MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 5c7a8d747c0858343c409b41d793ed9409bd16d0f730891b7a2ec7feb5cd4395. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


SnakeKeylogger


Vendor detections: 8


Intelligence 8 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 5c7a8d747c0858343c409b41d793ed9409bd16d0f730891b7a2ec7feb5cd4395
SHA3-384 hash: f5ac0437e989a36321909ab321fe6edfc1e6cda7313ead4a934053bd22e954c89753815fea284f3c7512fb3e1d67a3b4
SHA1 hash: 7343a035ae2578edab52641de081cfd152464f67
MD5 hash: 7cb90a6bdb53e506818e5b4cffc27f6d
humanhash: sink-nine-coffee-seventeen
File name:DHL_FORM_00099271654_P.exe
Download: download sample
Signature SnakeKeylogger
Create hunting rule
File size:1'317'888 bytes
First seen:2021-02-15 06:50:45 UTC
Last seen:2021-02-15 09:25:44 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'740 x AgentTesla, 19'601 x Formbook, 12'241 x SnakeKeylogger)
ssdeep 12288:rhGT/f7DSvWN1JuigLYVlaf+dhKeVnVBAzz8MDzAK/3LhHWUJ+eBlsi7ZZHET6:4zHSvi7AYaf+dk+gzIK/3lV6iu6
Threatray 19 similar samples on MalwareBazaar
TLSH 9455AD32A5B25AD4ECA58E724D19D189FFFA1D059890834FE45832F12633F8AE3445FE
Reporter abuse_ch
Tags:DHL exe SnakeKeylogger


Avatar
abuse_ch
Malspam distributing SnakeKeylogger:

HELO: centoswp.internew.gr
Sending IP: 185.78.221.121
From: (DHL Supply Chain) <Maria.Sisternas@dhl.com>
Reply-To: result.box2019@mail.com
Subject: ENTREGA DE DHL (NOTIFICACIÓN DE FALLO)
Attachment: DHL_FORM_00099271654_P.rar (contains "DHL_FORM_00099271654_P.exe")

Intelligence

File Origin
# of uploads :
2
# of downloads :
114
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
DHL_FORM_00099271654_P.exe
Verdict:
Malicious activity
Analysis date:
2021-02-15 06:52:30 UTC
Tags:
evasion trojan
Link:
https://app.any.run/tasks/dc66975c-5e08-432b-b3f5-7cf4526aff1a

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/117114/
Detection(s):
SecuriteInfo.com.Artemis7CB90A6BDB53.3547.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
DNS request
Sending a custom TCP request
Creating a window
Running batch commands
Sending a UDP request
Launching a process
Creating a file in the %AppData% directory
Creating a process from a recently created file
Creating a file
Sending an HTTP GET request
Reading critical registry keys
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Unauthorized injection to a recently created process
Unauthorized injection to a recently created process by context flags manipulation
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
Snake Keylogger
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
84 / 100
Link:
https://www.joesandbox.com/analysis/607770
Signature
.NET source code contains potential unpacker
Hides that the sample has been downloaded from the Internet (zone.identifier)
Machine Learning detection for dropped file
Machine Learning detection for sample
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Yara detected Beds Obfuscator
Yara detected Snake Keylogger
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 352916 Sample: DHL_FORM_00099271654_P.exe Startdate: 15/02/2021 Architecture: WINDOWS Score: 84 32 Multi AV Scanner detection for submitted file 2->32 34 Yara detected Snake Keylogger 2->34 36 .NET source code contains potential unpacker 2->36 38 2 other signatures 2->38 7 DHL_FORM_00099271654_P.exe 15 6 2->7         started        11 DHL_FORM_00099271654.exe 14 3 2->11         started        13 DHL_FORM_00099271654.exe 2 2->13         started        process3 dnsIp4 24 C:\Users\user\...\DHL_FORM_00099271654.exe, PE32 7->24 dropped 26 DHL_FORM_00099271654.exe:Zone.Identifier, ASCII 7->26 dropped 28 C:\Users\...\DHL_FORM_00099271654_P.exe.log, ASCII 7->28 dropped 40 Hides that the sample has been downloaded from the Internet (zone.identifier) 7->40 16 cmd.exe 1 7->16         started        18 DHL_FORM_00099271654.exe 2 7->18         started        42 Multi AV Scanner detection for dropped file 11->42 44 Machine Learning detection for dropped file 11->44 30 192.168.2.1 unknown unknown 13->30 file5 signatures6 process7 process8 20 conhost.exe 16->20         started        22 reg.exe 1 1 16->22         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/5c7a8d747c0858343c409b41d793ed9409bd16d0f730891b7a2ec7feb5cd4395/
Threat name:
ByteCode-MSIL.Trojan.Hesv
Create hunting rule
Status:
Malicious
First seen:
2021-02-15 05:32:43 UTC
AV detection:
9 of 47 (19.15%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=lr5i25d4bbmdipcatna5pe7nsqe32fwq64yisg32f3d75noniokq._file
Verdict:
unknown
Similar samples:
0672e1e0fdcf5ce94a55e35855458ae01f17124ad09219673a526c0ae1aeec57
SnakeKeylogger
237f8b4365da5b034b1f6a0f9761dc8f472670a48de278636ca4751475e6f750
SnakeKeylogger
2c2323849ce8b94fdba446df7ff61ff3048507771fa126b486ddbe07d40c7c89
SnakeKeylogger
32f1de5afc9dcd3a7f12a950219cd9e838445681f4089bff7a8f3b2ed05363f5
SnakeKeylogger
56cc437c8d3f955ae569373ed5322129298818f77bfc2d728af9473fed554509
SnakeKeylogger
7801d40fed7d2a6ec57aae8e1e5bf403e8fa0945c0bf2d5bb70722627eb8bfae
SnakeKeylogger
bdbfa9d8186cfa1a4c04fa542f78f4c794c7554e0422001f430bf0db01eab52b
SnakeKeylogger
e4284aaa6ccfa009dd95cc4d35c49f592d708453dec75a41390caf26781e638f
SnakeKeylogger
ed21e9b47bc6e3343b98a6a69795c35c0b9ed34d9963a65e5df0afdcfdad9820
SnakeKeylogger
f5aa4fe1049ed94dbf22ad1427013a30762ebd9ac2a89726f9f313b087e2a4a0
SnakeKeylogger
+ 9 additional samples on MalwareBazaar
Result
Malware family:
snakekeylogger
Create hunting rule
Score:
  10/10
Tags:
family:snakekeylogger keylogger persistence spyware stealer
Link:
https://tria.ge/reports/210215-kyxb2pehj2/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Adds Run key to start application
Looks up external IP address via web service
Loads dropped DLL
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Executes dropped EXE
Snake Keylogger
Snake Keylogger Payload
Unpacked files
SH256 hash:
5c7a8d747c0858343c409b41d793ed9409bd16d0f730891b7a2ec7feb5cd4395
MD5 hash:
7cb90a6bdb53e506818e5b4cffc27f6d
SHA1 hash:
7343a035ae2578edab52641de081cfd152464f67
Link:
https://www.unpac.me/results/3d32ccfc-260e-4803-8038-ed454eeeae8c/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.45
Link:
https://yomi.yoroi.company/submissions/5c7a8d747c0858343c409b41d793ed9409bd16d0f730891b7a2ec7feb5cd4395

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

SnakeKeylogger

rar 3e99167a7a136a15241f1e89ffcf223f09696b8f32df56d02b17d789ec150e1e

SnakeKeylogger

Executable exe 5c7a8d747c0858343c409b41d793ed9409bd16d0f730891b7a2ec7feb5cd4395

(this sample)

  
Dropped by
MD5 0438dfb1ada915db75799f6ca06bcec2
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/117114/
  
Dropped by
SHA256 3e99167a7a136a15241f1e89ffcf223f09696b8f32df56d02b17d789ec150e1e

Comments