MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 09b8f5086105916ba4705a1b64c8e4d4e0e3a6146928eabdd355f6d595f2a97c. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

SnakeKeylogger

Vendor detections: 13

Intelligence 13 IOCs YARA 16 File information Comments

SHA256 hash:	09b8f5086105916ba4705a1b64c8e4d4e0e3a6146928eabdd355f6d595f2a97c
SHA3-384 hash:	aa19338e65296d0b40abd0b3692a0188eea40b1e1a5759ad4877deade64f48f0c45592be0d0356002963ae4266ab4f52
SHA1 hash:	aab747f34aabc85edd95697a080cc504fd119bb4
MD5 hash:	9005ac6371c30817ae904ba0d95d0ac2
humanhash:	spring-arkansas-oregon-blossom
File name:	Devlas-otomotiv Malz. sip. AMP282104 DİŞİ 2P() 20W adet.exe
Download:	download sample
Signature	SnakeKeylogger Create hunting rule
File size:	715'776 bytes
First seen:	2025-05-13 08:33:17 UTC
Last seen:	2025-05-21 09:08:46 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'205 x SnakeKeylogger)
ssdeep	12288:8QBdCNBuWRCNphrTfoRzmKjbaFwFQAtpzhbX5uu2SIVx3n+AbKyVz7Bkb:QN40W1Uxba2QEhbsu2SByVnC
Threatray	3'584 similar samples on MalwareBazaar
TLSH	T1EEE412582659DA17D8A91BB61E33C3FC53B95F8CA802C303DEFABDEB753A3091542641
TrID	71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13) 10.2% (.EXE) Win64 Executable (generic) (10522/11/4) 6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 4.3% (.EXE) Win32 Executable (generic) (4504/4/1) 2.0% (.ICL) Windows Icons Library (generic) (2059/9)
Magika	pebin
Reporter	lowmal3
Tags:	exe SnakeKeylogger

Intelligence

File Origin

# of uploads :

# of downloads :

514

Origin country :

Vendor Threat Intelligence

Detection(s):

SecuriteInfo.com.Win32.MalwareX-gen.7159.22187.UNOFFICIAL

Verdict:

Malicious

Score:

99.1%

Link:

https://cyber-fortress.com/docs/result/index.php?id=6823053e4a59e5a2ce042ead

Tags:

keylog virus word

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

Searching for synchronization primitives

Launching the default Windows debugger (dwwin.exe)

Searching for the window

Verdict:

Likely Malicious

Threat level:

7.5/10

Confidence:

100%

Tags:

obfuscated packed packed packer_detected

Link:

https://www.filescan.io/uploads/682303dcc7418694c8a99a2d/reports/d657daf4-99d2-4b16-a6f8-c0690c1bf4b3/overview

Malware family:

Snake Keylogger

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/355b092f-7d1c-4824-b112-29f3192b3ded

Result

Threat name:

Snake Keylogger, VIP Keylogger

Detection:

malicious

Classification:

troj.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1688747

Signature

.NET source code contains potential unpacker

Found malware configuration

Injects a PE file into a foreign processes

Joe Sandbox ML detected suspicious sample

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Sample uses string decryption to hide its real strings

Yara detected AntiVM3

Yara detected Snake Keylogger

Yara detected Telegram RAT

Yara detected VIP Keylogger

Behaviour

Behavior Graph:

Download SVG

Score:

100%

Verdict:

Malware

File Type:

Link:

https://malprob.io/report/09b8f5086105916ba4705a1b64c8e4d4e0e3a6146928eabdd355f6d595f2a97c

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/09b8f5086105916ba4705a1b64c8e4d4e0e3a6146928eabdd355f6d595f2a97c/

Threat name:

ByteCode-MSIL.Trojan.AgentTesla

Status:

Malicious

First seen:

2025-05-13 08:35:11 UTC

File Type:

PE (.Net Exe)

Extracted files:

AV detection:

24 of 36 (66.67%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=bg4pkcdbawiwxjdqlinwjshe2tqohjquneuovpotkx3nlfpsvf6a._file

Verdict:

malicious

Label(s):

unc_loader_037

SnakeKeylogger

54f015287731308328345efdc18a593d3b5a57efdd04278efb9da7f5127df37f

SnakeKeylogger

7b9d010e0fe5a9696c5fb1020d8a3c9e1272e7442f4ba841c83d3b0ee001466a

SnakeKeylogger

eba602f26ca14d5e494059001ecf363110ba504d9e0184b8abfa45905bd650cc

SnakeKeylogger

error

SnakeKeylogger

fea39de44dd9f6382637a9a218d2d5002627ce79a37f2dfe0d6bacb51a2de873

SnakeKeylogger

+ 3'574 additional samples on MalwareBazaar

Result

Malware family:

n/a

Score:

3/10

Tags:

discovery

Link:

https://tria.ge/reports/250513-kf6ksasyfw/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Program crash

System Location Discovery: System Language Discovery

Verdict:

Suspicious

Tags:

404keylogger

YARA:

n/a

Link:

https://app.threat.zone/submission/5eb9669d-0d3a-4b38-baea-758a8f583af8

Unpacked files

SH256 hash:

09b8f5086105916ba4705a1b64c8e4d4e0e3a6146928eabdd355f6d595f2a97c

MD5 hash:

9005ac6371c30817ae904ba0d95d0ac2

SHA1 hash:

aab747f34aabc85edd95697a080cc504fd119bb4

Link:

https://www.unpac.me/results/9af11232-50b5-439a-b765-74bbd1bb175a/

SH256 hash:

22a03f25544fecf96ca7f38781824e302238529b6e59cc10cfecf240043bd294

MD5 hash:

bee219cadf5a780865c3548d9936bc38

SHA1 hash:

077405987d76832010142540e3f9c5fc1f1c314a

Link:

https://www.unpac.me/results/9af11232-50b5-439a-b765-74bbd1bb175a/

SH256 hash:

6d8d0c92305e6e3be0487976a069cdeb74fe72001225a7e7692541eaf8c70cf4

MD5 hash:

a5ab214d4921a1b1348037bc7864c33e

SHA1 hash:

8fcfb7f0972186e89b3d1c52e288edf90ead2d01

Detections:

SUSP_OBF_NET_ConfuserEx_Name_Pattern_Jan24

SUSP_OBF_NET_Reactor_Indicators_Jan24

Link:

https://www.unpac.me/results/9af11232-50b5-439a-b765-74bbd1bb175a/

SH256 hash:

05255375285e6d3f3aec9dc521516c5d382e1dbf312fa2957596a2d2795de89b

MD5 hash:

0dab2528d4f158ce481c36defd57de96

SHA1 hash:

bcd7f10706c52160ac04d908571cfdaffcec426d

Detections:

win_404keylogger_g1

MAL_Envrial_Jan18_1

INDICATOR_SUSPICIOUS_Binary_References_Browsers

INDICATOR_SUSPICIOUS_EXE_DotNetProcHook

INDICATOR_SUSPICIOUS_EXE_TelegramChatBot

Link:

https://www.unpac.me/results/9af11232-50b5-439a-b765-74bbd1bb175a/

Parent samples :

6659370f1dd3a9381ac5e2c0fc35f70e1fa0df9d9ab9beeca4dbe2033aaac610
d4020dbe1d51f7f27e253deeb65f1fed6b788091f5adad460f035256ae198a81
1cd78b97b2f8e944dc6273a6df40f2e619985c0e0fe2a550abdc1af79cf7a105
09b8f5086105916ba4705a1b64c8e4d4e0e3a6146928eabdd355f6d595f2a97c
0aba07d01429aed2703c4045ef036dcad9b7f93ab2eb9f8f416f940934fa970b
83a13fc360142a9ff6cef0334ef32f4413fd83ca44664fd3f1bfac32d400fe81
73e372310d115ab293bd376484a4a83c4d4b6a5936c922a75ae4fda5ab3b7219
2f853fc6240da7009e8c4759a9a6281c02f635dafb83872de2fee28776b9c671

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/09b8f5086105916ba4705a1b64c8e4d4e0e3a6146928eabdd355f6d595f2a97c

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	AgentTesla_DIFF_Common_Strings_01 Create hunting rule
Author:	schmidtsz
Description:	Identify partial Agent Tesla strings

Rule name:	crime_snake_keylogger Create hunting rule
Author:	Rony (r0ny_123)
Description:	Detects Snake keylogger payload

Rule name:	INDICATOR_SUSPICIOUS_Binary_References_Browsers Create hunting rule
Author:	ditekSHen
Description:	Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers.

Rule name:	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook Create hunting rule
Author:	ditekSHen
Description:	Detects executables with potential process hoocking

Rule name:	INDICATOR_SUSPICIOUS_EXE_TelegramChatBot Create hunting rule
Author:	ditekSHen
Description:	Detects executables using Telegram Chat Bot

Rule name:	MAL_Envrial_Jan18_1 Create hunting rule
Author:	Florian Roth (Nextron Systems)
Description:	Detects Encrial credential stealer malware
Reference:	https://twitter.com/malwrhunterteam/status/953313514629853184

Rule name:	MAL_Envrial_Jan18_1_RID2D8C Create hunting rule
Author:	Florian Roth
Description:	Detects Encrial credential stealer malware
Reference:	https://twitter.com/malwrhunterteam/status/953313514629853184

Rule name:	NET Create hunting rule
Author:	malware-lu

Rule name:	pe_imphash Create hunting rule

Rule name:	RANSOMWARE Create hunting rule
Author:	ToroGuitar

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

Rule name:	Sus_Obf_Enc_Spoof_Hide_PE Create hunting rule
Author:	XiAnzheng
Description:	Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique(can create FP)

Rule name:	telegram_bot_api Create hunting rule
Author:	rectifyq
Description:	Detects file containing Telegram Bot API

Rule name:	Windows_Trojan_SnakeKeylogger_af3faa65 Create hunting rule
Author:	Elastic Security

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

SnakeKeylogger

exe 09b8f5086105916ba4705a1b64c8e4d4e0e3a6146928eabdd355f6d595f2a97c

(this sample)

Delivery method

Distributed via e-mail attachment

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings

ID	Title	Severity
CHECK_AUTHENTICODE	Missing Authenticode	high
CHECK_DLL_CHARACTERISTICS	Missing dll Security Characteristics (HIGH_ENTROPY_VA)	high

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample