MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 689bab60fc1b21763f58b0b716ec90c9e28dc56988ff1b3520c5dad7a979606c. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


SnakeKeylogger


Vendor detections: 15


Intelligence 15 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 689bab60fc1b21763f58b0b716ec90c9e28dc56988ff1b3520c5dad7a979606c
SHA3-384 hash: 40b52961b8910019e90f4869d0fba7d4961e386f66ea6969c7090ccd95508e5c4406d34c34be117818a2b8dae6316756
SHA1 hash: b44d632881cba1e7057d82398e18e3d651a14718
MD5 hash: 941c1986977c9cd8812653ae22f29392
humanhash: mexico-seventeen-nevada-don
File name:DHL SHIPMENT DOCUMENTS.exe
Download: download sample
Signature SnakeKeylogger
Create hunting rule
File size:833'536 bytes
First seen:2022-11-24 20:04:50 UTC
Last seen:2022-11-24 21:30:43 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 24576:uBRT+Yq87N9nmobPdEZKnZmtWemvPqvI+C:nYq0NYobOKnIktuIB
Threatray 9'744 similar samples on MalwareBazaar
TLSH T172057DCF59613E08C29DBEB06817348C7EA194504588E1E4E7E91BD95A37FBDCA8123F
TrID 63.0% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
11.2% (.SCR) Windows screen saver (13097/50/3)
9.0% (.EXE) Win64 Executable (generic) (10523/12/4)
5.6% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
3.8% (.EXE) Win32 Executable (generic) (4505/5/1)
Reporter abuse_ch
Tags:DHL exe SnakeKeylogger

Intelligence

File Origin
# of uploads :
2
# of downloads :
333
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
DHL SHIPMENT DOCUMENTS.exe
Verdict:
Malicious activity
Analysis date:
2022-11-24 20:07:44 UTC
Tags:
evasion trojan snake keylogger
Link:
https://app.any.run/tasks/9790ec95-391f-4e3e-a417-8749806628eb

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Snake
Create hunting rule
Link:
https://www.capesandbox.com/analysis/338186/
Detection(s):
SecuriteInfo.com.Win32.PWSX-gen.24282.26413.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Unauthorized injection to a recently created process
Creating a file
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
packed
Link:
https://www.filescan.io/uploads/637fce7094f9bac087b34137/reports/f2bd68a0-6200-41df-9269-d9aa8adefe58/overview
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Snake Keylogger
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/e2e00c36-d7b9-4d51-b4c8-f7ad2078e525
Result
Threat name:
Snake Keylogger
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1120724
Signature
.NET source code contains potential unpacker
.NET source code references suspicious native API functions
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
May check the online IP address of the machine
Snort IDS alert for network traffic
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Mail credentials (via file / registry access)
Yara detected AntiVM3
Yara detected Generic Downloader
Yara detected Snake Keylogger
Yara detected Telegram RAT
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/689bab60fc1b21763f58b0b716ec90c9e28dc56988ff1b3520c5dad7a979606c/
Threat name:
ByteCode-MSIL.Spyware.SnakeLogger
Create hunting rule
Status:
Malicious
First seen:
2022-11-24 20:05:10 UTC
File Type:
PE (.Net Exe)
Extracted files:
13
AV detection:
16 of 25 (64.00%)
Threat level:
  2/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=ncn2wyh4dmqxmp2ywc3rn3eqzhri3rljrd7rwnjayxnnpklzmbwa._file
Verdict:
malicious
Similar samples:
2d4807b948984f8b7f170d662a8c055f53420770e82428a9315001d3d420d610
SnakeKeylogger
50da774fda04ec1034035862f80ea8933397e34b66ac58c239c369836e341be0
SnakeKeylogger
658cb26b4f26e4ecf21c85c6138ceb52c614ca4092a69c365d324ff0b4b0d7c0
SnakeKeylogger
7370349d22f65927955d817fde07a3c9e1b5235fe3091278ad6899d8026422e3
SnakeKeylogger
7c0ccddd1e886d81fbcd8e4c62e6d61ce7e78258825a1f2ef1bc7edca4179cd5
SnakeKeylogger
ba7fa01438610d59a23d6daaa7dac208e3a99ff8dd10dfd6d9be2a59d4ff557e
SnakeKeylogger
f293c00ae925b1e3160d4104f35de999a31728aa5b636dd945d2ceb1d5045c01
SnakeKeylogger
f5b5997f3b718acf9ad712558e910e0d0c4777d8882207c05510f6c42cb3013d
SnakeKeylogger
+ 9'734 additional samples on MalwareBazaar
Result
Malware family:
snakekeylogger
Create hunting rule
Score:
  10/10
Tags:
family:snakekeylogger keylogger stealer
Link:
https://tria.ge/reports/221124-yttp2aae6t/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Looks up external IP address via web service
Snake Keylogger
Snake Keylogger payload
Verdict:
Suspicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/4cbcff76-4441-4864-ad7a-b38da74c766e
Unpacked files
SH256 hash:
a4dea87c44153bb33ce223c0193582b6ef2e73f17d632ecb4392fcb2830fa7ec
MD5 hash:
d19ef48d7f6d470b405e3577b65131b4
SHA1 hash:
f53b620e189662da1daf92a874c5510e64a5f0f3
Detections:
snake_keylogger
Create hunting rule
Link:
https://www.unpac.me/results/0e23c16c-78bd-44ef-861f-6c31ca3e71b3/
Parent samples :
a7f5873d043294de859736362df3aa0fb6c50ece6b9325c9b48cde35d9cddf8a
86b69e37fb4f94c2b24904bbb004474b8f57abecc6332ff595c1eacc7ab59bf6
460924c55f59314a09c710e31d9c215fdb471eafbb5d6bd348972fee078a316e
2e873b3c9f0817c1d492ee2b05319fdd277a4535c1623592c2c097f811ac45fc
cce8ba621c797e9782cc2c56058cbb25555b367673a5f70aff660dd0bd509390
15e607b94fb0b5d7cd1b5380d2f7f91634d5772218fdbadefb41e5b20ccead5d
bb6240ace6a64b0d45a7180d0b0f482597f69e270de56f7cfb47049d096b720d
15e5350ed0a3c724d2d904f87e87adadb2f658a71584b486409302c8a5b99c85
622c2192e22e7e407ee6f870dcd26689a2998571c725ac4d7f2682ec72de0fdd
30204f8d475b5d9da3ab0f5282468414fb3680aea9e171f2be3677c3531c34e7
9f8bd35c99417ab86d20781c7f4737a247ab64354e73ffbc52d5c5e35f8cdc14
2b3bc8ae8908f619944ca14696ecec764b92d6ff891838d1a7fe951580b8edea
d742297ca5cc509b66ce7090284d5a996b4bf3fb284797442402fff10ae47e74
62807c3f8896bab3bad4537ffc327dc1775e250c0f0d8822f2df585e843e3f47
454529ef92f2ff17bdfb7f8ec8df852fd1f7c7919a021adf1b6b1d41b4519ef6
a888f1a58c8c2ab3a2ae32743d0362fe01f145e76b4196c21b9c2bafc978e7fb
76cec159d26635e1caf4cd67b798904fac19e37ec5f85ca63f7a0b3d66de91e0
04a99d8b230a027d26f94dbb34a80129744482e7bf4ef5d4c94de770da6f4d84
42b6acf48bac461e6e74d778b14ff37c892369020eda38a64ff1e33ed9453206
689bab60fc1b21763f58b0b716ec90c9e28dc56988ff1b3520c5dad7a979606c
8f5a23cb25c7cb7ec6ea3a53261ed6c7983751eabaccae62dd964b8dee5259ee
0ca6f42f7efb21a5b4a93bbe6c2c4f69e9f9381f2a858872dd82df7e01332f7a
b13ea396ab71dd043b9df28dd8c484d432382228c03c8bcf57c01040d5a39ca6
33f56d6b8fadc1fb40a9485acd63a7cf42d81c5a494799513f4adddb523f84c9
b971a16851e90b9ba431ec5c3c739204f16d361b57ac22ab43a05feee0f39ed1
2b290eb25ebac77c8286c8bee0ca6b59898f1aac63c7aed531ce031864c29a73
SH256 hash:
31dd34711b3897a6cf0ef0fabf107b75b8b62ff25a054ce05f68248efef3a4ed
MD5 hash:
c2624526cfd49a18e82eb9bb1eb558ed
SHA1 hash:
bbef358c64d90266ed356a2f829eb1a1f1495361
Link:
https://www.unpac.me/results/0e23c16c-78bd-44ef-861f-6c31ca3e71b3/
SH256 hash:
4266003684354dcc1b96ebf61cab0d7fb2880dc4afda9bd152b8be67fb32d346
MD5 hash:
b09318824776f188b81122085a9597c7
SHA1 hash:
73121e9aaf5b66e0f2333594e49a3c52c0181a55
Link:
https://www.unpac.me/results/0e23c16c-78bd-44ef-861f-6c31ca3e71b3/
SH256 hash:
655a281afa575c22b89953c92e5038eb0c248293ddda858cf340691e5ebe54ab
MD5 hash:
5ea446183a07dbbcaf6cf312ff1057e7
SHA1 hash:
666bc8f866dca1259e00b02689a3bcf7bea7b036
Link:
https://www.unpac.me/results/0e23c16c-78bd-44ef-861f-6c31ca3e71b3/
SH256 hash:
ab19f28c700d64814b0c55df868c30dfb94e0a1f9fb6f7bca05bac6eb78a4e52
MD5 hash:
1f2a6c02dcf9aa00a28a5039fb5b8ce0
SHA1 hash:
1ef480867d39b98368af7586a8e6ba38c0c3893a
Link:
https://www.unpac.me/results/0e23c16c-78bd-44ef-861f-6c31ca3e71b3/
SH256 hash:
689bab60fc1b21763f58b0b716ec90c9e28dc56988ff1b3520c5dad7a979606c
MD5 hash:
941c1986977c9cd8812653ae22f29392
SHA1 hash:
b44d632881cba1e7057d82398e18e3d651a14718
Link:
https://www.unpac.me/results/0e23c16c-78bd-44ef-861f-6c31ca3e71b3/
Malware family:
SnakeKeylogger
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/689bab60fc1b/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Password Stealer
Score:
0.90
Link:
https://yomi.yoroi.company/submissions/689bab60fc1b21763f58b0b716ec90c9e28dc56988ff1b3520c5dad7a979606c

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

SnakeKeylogger

Executable exe 689bab60fc1b21763f58b0b716ec90c9e28dc56988ff1b3520c5dad7a979606c

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/338186/

Comments