MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 18824045ac4b14baa21003dfc20b607d2b2a7fedd09bae62382bf66cd20df0d0. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


SnakeKeylogger


Vendor detections: 14


Intelligence 14 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 18824045ac4b14baa21003dfc20b607d2b2a7fedd09bae62382bf66cd20df0d0
SHA3-384 hash: 514fd96b7cbf44fc21334627287a0d3dd9366d808aeefa5c6061395ab3e45dde8171e3c3508da9d04be88ef1010f9938
SHA1 hash: c2ace26d5c446f68adc19e152957e4705e38ab3e
MD5 hash: f90994fba9963bd01118a4d1b60c432f
humanhash: summer-robert-berlin-lamp
File name:Payment.exe
Download: download sample
Signature SnakeKeylogger
Create hunting rule
File size:824'832 bytes
First seen:2023-01-23 18:25:13 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'740 x AgentTesla, 19'599 x Formbook, 12'241 x SnakeKeylogger)
ssdeep 12288:rqYk9kwtTA51UByjqNQNgqEOlo02qpv2mwmq36y11w0i2Xmd3pOP4P:rqJ9hU13kQNprS4pv9qjvNXmFKc
Threatray 6'824 similar samples on MalwareBazaar
TLSH T16C0501D932D30E61EBB7DB3DD0E2921503B9F56666B3E348248412E89D03653FE81BE4
TrID 60.4% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.8% (.SCR) Windows screen saver (13097/50/3)
8.7% (.EXE) Win64 Executable (generic) (10523/12/4)
5.4% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.1% (.EXE) Win16 NE executable (generic) (5038/12/1)
Reporter abuse_ch
Tags:exe SnakeKeylogger

Intelligence

File Origin
# of uploads :
1
# of downloads :
167
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
Payment.exe
Verdict:
Malicious activity
Analysis date:
2023-01-23 18:25:44 UTC
Tags:
evasion trojan
Link:
https://app.any.run/tasks/957880f5-8a66-482d-84d0-2724a83b7480

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Snake
Create hunting rule
Link:
https://www.capesandbox.com/analysis/356008/
Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Creating a window
Сreating synchronization primitives
Creating a file in the %AppData% directory
Creating a file in the %temp% directory
Launching a process
Creating a process with a hidden window
Unauthorized injection to a recently created process
Creating a file
DNS request
Sending an HTTP GET request
Reading critical registry keys
Moving of the original file
Enabling autorun by creating a file
Forced shutdown of a browser
Verdict:
No Threat
Threat level:
  2/10
Confidence:
67%
Tags:
packed
Link:
https://www.filescan.io/uploads/63ced13ffcc41339192e6919/reports/243e3cd8-fef2-408b-8083-c23486fad10d/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Generic Malware
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/3c816612-3f2e-44b5-887b-33f5740533ff
Result
Threat name:
Snake Keylogger
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1157497
Signature
.NET source code contains method to dynamically call methods (often used by packers)
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
May check the online IP address of the machine
Moves itself to temp directory
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Scheduled temp file as task from temp location
Snort IDS alert for network traffic
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Mail credentials (via file / registry access)
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected AntiVM3
Yara detected Generic Downloader
Yara detected Snake Keylogger
Yara detected Telegram RAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 790234 Sample: Payment.exe Startdate: 23/01/2023 Architecture: WINDOWS Score: 100 48 Snort IDS alert for network traffic 2->48 50 Malicious sample detected (through community Yara rule) 2->50 52 Antivirus / Scanner detection for submitted sample 2->52 54 11 other signatures 2->54 7 CVbVyaUL.exe 5 2->7         started        10 Payment.exe 6 2->10         started        process3 file4 56 Antivirus detection for dropped file 7->56 58 Multi AV Scanner detection for dropped file 7->58 60 May check the online IP address of the machine 7->60 62 Machine Learning detection for dropped file 7->62 13 CVbVyaUL.exe 14 2 7->13         started        18 schtasks.exe 1 7->18         started        30 C:\Users\user\AppData\Roaming\CVbVyaUL.exe, PE32 10->30 dropped 32 C:\Users\user\AppData\Local\...\tmp4458.tmp, XML 10->32 dropped 34 C:\Users\user\AppData\...\Payment.exe.log, ASCII 10->34 dropped 64 Uses schtasks.exe or at.exe to add and modify task schedules 10->64 66 Injects a PE file into a foreign processes 10->66 20 Payment.exe 15 2 10->20         started        22 schtasks.exe 1 10->22         started        24 Payment.exe 10->24         started        signatures5 process6 dnsIp7 38 193.122.130.0, 49709, 80 ORACLE-BMC-31898US United States 13->38 40 checkip.dyndns.org 13->40 36 C:\Users\user\AppData\...\tmpG360.tmp (copy), PE32 13->36 dropped 68 Tries to steal Mail credentials (via file / registry access) 13->68 70 Tries to harvest and steal ftp login credentials 13->70 72 Tries to harvest and steal browser information (history, passwords, etc) 13->72 26 conhost.exe 18->26         started        42 checkip.dyndns.com 132.226.8.169, 49701, 80 UTMEMUS United States 20->42 44 checkip.dyndns.org 20->44 46 192.168.2.1 unknown unknown 20->46 74 Moves itself to temp directory 20->74 28 conhost.exe 22->28         started        file8 signatures9 process10
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/18824045ac4b14baa21003dfc20b607d2b2a7fedd09bae62382bf66cd20df0d0/
Gathering data
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=dcbearnmjmklviqqapp4ec3apuvsu77n2cn24yryfp3gzuqn6dia._file
Verdict:
malicious
Similar samples:
19f5de1fab76d8bdac9d3bab7ec590152f1b9b4f154d1c429a1fd1acb65ba628
SnakeKeylogger
2b3aaa175f97c142679b9d9e7e9b9a2b2d85bf3990b1f9276f0dc79b0aaab06e
SnakeKeylogger
59403e64a6441e0e6e1f5abac201ed76f81afbd8ab74e39f59f33830c02eaded
SnakeKeylogger
5a64665bdc77f9386891c1a251064decfdce7e9782bb4b47d95e2c14238d46f2
SnakeKeylogger
8f5f10e8c6a4972440bdd3613161c4a48b9e7deea15acf6891d2de6251947c95
SnakeKeylogger
a84aad3732ea9ed162f345bddceeb44da8b25e0ab4fd4e55848c1804d00d652d
SnakeKeylogger
d8bc28c6a7d6ae161559b95369d0e50226295913f78f3fc48bdfadb61ee753a5
SnakeKeylogger
f1296c58d318f766077a9c3b3d36d60dc4dd27012e728af8be0a41432daf19bd
SnakeKeylogger
f2f3f4bcf9febcaaea784f53985e4b2e61373cd5463f2e594b1db39486b81e17
SnakeKeylogger
fc34aca4f3035bcc925c891cb0c14aa20ba17b60d2d4f397a0327ce77e4c19bd
SnakeKeylogger
+ 6'814 additional samples on MalwareBazaar
Result
Malware family:
snakekeylogger
Create hunting rule
Score:
  10/10
Tags:
family:snakekeylogger collection keylogger spyware stealer
Link:
https://tria.ge/reports/230123-w269zsee97/
Behaviour
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: RenamesItself
Suspicious use of AdjustPrivilegeToken
Enumerates physical storage devices
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Looks up external IP address via web service
Checks computer location settings
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Snake Keylogger
Snake Keylogger payload
Unpacked files
SH256 hash:
e41ac679b8e2bd4f54c287b31c08273f43ecfdd98323c978ee45b10d88d31a09
MD5 hash:
9952994396b86946179eadd694056be3
SHA1 hash:
cada1c778d507c6b2fbb4903f7c06cdc7cc90c7f
Detections:
snake_keylogger
Create hunting rule
Link:
https://www.unpac.me/results/698999aa-49d0-4503-9806-18787da13ece/
SH256 hash:
99f92744f82068f019307d9c5a1a27d45dac44377b73fbd0fd4d60400b426466
MD5 hash:
ab46d4a45cb2ae223185fc49f4bc11c7
SHA1 hash:
b09c8dcb1b1e078772e0f0b396b6e112cd40623b
Link:
https://www.unpac.me/results/698999aa-49d0-4503-9806-18787da13ece/
SH256 hash:
414c4eb67fc02f8952e946d9f010bc2999535a20b9255e6fafe1d3d78a592654
MD5 hash:
2394a6b9268fe741d3570c880c77384c
SHA1 hash:
85b267a692ceca449b3782a631cadcafa31f076f
Link:
https://www.unpac.me/results/698999aa-49d0-4503-9806-18787da13ece/
SH256 hash:
94c2ba257a21a0eb4527346753abdedc7bb2fe3aa72d20642546994626602129
MD5 hash:
874dcc6be499121b1425bfdff1f8ad46
SHA1 hash:
66f83bedc73876b77e152c604b8214bde86d965e
Link:
https://www.unpac.me/results/698999aa-49d0-4503-9806-18787da13ece/
SH256 hash:
18824045ac4b14baa21003dfc20b607d2b2a7fedd09bae62382bf66cd20df0d0
MD5 hash:
f90994fba9963bd01118a4d1b60c432f
SHA1 hash:
c2ace26d5c446f68adc19e152957e4705e38ab3e
Link:
https://www.unpac.me/results/698999aa-49d0-4503-9806-18787da13ece/
Malware family:
SnakeKeylogger
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/18824045ac4b/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
0.78
Link:
https://yomi.yoroi.company/submissions/18824045ac4b14baa21003dfc20b607d2b2a7fedd09bae62382bf66cd20df0d0

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

SnakeKeylogger

Executable exe 18824045ac4b14baa21003dfc20b607d2b2a7fedd09bae62382bf66cd20df0d0

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/356008/

Comments