MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 00d6bcb13a0e5ee0a759c663a63d75866a7ceacbc91e3b63d96580926c5053af. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


SnakeKeylogger


Vendor detections: 17


Intelligence 17 IOCs YARA 5 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 00d6bcb13a0e5ee0a759c663a63d75866a7ceacbc91e3b63d96580926c5053af
SHA3-384 hash: e318123f37fcf2699fccd42e78a4cfdcae0e9cd878a1cc5255c2f90697c47fc294833c58a3284460f893ab5a2963b599
SHA1 hash: 969ffba156f12350a4dab4f0d9c58b5e8d0a16ac
MD5 hash: 36edfc99cd37b9e01744db59f92b54b5
humanhash: fruit-diet-red-jupiter
File name:Request for Proposal Summer project TPO23010055-(TP)^....%100% dwg.exe
Download: download sample
Signature SnakeKeylogger
Create hunting rule
File size:737'280 bytes
First seen:2025-08-06 13:41:04 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 12288:3ZVoJcq7EEk27ImEkKtR9W276DwZF6xjAmmKDhB6r0bnnDqwsCVN/D:3YWqO27IhkSR9W276UZF6KmtD/6obnDv
Threatray 3'245 similar samples on MalwareBazaar
TLSH T1E6F4236437FECE31F0F967F42862C23917B56C1DA262D3229DD9ADCB311AB604E15722
TrID 71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.2% (.EXE) Win64 Executable (generic) (10522/11/4)
6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.3% (.EXE) Win32 Executable (generic) (4504/4/1)
2.0% (.ICL) Windows Icons Library (generic) (2059/9)
Magika pebin
Reporter lowmal3
Tags:exe SnakeKeylogger

Intelligence

File Origin
# of uploads :
1
# of downloads :
69
Origin country :
DE DE
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
12c992ff-98b6-46f0-8a63-02806d69a681
Verdict:
Malicious activity
Analysis date:
2025-08-06 13:43:42 UTC
Tags:
evasion snake keylogger telegram stealer smtp
Link:
https://app.any.run/tasks/12c992ff-98b6-46f0-8a63-02806d69a681

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/19256/
Verdict:
Malicious
Score:
81.4%
Link:
https://cyber-fortress.com/docs/result/index.php?id=68935b8511d7f9b979e61bb3
Tags:
spawn shell micro
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a custom TCP request
Сreating synchronization primitives
Creating a process with a hidden window
Unauthorized injection to a recently created process
Restart of the analyzed sample
Creating a file
DNS request
Connection attempt
Sending an HTTP GET request
Reading critical registry keys
Stealing user critical data
Adding an exclusion to Microsoft Defender
Forced shutdown of a browser
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
base64 bitmap lolbin msbuild obfuscated packed packed reconnaissance regsvcs rezer0 roboski schtasks snakestealer stego telegram vbc
Link:
https://www.filescan.io/uploads/68935b952fbe0788fb1ac0c7/reports/4538115d-76de-4602-a2e5-5c2b79f4343c/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_90%
Link:
https://www.hybrid-analysis.com/sample/00d6bcb13a0e5ee0a759c663a63d75866a7ceacbc91e3b63d96580926c5053af
Malware family:
Snake Keylogger
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/a5bff8a0-64a9-4cd7-add8-91cbde897c1c
Result
Threat name:
Snake Keylogger, VIP Keylogger
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1751371
Signature
.NET source code contains potential unpacker
Adds a directory exclusion to Windows Defender
Joe Sandbox ML detected suspicious sample
Loading BitLocker PowerShell Module
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Obfuscated command line found
Sample uses string decryption to hide its real strings
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Suricata IDS alerts for network traffic
Tries to detect the country of the analysis system (by using the IP)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Uses the Telegram API (likely for C&C communication)
Yara detected AntiVM3
Yara detected Snake Keylogger
Yara detected Telegram RAT
Yara detected VIP Keylogger
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1751371 Sample: Request for Proposal Summer... Startdate: 06/08/2025 Architecture: WINDOWS Score: 100 25 reallyfreegeoip.org 2->25 27 api.telegram.org 2->27 29 3 other IPs or domains 2->29 45 Suricata IDS alerts for network traffic 2->45 47 Malicious sample detected (through community Yara rule) 2->47 49 Multi AV Scanner detection for submitted file 2->49 55 10 other signatures 2->55 8 Request for Proposal Summer project TPO23010055-(TP)^....%100% dwg.exe 4 2->8         started        12 svchost.exe 1 1 2->12         started        signatures3 51 Tries to detect the country of the analysis system (by using the IP) 25->51 53 Uses the Telegram API (likely for C&C communication) 27->53 process4 dnsIp5 23 Request for Propos.....%100% dwg.exe.log, ASCII 8->23 dropped 57 Obfuscated command line found 8->57 59 Adds a directory exclusion to Windows Defender 8->59 15 Request for Proposal Summer project TPO23010055-(TP)^....%100% dwg.exe 15 2 8->15         started        19 powershell.exe 21 8->19         started        31 127.0.0.1 unknown unknown 12->31 file6 signatures7 process8 dnsIp9 33 mail.tuncaykurtmakina.com 213.142.136.33, 49712, 587 ADEOXTECHUS Turkey 15->33 35 api.telegram.org 149.154.167.220, 443, 49708 TELEGRAMRU United Kingdom 15->35 37 2 other IPs or domains 15->37 39 Tries to steal Mail credentials (via file / registry access) 15->39 41 Tries to harvest and steal browser information (history, passwords, etc) 15->41 43 Loading BitLocker PowerShell Module 19->43 21 conhost.exe 19->21         started        signatures10 process11
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/00d6bcb13a0e5ee0a759c663a63d75866a7ceacbc91e3b63d96580926c5053af
Gathering data
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/00d6bcb13a0e5ee0a759c663a63d75866a7ceacbc91e3b63d96580926c5053af/
Threat name:
ByteCode-MSIL.Trojan.DarkCloud
Create hunting rule
Status:
Malicious
First seen:
2025-08-06 13:41:29 UTC
File Type:
PE (.Net Exe)
Extracted files:
9
AV detection:
17 of 23 (73.91%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=adllzmj2bzpobj2zyzr2mplvqzvhz2wlzepdwy6zmwaje3cqkoxq._file
Verdict:
malicious
Label(s):
vipkeylogger
Create hunting rule
unc_loader_037
Create hunting rule
Similar samples:
00d6bcb13a0e5ee0a759c663a63d75866a7ceacbc91e3b63d96580926c5053af
SnakeKeylogger
0f8f4d5651684cb127cb4f921afda71d548b8a75c5976c8b0219586e4dc024d3
SnakeKeylogger
305d9600a596e53e188bb33f97ec95ce57d2532d55f670fef47165f477d837b7
SnakeKeylogger
7e545a76c16dee6d24d3e86c6667c07bcd0f76064f232463b58fd4ec6d930090
SnakeKeylogger
e8e945d0e6a01338aac7ba7c8b5d19bf4ad27824cd328d833a764d4b24ed7d0c
SnakeKeylogger
error
SnakeKeylogger
+ 3'235 additional samples on MalwareBazaar
Result
Malware family:
vipkeylogger
Create hunting rule
Score:
  10/10
Tags:
family:vipkeylogger collection discovery execution keylogger spyware stealer
Link:
https://tria.ge/reports/250806-qy9yta1py4/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Browser Information Discovery
Enumerates physical storage devices
System Location Discovery: System Language Discovery
SmartAssembly .NET packer
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Looks up external IP address via web service
Checks computer location settings
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Command and Scripting Interpreter: PowerShell
VIPKeylogger
Vipkeylogger family
Verdict:
Malicious
Tags:
404Keylogger
YARA:
n/a
Link:
https://app.threat.zone/submission/f8f9b45b-ca1d-4d38-9371-5582b07d24ac
Unpacked files
SH256 hash:
00d6bcb13a0e5ee0a759c663a63d75866a7ceacbc91e3b63d96580926c5053af
MD5 hash:
36edfc99cd37b9e01744db59f92b54b5
SHA1 hash:
969ffba156f12350a4dab4f0d9c58b5e8d0a16ac
Link:
https://www.unpac.me/results/95216634-8e84-424f-a26b-1cd60e23921e/
SH256 hash:
a0f661709e2b5a34e13d362ad8cc7157821e9059b2720c8a334ccec2e3a9d703
MD5 hash:
31cc6da388beb94237f9aa46eaac815d
SHA1 hash:
3d65fc7902fc1b4d752db2d9f1b02d3bf9b50b46
Detections:
win_404keylogger_g1
Create hunting rule
MAL_Envrial_Jan18_1
Create hunting rule
INDICATOR_SUSPICIOUS_Binary_References_Browsers
Create hunting rule
INDICATOR_SUSPICIOUS_EXE_DotNetProcHook
Create hunting rule
INDICATOR_SUSPICIOUS_EXE_TelegramChatBot
Create hunting rule
Link:
https://www.unpac.me/results/95216634-8e84-424f-a26b-1cd60e23921e/
Parent samples :
00d6bcb13a0e5ee0a759c663a63d75866a7ceacbc91e3b63d96580926c5053af
e9b41f0fbd640613e949417dfe2cc1835e4458e1c20c766b0331274da1f53c79
88b838cc854132e243dc0e2d3ca34f49f0de3c96d5b2bf15b0901bed270702c1
a7f7a2ba4874202dd3c17d81618c0f5f03421b13fe9b48a81f475025f97f2fd3
dfb47b0d9362c1584332c02f37e614f8e54a3f9956cc3df38dbacd20c40c4db5
c43e60dd4fe89c7a4927b13c24972ff021986196b1fafa40e9cdc5ce81b0db5b
8cc4684d5b4c41db041acab6550e5d8d110175b4da2dbe79da04b62cd21b410a
SH256 hash:
00049daf2e95649a724141fb24f6ac431a1a451f4b686dbbb97443379c821088
MD5 hash:
aa8038c1eb2e84e43b46114d91f8b00b
SHA1 hash:
4f7d03e7cd44ca646a2dcc8f53534f3aee9718ef
Detections:
INDICATOR_EXE_Packed_SmartAssembly
Create hunting rule
Link:
https://www.unpac.me/results/95216634-8e84-424f-a26b-1cd60e23921e/
Parent samples :
9cc3509d0971ef4d17669266b88c3e7c47e47581b277c5c8e4a59b93ef761c9b
1bfc67fda739fb4b9d8ec51ab705c1348396d37eb76be0035183e12b26c7f6ea
00d6bcb13a0e5ee0a759c663a63d75866a7ceacbc91e3b63d96580926c5053af
f1f841722dfbf5ae03d0c6b8263565f091570ec9a1e9dc6f93f5759f746e2449
1583f581b4aed3b58c6dfaa9e8934acb0afbfe12ebc7a5c99ee8757242b4f7fa
5d112bae8efc523f75ae6067c634101605b6d4c5ee4bf67a264ad15daa419b71
c5746aba0a4755f24a90f73d4a3220c63cbcd475f9b24b5600778e5e6a49ce8b
ec21d54163c145fd0a8d5f5569913cf9a27bc54bd756028124e01e52e707b69d
SH256 hash:
244e8235aea57e1f59013f03498643e532aa9b8011515051f23b3c8a3bff0fdb
MD5 hash:
3306905cb4652189cfa14529fe62ff6c
SHA1 hash:
733923b057597990b3751c84d9d538110f0c9db8
Detections:
SUSP_OBF_NET_ConfuserEx_Name_Pattern_Jan24
Create hunting rule
SUSP_OBF_NET_Reactor_Indicators_Jan24
Create hunting rule
Link:
https://www.unpac.me/results/95216634-8e84-424f-a26b-1cd60e23921e/
Malware family:
VIPKeylogger
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/00d6bcb13a0e/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/00d6bcb13a0e5ee0a759c663a63d75866a7ceacbc91e3b63d96580926c5053af

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:NETexecutableMicrosoft
Create hunting rule
Author:malware-lu
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash
Rule name:Sus_Obf_Enc_Spoof_Hide_PE
Create hunting rule
Author:XiAnzheng
Description:Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique(can create FP)

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

SnakeKeylogger

Executable exe 00d6bcb13a0e5ee0a759c663a63d75866a7ceacbc91e3b63d96580926c5053af

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/19256/

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_DLL_CHARACTERISTICSMissing dll Security Characteristics (GUARD_CF)high

Comments