MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 7282e959f35ef032b1beb99e36939b9878932393d22e93f2e2e8cad4d64d0ed3. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


SnakeKeylogger


Vendor detections: 14


Intelligence 14 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 7282e959f35ef032b1beb99e36939b9878932393d22e93f2e2e8cad4d64d0ed3
SHA3-384 hash: c4808aeba0e4074770c78bbb352fd39984e35be58ed85229f6a1cd4b484f93b700897a1816b252c986beb57247889101
SHA1 hash: e85b9d76ac0206231f2c220d50258ad00b95973c
MD5 hash: 597aa266d91d43bc998ece5ae7cf0783
humanhash: dakota-missouri-single-gee
File name:DHL-AWB.exe
Download: download sample
Signature SnakeKeylogger
Create hunting rule
File size:682'496 bytes
First seen:2023-04-01 07:24:14 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 12288:Kx9qHqYCP6imOMt++FufBbmyj3N4QBVsFiChVOzZlBJOvnk+Ps4F5UApdfZ5:Kx9qHqYbimXep6yTNbQFrhVYPOvn1dF7
Threatray 363 similar samples on MalwareBazaar
TLSH T1A5E4011037DE8A2AC53687BD80E0D0F06336CCDAE562CB2B4EC9BDCBB3D93565625156
TrID 71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.2% (.EXE) Win64 Executable (generic) (10523/12/4)
6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.3% (.EXE) Win32 Executable (generic) (4505/5/1)
2.0% (.ICL) Windows Icons Library (generic) (2059/9)
File icon (PE):PE icon
dhash icon b89494c4c4d4d4d4 (2 x AgentTesla, 1 x SnakeKeylogger, 1 x StormKitty)
Reporter abuse_ch
Tags:DHL exe SnakeKeylogger

Intelligence

File Origin
# of uploads :
1
# of downloads :
255
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
DHL-AWB.exe
Verdict:
Malicious activity
Analysis date:
2023-04-01 07:32:37 UTC
Tags:
snake keylogger trojan evasion
Link:
https://app.any.run/tasks/8473d035-2022-450a-82c9-5de52c3723bc

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/379203/
Detection(s):
Sanesecurity.Malware.28872.BadIN4.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a custom TCP request
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
floxif lokibot packed virus
Link:
https://www.filescan.io/uploads/6427dc50155a6f1443f9d511/reports/8f973d00-e517-457a-bbd1-26e621ee73d1/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_100%
Link:
https://www.hybrid-analysis.com/sample/7282e959f35ef032b1beb99e36939b9878932393d22e93f2e2e8cad4d64d0ed3
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Snake Keylogger
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/8f89a090-06ac-42ca-a84c-f1941fa17cb4
Result
Threat name:
Snake Keylogger
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1206298
Signature
Adds a directory exclusion to Windows Defender
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
May check the online IP address of the machine
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Scheduled temp file as task from temp location
Snort IDS alert for network traffic
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Mail credentials (via file / registry access)
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected Generic Downloader
Yara detected Snake Keylogger
Yara detected Telegram RAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 839212 Sample: DHL-AWB.exe Startdate: 01/04/2023 Architecture: WINDOWS Score: 100 55 Snort IDS alert for network traffic 2->55 57 Malicious sample detected (through community Yara rule) 2->57 59 Sigma detected: Scheduled temp file as task from temp location 2->59 61 5 other signatures 2->61 7 DHL-AWB.exe 7 2->7         started        11 ZGiEpsEiPhxwJ.exe 5 2->11         started        process3 file4 39 C:\Users\user\AppData\...\ZGiEpsEiPhxwJ.exe, PE32 7->39 dropped 41 C:\...\ZGiEpsEiPhxwJ.exe:Zone.Identifier, ASCII 7->41 dropped 43 C:\Users\user\AppData\Local\...\tmp8850.tmp, XML 7->43 dropped 45 C:\Users\user\AppData\...\DHL-AWB.exe.log, ASCII 7->45 dropped 63 May check the online IP address of the machine 7->63 65 Uses schtasks.exe or at.exe to add and modify task schedules 7->65 67 Adds a directory exclusion to Windows Defender 7->67 13 DHL-AWB.exe 15 2 7->13         started        17 powershell.exe 21 7->17         started        19 schtasks.exe 1 7->19         started        69 Multi AV Scanner detection for dropped file 11->69 71 Machine Learning detection for dropped file 11->71 21 ZGiEpsEiPhxwJ.exe 14 2 11->21         started        23 schtasks.exe 1 11->23         started        25 ZGiEpsEiPhxwJ.exe 11->25         started        27 ZGiEpsEiPhxwJ.exe 11->27         started        signatures5 process6 dnsIp7 47 checkip.dyndns.com 193.122.130.0, 49695, 80 ORACLE-BMC-31898US United States 13->47 49 checkip.dyndns.org 13->49 73 Tries to steal Mail credentials (via file / registry access) 13->73 75 Tries to harvest and steal ftp login credentials 13->75 77 Tries to harvest and steal browser information (history, passwords, etc) 13->77 29 conhost.exe 17->29         started        31 WerFault.exe 17->31         started        33 conhost.exe 19->33         started        51 132.226.247.73, 49696, 80 UTMEMUS United States 21->51 53 checkip.dyndns.org 21->53 35 WerFault.exe 21->35         started        37 conhost.exe 23->37         started        signatures8 process9
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/7282e959f35ef032b1beb99e36939b9878932393d22e93f2e2e8cad4d64d0ed3/
Threat name:
Win32.Trojan.Leonem
Create hunting rule
Status:
Malicious
First seen:
2023-03-31 09:16:22 UTC
File Type:
PE (.Net Exe)
Extracted files:
18
AV detection:
19 of 24 (79.17%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=okboswptl3ydfmn6xgpdne43tb4jgi4t2ixjh4xc5dfnjvsnb3jq._file
Verdict:
malicious
Similar samples:
189d5e75f300e21f30ae87cef1c384a3e33e26b5546b8404090bffe3251d4a34
SnakeKeylogger
2e5243c0f25a508026aa4bc82e7cdddd2df91f556c8509ac6e2b60d3ef17b517
SnakeKeylogger
87c1f33e1a2f359854fe99b0724a05efcfe41b143a3e7c5470dd3a7c63a508c1
SnakeKeylogger
90e926a50fdd51897942e407e917649f7cfdac92a9f95cc73d263c8f7fff695e
SnakeKeylogger
ae0a26ad0575bf99d4015962b33290c3bc1395b91a8355b5c9f2340fdf577db9
SnakeKeylogger
bd636a268d4511297bcf90fde8103829bf21a31e7075b93aae30824af3e3703d
SnakeKeylogger
c130d7ecfd4247d4b31878fc53e77b29f6cf286a977964d32069baa3769d4779
SnakeKeylogger
cab3e26e0ef44ba9322a03c14bc81a9f35a897c2da066eb6605d879a49ddc078
SnakeKeylogger
cf30e92c897a307421160bcc8072cd2901b89331de784059a1a1608d2ca80123
SnakeKeylogger
+ 353 additional samples on MalwareBazaar
Result
Malware family:
snakekeylogger
Create hunting rule
Score:
  10/10
Tags:
family:snakekeylogger collection keylogger spyware stealer
Link:
https://tria.ge/reports/230401-h8ypjaaa61/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Enumerates physical storage devices
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Looks up external IP address via web service
Checks computer location settings
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Snake Keylogger
Snake Keylogger payload
Malware Config
C2 Extraction:
https://api.telegram.org/bot5830295968:AAFBRUyMVqMJG31ucaTPOD0EwQdJVbJGSoc/sendMessage?chat_id=6163418482
Unpacked files
SH256 hash:
3c507afadbb1c31a9ebdd24baac5739d47576159e01c5e84f973c951885100aa
MD5 hash:
e79bf0e7e9d52d398e0b23b352394c68
SHA1 hash:
682325763a0ec77e0fd475ea3a4021b4651eceac
Link:
https://www.unpac.me/results/bcfba1db-a065-4ad5-bb00-47109be6b6a3/
SH256 hash:
eae8c0ecef448f7f09974dcbf5e2f64f273f40bc82784d919c9ee5108d12294f
MD5 hash:
11ad437976d7e7b68f05fabbe611df4d
SHA1 hash:
502b6eb1c9e2993ac715705a3193af0b6170e26d
Link:
https://www.unpac.me/results/bcfba1db-a065-4ad5-bb00-47109be6b6a3/
SH256 hash:
4db73bdd596305d44bbb3a96704a6f27a80d3975eab66c7d37b15da22b2e4cdc
MD5 hash:
65cc373f070f3856c0fc09aea776f65a
SHA1 hash:
16410f02c828eded34efe49d01418490eb8a26a0
Link:
https://www.unpac.me/results/bcfba1db-a065-4ad5-bb00-47109be6b6a3/
SH256 hash:
7282e959f35ef032b1beb99e36939b9878932393d22e93f2e2e8cad4d64d0ed3
MD5 hash:
597aa266d91d43bc998ece5ae7cf0783
SHA1 hash:
e85b9d76ac0206231f2c220d50258ad00b95973c
Link:
https://www.unpac.me/results/bcfba1db-a065-4ad5-bb00-47109be6b6a3/
Malware family:
SnakeKeylogger
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/7282e959f35e/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/7282e959f35ef032b1beb99e36939b9878932393d22e93f2e2e8cad4d64d0ed3

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/379203/

Comments