MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 04966144127fa02f4ba581e267baeac3c2c2dd321667a989834c8bf0c0328458. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


SnakeKeylogger


Vendor detections: 15


Intelligence 15 IOCs YARA 5 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 04966144127fa02f4ba581e267baeac3c2c2dd321667a989834c8bf0c0328458
SHA3-384 hash: 664531e56d99aceb3655dfcd08129b500f8355bf410ee4fa02d951261b8b5cd8b69cd9ce69b4a961b82e0363f273ac34
SHA1 hash: 3b1de825948c088d7863007488b16e023a03e12e
MD5 hash: 2f65f6400af059013971b2f3370d0330
humanhash: golf-lima-sad-nevada
File name:Request for Proposal Summer project TPO23010055-(TP)^....%100% dwg.exe
Download: download sample
Signature SnakeKeylogger
Create hunting rule
File size:733'696 bytes
First seen:2025-08-01 11:22:19 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'661 x AgentTesla, 19'474 x Formbook, 12'208 x SnakeKeylogger)
ssdeep 12288:bxnUtBX1CLu6Xtc/eYEFD/877SrJmRFggfUYN7NER4s2IFhMRImvENRZIWmZAsF:FnUhsu6dcmYEFLWSryf5NKR4sIevKfAE
Threatray 3'480 similar samples on MalwareBazaar
TLSH T136F40121FE27E802F49023774752E57933A51EAC95C0C2B27AF9EEDB799D6010F63252
TrID 71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.2% (.EXE) Win64 Executable (generic) (10522/11/4)
6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.3% (.EXE) Win32 Executable (generic) (4504/4/1)
2.0% (.ICL) Windows Icons Library (generic) (2059/9)
Magika pebin
dhash icon 4c36f2cca3dc949c (7 x SnakeKeylogger, 2 x MassLogger, 2 x a310Logger)
Reporter lowmal3
Tags:exe SnakeKeylogger

Intelligence

File Origin
# of uploads :
1
# of downloads :
44
Origin country :
DE DE
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
8cad9ffe-a350-4f65-bddb-1f24fb2abf8d
Verdict:
Malicious activity
Analysis date:
2025-08-01 11:28:10 UTC
Tags:
telegram snake keylogger evasion stealer smtp
Link:
https://app.any.run/tasks/8cad9ffe-a350-4f65-bddb-1f24fb2abf8d

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/18294/
Detection(s):
SecuriteInfo.com.Trojan.PWS.Siggen3.40725.30846.23849.UNOFFICIAL
Create hunting rule

Verdict:
Malicious
Score:
99.1%
Link:
https://cyber-fortress.com/docs/result/index.php?id=688ca373af3050dc8d331b56
Tags:
spawn shell virus
Result
Verdict:
Clean
Maliciousness:

Behaviour
Searching for synchronization primitives
Launching the default Windows debugger (dwwin.exe)
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
obfuscated packed packed packer_detected
Link:
https://www.filescan.io/uploads/688ca3783228e5a4037f0ec4/reports/862c1205-f432-489e-908a-2dc981535026/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_100%
Link:
https://www.hybrid-analysis.com/sample/04966144127fa02f4ba581e267baeac3c2c2dd321667a989834c8bf0c0328458
Malware family:
Snake Keylogger
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/fb14f725-4436-48d2-a02a-41a3770725d6
Result
Threat name:
n/a
Detection:
malicious
Classification:
n/a
Score:
52 / 100
Link:
https://www.joesandbox.com/analysis/1748376
Signature
Multi AV Scanner detection for submitted file
Obfuscated command line found
Behaviour
Behavior Graph:
Download SVG
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/04966144127fa02f4ba581e267baeac3c2c2dd321667a989834c8bf0c0328458
Verdict:
inconclusive
YARA:
10 match(es)
Tags:
.Net Executable PDB Path PE (Portable Executable) SOS: 0.34 Win 32 Exe x86
Link:
https://app.malva.re/file/2f65f6400af059013971b2f3370d0330
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/04966144127fa02f4ba581e267baeac3c2c2dd321667a989834c8bf0c0328458/
Threat name:
Win32.Spyware.Negasteal
Create hunting rule
Status:
Malicious
First seen:
2025-08-01 06:15:11 UTC
File Type:
PE (.Net Exe)
Extracted files:
10
AV detection:
17 of 23 (73.91%)
Threat level:
  2/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=aslgcrasp6qc6s5fqhrgpoxkypbmfxjsczt2tcmdjsf7bqbsqrma._file
Verdict:
malicious
Label(s):
unc_loader_037
Create hunting rule
vipkeylogger
Create hunting rule
Similar samples:
0f8f4d5651684cb127cb4f921afda71d548b8a75c5976c8b0219586e4dc024d3
SnakeKeylogger
29eeed93c836f8c75b109eae3ed94bd49fc2a7ea73928eb54bc3b296b6839f4f
SnakeKeylogger
305d9600a596e53e188bb33f97ec95ce57d2532d55f670fef47165f477d837b7
SnakeKeylogger
7e545a76c16dee6d24d3e86c6667c07bcd0f76064f232463b58fd4ec6d930090
SnakeKeylogger
e8e945d0e6a01338aac7ba7c8b5d19bf4ad27824cd328d833a764d4b24ed7d0c
SnakeKeylogger
error
SnakeKeylogger
+ 3'470 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  3/10
Tags:
discovery
Link:
https://tria.ge/reports/250801-ngsbbsxzcx/
Behaviour
Program crash
System Location Discovery: System Language Discovery
Verdict:
Suspicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/dd5e3523-97a5-48b2-b812-b49ed7e137cf
Unpacked files
SH256 hash:
04966144127fa02f4ba581e267baeac3c2c2dd321667a989834c8bf0c0328458
MD5 hash:
2f65f6400af059013971b2f3370d0330
SHA1 hash:
3b1de825948c088d7863007488b16e023a03e12e
Link:
https://www.unpac.me/results/c72f3e9d-58af-4ae1-ad17-87b30c8e2514/
SH256 hash:
29d51566dde57cdbf72ff339016b2d97204f45d9cceeab62ca96830c86560c99
MD5 hash:
5a06bd97e69276d20b6f667f32986aae
SHA1 hash:
4f1e4d8875353a5bff4a7d03eb44d6fdd71995a3
Detections:
SUSP_OBF_NET_ConfuserEx_Name_Pattern_Jan24
Create hunting rule
SUSP_OBF_NET_Reactor_Indicators_Jan24
Create hunting rule
Link:
https://www.unpac.me/results/c72f3e9d-58af-4ae1-ad17-87b30c8e2514/
SH256 hash:
967146c82ece78864f1b9fc82ed6d5f4022813c1530e7b5cfde0eddee5ce0305
MD5 hash:
034bc9b16ef9e131e34454cd52685397
SHA1 hash:
af31017ff5a6a0391daf989ea55f8c1fb7fd902f
Link:
https://www.unpac.me/results/c72f3e9d-58af-4ae1-ad17-87b30c8e2514/
SH256 hash:
d468457077028562c83e9d62efd2d63bce27e38403df8edef95bdb79156929cb
MD5 hash:
f2710ab0d8c3cc1bd70417925135142f
SHA1 hash:
e879f8fe440c907f410484835b464c94cc34f3c4
Detections:
win_404keylogger_g1
Create hunting rule
MAL_Envrial_Jan18_1
Create hunting rule
INDICATOR_SUSPICIOUS_Binary_References_Browsers
Create hunting rule
INDICATOR_SUSPICIOUS_EXE_DotNetProcHook
Create hunting rule
INDICATOR_SUSPICIOUS_EXE_TelegramChatBot
Create hunting rule
Link:
https://www.unpac.me/results/c72f3e9d-58af-4ae1-ad17-87b30c8e2514/
Parent samples :
d12b6c7f1ea27f3a05a0e9916ce6cca0ecbcc0dab405a93b1ee0b8f9dc529cfc
04966144127fa02f4ba581e267baeac3c2c2dd321667a989834c8bf0c0328458
31c8a8d67d03f8148f257f63941b3f89e16d95829ecbcae7f8c38b14ca1d34e7
Malware family:
VIPKeylogger
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/04966144127f/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/04966144127fa02f4ba581e267baeac3c2c2dd321667a989834c8bf0c0328458

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:NETexecutableMicrosoft
Create hunting rule
Author:malware-lu
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash
Rule name:Sus_Obf_Enc_Spoof_Hide_PE
Create hunting rule
Author:XiAnzheng
Description:Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique(can create FP)

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

SnakeKeylogger

Executable exe 04966144127fa02f4ba581e267baeac3c2c2dd321667a989834c8bf0c0328458

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/18294/

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_DLL_CHARACTERISTICSMissing dll Security Characteristics (GUARD_CF)high

Comments