MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 0653cd81c0cf45dc2b510934a5f0c1c68d17729387f55f8f6a70b1b11f9cbacb. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

SnakeKeylogger

Vendor detections: 18

Intelligence 18 IOCs YARA 16 File information Comments

SHA256 hash:	0653cd81c0cf45dc2b510934a5f0c1c68d17729387f55f8f6a70b1b11f9cbacb
SHA3-384 hash:	cf82f04261a50a094de50eb8f1445a3b356ee040019b3127a386946fde05cbd7f2f6a53ccbeb16d598c17470063d8e06
SHA1 hash:	f459a6d327a0fe94cbc141c6fcdc65eff81f18be
MD5 hash:	5112b66efe4673b10d9a1e9d9f3de8dc
humanhash:	mobile-beryllium-tango-uranus
File name:	RFQ 6000069128-Eclipse Supplies & Services LLC.xlsx______________________________________________________.exe
Download:	download sample
Signature	SnakeKeylogger Create hunting rule
File size:	791'552 bytes
First seen:	2025-02-03 08:56:01 UTC
Last seen:	2025-02-04 06:27:15 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'462 x Formbook, 12'204 x SnakeKeylogger)
ssdeep	12288:1YfPXqswecl91mDviO2b8bXqU2Sv//FQmmQ/MWzTjspH3hy55kJmDwnCD3J:0weclubX9//2mRLTjsLy55emDwCD3
Threatray	91 similar samples on MalwareBazaar
TLSH	T117F4E1C83B6AA706DD665934DA35EEB442BD1CA87000F9E35EDD3B5BB9BD2105D08F02
TrID	71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13) 10.2% (.EXE) Win64 Executable (generic) (10522/11/4) 6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 4.3% (.EXE) Win32 Executable (generic) (4504/4/1) 2.0% (.ICL) Windows Icons Library (generic) (2059/9)
Magika	pebin
File icon (PE):
dhash icon	e0e698a08088a888 (20 x Formbook, 6 x AgentTesla, 3 x SnakeKeylogger)
Reporter	adrian__luca
Tags:	exe SnakeKeylogger

Intelligence

File Origin

# of uploads :

# of downloads :

499

Origin country :

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

4e07f8a8-269c-45ae-beee-91a1a5aa0f27

Verdict:

Malicious activity

Analysis date:

2025-02-03 08:56:38 UTC

Tags:

snake keylogger evasion telegram stealer

Link:

https://app.any.run/tasks/4e07f8a8-269c-45ae-beee-91a1a5aa0f27

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection(s):

SecuriteInfo.com.BackDoor.AgentTeslaNET.35.23077.898.UNOFFICIAL

Verdict:

Malicious

Score:

99.1%

Link:

https://cyber-fortress.com/docs/result/index.php?id=67a084cb51193558eb19291b

Tags:

micro shell msil

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

Creating a file in the %AppData% directory

Enabling the 'hidden' option for recently created files

Adding an access-denied ACE

Сreating synchronization primitives

Creating a process with a hidden window

Creating a file in the %temp% directory

Launching a process

Unauthorized injection to a recently created process

Restart of the analyzed sample

Creating a file

DNS request

Connection attempt

Sending an HTTP GET request

Adding an exclusion to Microsoft Defender

Enabling autorun by creating a file

Verdict:

Likely Malicious

Threat level:

7.5/10

Confidence:

100%

Tags:

obfuscated packed packed packer_detected phishing vbnet

Link:

https://www.filescan.io/uploads/67a084bd06d12bc30bf5cddd/reports/c9419a78-ab2b-479a-8d63-55c1f38b0306/overview

Verdict:

Malicious

Labled as:

Win/malicious_confidence_100%

Link:

https://www.hybrid-analysis.com/sample/0653cd81c0cf45dc2b510934a5f0c1c68d17729387f55f8f6a70b1b11f9cbacb

Result

Verdict:

SUSPICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Agent Tesla

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/9e5c1f5d-fcb9-4b93-a0a1-0b26ed1afc7f

Result

Threat name:

Snake Keylogger, VIP Keylogger

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1605421

Signature

.NET source code contains potential unpacker

Adds a directory exclusion to Windows Defender

Found malware configuration

Injects a PE file into a foreign processes

Joe Sandbox ML detected suspicious sample

Loading BitLocker PowerShell Module

Machine Learning detection for dropped file

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet

Sigma detected: Scheduled temp file as task from temp location

Sigma detected: Suspicious Double Extension File Execution

Suricata IDS alerts for network traffic

Tries to detect the country of the analysis system (by using the IP)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Mail credentials (via file / registry access)

Uses schtasks.exe or at.exe to add and modify task schedules

Uses the Telegram API (likely for C&C communication)

Yara detected AntiVM3

Yara detected Generic Downloader

Yara detected Snake Keylogger

Yara detected Telegram RAT

Yara detected VIP Keylogger

Behaviour

Behavior Graph:

Download SVG

Score:

100%

Verdict:

Malware

File Type:

Link:

https://malprob.io/report/0653cd81c0cf45dc2b510934a5f0c1c68d17729387f55f8f6a70b1b11f9cbacb

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/0653cd81c0cf45dc2b510934a5f0c1c68d17729387f55f8f6a70b1b11f9cbacb/

Threat name:

ByteCode-MSIL.Backdoor.NanoCore

Status:

Malicious

First seen:

2025-02-03 06:52:28 UTC

File Type:

PE (.Net Exe)

Extracted files:

AV detection:

20 of 24 (83.33%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=azj43aoaz5c5yk2rbe2kl4gby2gro4utq72v7d3kocy3ch44xlfq._file

Verdict:

malicious

Label(s):

vipkeylogger

unknown_loader_037

SnakeKeylogger

0cb819d32cb3a2f218c5a17c02bb8c06935e926ebacf1e40a746b01e960c68e4

SnakeKeylogger

13fd36bd0ad2ef303ded0dac6b7cd6d4326ffebb08ff914eb44a6e75c52e8289

SnakeKeylogger

a8c8535f49c3869518e9d62f95086e5ac36526ea61d4203aa8d2077d33ae9faa

SnakeKeylogger

error

SnakeKeylogger

+ 81 additional samples on MalwareBazaar

Result

Malware family:

vipkeylogger

Score:

10/10

Tags:

family:vipkeylogger collection discovery execution keylogger spyware stealer

Link:

https://tria.ge/reports/250203-kv4pqswqbv/

Behaviour

Scheduled Task/Job: Scheduled Task

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

outlook_office_path

outlook_win_path

Browser Information Discovery

Enumerates physical storage devices

System Location Discovery: System Language Discovery

Suspicious use of SetThreadContext

Accesses Microsoft Outlook profiles

Looks up external IP address via web service

Checks computer location settings

Reads user/profile data of local email clients

Reads user/profile data of web browsers

Command and Scripting Interpreter: PowerShell

VIPKeylogger

Vipkeylogger family

Malware Config

C2 Extraction:

https://api.telegram.org/bot8137547477:AAGivMJhPHGxbUXvVQxSLRx55JHHJUPnI3M/sendMessage?chat_id=6680692809

Verdict:

Malicious

Tags:

404keylogger

YARA:

n/a

Link:

https://app.threat.zone/submission/8b2036cf-e9b8-4a0f-ac2d-ff26a8ad4099

Unpacked files

SH256 hash:

0653cd81c0cf45dc2b510934a5f0c1c68d17729387f55f8f6a70b1b11f9cbacb

MD5 hash:

5112b66efe4673b10d9a1e9d9f3de8dc

SHA1 hash:

f459a6d327a0fe94cbc141c6fcdc65eff81f18be

Link:

https://www.unpac.me/results/acdfb2ef-8653-407b-a085-81a9cb81c0ba/

SH256 hash:

12a51c9bbc919248f9d9d0e13bce970e5aacaba392e6ab228f56709edde25723

MD5 hash:

2109f4eea40955febd7fbef9338c8670

SHA1 hash:

13583df853692340577fe1ad575f00d321424a51

Link:

https://www.unpac.me/results/acdfb2ef-8653-407b-a085-81a9cb81c0ba/

SH256 hash:

f406defbd5981f65dff1e05dad0eb97de46341726408ba24564a25da777bc086

MD5 hash:

b37081305b5e9eec83edc0def04751b1

SHA1 hash:

394cd498e406bd6af795f5b3a4cbf62583d10a76

Detections:

SUSP_OBF_NET_ConfuserEx_Name_Pattern_Jan24

SUSP_OBF_NET_Reactor_Indicators_Jan24

Link:

https://www.unpac.me/results/acdfb2ef-8653-407b-a085-81a9cb81c0ba/

SH256 hash:

d8ea3c2492e08289a0f5c5e26364b90dc193e02f749c762203d92dbceb8905a6

MD5 hash:

f31079de695f86e61edb89a7a98acebc

SHA1 hash:

6495defbb91b88a35805dafbac7d501eb1084c25

Detections:

win_404keylogger_g1

MAL_Envrial_Jan18_1

INDICATOR_SUSPICIOUS_Binary_References_Browsers

INDICATOR_SUSPICIOUS_EXE_References_Messaging_Clients

INDICATOR_SUSPICIOUS_EXE_DotNetProcHook

INDICATOR_SUSPICIOUS_EXE_TelegramChatBot

Link:

https://www.unpac.me/results/acdfb2ef-8653-407b-a085-81a9cb81c0ba/

Malware family:

VIPKeylogger

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/0653cd81c0cf/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/0653cd81c0cf45dc2b510934a5f0c1c68d17729387f55f8f6a70b1b11f9cbacb

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	crime_snake_keylogger Create hunting rule
Author:	Rony (r0ny_123)
Description:	Detects Snake keylogger payload

Rule name:	INDICATOR_SUSPICIOUS_Binary_References_Browsers Create hunting rule
Author:	ditekSHen
Description:	Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers.

Rule name:	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook Create hunting rule
Author:	ditekSHen
Description:	Detects executables with potential process hoocking

Rule name:	INDICATOR_SUSPICIOUS_EXE_References_Messaging_Clients Create hunting rule
Author:	ditekSHen
Description:	Detects executables referencing many email and collaboration clients. Observed in information stealers

Rule name:	INDICATOR_SUSPICIOUS_EXE_TelegramChatBot Create hunting rule
Author:	ditekSHen
Description:	Detects executables using Telegram Chat Bot

Rule name:	MAL_Envrial_Jan18_1 Create hunting rule
Author:	Florian Roth (Nextron Systems)
Description:	Detects Encrial credential stealer malware
Reference:	https://twitter.com/malwrhunterteam/status/953313514629853184

Rule name:	MAL_Envrial_Jan18_1_RID2D8C Create hunting rule
Author:	Florian Roth
Description:	Detects Encrial credential stealer malware
Reference:	https://twitter.com/malwrhunterteam/status/953313514629853184

Rule name:	NET Create hunting rule
Author:	malware-lu

Rule name:	NETexecutableMicrosoft Create hunting rule
Author:	malware-lu

Rule name:	pe_imphash Create hunting rule

Rule name:	RANSOMWARE Create hunting rule
Author:	ToroGuitar

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

Rule name:	Sus_Obf_Enc_Spoof_Hide_PE Create hunting rule
Author:	XiAnzheng
Description:	Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique(can create FP)

Rule name:	telegram_bot_api Create hunting rule
Author:	rectifyq
Description:	Detects file containing Telegram Bot API

Rule name:	Windows_Trojan_SnakeKeylogger_af3faa65 Create hunting rule
Author:	Elastic Security

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

SnakeKeylogger

exe 0653cd81c0cf45dc2b510934a5f0c1c68d17729387f55f8f6a70b1b11f9cbacb

(this sample)

Delivery method

Distributed via e-mail attachment

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings

ID	Title	Severity
CHECK_AUTHENTICODE	Missing Authenticode	high
CHECK_DLL_CHARACTERISTICS	Missing dll Security Characteristics (HIGH_ENTROPY_VA)	high

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample