MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 df9b8b0093bdcff2dc73e2da55ea3c94cc90febcf05c4bb4edde266b3f376a55. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


SnakeKeylogger


Vendor detections: 9


Intelligence 9 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: df9b8b0093bdcff2dc73e2da55ea3c94cc90febcf05c4bb4edde266b3f376a55
SHA3-384 hash: 9c815e0dbf60930e379b930bfdbb5efd03cd2a153fc6aa163865213d32487e0ad9185cce6d14538b7ce996bee6514e9b
SHA1 hash: 3a8560aa77492ae9032c79dceb8473b274b14e57
MD5 hash: a55dc3e1a5474c57d8fd8d8251e32b6b
humanhash: tennis-magnesium-fourteen-floor
File name:DHL_FORM.exe
Download: download sample
Signature SnakeKeylogger
Create hunting rule
File size:1'562'624 bytes
First seen:2021-02-10 07:30:51 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'649 x AgentTesla, 19'461 x Formbook, 12'202 x SnakeKeylogger)
ssdeep 12288:pB3nJr7OuJ0tO2fJ5joXK2LUxv7VNdr1GI1xc8aRVBn3pMKRT5c72qlLmCdsB+oH:F7OL4UJ57xpLpLc8w/dT9T+oGA1b
Threatray 11 similar samples on MalwareBazaar
TLSH 4875C0577B594F95C53C0E32C89B825003F8EE1759A0EB8BA0CC7DF13C229D5A64EDA9
Reporter abuse_ch
Tags:DHL exe SnakeKeylogger


Avatar
abuse_ch
Malspam distributing SnakeKeylogger:

HELO: mail.hotelconcorde.ro
Sending IP: 89.47.53.20
From: Carmen Gheorfi <carmen@terrazzo.ro>
Subject: ENTREGA DE DHL (NOTIFICACIÓN DE FALLO)
Attachment: DHL_FORM.rar (contains "DHL_FORM.exe")

Intelligence

File Origin
# of uploads :
1
# of downloads :
100
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
DHL_FORM.exe
Verdict:
Malicious activity
Analysis date:
2021-02-10 07:58:53 UTC
Tags:
evasion trojan
Link:
https://app.any.run/tasks/8d8c53a2-b482-445f-820d-b80557f1c100

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/116396/
Detection(s):
Win.Dropper.Bifrost-9830123-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Sending a UDP request
DNS request
Sending a custom TCP request
Creating a window
Running batch commands
Launching a process
Creating a file in the %AppData% directory
Creating a process from a recently created file
Creating a file
Sending an HTTP GET request
Reading critical registry keys
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Unauthorized injection to a recently created process
Unauthorized injection to a recently created process by context flags manipulation
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
Snake Keylogger
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/604264
Signature
.NET source code contains very large array initializations
Hides that the sample has been downloaded from the Internet (zone.identifier)
Injects a PE file into a foreign processes
May check the online IP address of the machine
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Mail credentials (via file access)
Yara detected AntiVM_3
Yara detected MultiObfuscated
Yara detected Snake Keylogger
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 351160 Sample: DHL_FORM.exe Startdate: 10/02/2021 Architecture: WINDOWS Score: 100 48 Multi AV Scanner detection for submitted file 2->48 50 Yara detected Snake Keylogger 2->50 52 Yara detected AntiVM_3 2->52 54 3 other signatures 2->54 7 DHL.exe 2 2->7         started        10 DHL_FORM.exe 15 6 2->10         started        14 DHL.exe 14 3 2->14         started        process3 dnsIp4 56 Hides that the sample has been downloaded from the Internet (zone.identifier) 7->56 58 Injects a PE file into a foreign processes 7->58 16 DHL.exe 7->16         started        40 192.168.2.1 unknown unknown 10->40 28 C:\Users\user\AppData\Roaming\DHL.exe, PE32 10->28 dropped 30 C:\Users\user\...\DHL.exe:Zone.Identifier, ASCII 10->30 dropped 32 C:\Users\user\AppData\...\DHL_FORM.exe.log, ASCII 10->32 dropped 20 cmd.exe 1 10->20         started        22 DHL.exe 2 10->22         started        60 Multi AV Scanner detection for dropped file 14->60 file5 signatures6 process7 dnsIp8 34 checkip.dyndns.org 16->34 36 checkip.dyndns.com 162.88.193.70, 49741, 49742, 80 DYNDNSUS United States 16->36 38 freegeoip.app 172.67.188.154, 443, 49743 CLOUDFLARENETUS United States 16->38 42 Tries to steal Mail credentials (via file access) 16->42 44 Tries to harvest and steal ftp login credentials 16->44 46 Tries to harvest and steal browser information (history, passwords, etc) 16->46 24 conhost.exe 20->24         started        26 reg.exe 1 1 20->26         started        signatures9 process10
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/df9b8b0093bdcff2dc73e2da55ea3c94cc90febcf05c4bb4edde266b3f376a55/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2021-02-10 07:31:11 UTC
AV detection:
21 of 28 (75.00%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=36nywaetxxh7fxdt4lnfl2r4stgjb7v46boexnhn3ytgwpzxnjkq._file
Verdict:
unknown
Similar samples:
0a32bf464b79ecb571397121f359c05b1cbbc7e1af2e3bcc10d65a2ff9808bc1
SnakeKeylogger
261881b9a0b2810582a67284f52bb08f2da1567353648ca01032b581345d5854
SnakeKeylogger
56cc437c8d3f955ae569373ed5322129298818f77bfc2d728af9473fed554509
SnakeKeylogger
5bbde3f5d6db7f3be36f4f0f08c86fd412a1c6085c5be438be7f1e9e181e3683
SnakeKeylogger
705d1bef79134efe898b490d096aecb9c0acbdc889fae25e8f2d88db9429001c
SnakeKeylogger
7801d40fed7d2a6ec57aae8e1e5bf403e8fa0945c0bf2d5bb70722627eb8bfae
SnakeKeylogger
acbe0d54176227f28b98caaf141c82cc51e43a7b5797c1d3c76b01123e3f8f48
SnakeKeylogger
edfb07ec10ae322bbba31f0239c009ccd95f7a1f1f07e6bf7fb1499dda801b76
SnakeKeylogger
ee0b28949b01044f151f04743d49f6310a70de7339ad4936afd79b5c8a724025
SnakeKeylogger
f5aa4fe1049ed94dbf22ad1427013a30762ebd9ac2a89726f9f313b087e2a4a0
SnakeKeylogger
+ 1 additional samples on MalwareBazaar
Result
Malware family:
snakekeylogger
Create hunting rule
Score:
  10/10
Tags:
family:snakekeylogger keylogger persistence ransomware spyware stealer
Link:
https://tria.ge/reports/210210-gvlmkn3xm2/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Adds Run key to start application
Looks up external IP address via web service
Loads dropped DLL
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Executes dropped EXE
Snake Keylogger
Snake Keylogger Payload
Unpacked files
SH256 hash:
df9b8b0093bdcff2dc73e2da55ea3c94cc90febcf05c4bb4edde266b3f376a55
MD5 hash:
a55dc3e1a5474c57d8fd8d8251e32b6b
SHA1 hash:
3a8560aa77492ae9032c79dceb8473b274b14e57
Link:
https://www.unpac.me/results/56688fae-aeb0-4cfc-b536-78ceabfcfc3a/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.51
Link:
https://yomi.yoroi.company/submissions/df9b8b0093bdcff2dc73e2da55ea3c94cc90febcf05c4bb4edde266b3f376a55

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

SnakeKeylogger

rar e5052ba0e389482d18ef3cb8d30fcb95a712da7548dafa220bce61a0b34c5f6a

SnakeKeylogger

Executable exe df9b8b0093bdcff2dc73e2da55ea3c94cc90febcf05c4bb4edde266b3f376a55

(this sample)

  
Dropped by
MD5 6f57978f55ce90a6dd0f4a5d6add3e9b
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/116396/
  
Dropped by
SHA256 e5052ba0e389482d18ef3cb8d30fcb95a712da7548dafa220bce61a0b34c5f6a

Comments