MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 089553c1d6831495bd5ccaed0645f6141adbcccc9ac56d258b489378dbc453b5. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

404Keylogger

Vendor detections: 16

Intelligence 16 IOCs YARA 4 File information Comments

SHA256 hash:	089553c1d6831495bd5ccaed0645f6141adbcccc9ac56d258b489378dbc453b5
SHA3-384 hash:	f5879cd6563d8d9cccdff2974970b7a4ab39e6864e75841b6a37b95c6ec81eff78b3c756bf4c94baf09fc0a9732c6f9c
SHA1 hash:	c90d7e3d67a028ab7b9056f102022c8d0f788f9d
MD5 hash:	50a29fb7be0331c395ccd99d9dd6640e
humanhash:	tennessee-island-summer-speaker
File name:	Enelelektromarket YENİ SİPARİŞ 0191621#25032024.r11(657 KB).exe
Download:	download sample
Signature	404Keylogger Create hunting rule
File size:	759'296 bytes
First seen:	2025-09-18 06:32:13 UTC
Last seen:	2025-10-09 14:02:32 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'753 x AgentTesla, 19'659 x Formbook, 12'249 x SnakeKeylogger)
ssdeep	12288:DR3j3x7bSrCtT6CaYg1l+G2HC3Lx/bZBjexGNbGDLjXxcMci8KNlr8Fmx7untvf5:DR3j3x7+WtTDaYgn5T1ZBzN+LjX23aTm
Threatray	1'580 similar samples on MalwareBazaar
TLSH	T181F40294236AEE12D1E51FF40930C3B917387E9AA520C30B4EF6BDEF38397605695297
TrID	71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13) 10.2% (.EXE) Win64 Executable (generic) (10522/11/4) 6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 4.3% (.EXE) Win32 Executable (generic) (4504/4/1) 2.0% (.ICL) Windows Icons Library (generic) (2059/9)
Magika	pebin
Reporter	abuse_ch
Tags:	404Keylogger exe geo TUR

Intelligence

File Origin

# of uploads :

# of downloads :

Origin country :

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

Enelelektromarket YENÄ° SÄ°PARÄ°Å 0191621#25032024.r11(657 KB).exe

Verdict:

No threats detected

Analysis date:

2025-09-18 06:42:40 UTC

Tags:

n/a

Link:

https://app.any.run/tasks/8aba005e-f107-4f95-975d-7edae949fa9b

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

VIPKeyLogger

Link:

https://www.capesandbox.com/analysis/28068/

Verdict:

Malicious

Score:

96.5%

Link:

https://cyber-fortress.com/docs/result/index.php?id=68cba7f5243203254647636e

Tags:

snake spam

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

Сreating synchronization primitives

Creating a process with a hidden window

Searching for synchronization primitives

Launching the default Windows debugger (dwwin.exe)

Adding an exclusion to Microsoft Defender

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

base64 bitmap formbook krypt obfuscated packed packed reconnaissance roboski snakestealer stego unsafe vbnet

Link:

https://www.filescan.io/uploads/68cba83473287948292e64d4/reports/667bff3b-28ce-4763-a700-98b26b5b5fe3/overview

Verdict:

Malicious

Labled as:

Genie.8DN.Generic

Link:

https://www.hybrid-analysis.com/sample/089553c1d6831495bd5ccaed0645f6141adbcccc9ac56d258b489378dbc453b5

Verdict:

Malicious

File Type:

exe x32

First seen:

2025-09-17T07:45:00Z UTC

Last seen:

2025-09-17T07:45:00Z UTC

Hits:

~1000

Link:

https://opentip.kaspersky.com/089553c1d6831495bd5ccaed0645f6141adbcccc9ac56d258b489378dbc453b5/results?tab=lookup

Malware family:

Snake Keylogger

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/64fda108-6d07-4eba-8b47-4e6ac5bb3e7b

Result

Threat name:

Snake Keylogger, VIP Keylogger

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1779752

Signature

.NET source code contains method to dynamically call methods (often used by packers)

.NET source code contains potential unpacker

Adds a directory exclusion to Windows Defender

Antivirus / Scanner detection for submitted sample

Found malware configuration

Injects a PE file into a foreign processes

Joe Sandbox ML detected suspicious sample

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Sample uses string decryption to hide its real strings

Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet

Suricata IDS alerts for network traffic

Tries to detect the country of the analysis system (by using the IP)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Mail credentials (via file / registry access)

Uses the Telegram API (likely for C&C communication)

Yara detected AntiVM3

Yara detected Snake Keylogger

Yara detected Telegram RAT

Yara detected VIP Keylogger

Behaviour

Behavior Graph:

Download SVG

Score:

100%

Verdict:

Malware

File Type:

Link:

https://malprob.io/report/089553c1d6831495bd5ccaed0645f6141adbcccc9ac56d258b489378dbc453b5

Verdict:

inconclusive

YARA:

10 match(es)

Tags:

.Net Executable Managed .NET PDB Path PE (Portable Executable) PE File Layout SOS: 0.45 Win 32 Exe x86

Link:

https://app.malva.re/file/50a29fb7be0331c395ccd99d9dd6640e

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/089553c1d6831495bd5ccaed0645f6141adbcccc9ac56d258b489378dbc453b5/

Threat name:

ByteCode-MSIL.Trojan.AgentTesla

Status:

Malicious

First seen:

2025-09-17 12:58:29 UTC

File Type:

PE (.Net Exe)

Extracted files:

AV detection:

30 of 38 (78.95%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=bckvhqowqmkjlpk4zlwqmrpwcqnnxtgmtlcw2jmljcjxrw6eko2q._file

Verdict:

malicious

Label(s):

unc_loader_037

404Keylogger

34de6149b542022b17b89aec00c7ce4dae3ec04ab4fdc380afa2a3aa211396df

404Keylogger

5e72fe9c6707f14a3a5b8d71812774a4880123f2742e4027be1c6bcee1dd6b09

404Keylogger

67c01a468b92e5f7801dcaf9705430e64fd04fd4c14a63f6b83e68d239ac3d06

404Keylogger

d850bddfb807d66ca18009750ae4821d82db0640f87e13deb4b80d80b9d5a6f7

404Keylogger

error

404Keylogger

+ 1'570 additional samples on MalwareBazaar

Result

Malware family:

n/a

Score:

8/10

Tags:

discovery execution

Link:

https://tria.ge/reports/250918-hcmmdsbn71/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Enumerates physical storage devices

Program crash

System Location Discovery: System Language Discovery

Checks computer location settings

Command and Scripting Interpreter: PowerShell

Verdict:

Malicious

Tags:

404Keylogger

YARA:

n/a

Link:

https://app.threat.zone/submission/e6589f27-ada3-4431-819a-4adc59dc3c4b

Unpacked files

SH256 hash:

089553c1d6831495bd5ccaed0645f6141adbcccc9ac56d258b489378dbc453b5

MD5 hash:

50a29fb7be0331c395ccd99d9dd6640e

SHA1 hash:

c90d7e3d67a028ab7b9056f102022c8d0f788f9d

Link:

https://www.unpac.me/results/7dc996a6-2b6d-4431-ae34-97d9af5cba07/

SH256 hash:

1e600279c45482d0275ebf76e28f5d7a734b6f8acb1ebdb6e479ba423268041d

MD5 hash:

a61f0cdabc4f363bc05f226140ce3d86

SHA1 hash:

4e84fe262024e9bc19d4db3cd9d10544e480b58d

Detections:

win_404keylogger_g1

MAL_Envrial_Jan18_1

INDICATOR_SUSPICIOUS_Binary_References_Browsers

INDICATOR_SUSPICIOUS_EXE_DotNetProcHook

INDICATOR_SUSPICIOUS_EXE_TelegramChatBot

Link:

https://www.unpac.me/results/7dc996a6-2b6d-4431-ae34-97d9af5cba07/

Parent samples :

089553c1d6831495bd5ccaed0645f6141adbcccc9ac56d258b489378dbc453b5
3011905982645d621f3168cfb565220f158126bc58820062a944aa74974c988d
7a4d557a530f7630d2d22b60c1ed5adf386cb57401bfe73da141adbf1e9e91e4
bbe3c1845567df994a78b290fef9260d54f6ae3d9a0e2b121fc28ec3f34557db
bf5d4bb21e15865a524ba81f593b1b718f2d0271f88d72e1e47e7a527aed7a8c
adc160c60196c30582d2a7c2f9101fda8fbc5695cc13e9cb1af82700a5ed3a3a
2a0b600cca2a594f2f6599e97b89569f794b4eb32271c1feabbd9b00e85df6c8
d43bf77dfd38841515a7a450ef72d3b6bb9c382b743eced0e81bd2a610ae6bc3
7680072c7e4eeb8448e41ee73bc4503076e31ff3c6538553f7b89e74acdb7fb1

SH256 hash:

ef3fe0a3b5d395ef71e817988e1c91f1ded725c2bf075ed8f578d0b35cb3ab0e

MD5 hash:

b813509d7952540b1ccb360963313dd7

SHA1 hash:

6e1271f0e09af8580a3e83d48cafefdb065325eb

Detections:

SUSP_OBF_NET_ConfuserEx_Name_Pattern_Jan24

SUSP_OBF_NET_Reactor_Indicators_Jan24

Link:

https://www.unpac.me/results/7dc996a6-2b6d-4431-ae34-97d9af5cba07/

SH256 hash:

b2ac00d97c373c7efe7b9a54ce8b9f8b317ef919f29c45e3cdcfac3545674800

MD5 hash:

3d4e92fe67d6c1780f213fd51c36df1f

SHA1 hash:

8285892de43aa6bf4fd6bb52d05c937095c7b1be

Link:

https://www.unpac.me/results/7dc996a6-2b6d-4431-ae34-97d9af5cba07/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/089553c1d6831495bd5ccaed0645f6141adbcccc9ac56d258b489378dbc453b5

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	CP_AllMal_Detector Create hunting rule
Author:	DiegoAnalytics
Description:	CrossPlatform All Malwares Detector: Detect PE, ELF, Mach-O, scripts, archives; overlay, obfuscation, encryption, spoofing, hiding, high entropy, network communication

Rule name:	NET Create hunting rule
Author:	malware-lu

Rule name:	pe_imphash Create hunting rule

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/28068/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample