUSPICIOUS_EXE_TelegramChatBot Create hunting rule
Author:	ditekSHen
Description:	Detects executables using Telegram Chat Bot

Rule name:	MALWARE_Win_SnakeKeylogger Create hunting rule
Author:	ditekSHen
Description:	Detects Snake Keylogger

Rule name:	MAL_Envrial_Jan18_1 Create hunting rule
Author:	Florian Roth (Nextron Systems)
Description:	Detects Encrial credential stealer malware
Reference:	https://twitter.com/malwrhunterteam/status/953313514629853184

Rule name:	MAL_Envrial_Jan18_1_RID2D8C Create hunting rule
Author:	Florian Roth
Description:	Detects Encrial credential stealer malware
Reference:	https://twitter.com/malwrhunterteam/status/953313514629853184

Rule name:	pe_imphash Create hunting rule

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

SnakeKeylogger

exe ea01a1b0261c579b627b4925d2e227ff8ad0e1917a643368e1db66c32c262859

(this sample)

Delivery method

Distributed via e-mail attachment

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample