MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 0015911fab4e4cedd52c9fca15fc8556407bb92b23673dd4463e95f766c7349a. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

SnakeKeylogger

Vendor detections: 18

Intelligence 18 IOCs YARA 7 File information Comments

SHA256 hash:	0015911fab4e4cedd52c9fca15fc8556407bb92b23673dd4463e95f766c7349a
SHA3-384 hash:	a2c90e61fc73646ee0c12fbe68569e5464b1544d095a5f260554c13198f8756832c599be5c2b804e1133ba9f8ca5d515
SHA1 hash:	cfd47e1aebcf6beea8c4fae741543f1d3ea6ccc1
MD5 hash:	9323f7a482830e191c832f174865dfbf
humanhash:	three-music-alpha-beryllium
File name:	e-dekont.html.exe
Download:	download sample
Signature	SnakeKeylogger Create hunting rule
File size:	827'400 bytes
First seen:	2025-10-03 09:09:07 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'748 x AgentTesla, 19'642 x Formbook, 12'245 x SnakeKeylogger)
ssdeep	12288:y9FafINR+V236+49+fb32Vb4a30seJKxMJSkR:y9EfINj699+TmV4akNJxX
Threatray	3'805 similar samples on MalwareBazaar
TLSH	T1E6054CD1B150C89AED6B09F1AD2BE5302497BE9D94A4810C56DDBF1B76F3342209FE0E
TrID	71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13) 10.2% (.EXE) Win64 Executable (generic) (10522/11/4) 6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 4.3% (.EXE) Win32 Executable (generic) (4504/4/1) 2.0% (.ICL) Windows Icons Library (generic) (2059/9)
Magika	pebin
Reporter	abuse_ch
Tags:	exe geo SnakeKeylogger TUR

Intelligence

File Origin

# of uploads :

# of downloads :

101

Origin country :

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

e-dekont.html.exe

Verdict:

Malicious activity

Analysis date:

2025-10-03 09:50:34 UTC

Tags:

snake keylogger evasion stealer

Link:

https://app.any.run/tasks/c5580172-50f6-4f01-9c6a-d61eced2bf0b

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

Snake

Link:

https://www.capesandbox.com/analysis/30014/

Verdict:

Malicious

Score:

92.5%

Link:

https://cyber-fortress.com/docs/result/index.php?id=68df92cdc21e799f5cd49226

Tags:

injection obfusc micro

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a file

Сreating synchronization primitives

DNS request

Connection attempt

Sending an HTTP GET request

Sending a custom TCP request

Reading critical registry keys

Creating a window

Unauthorized injection to a recently created process

Restart of the analyzed sample

Stealing user critical data

Forced shutdown of a browser

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

invalid-signature masquerade obfuscated packed packed packer_detected signed vbnet

Link:

https://www.filescan.io/uploads/68df943974e5a289899fac5b/reports/0b2556b0-6107-45b5-b9de-740d63f8ee8a/overview

Verdict:

Malicious

Labled as:

Trojan.Generic

Link:

https://www.hybrid-analysis.com/sample/0015911fab4e4cedd52c9fca15fc8556407bb92b23673dd4463e95f766c7349a

Verdict:

Malicious

File Type:

exe x32

First seen:

2025-10-02T04:37:00Z UTC

Last seen:

2025-10-04T12:41:00Z UTC

Hits:

~100

Link:

https://opentip.kaspersky.com/0015911fab4e4cedd52c9fca15fc8556407bb92b23673dd4463e95f766c7349a/results?tab=lookup

Malware family:

Snake Keylogger

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/ad78c5fc-6645-4a3a-9f24-328f391d1ef2

Result

Threat name:

Snake Keylogger

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1788627

Signature

.NET source code contains potential unpacker

AI detected suspicious PE digital signature

Found malware configuration

Injects a PE file into a foreign processes

Joe Sandbox ML detected suspicious sample

Malicious sample detected (through community Yara rule)

Sample uses string decryption to hide its real strings

Tries to detect the country of the analysis system (by using the IP)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Mail credentials (via file / registry access)

Uses an obfuscated file name to hide its real file extension (double extension)

Yara detected AntiVM3

Yara detected Snake Keylogger

Behaviour

Behavior Graph:

Download SVG

Score:

100%

Verdict:

Malware

File Type:

Link:

https://malprob.io/report/0015911fab4e4cedd52c9fca15fc8556407bb92b23673dd4463e95f766c7349a

Verdict:

inconclusive

YARA:

7 match(es)

Tags:

.Net Executable Managed .NET PDB Path PE (Portable Executable) PE File Layout SOS: 0.46 Win 32 Exe x86

Link:

https://app.malva.re/file/9323f7a482830e191c832f174865dfbf

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/0015911fab4e4cedd52c9fca15fc8556407bb92b23673dd4463e95f766c7349a/

Threat name:

ByteCode-MSIL.Trojan.VIPKeyLogger

Status:

Malicious

First seen:

2025-10-03 09:16:07 UTC

File Type:

PE (.Net Exe)

Extracted files:

AV detection:

20 of 24 (83.33%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=aakzch5ljzgo3vjmt7fbl7efkzahxojlentt3vcgh2k7ozwhgsna._file

Verdict:

malicious

Label(s):

404keylogger

unc_loader_037

SnakeKeylogger

543b0d455d409155d088d96f0ea8ec6ae11edd0d18d5c39e949d4557b9cdca5d

SnakeKeylogger

67223d2d06877753d37011fa5a9fac6f4155f3e341c56b874c2a6775649f51f0

SnakeKeylogger

9b82825864714597159caad95b64b68cbb976756b1989d4d38e782858e510589

SnakeKeylogger

cb3c37115d314c01bdc7c55e3d685ca91065842745fdf1b74f73a46be6ef27c6

SnakeKeylogger

error

SnakeKeylogger

+ 3'795 additional samples on MalwareBazaar

Result

Malware family:

snakekeylogger

Score:

10/10

Tags:

family:snakekeylogger collection discovery keylogger spyware stealer

Link:

https://tria.ge/reports/251003-k7s4rsap9y/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

outlook_office_path

outlook_win_path

System Location Discovery: System Language Discovery

Suspicious use of SetThreadContext

Accesses Microsoft Outlook profiles

Looks up external IP address via web service

Reads user/profile data of local email clients

Reads user/profile data of web browsers

Snake Keylogger

Snake Keylogger payload

Snakekeylogger family

Malware Config

C2 Extraction:

https://api.telegram.org/bot8312745310:AAEhdBEB8q7xCv5udIA3y6bArUxzticzw9s/sendMessage?chat_id=7286478455

Verdict:

Suspicious

Tags:

404Keylogger

YARA:

n/a

Link:

https://app.threat.zone/submission/72d0f3df-7d38-4c29-9245-b8906d60a5cd

Unpacked files

SH256 hash:

0015911fab4e4cedd52c9fca15fc8556407bb92b23673dd4463e95f766c7349a

MD5 hash:

9323f7a482830e191c832f174865dfbf

SHA1 hash:

cfd47e1aebcf6beea8c4fae741543f1d3ea6ccc1

Link:

https://www.unpac.me/results/2c705ff5-559b-43d7-8d6b-2ae7a2ecf48b/

SH256 hash:

cc2b98223c9dcaf35c31d2eb743780aa3ea50177043e82633dda11aa7b7ff66b

MD5 hash:

014ace331af3642ddb3d3aa754e94950

SHA1 hash:

2ee54a101d1817ffdf1154d6bc19a7fa6db81c97

Link:

https://www.unpac.me/results/2c705ff5-559b-43d7-8d6b-2ae7a2ecf48b/

SH256 hash:

e3db4d662b071f414841750a8051b3f852a70ce0c0ffcc6f321a34dd5c1e07e5

MD5 hash:

b677ecbc3fc806e7c585680b5035621d

SHA1 hash:

47c693faef23a9a35f1c0595a3f47a56fa120b71

Detections:

SUSP_OBF_NET_ConfuserEx_Name_Pattern_Jan24

SUSP_OBF_NET_Reactor_Indicators_Jan24

Link:

https://www.unpac.me/results/2c705ff5-559b-43d7-8d6b-2ae7a2ecf48b/

SH256 hash:

3080d6598d2fb84ed4b6d9665e6d70c1be4b48b4bfac9afda293f341da835293

MD5 hash:

1314366c635919e37371a7a1347e9a11

SHA1 hash:

d49f881fa9058962baf9f5606775cb08d7ada0b4

Detections:

win_404keylogger_g1

snake_keylogger

MAL_Envrial_Jan18_1

INDICATOR_SUSPICIOUS_Binary_References_Browsers

INDICATOR_SUSPICIOUS_EXE_References_Messaging_Clients

INDICATOR_SUSPICIOUS_EXE_DotNetProcHook

MALWARE_Win_SnakeKeylogger

Link:

https://www.unpac.me/results/2c705ff5-559b-43d7-8d6b-2ae7a2ecf48b/

Malware family:

SnakeKeylogger

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/0015911fab4e/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Legit

Score:

0.00

Link:

https://yomi.yoroi.company/submissions/0015911fab4e4cedd52c9fca15fc8556407bb92b23673dd4463e95f766c7349a

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	CP_AllMal_Detector Create hunting rule
Author:	DiegoAnalytics
Description:	CrossPlatform All Malwares Detector: Detect PE, ELF, Mach-O, scripts, archives; overlay, obfuscation, encryption, spoofing, hiding, high entropy, network communication

Rule name:	INDICATOR_KB_CERT_7c1118cbbadc95da3752c46e47a27438 Create hunting rule
Author:	ditekSHen
Description:	Detects executables signed with stolen, revoked or invalid certificates

Rule name:	NET Create hunting rule
Author:	malware-lu

Rule name:	NETexecutableMicrosoft Create hunting rule
Author:	malware-lu

Rule name:	PE_Digital_Certificate Create hunting rule
Author:	albertzsigovits

Rule name:	pe_imphash Create hunting rule

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/30014/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample