MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 1e73aae6a487b8bd66f0faf160523ff271831de6039de29b5e93289bab655382. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


SnakeKeylogger


Vendor detections: 16


Intelligence 16 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 1e73aae6a487b8bd66f0faf160523ff271831de6039de29b5e93289bab655382
SHA3-384 hash: 8a6e759241cbdd4e624026fe6b65f9e42c03efd760d4b5bef65fd80c312c0190ccd997e7d2dcfa5be358389791f42726
SHA1 hash: 570563c437fd1c2e161df5ddb8864d3a8c1bd8e2
MD5 hash: 2826190b28321e119e290e97d2b34706
humanhash: april-illinois-video-idaho
File name:DHL_PARCEL-DELIVERY.exe
Download: download sample
Signature SnakeKeylogger
Create hunting rule
File size:537'600 bytes
First seen:2023-04-18 05:49:12 UTC
Last seen:2023-04-18 10:18:36 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'205 x SnakeKeylogger)
ssdeep 12288:fUrz2a7D1iyZNd32sJRH9zgPDJosvG5pgabAJR:fI2KD1icDvvH89o1gawR
Threatray 178 similar samples on MalwareBazaar
TLSH T189B4E119C075ADF7E6DD0A3600043ADEDF60A5E3B477C13C4BA67899EBAF7042998187
TrID 71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.2% (.EXE) Win64 Executable (generic) (10523/12/4)
6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.3% (.EXE) Win32 Executable (generic) (4505/5/1)
2.0% (.ICL) Windows Icons Library (generic) (2059/9)
Reporter abuse_ch
Tags:DHL exe SnakeKeylogger

Intelligence

File Origin
# of uploads :
2
# of downloads :
251
Origin country :
NL NL
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
DHL_PARCEL-DELIVERY.exe
Verdict:
Malicious activity
Analysis date:
2023-04-18 05:50:56 UTC
Tags:
snake keylogger trojan evasion
Link:
https://app.any.run/tasks/46775588-d64f-40d6-b916-daa76244afe1

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Snake
Create hunting rule
Link:
https://www.capesandbox.com/analysis/382917/
Detection(s):
Sanesecurity.Malware.28872.BadIN4.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a custom TCP request
Launching a process
Creating a process with a hidden window
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
packed
Link:
https://www.filescan.io/uploads/643e2f8cc1735fe5e7566fb3/reports/0040a0c0-e025-47b1-bf39-9c6deebed62d/overview
Verdict:
Malicious
Labled as:
Trojan.Generic
Link:
https://www.hybrid-analysis.com/sample/1e73aae6a487b8bd66f0faf160523ff271831de6039de29b5e93289bab655382
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Snake Keylogger
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/ade066c9-65cf-43cb-9dbe-a1f88d20f747
Result
Threat name:
Snake Keylogger
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1215643
Signature
Adds a directory exclusion to Windows Defender
Found malware configuration
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
May check the online IP address of the machine
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Scheduled temp file as task from temp location
Snort IDS alert for network traffic
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Mail credentials (via file / registry access)
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected Generic Downloader
Yara detected Snake Keylogger
Yara detected Telegram RAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 848571 Sample: DHL_PARCEL-DELIVERY.exe Startdate: 18/04/2023 Architecture: WINDOWS Score: 100 49 Snort IDS alert for network traffic 2->49 51 Found malware configuration 2->51 53 Malicious sample detected (through community Yara rule) 2->53 55 6 other signatures 2->55 7 DHL_PARCEL-DELIVERY.exe 7 2->7         started        11 kqvxgQQjSVi.exe 5 2->11         started        process3 file4 31 C:\Users\user\AppData\...\kqvxgQQjSVi.exe, PE32 7->31 dropped 33 C:\Users\...\kqvxgQQjSVi.exe:Zone.Identifier, ASCII 7->33 dropped 35 C:\Users\user\AppData\Local\...\tmp355D.tmp, XML 7->35 dropped 37 C:\Users\user\...\DHL_PARCEL-DELIVERY.exe.log, ASCII 7->37 dropped 57 May check the online IP address of the machine 7->57 59 Uses schtasks.exe or at.exe to add and modify task schedules 7->59 61 Adds a directory exclusion to Windows Defender 7->61 63 Injects a PE file into a foreign processes 7->63 13 DHL_PARCEL-DELIVERY.exe 15 2 7->13         started        17 powershell.exe 21 7->17         started        19 schtasks.exe 1 7->19         started        65 Multi AV Scanner detection for dropped file 11->65 67 Machine Learning detection for dropped file 11->67 21 kqvxgQQjSVi.exe 14 2 11->21         started        23 schtasks.exe 1 11->23         started        signatures5 process6 dnsIp7 39 checkip.dyndns.com 132.226.8.169, 49697, 80 UTMEMUS United States 13->39 41 checkip.dyndns.org 13->41 43 192.168.2.1 unknown unknown 13->43 25 conhost.exe 17->25         started        27 conhost.exe 19->27         started        45 132.226.247.73, 49698, 80 UTMEMUS United States 21->45 47 checkip.dyndns.org 21->47 69 Tries to steal Mail credentials (via file / registry access) 21->69 71 Tries to harvest and steal ftp login credentials 21->71 73 Tries to harvest and steal browser information (history, passwords, etc) 21->73 29 conhost.exe 23->29         started        signatures8 process9
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/1e73aae6a487b8bd66f0faf160523ff271831de6039de29b5e93289bab655382/
Threat name:
Win32.Trojan.Leonem
Create hunting rule
Status:
Malicious
First seen:
2023-04-17 14:21:07 UTC
File Type:
PE (.Net Exe)
Extracted files:
7
AV detection:
17 of 24 (70.83%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=dzz2vzveq64l2zxq7lywaur76jyyghpgaoo6fg26smujxk3fkoba._file
Verdict:
malicious
Similar samples:
397ca8a839fae5e6c07fd3036a25e5df37220967ad381ca181da0a97354ed8cd
SnakeKeylogger
6afbb9ebc94ae5fbc1a98207af3ce84dec75c243605ebbd6b15b721165e4130a
SnakeKeylogger
875f736e15e9825359679dd4482ef43a0d4ac3274c9ea4b3a8df90fa5d9ed47c
SnakeKeylogger
898d893d7c46d0c70d498f0323b24175c4d49df99b88f57d30aef08cb3e3edca
SnakeKeylogger
9776ff04f5a266245eb0837078897bf8bdc9dac49d9a5cea1f23c146d00c295c
SnakeKeylogger
a036acc68623b42509e807b81be7270e1fc0c626aa15d8164d2f52bd321be1fd
SnakeKeylogger
d89323dd840c86ee64285f6353eee84089b4c242df329b9b5f0c42a6b8944eb5
SnakeKeylogger
d8d96fb0f87869e18b2f527be9a50e08768896ae6df8df2311a71bac4281a1e2
SnakeKeylogger
e6b2f93e2124fa13a05e54b0f0f9327ccdcebc38ee774332c22f34bf60771cef
SnakeKeylogger
ee79d711f50c08fc3f58d643b0974e2030d5f6f0479a5e000eaef3940f099636
SnakeKeylogger
+ 168 additional samples on MalwareBazaar
Result
Malware family:
snakekeylogger
Create hunting rule
Score:
  10/10
Tags:
family:snakekeylogger collection keylogger spyware stealer
Link:
https://tria.ge/reports/230418-gjlg8shh35/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Enumerates physical storage devices
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Looks up external IP address via web service
Checks computer location settings
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Snake Keylogger
Snake Keylogger payload
Malware Config
C2 Extraction:
https://api.telegram.org/bot6007089764:AAFD9by3UqW3VYmVw-YRcKrJ6hMzB1mxNeA/sendMessage?chat_id=1258525953
Unpacked files
SH256 hash:
a53cd79943099571bba907873c7f4b2bff4420481cb4d80b0f161b75c4c7f53f
MD5 hash:
c5ae7b16ab68462361368929db40ac0e
SHA1 hash:
f01a62d0161d82ffa8919ccd32ae0ff0c74a0e69
Detections:
snake_keylogger
Create hunting rule
Link:
https://www.unpac.me/results/fcef9c43-5647-438d-aa3e-cf421663482d/
Parent samples :
1e73aae6a487b8bd66f0faf160523ff271831de6039de29b5e93289bab655382
b559f2c5da63f93d113863c3328df3db4b81cc1e35cb68989ad06a19b9847014
1741ea350d3209cfe4ae7ebd175a40e9e3c6f71f58bb1f3ab9008f493fbfc4bd
SH256 hash:
0fd1f00d94aff36ad8f02077efb33ddf269985ea37038aae554ff6202fdc020f
MD5 hash:
8dfd8e44c82066f4aeeff652fa2a33c5
SHA1 hash:
b844952e48ecab0e7ab2e3d5e38a20629399f94c
Link:
https://www.unpac.me/results/fcef9c43-5647-438d-aa3e-cf421663482d/
SH256 hash:
a1443e2dfa13fefb07457157e2c1a4cbb9929cf0df0d2ece68da64cddc128c20
MD5 hash:
6ad5c6955b06891ff732f5e70d897b72
SHA1 hash:
91379611c19a2862e7ea0049b9017aca922d7a78
Link:
https://www.unpac.me/results/fcef9c43-5647-438d-aa3e-cf421663482d/
SH256 hash:
5e6f7a7b5b9435bd8148fa54d8f3f34db9e864e39666a87d9bc32b2498d4a834
MD5 hash:
9a1f985e5399e4990488ad39a12c2cb5
SHA1 hash:
7493bc5aa1d2c6900efc7903901dc0ba246b299e
Link:
https://www.unpac.me/results/fcef9c43-5647-438d-aa3e-cf421663482d/
SH256 hash:
b645252d457c8dd8a0f46f2f0a82cb8dbada9b7e42d803dfdce093604917da00
MD5 hash:
3cf211c481fed9b2f6658cc8e7ebabc8
SHA1 hash:
12595cda1dd22c0df487f574aafb36d02462ad3e
Link:
https://www.unpac.me/results/fcef9c43-5647-438d-aa3e-cf421663482d/
SH256 hash:
1e73aae6a487b8bd66f0faf160523ff271831de6039de29b5e93289bab655382
MD5 hash:
2826190b28321e119e290e97d2b34706
SHA1 hash:
570563c437fd1c2e161df5ddb8864d3a8c1bd8e2
Link:
https://www.unpac.me/results/fcef9c43-5647-438d-aa3e-cf421663482d/
Malware family:
SnakeKeylogger
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/1e73aae6a487/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/1e73aae6a487b8bd66f0faf160523ff271831de6039de29b5e93289bab655382

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/382917/

Comments