MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 f43f6b997f6701d0975adaa1d2bea66e255a416fab4571a42adba5e7bf4f4dcc. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

SnakeKeylogger

Vendor detections: 14

Intelligence 14 IOCs YARA 2 File information Comments

SHA256 hash:	f43f6b997f6701d0975adaa1d2bea66e255a416fab4571a42adba5e7bf4f4dcc
SHA3-384 hash:	0d87d78795654361cb2fbf01d4822b9973e53a5bb186b0a511f12cf6a3fdd2804ea45fa9dbd83852766d28a3c6ba54a7
SHA1 hash:	15ec128264a592bc2b448c142882225e14e2a8e4
MD5 hash:	b1061a3b30c472b01ad4b7f2b6828a51
humanhash:	virginia-batman-jig-seven
File name:	DHL Shipment.exe
Download:	download sample
Signature	SnakeKeylogger Create hunting rule
File size:	684'544 bytes
First seen:	2022-12-06 14:10:20 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'663 x AgentTesla, 19'478 x Formbook, 12'208 x SnakeKeylogger)
ssdeep	12288:gwlomomPZef8PtqvyxJlzc0mfZBPLnmrXlyYOt93pMeAdFn/r:1omxi8QEJVjQTmFOP3CvX/r
Threatray	10'093 similar samples on MalwareBazaar
TLSH	T113E4010432F99B26E47CA7FA98A790604BF47E26F895E7198DD231CF5932F845610F0B
TrID	63.0% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13) 11.2% (.SCR) Windows screen saver (13097/50/3) 9.0% (.EXE) Win64 Executable (generic) (10523/12/4) 5.6% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 3.8% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):
dhash icon	30f0e0ecc8e0f030 (6 x SnakeKeylogger, 6 x AgentTesla, 5 x Formbook)
Reporter	abuse_ch
Tags:	DHL exe SnakeKeylogger

Intelligence

File Origin

# of uploads :

# of downloads :

186

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

DHL Shipment.exe

Verdict:

Malicious activity

Analysis date:

2022-12-06 14:15:25 UTC

Tags:

evasion trojan

Link:

https://app.any.run/tasks/ce12ff73-52d7-476d-9fd8-ea10ec28a7bd

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

Snake

Link:

https://www.capesandbox.com/analysis/343471/

Detection(s):

SecuriteInfo.com.Win32.PWSX-gen.9396.9138.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

Unauthorized injection to a recently created process

Creating a file

Moving of the original file

Verdict:

Suspicious

Threat level:

5/10

Confidence:

100%

Tags:

packed

Link:

https://www.filescan.io/uploads/638f4d78a2c2485912c7a875/reports/26619f93-afd5-412a-8f4a-5fc9ea5cf74a/overview

Result

Verdict:

UNKNOWN

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Snake Keylogger

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/63ea07f4-6959-4c5b-be71-1af716965610

Result

Threat name:

Snake Keylogger

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1129205

Signature

.NET source code contains potential unpacker

.NET source code references suspicious native API functions

Injects a PE file into a foreign processes

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

May check the online IP address of the machine

Moves itself to temp directory

Multi AV Scanner detection for submitted file

Snort IDS alert for network traffic

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to steal Mail credentials (via file / registry access)

Yara detected AntiVM3

Yara detected Generic Downloader

Yara detected Snake Keylogger

Yara detected Telegram RAT

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/f43f6b997f6701d0975adaa1d2bea66e255a416fab4571a42adba5e7bf4f4dcc/

Threat name:

ByteCode-MSIL.Trojan.AgentTesla

Status:

Malicious

First seen:

2022-12-06 08:26:42 UTC

File Type:

PE (.Net Exe)

Extracted files:

AV detection:

20 of 26 (76.92%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=6q7wxgl7m4a5bf223kq5fpvgnysvuqlpvncxdjbk3os6pp2pjxga._file

Verdict:

malicious

SnakeKeylogger

4826ace8391d200aa066ceb967aad44fc540670826c59538aa0df039d2c2421c

SnakeKeylogger

4f5ea72df2ff98979013fbfe0781a01d8d487d886ebc5012e037f553527996d2

SnakeKeylogger

6a9d3a6f928c5a2a9ab9abe269027f3b987045fbb30803dd431ae2f56d5f859c

SnakeKeylogger

7ca3180b986a76a7a00df355d6446d98ee5da37fb96854963e3b64d04f1cded3

SnakeKeylogger

8572c3b461f643bf5baaeb032cf81f83af78dcc60e34d98c669d12f748bb38f3

SnakeKeylogger

8878359c93d36d0849467e895c724bd5a171a4ac97f29217aca79645f3c57a40

SnakeKeylogger

bd078e66ca3a624f316e932b32b088b22fbae4042de5446b1ba7f0c485977803

SnakeKeylogger

d943f08a35dc06253557151dbff927a9eb4c26f425d328cf612cb7e5211c3822

SnakeKeylogger

ef208a2f463e7c3b8ea5c01332d60d691018a27fb0baf080fb2b42bad34b1d07

SnakeKeylogger

+ 10'083 additional samples on MalwareBazaar

Result

Malware family:

snakekeylogger

Score:

10/10

Tags:

family:snakekeylogger collection keylogger spyware stealer

Link:

https://tria.ge/reports/221206-rg93xsec35/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: RenamesItself

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

outlook_office_path

outlook_win_path

Suspicious use of SetThreadContext

Accesses Microsoft Outlook profiles

Looks up external IP address via web service

Reads data files stored by FTP clients

Reads user/profile data of local email clients

Reads user/profile data of web browsers

Snake Keylogger

Snake Keylogger payload

Unpacked files

SH256 hash:

52a306f8bff07e33b9d702e44f8cf5e784eeb4d1975930c649d90f8f4b6f8ff8

MD5 hash:

7cb01b5cb6f0870559cd6c1548494c96

SHA1 hash:

cf36eba501b98b8b9990581f3ad31aceb3405d09

Link:

https://www.unpac.me/results/90c4faeb-573c-4a54-b869-259427dbdbc6/

SH256 hash:

483d06312694360c24af7d4c933e445b47ee304c78a0d1dd3b6709a046cc0b3a

MD5 hash:

0cda7a04f641e506427d4ba6b28355e3

SHA1 hash:

aa3ed554a3949e77d8fdc3af514c6bddca28443d

Link:

https://www.unpac.me/results/90c4faeb-573c-4a54-b869-259427dbdbc6/

SH256 hash:

4974d71efe648a2511ec06f646b4a23d655d8f4468f7533e9aee75ffb299cd9f

MD5 hash:

d5f201fa6733f80381add88a95525f3e

SHA1 hash:

58f9e8df2852248504c4dc9ad5575d8f810099d2

Detections:

snake_keylogger

Link:

https://www.unpac.me/results/90c4faeb-573c-4a54-b869-259427dbdbc6/

Parent samples :

e9d61a5e2cda9df77c124e880518c74aa8a04ee9a542afcfdcae72ca75e82363
f43f6b997f6701d0975adaa1d2bea66e255a416fab4571a42adba5e7bf4f4dcc
85e3e60e6673809467be19cef0db037aa1980342e69a9c0a2c149c44e0664be5
7b63b8442823d5eba78ee2980773223d36ccec4671e389574b13fc02fe488e02
4f44df487a3c894e64c272598c1fb7aa6601879a2073bf5243f82326bcf2b324

SH256 hash:

922915132a628d0050bf03a473370544dde3323627fb4adcba3f1ba869537e50

MD5 hash:

1ecb63625d636b0b8f8ebdece9fa80c3

SHA1 hash:

5623d5ad21fc63893011bae7e4709c51219fcc1c

Link:

https://www.unpac.me/results/90c4faeb-573c-4a54-b869-259427dbdbc6/

SH256 hash:

dfe555c3b15d2228d35e6841939f5085f992ad61a0a247c13cf86d07bac5b418

MD5 hash:

8ad30db6123857e692b766c45e76531b

SHA1 hash:

3ebf767c08d5eb6e7d3d65b23c8f496e9575913f

Link:

https://www.unpac.me/results/90c4faeb-573c-4a54-b869-259427dbdbc6/

SH256 hash:

f43f6b997f6701d0975adaa1d2bea66e255a416fab4571a42adba5e7bf4f4dcc

MD5 hash:

b1061a3b30c472b01ad4b7f2b6828a51

SHA1 hash:

15ec128264a592bc2b448c142882225e14e2a8e4

Link:

https://www.unpac.me/results/90c4faeb-573c-4a54-b869-259427dbdbc6/

Malware family:

SnakeKeylogger

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/f43f6b997f67/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Suspicious File

Score:

0.65

Link:

https://yomi.yoroi.company/submissions/f43f6b997f6701d0975adaa1d2bea66e255a416fab4571a42adba5e7bf4f4dcc

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	pe_imphash Create hunting rule

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

SnakeKeylogger

exe f43f6b997f6701d0975adaa1d2bea66e255a416fab4571a42adba5e7bf4f4dcc

(this sample)

Delivery method

Distributed via e-mail attachment

Cape

https://www.capesandbox.com/analysis/343471/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample