MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 06a1ee3899b10882d2de2cb3d311b7502c53b5cf9f7a7665c4f2b1101e06f76c. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


SnakeKeylogger


Vendor detections: 16


Intelligence 16 IOCs YARA 18 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 06a1ee3899b10882d2de2cb3d311b7502c53b5cf9f7a7665c4f2b1101e06f76c
SHA3-384 hash: 0c83348ccac75386b338d0b4a564e80823b4b9ce5f18f8d18d63c96fb5a513d15dd5a6bf32d8364ff41da1d2b1eb38b9
SHA1 hash: c266c2cd2fd10176fe15f68b820763ba3ad383f8
MD5 hash: 5bf405f3b6f01c84ca0def74ae668d7d
humanhash: stairway-queen-whiskey-berlin
File name:SecuriteInfo.com.Win32.MalwareX-gen.2027.10035
Download: download sample
Signature SnakeKeylogger
Create hunting rule
File size:885'760 bytes
First seen:2025-07-03 04:18:08 UTC
Last seen:2025-07-04 06:48:24 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'750 x AgentTesla, 19'653 x Formbook, 12'248 x SnakeKeylogger)
ssdeep 12288:G9kZZIUoUasvM6s0xLCer0eGwIqO5plg3YiARB1jOhmp9IShLZrtPsRPT6QCK:bZvM/05tQbC3YiAT1yq9IaVrt4i
Threatray 1'914 similar samples on MalwareBazaar
TLSH T1DA15E0142258DA3FD85607BCAC30D0725BB59F8F2419E29B8DE83CD774BEAC3355126A
TrID 71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.2% (.EXE) Win64 Executable (generic) (10522/11/4)
6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.3% (.EXE) Win32 Executable (generic) (4504/4/1)
2.0% (.ICL) Windows Icons Library (generic) (2059/9)
Magika pebin
dhash icon 69c8c4a68e88f0c4 (5 x SnakeKeylogger, 4 x XWorm, 4 x Formbook)
Reporter SecuriteInfoCom
Tags:exe SnakeKeylogger

Intelligence

File Origin
# of uploads :
3
# of downloads :
39
Origin country :
FR FR
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
rl_06a1ee3899b10882d2de2cb3d311b7502c53b5cf9f7a7665c4f2b1101e06f76c
Verdict:
Malicious activity
Analysis date:
2025-07-03 04:33:29 UTC
Tags:
auto-sch-xml snake keylogger evasion telegram netreactor stealer ims-api generic
Link:
https://app.any.run/tasks/f08f9af2-4b93-4808-91ec-61eb32ea8cbe

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/12092/
Detection(s):
SecuriteInfo.com.Win32.MalwareX-gen.2027.10035.UNOFFICIAL
Create hunting rule

Verdict:
Malicious
Score:
99.1%
Link:
https://cyber-fortress.com/docs/result/index.php?id=68660481900df8e7f865ee90
Tags:
fareit spawn shell msil
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Creating a file in the %AppData% directory
Enabling the 'hidden' option for recently created files
Adding an access-denied ACE
Creating a process with a hidden window
Creating a file in the %temp% directory
Launching a process
Unauthorized injection to a recently created process
Restart of the analyzed sample
Creating a file
Сreating synchronization primitives
DNS request
Connection attempt
Sending an HTTP GET request
Sending a custom TCP request
Adding an exclusion to Microsoft Defender
Enabling autorun by creating a file
Forced shutdown of a browser
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
base64 bitmap obfuscated obfuscated packed packed packed reconnaissance roboski stego vbnet
Link:
https://www.filescan.io/uploads/68660483bf2a41982c80c17f/reports/12556cf7-5ed8-44bc-9d9b-51afd13be7b6/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_100%
Link:
https://www.hybrid-analysis.com/sample/06a1ee3899b10882d2de2cb3d311b7502c53b5cf9f7a7665c4f2b1101e06f76c
Malware family:
Snake Keylogger
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/e2c3f503-36c0-47b5-9352-d1e2eeeba9e4
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/06a1ee3899b10882d2de2cb3d311b7502c53b5cf9f7a7665c4f2b1101e06f76c
Verdict:
inconclusive
YARA:
4 match(es)
Tags:
Executable PE (Portable Executable) Win 32 Exe x86
Link:
https://app.malva.re/file/5bf405f3b6f01c84ca0def74ae668d7d
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/06a1ee3899b10882d2de2cb3d311b7502c53b5cf9f7a7665c4f2b1101e06f76c/
Verdict:
Malicious
Threat:
Win32.Infostealer.Pony
Link:
https://tip.neiki.dev/file/06a1ee3899b10882d2de2cb3d311b7502c53b5cf9f7a7665c4f2b1101e06f76c
Threat name:
ByteCode-MSIL.Trojan.DarkCloud
Create hunting rule
Status:
Malicious
First seen:
2025-07-03 03:18:37 UTC
File Type:
PE (.Net Exe)
Extracted files:
25
AV detection:
26 of 38 (68.42%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=a2q64oezweeifuw6fsz5genxkawfhnopt55hmzoe6kyrahqg65wa._file
Verdict:
malicious
Label(s):
vipkeylogger
Create hunting rule
unc_loader_037
Create hunting rule
Similar samples:
05ddfe68f52650bb4edf167f1e37883c77dced2d90b57e4cad1d8e640dbf81bd
SnakeKeylogger
06a1ee3899b10882d2de2cb3d311b7502c53b5cf9f7a7665c4f2b1101e06f76c
SnakeKeylogger
4fd75f4ed83532d4fbfaa5470b3cfeae159c00b6198950afa119a437dab01afb
SnakeKeylogger
78ae05e4fa25ebe63c5368f050f53c0b363cf110e184be1d5d6646465c0c1cf5
SnakeKeylogger
error
SnakeKeylogger
fd5286ddadfab05124317901d942f68250587d4d97a59acc45f9f565580060ac
SnakeKeylogger
+ 1'904 additional samples on MalwareBazaar
Result
Malware family:
vipkeylogger
Create hunting rule
Score:
  10/10
Tags:
family:vipkeylogger collection discovery execution keylogger spyware stealer
Link:
https://tria.ge/reports/250703-exk3hstqy6/
Behaviour
Scheduled Task/Job: Scheduled Task
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Browser Information Discovery
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Looks up external IP address via web service
Checks computer location settings
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Command and Scripting Interpreter: PowerShell
VIPKeylogger
Vipkeylogger family
Malware Config
C2 Extraction:
https://api.telegram.org/bot7650742332:AAEWicQCAe69rgKJ2eUqh0157h3RuudklDQ /sendMessage?chat_id=7886581547
Verdict:
Malicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/0ba0cf80-9a79-44d6-8508-7c952595aed9
Unpacked files
SH256 hash:
06a1ee3899b10882d2de2cb3d311b7502c53b5cf9f7a7665c4f2b1101e06f76c
MD5 hash:
5bf405f3b6f01c84ca0def74ae668d7d
SHA1 hash:
c266c2cd2fd10176fe15f68b820763ba3ad383f8
Link:
https://www.unpac.me/results/d5c8c413-fda8-42ef-abdc-b436e609ccca/
SH256 hash:
59a55cabc517cfb4c9041b87d4711f86a81819177e8e5e32a3aea43f94ffe66c
MD5 hash:
35f530f66534dd3392758a9a0c9dd10b
SHA1 hash:
2baa6eeac6adbbdaf5186d16f3136dcb519c7e0b
Link:
https://www.unpac.me/results/d5c8c413-fda8-42ef-abdc-b436e609ccca/
SH256 hash:
c635066ffdab6cebd6597492667f4336850702aea23cabb3100c6b316716efe0
MD5 hash:
4f79041053775bf108d36810c7b3e781
SHA1 hash:
77385a3bda862dac614562448f864e4a3a530345
Detections:
win_404keylogger_g1
Create hunting rule
MAL_Envrial_Jan18_1
Create hunting rule
INDICATOR_SUSPICIOUS_Binary_References_Browsers
Create hunting rule
INDICATOR_SUSPICIOUS_EXE_References_Messaging_Clients
Create hunting rule
INDICATOR_SUSPICIOUS_EXE_DotNetProcHook
Create hunting rule
INDICATOR_SUSPICIOUS_EXE_TelegramChatBot
Create hunting rule
Link:
https://www.unpac.me/results/d5c8c413-fda8-42ef-abdc-b436e609ccca/
SH256 hash:
476da8e91c7d054dcb23410f30990c961d45da01c1f3a51521e2b5947b17e250
MD5 hash:
26ceb1d604746cd6401c273b3f65ea11
SHA1 hash:
cc80cbee2cadf9815c40e4ea829766a7bd8d7ab0
Detections:
SUSP_OBF_NET_ConfuserEx_Name_Pattern_Jan24
Create hunting rule
SUSP_OBF_NET_Reactor_Indicators_Jan24
Create hunting rule
Link:
https://www.unpac.me/results/d5c8c413-fda8-42ef-abdc-b436e609ccca/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/06a1ee3899b10882d2de2cb3d311b7502c53b5cf9f7a7665c4f2b1101e06f76c

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:crime_snake_keylogger
Create hunting rule
Author:Rony (r0ny_123)
Description:Detects Snake keylogger payload
Rule name:DetectEncryptedVariants
Create hunting rule
Author:Zinyth
Description:Detects 'encrypted' in ASCII, Unicode, base64, or hex-encoded
Rule name:INDICATOR_SUSPICIOUS_Binary_References_Browsers
Create hunting rule
Author:ditekSHen
Description:Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers.
Rule name:INDICATOR_SUSPICIOUS_EXE_DotNetProcHook
Create hunting rule
Author:ditekSHen
Description:Detects executables with potential process hoocking
Rule name:INDICATOR_SUSPICIOUS_EXE_References_Messaging_Clients
Create hunting rule
Author:ditekSHen
Description:Detects executables referencing many email and collaboration clients. Observed in information stealers
Rule name:INDICATOR_SUSPICIOUS_EXE_TelegramChatBot
Create hunting rule
Author:ditekSHen
Description:Detects executables using Telegram Chat Bot
Rule name:MAL_Envrial_Jan18_1
Create hunting rule
Author:Florian Roth (Nextron Systems)
Description:Detects Encrial credential stealer malware
Reference:https://twitter.com/malwrhunterteam/status/953313514629853184
Rule name:MAL_Envrial_Jan18_1_RID2D8C
Create hunting rule
Author:Florian Roth
Description:Detects Encrial credential stealer malware
Reference:https://twitter.com/malwrhunterteam/status/953313514629853184
Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:NETexecutableMicrosoft
Create hunting rule
Author:malware-lu
Rule name:pe_imphash
Create hunting rule
Rule name:RANSOMWARE
Create hunting rule
Author:ToroGuitar
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash
Rule name:Sus_CMD_Powershell_Usage
Create hunting rule
Author:XiAnzheng
Description:May Contain(Obfuscated or no) Powershell or CMD Command that can be abused by threat actor(can create FP)
Rule name:Sus_Obf_Enc_Spoof_Hide_PE
Create hunting rule
Author:XiAnzheng
Description:Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique(can create FP)
Rule name:telegram_bot_api
Create hunting rule
Author:rectifyq
Description:Detects file containing Telegram Bot API
Rule name:Windows_Trojan_SnakeKeylogger_af3faa65
Create hunting rule
Author:Elastic Security

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/12092/

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_DLL_CHARACTERISTICSMissing dll Security Characteristics (GUARD_CF)high

Comments