MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 7b59387424fab533c46c56bc259e1804ce9a2524fef9158a3ff479d6bf1043ee. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

SnakeKeylogger

Vendor detections: 11

Intelligence 11 IOCs YARA 2 File information Comments

SHA256 hash:	7b59387424fab533c46c56bc259e1804ce9a2524fef9158a3ff479d6bf1043ee
SHA3-384 hash:	62a7c5e1e8d29e195a031c8b93d2b6a857a579ca6e8b4107b8b0189808780568aefadbfe78104365c25ecc863ab6ab9e
SHA1 hash:	cc05ffae9181538f786d37b614ebc53ef3b36d87
MD5 hash:	f9640a798354465bc64fd08b9de50402
humanhash:	early-uncle-sodium-iowa
File name:	UPS Notification Letter.cmd
Download:	download sample
Signature	SnakeKeylogger Create hunting rule
File size:	982'528 bytes
First seen:	2022-11-08 15:35:58 UTC
Last seen:	2022-11-08 17:45:19 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep	12288:MUEkQPPR7qIa+Xsjd7eR+s7rc0ZLlUwYEyOOQhlKgdJegcxePOJHcqtFA:MU0ZqeXgd6R+qc4xnJhU2gPkOJHch
Threatray	8'345 similar samples on MalwareBazaar
TLSH	T11825BFA034B01FB9E67ECFF64624266483F33DA9625AF60E4CE170EA1573F924660D17
TrID	64.2% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13) 11.5% (.SCR) Windows screen saver (13097/50/3) 9.2% (.EXE) Win64 Executable (generic) (10523/12/4) 5.7% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 3.9% (.EXE) Win32 Executable (generic) (4505/5/1)
Reporter	abuse_ch
Tags:	cmd exe SnakeKeylogger UPS

Intelligence

File Origin

# of uploads :

# of downloads :

184

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

UPS Notification Letter.cmd

Verdict:

Malicious activity

Analysis date:

2022-11-08 15:48:32 UTC

Tags:

evasion trojan

Link:

https://app.any.run/tasks/6065c82f-8873-4a6b-9091-f8a68e6156ef

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

Snake

Link:

https://www.capesandbox.com/analysis/330659/

Detection(s):

SecuriteInfo.com.Trojan.Siggen19.4547.27189.23943.UNOFFICIAL

Result

Verdict:

Clean

Maliciousness:

Behaviour

Creating a window

Sending a custom TCP request

Launching a process

Creating a process with a hidden window

Verdict:

Suspicious

Threat level:

5/10

Confidence:

100%

Tags:

packed

Link:

https://www.filescan.io/uploads/636a776ac0dbe6b5f9a4b46e/reports/c7a3f0c1-d5d8-4890-9e07-81f9af52781b/overview

Result

Verdict:

UNKNOWN

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Snake Keylogger

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/a775c33f-2baa-4772-87a8-76ef06fd1e19

Result

Threat name:

AgentTesla, Snake Keylogger

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1108427

Signature

.NET source code contains potential unpacker

.NET source code references suspicious native API functions

Adds a directory exclusion to Windows Defender

Injects a PE file into a foreign processes

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

May check the online IP address of the machine

Multi AV Scanner detection for submitted file

Snort IDS alert for network traffic

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to steal Mail credentials (via file / registry access)

Yara detected AgentTesla

Yara detected AntiVM3

Yara detected Generic Downloader

Yara detected Snake Keylogger

Yara detected Telegram RAT

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/7b59387424fab533c46c56bc259e1804ce9a2524fef9158a3ff479d6bf1043ee/

Threat name:

Win32.Trojan.AgentTesla

Status:

Malicious

First seen:

2022-11-08 07:59:25 UTC

File Type:

PE (.Net Exe)

Extracted files:

AV detection:

17 of 26 (65.38%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=pnmtq5be7k2thrdmk26clhqyathjujje734rlcr76r45npyqipxa._file

Verdict:

malicious

SnakeKeylogger

32df08aad657ce92e28ff241d127158682cfea1d9260ba44fc5b06bcf4ac7612

SnakeKeylogger

4a2077c64b24049a2dfcfb0d2788d4160f1b21bdea9fa588ac69ed8fcd1ecd6e

SnakeKeylogger

56592952894bf0d4b991d0bac813dab7d21517c5c0c79cce2faf8a50383cc3bf

SnakeKeylogger

60af9df81cf538b49e2411b69acfbcd2df44edffa4c4912e16c64d2618d22a8c

SnakeKeylogger

b47aa7b5477954f8d297266a203475a4e9f7b1152cb3a804c29402511157848e

SnakeKeylogger

ba58c8bf97ee6b5372eaa5c85f82bf8ca23f84f5e72f29f00e9e84757f23bca2

SnakeKeylogger

bd101151493572e15312c745f4216063668d99a1ac5d24584595975eb5ecde1f

SnakeKeylogger

+ 8'335 additional samples on MalwareBazaar

Result

Malware family:

snakekeylogger

Score:

10/10

Tags:

family:snakekeylogger collection keylogger spyware stealer

Link:

https://tria.ge/reports/221108-s1ydxafghj/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

outlook_office_path

outlook_win_path

Enumerates physical storage devices

Suspicious use of SetThreadContext

Accesses Microsoft Outlook profiles

Looks up external IP address via web service

Checks computer location settings

Reads data files stored by FTP clients

Reads user/profile data of local email clients

Reads user/profile data of web browsers

Snake Keylogger

Snake Keylogger payload

Unpacked files

SH256 hash:

20f29e6ffe3b3b7ca4f1207e2be817cc1dd85563e05eb28742ed28d30106ad8b

MD5 hash:

04adc5b2d06ef21d9ae4742fd60487c1

SHA1 hash:

ed5d35f7f88474e92e895c8847036963435ef5dd

Link:

https://www.unpac.me/results/b4fd1645-bc3f-4057-a7ca-115190e5a9a5/

SH256 hash:

cfaaf07eac5fea23fa393f2bb5158e323fd5dc197131243043860cf0718026ed

MD5 hash:

fcde959a18867c1fd1fc42e4162d9f82

SHA1 hash:

ed226874df93374922c0011c913e770ce8eb1f1b

Link:

https://www.unpac.me/results/b4fd1645-bc3f-4057-a7ca-115190e5a9a5/

SH256 hash:

13e80fde971ff150ba6cc8008a9be6c02401fa85925b91662b84f1da7b0826d8

MD5 hash:

0d529117d051d9f40242787b84fe9e0c

SHA1 hash:

90623a4bc25293f51803b60cdcad2e54fbcee67f

Link:

https://www.unpac.me/results/b4fd1645-bc3f-4057-a7ca-115190e5a9a5/

SH256 hash:

7f272c4db499b1501a5ea1711d23de0e6a0c07faf16275e9b01722dae889c7c9

MD5 hash:

dd8b9511dda8eb7c84e1621046828883

SHA1 hash:

7f715270ffcadcba5c3148d2a0cecfaaf6c2e805

Link:

https://www.unpac.me/results/b4fd1645-bc3f-4057-a7ca-115190e5a9a5/

SH256 hash:

72763ffb3f368c05dfe6e9d9b8c25ffcd5b5767194956936680f19a963840dc3

MD5 hash:

ba18e7842ab2844aead9a29ea71b5a05

SHA1 hash:

7559edd18b33cac6568c40c538e15e5fa2b775b2

Detections:

snake_keylogger

Link:

https://www.unpac.me/results/b4fd1645-bc3f-4057-a7ca-115190e5a9a5/

Parent samples :

4b28969cc4f30f407d15a6d462105ac3f164585ae720d35a8249bd5c91fc51d5
7b59387424fab533c46c56bc259e1804ce9a2524fef9158a3ff479d6bf1043ee

SH256 hash:

7b59387424fab533c46c56bc259e1804ce9a2524fef9158a3ff479d6bf1043ee

MD5 hash:

f9640a798354465bc64fd08b9de50402

SHA1 hash:

cc05ffae9181538f786d37b614ebc53ef3b36d87

Link:

https://www.unpac.me/results/b4fd1645-bc3f-4057-a7ca-115190e5a9a5/

Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	pe_imphash Create hunting rule

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

SnakeKeylogger

exe 7b59387424fab533c46c56bc259e1804ce9a2524fef9158a3ff479d6bf1043ee

(this sample)

Delivery method

Distributed via e-mail attachment

Cape

https://www.capesandbox.com/analysis/330659/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample