MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 218837a31e5d0be80334b33216d047700a3f0983d847ea6019f5a5e638e69f56. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


SnakeKeylogger


Vendor detections: 15


Intelligence 15 IOCs YARA 13 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 218837a31e5d0be80334b33216d047700a3f0983d847ea6019f5a5e638e69f56
SHA3-384 hash: 1d0caeca9c21aecc129af4f78aa39f79a0e2e93c746043e267fc681e31be401e7ed831cd2bfae04efba4b8672045252f
SHA1 hash: 8585bdd94acff8528e2711b2618579001e1581e9
MD5 hash: fae8a94e9d180cb6ebd19baaff00ed22
humanhash: nitrogen-five-oxygen-red
File name:Drawing.img.exe
Download: download sample
Signature SnakeKeylogger
Create hunting rule
File size:861'696 bytes
First seen:2023-04-03 12:24:23 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'744 x AgentTesla, 19'608 x Formbook, 12'242 x SnakeKeylogger)
ssdeep 12288:l5CBWKdq1FbwwJLwrb53qOYfm+E9myYyG8ZFTOwl59+ay2j+DpfwPfdM7m3St5:Ofrpx3qOYfXEkYlvSwl59SDpfiIm3U
Threatray 22 similar samples on MalwareBazaar
TLSH T18005183EFDF49104EA0F1EB16732300592FC1492DA2AFD6D96853EA307DB526A9E3741
TrID 71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.2% (.EXE) Win64 Executable (generic) (10523/12/4)
6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.3% (.EXE) Win32 Executable (generic) (4505/5/1)
2.0% (.ICL) Windows Icons Library (generic) (2059/9)
File icon (PE):PE icon
dhash icon c4236161712323c4 (1 x SnakeKeylogger)
Reporter abuse_ch
Tags:exe SnakeKeylogger

Intelligence

File Origin
# of uploads :
1
# of downloads :
201
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
Drawing.img.exe
Verdict:
Malicious activity
Analysis date:
2023-04-03 12:31:34 UTC
Tags:
snake keylogger trojan evasion
Link:
https://app.any.run/tasks/b71b4fe5-eb3a-4614-9e6e-9b7cc9d3073f

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Snake
Create hunting rule
Link:
https://www.capesandbox.com/analysis/379614/
Detection(s):
SecuriteInfo.com.Trojan.PackedNET.1941.27549.23013.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Creating a window
Launching a process
Creating a process with a hidden window
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
packed
Link:
https://www.filescan.io/uploads/642ac5a2877a0f1a5afc2bfb/reports/d0563b9f-29e6-4689-91a7-2fcfa92a23c7/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_100%
Link:
https://www.hybrid-analysis.com/sample/218837a31e5d0be80334b33216d047700a3f0983d847ea6019f5a5e638e69f56
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Snake Keylogger
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/ab570eb2-20ae-43f0-b12f-4484cccbc58c
Result
Threat name:
Snake Keylogger
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1207497
Signature
Adds a directory exclusion to Windows Defender
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
May check the online IP address of the machine
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Scheduled temp file as task from temp location
Snort IDS alert for network traffic
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Mail credentials (via file / registry access)
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected Generic Downloader
Yara detected Snake Keylogger
Yara detected Telegram RAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 840415 Sample: Drawing.img.exe Startdate: 03/04/2023 Architecture: WINDOWS Score: 100 46 checkip.dyndns.org 2->46 48 checkip.dyndns.com 2->48 58 Snort IDS alert for network traffic 2->58 60 Malicious sample detected (through community Yara rule) 2->60 62 Sigma detected: Scheduled temp file as task from temp location 2->62 64 6 other signatures 2->64 8 Drawing.img.exe 7 2->8         started        12 QYYyhioLPC.exe 5 2->12         started        signatures3 process4 file5 38 C:\Users\user\AppData\...\QYYyhioLPC.exe, PE32 8->38 dropped 40 C:\Users\...\QYYyhioLPC.exe:Zone.Identifier, ASCII 8->40 dropped 42 C:\Users\user\AppData\Local\Temp\tmp211.tmp, XML 8->42 dropped 44 C:\Users\user\AppData\...\Drawing.img.exe.log, ASCII 8->44 dropped 66 Uses schtasks.exe or at.exe to add and modify task schedules 8->66 68 Adds a directory exclusion to Windows Defender 8->68 14 RegSvcs.exe 15 2 8->14         started        18 powershell.exe 21 8->18         started        20 powershell.exe 21 8->20         started        22 schtasks.exe 1 8->22         started        70 Multi AV Scanner detection for dropped file 12->70 72 Machine Learning detection for dropped file 12->72 24 RegSvcs.exe 12->24         started        26 schtasks.exe 12->26         started        28 RegSvcs.exe 12->28         started        signatures6 process7 dnsIp8 50 checkip.dyndns.com 193.122.6.168, 49700, 49701, 80 ORACLE-BMC-31898US United States 14->50 52 checkip.dyndns.org 14->52 54 192.168.2.1 unknown unknown 14->54 74 May check the online IP address of the machine 14->74 30 conhost.exe 18->30         started        32 conhost.exe 20->32         started        34 conhost.exe 22->34         started        56 checkip.dyndns.org 24->56 76 Tries to steal Mail credentials (via file / registry access) 24->76 78 Tries to harvest and steal ftp login credentials 24->78 80 Tries to harvest and steal browser information (history, passwords, etc) 24->80 36 conhost.exe 26->36         started        signatures9 process10
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/218837a31e5d0be80334b33216d047700a3f0983d847ea6019f5a5e638e69f56/
Threat name:
ByteCode-MSIL.Backdoor.NanoCore
Create hunting rule
Status:
Malicious
First seen:
2023-04-03 11:15:38 UTC
File Type:
PE (.Net Exe)
Extracted files:
34
AV detection:
19 of 35 (54.29%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=egedpiy6luf6qazuwmzbnuchoafd6cmd3bd6uyaz6ws6mohgt5la._file
Verdict:
malicious
Similar samples:
1035c0af69138d45af1e8a10682c5fe707ac7e4334ea1517744da7ac67dad711
SnakeKeylogger
1f4ba3e37b0bb7a99563ad72e2314d7b3d1a0af6810576c2155facff5cda4944
SnakeKeylogger
653acedbfd1cc43d370d69f63265a58ac180689929c376ffa72fa0d3410b4cca
SnakeKeylogger
6878e66635507e66a07e77bfce182941bb31354badbcee2cc1a013d29f4ccdce
SnakeKeylogger
68d4adb3846e92a85cef8d51f130b2cb8631ce5e7395fc9cd18dfcffe40a5271
SnakeKeylogger
69efd675ee6737f614a8ea14f4b125b25c9b3d80ab901d2dd0024837e0e5ac29
SnakeKeylogger
9c9e8b1e8e1abce02b30be300191b7424c10e0bec236fd9000e5b641c9ffc8ae
SnakeKeylogger
af6fb4c1ccf63b051ee34879d049105a0cc2226cb6f0f03c2d1efa7a67c62a16
SnakeKeylogger
d79b67e9e7380e870103acd7b29951d0a4cb5f6da18c28a21070463aad65be45
SnakeKeylogger
f218cb48273b179ab9c039a0422797a4f1a567cf893c12ce3e6d8b5bc0932b0c
SnakeKeylogger
+ 12 additional samples on MalwareBazaar
Result
Malware family:
snakekeylogger
Create hunting rule
Score:
  10/10
Tags:
family:snakekeylogger collection keylogger stealer
Link:
https://tria.ge/reports/230403-plmr3sgb8t/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Enumerates physical storage devices
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Looks up external IP address via web service
Checks computer location settings
Snake Keylogger
Snake Keylogger payload
Unpacked files
SH256 hash:
b3989d4d18d05065dd8bc0d989e0ad0fd01d00b36725463391ea9f84d216022e
MD5 hash:
97db6cd8b591dbd4acb5b473043b4d84
SHA1 hash:
d293b10d89063db8b5532ea55d5242c646fde36c
Detections:
snake_keylogger
Create hunting rule
Link:
https://www.unpac.me/results/de77511a-0f77-4b18-b59b-6bcbc04f3e44/
Parent samples :
529570238c49330b949a4cc1a6623e05bfe5ac9af493b701321d786e6d838068
c975e6ea0c4d29a77b8fb8cc4ca15453387a066b4b237c45076b35b2475480aa
077c21196f9977ccbb68c78ec7c2687bda9b3be0ac0a387080e337d841ee1fac
259003dd09af10934997d24fb92c517aa1e1881b006a71f4646ae85f6a6c6ae5
008a18d1c20cb7b7bf26846bafe486b277c90bbb0cc7d1380645513818f5041c
d0a101d03dba528a94c83f78c965018dee7fbc198ebfa5c251ad788672b7a127
218837a31e5d0be80334b33216d047700a3f0983d847ea6019f5a5e638e69f56
4d83125a53744cf0b65a3fc7160965548b504348d1d26146e35420aecf5d26c2
SH256 hash:
9d9536e58881c3372adeaa0d111c08eda5a3b030386007f44f4174bd9c6b1b85
MD5 hash:
50169ddb605f595cb5c2021374f59063
SHA1 hash:
9b869892ea2a0aa0b349b3533a4cfc264aad3841
Link:
https://www.unpac.me/results/de77511a-0f77-4b18-b59b-6bcbc04f3e44/
SH256 hash:
3c507afadbb1c31a9ebdd24baac5739d47576159e01c5e84f973c951885100aa
MD5 hash:
e79bf0e7e9d52d398e0b23b352394c68
SHA1 hash:
682325763a0ec77e0fd475ea3a4021b4651eceac
Link:
https://www.unpac.me/results/de77511a-0f77-4b18-b59b-6bcbc04f3e44/
SH256 hash:
ca05892ec1d48663a71a2ea36fb3020389aaa1160c6465c9c74fa43a0e850e08
MD5 hash:
9d9c73e2944431af0997aeb1f0b179bd
SHA1 hash:
4df259cf6db48e20ae5096e1a5e0354d6510f496
Link:
https://www.unpac.me/results/de77511a-0f77-4b18-b59b-6bcbc04f3e44/
SH256 hash:
5ff8f47b90c1bd95ead1f6e722f1e1ef70fb1f0ef758ecccf636bcfc2c042864
MD5 hash:
28ab032f001b0b93de195f0cf1417199
SHA1 hash:
3388c783c72451dd5411aa82919bf273460b14b8
Link:
https://www.unpac.me/results/de77511a-0f77-4b18-b59b-6bcbc04f3e44/
SH256 hash:
218837a31e5d0be80334b33216d047700a3f0983d847ea6019f5a5e638e69f56
MD5 hash:
fae8a94e9d180cb6ebd19baaff00ed22
SHA1 hash:
8585bdd94acff8528e2711b2618579001e1581e9
Link:
https://www.unpac.me/results/de77511a-0f77-4b18-b59b-6bcbc04f3e44/
Malware family:
SnakeKeylogger
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/218837a31e5d/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
0.90
Link:
https://yomi.yoroi.company/submissions/218837a31e5d0be80334b33216d047700a3f0983d847ea6019f5a5e638e69f56

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_SUSPICIOUS_Binary_References_Browsers
Create hunting rule
Author:ditekSHen
Description:Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers.
Rule name:INDICATOR_SUSPICIOUS_EXE_DotNetProcHook
Create hunting rule
Author:ditekSHen
Description:Detects executables with potential process hoocking
Rule name:INDICATOR_SUSPICIOUS_EXE_References_Messaging_Clients
Create hunting rule
Author:ditekSHen
Description:Detects executables referencing many email and collaboration clients. Observed in information stealers
Rule name:INDICATOR_SUSPICIOUS_EXE_TelegramChatBot
Create hunting rule
Author:ditekSHen
Description:Detects executables using Telegram Chat Bot
Rule name:MALWARE_Win_SnakeKeylogger
Create hunting rule
Author:ditekSHen
Description:Detects Snake Keylogger
Rule name:MAL_Envrial_Jan18_1
Create hunting rule
Author:Florian Roth (Nextron Systems)
Description:Detects Encrial credential stealer malware
Reference:https://twitter.com/malwrhunterteam/status/953313514629853184
Rule name:MAL_Envrial_Jan18_1_RID2D8C
Create hunting rule
Author:Florian Roth
Description:Detects Encrial credential stealer malware
Reference:https://twitter.com/malwrhunterteam/status/953313514629853184
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash
Rule name:Suspicious_Macro_Presence
Create hunting rule
Author:Mehmet Ali Kerimoglu (CYB3RMX)
Description:This rule detects common malicious/suspicious implementations.
Rule name:Windows_Trojan_SnakeKeylogger_af3faa65
Create hunting rule
Author:Elastic Security
Rule name:XWorm_Hunter
Create hunting rule
Author:Potato

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

SnakeKeylogger

Executable exe 218837a31e5d0be80334b33216d047700a3f0983d847ea6019f5a5e638e69f56

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/379614/

Comments