MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 b67ab8fb362ddb271c827e44adf17bddb3c67f5d49c9d67c60797b04967c8442. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


SnakeKeylogger


Vendor detections: 8


Intelligence 8 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: b67ab8fb362ddb271c827e44adf17bddb3c67f5d49c9d67c60797b04967c8442
SHA3-384 hash: 2b42794a87adbe6dd3b7eaad84cdae33e7133c0beefd0d7f5e015893f859f74c447aaca5de4289493f506f2bd29d8cf1
SHA1 hash: 07643139af2b388cff674a182d66bc1fecbf62aa
MD5 hash: f272ec9e92d957a49d9b5095be81a763
humanhash: item-hot-louisiana-florida
File name:Original Invoice PL&BL Draft.exe
Download: download sample
Signature SnakeKeylogger
Create hunting rule
File size:817'664 bytes
First seen:2021-02-24 11:54:52 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'462 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 12288:kEa3LLUEMthvoPTG16KJQ+WRyrSvGk1Qj1Uag8K3xuwx3yO7B:SLCsG16KJJOnej7guwxCO7B
Threatray 7 similar samples on MalwareBazaar
TLSH 140501B435235F15EAA907B443209A6407B46D2E0AA6D21CFD8AF3DFB532BDA150F643
Reporter abuse_ch
Tags:DHL exe SnakeKeylogger


Avatar
abuse_ch
Malspam distributing SnakeKeylogger:

HELO: df0.gvuwx.cf
Sending IP: 161.35.219.90
From: DHL Express <support@dhl.com>
Subject: Consignment Notification: You Have A Package With Us
Attachment: Original Invoice PLBL Draft.gz (contains "Original Invoice PL&BL Draft.exe")

Intelligence

File Origin
# of uploads :
1
# of downloads :
102
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
Original Invoice PL&BL Draft.exe
Verdict:
Malicious activity
Analysis date:
2021-02-24 11:58:56 UTC
Tags:
evasion trojan
Link:
https://app.any.run/tasks/937e04af-af99-4f2f-be8f-06b0c9557d4f

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Snake
Create hunting rule
Link:
https://www.capesandbox.com/analysis/118957/
Detection(s):
SecuriteInfo.com.FileRepMalware.10494.19006.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a custom TCP request
Sending a UDP request
Unauthorized injection to a recently created process
Creating a file
DNS request
Sending an HTTP GET request
Reading critical registry keys
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
Snake Keylogger
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
96 / 100
Link:
https://www.joesandbox.com/analysis/616622
Signature
.NET source code contains potential unpacker
Found malware configuration
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Machine Learning detection for sample
May check the online IP address of the machine
Multi AV Scanner detection for submitted file
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file access)
Yara detected Beds Obfuscator
Yara detected Snake Keylogger
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/b67ab8fb362ddb271c827e44adf17bddb3c67f5d49c9d67c60797b04967c8442/
Threat name:
Win32.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2021-02-24 08:10:03 UTC
AV detection:
11 of 46 (23.91%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=wz5lr6zwfxnsohecpzck34l33wz4m725jhe5m7dapf5qjft4qrba._file
Verdict:
unknown
Similar samples:
0a31dde9dd611de5afef82eac6581588c5d8b034106a1f4eac68958b8bd526c2
SnakeKeylogger
34b8598fe95c5cb429075ef2fe2f9246da1f9009a8fe5e735ed6f415ce2e9526
SnakeKeylogger
79562d8eedb874a33326581e124fa4c43cb24a4eb82bcadcc15502c5040bda44
SnakeKeylogger
958071879f7b081197e907c916e6a35a24a49c1d2c38b30ec7de0f5f66a1881b
SnakeKeylogger
977e4d9c036d2572bfb14753b11e21a3f8a689baa1ce7fc3f7324df76c027384
SnakeKeylogger
98a4aad3557b1ce781c3d2369b9823fdc1fb902643f923c73b5ca42c84ca25f7
SnakeKeylogger
ce76fc43c1ae2fc7d499a24d0d93b8ffae25e9d3ef6d6c8086e54ffd0d29ff31
SnakeKeylogger
Result
Malware family:
snakekeylogger
Create hunting rule
Score:
  10/10
Tags:
family:snakekeylogger keylogger spyware stealer
Link:
https://tria.ge/reports/210224-b2r3jpep36/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Looks up external IP address via web service
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Snake Keylogger
Snake Keylogger Payload
Unpacked files
SH256 hash:
35431bcf185866081012ad92154ee02c34ef8342a9d0f178e722c5d53d348de3
MD5 hash:
c96c46b470f19cb374f91df5726cef5c
SHA1 hash:
bc25998e6e8d7f99ac5f4066461a1e976659a290
Link:
https://www.unpac.me/results/34bb2e37-59f1-4c1e-ac47-c2f1305d72c8/
SH256 hash:
d85cf9d33593806e7c28536adda8aa448e04144abfa7e65131b56130345e3658
MD5 hash:
13542cdfc428c6dc495ff9d4ec20f34f
SHA1 hash:
afad1651683862f73bfcefdc3ea2bc439adf173b
Link:
https://www.unpac.me/results/34bb2e37-59f1-4c1e-ac47-c2f1305d72c8/
SH256 hash:
f0a09c48af16c079c37ad0914f18897976357981fe5ee6f556ab9f9f70b9a671
MD5 hash:
f984a71581f6da5732110be2a569a392
SHA1 hash:
10de05b6b35fc5dbc00c42d59a4b850bcaae01e6
Link:
https://www.unpac.me/results/34bb2e37-59f1-4c1e-ac47-c2f1305d72c8/
SH256 hash:
b67ab8fb362ddb271c827e44adf17bddb3c67f5d49c9d67c60797b04967c8442
MD5 hash:
f272ec9e92d957a49d9b5095be81a763
SHA1 hash:
07643139af2b388cff674a182d66bc1fecbf62aa
Link:
https://www.unpac.me/results/34bb2e37-59f1-4c1e-ac47-c2f1305d72c8/
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_EXE_Packed_ConfuserExMod_BedsProtector
Create hunting rule
Author:ditekSHen
Description:Detects executables packed with ConfuserEx Mod Beds Protector
Rule name:Keylog_bin_mem
Create hunting rule
Author:James_inthe_box
Description:Contains Keylog
Rule name:MALWARE_Win_SnakeKeylogger
Create hunting rule
Author:ditekSHen
Description:Detects Snake Keylogger

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

SnakeKeylogger

gz f9f2e7dc08c5d3e21a5bdf487908ca4059a1636bdfbff05b84e7e0df088b2b00

SnakeKeylogger

Executable exe b67ab8fb362ddb271c827e44adf17bddb3c67f5d49c9d67c60797b04967c8442

(this sample)

  
Dropped by
MD5 24875c162502a954116b8cabfef0da00
  
Delivery method
Distributed via e-mail attachment
  
Dropped by
SHA256 f9f2e7dc08c5d3e21a5bdf487908ca4059a1636bdfbff05b84e7e0df088b2b00
Cape
Cape
https://www.capesandbox.com/analysis/118957/

Comments