MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 0ca24a250450f9e2639c76366488b654e7adb23fda7fb4b80f51d7251ba70442. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

SnakeKeylogger

Vendor detections: 13

Intelligence 13 IOCs YARA 4 File information Comments

SHA256 hash:	0ca24a250450f9e2639c76366488b654e7adb23fda7fb4b80f51d7251ba70442
SHA3-384 hash:	02e830cf8669308013ca67c375c67c86600342fac1bfedfc46a7ca43f02f8e7f0a0038529c17980595954fa536f865b2
SHA1 hash:	9fa6d97d911b31ac9afcb7e8986e068024d1687f
MD5 hash:	c28d20922d18bef90ea7222df17e1f9a
humanhash:	missouri-pluto-jupiter-green
File name:	0ca24a250450f9e2639c76366488b654e7adb23fda7fb4b80f51d7251ba70442
Download:	download sample
Signature	SnakeKeylogger Create hunting rule
File size:	586'240 bytes
First seen:	2025-07-07 15:17:49 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'462 x Formbook, 12'204 x SnakeKeylogger)
ssdeep	12288:Ejbfnd//g+z5/f4AYAUezu68DpgqQ+KvYzaTWhP9:Ejb9/nz5Hvd9Gpg2Bq0l
Threatray	3'678 similar samples on MalwareBazaar
TLSH	T161C4F1519557CE12E0EA0BBC1BAAD1761A369FCEA416C74F8FD63CE778B33811185B02
TrID	71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13) 10.2% (.EXE) Win64 Executable (generic) (10522/11/4) 6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 4.3% (.EXE) Win32 Executable (generic) (4504/4/1) 2.0% (.ICL) Windows Icons Library (generic) (2059/9)
Magika	pebin
dhash icon	a8cccc949494b4d4 (6 x SnakeKeylogger, 5 x AgentTesla, 2 x Formbook)
Reporter	adrian__luca
Tags:	exe SnakeKeylogger

Intelligence

File Origin

# of uploads :

# of downloads :

Origin country :

Vendor Threat Intelligence

Detection:

Snake

Link:

https://www.capesandbox.com/analysis/13295/

Verdict:

Malicious

Score:

99.1%

Link:

https://cyber-fortress.com/docs/result/index.php?id=686be562c9eb97473767778e

Tags:

backdoor virus msil

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

Unauthorized injection to a recently created process

Restart of the analyzed sample

Creating a file

Сreating synchronization primitives

DNS request

Connection attempt

Sending an HTTP GET request

Verdict:

Malicious

Labled as:

Trojan.Generic

Link:

https://www.hybrid-analysis.com/sample/0ca24a250450f9e2639c76366488b654e7adb23fda7fb4b80f51d7251ba70442

Score:

100%

Verdict:

Malware

File Type:

Link:

https://malprob.io/report/0ca24a250450f9e2639c76366488b654e7adb23fda7fb4b80f51d7251ba70442

Verdict:

inconclusive

YARA:

10 match(es)

Tags:

.Net Executable PDB Path PE (Portable Executable) SOS: 0.02 Win 32 Exe x86

Link:

https://app.malva.re/file/c28d20922d18bef90ea7222df17e1f9a

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/0ca24a250450f9e2639c76366488b654e7adb23fda7fb4b80f51d7251ba70442/

Threat name:

ByteCode-MSIL.Backdoor.njRAT

Status:

Malicious

First seen:

2025-06-27 08:44:17 UTC

File Type:

PE (.Net Exe)

Extracted files:

AV detection:

21 of 24 (87.50%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=bsreujiekd46ey44oy3gjcfwktt23mr73j73joapkhlskg5harba._file

Verdict:

malicious

Label(s):

unc_loader_037

404keylogger

SnakeKeylogger

7b2118ed1133b43f2521509f4eac9e89b89cdfc389208099cc6e601aaf95c836

SnakeKeylogger

832c9fff9119971e24be408c892db66a20202af2089d4693047b8e785ebc08dc

SnakeKeylogger

b1bd96341b2c06cf1ea7a1a9026222f1a85d8605798be6f7809100b3e0bd11dc

SnakeKeylogger

b37e686fd31a86e8ace7bac6a862b1388241527af590a168c294801cfbecd5b1

SnakeKeylogger

error

SnakeKeylogger

+ 3'668 additional samples on MalwareBazaar

Result

Malware family:

snakekeylogger

Score:

10/10

Tags:

family:snakekeylogger collection discovery keylogger spyware stealer

Link:

https://tria.ge/reports/250707-sprrzsgm9x/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

outlook_office_path

outlook_win_path

System Location Discovery: System Language Discovery

Suspicious use of SetThreadContext

Accesses Microsoft Outlook profiles

Looks up external IP address via web service

Reads user/profile data of local email clients

Reads user/profile data of web browsers

Snake Keylogger

Snake Keylogger payload

Snakekeylogger family

Malware Config

C2 Extraction:

https://api.telegram.org/bot7989208005:AAF_Q0GA79z6GYuSCl4sG25i2uv4Su1T7eM/sendMessage?chat_id=7300263540

Verdict:

Malicious

Tags:

n/a

YARA:

n/a

Link:

https://app.threat.zone/submission/030f77a2-7f47-409a-9046-9f2170e8a757

Unpacked files

SH256 hash:

0ca24a250450f9e2639c76366488b654e7adb23fda7fb4b80f51d7251ba70442

MD5 hash:

c28d20922d18bef90ea7222df17e1f9a

SHA1 hash:

9fa6d97d911b31ac9afcb7e8986e068024d1687f

Link:

https://www.unpac.me/results/54666cf4-3c9e-43a4-88cb-5b4a17552422/

SH256 hash:

fd8e694ab19875cb7fd6d4230f4a9385ec7b1f83fd7c1c98bc874df20c94b0ac

MD5 hash:

f311ad1781cb9620986213d7e39b9e5b

SHA1 hash:

29e4da2327b6f9644f3b394d6933e0ee122edf4e

Link:

https://www.unpac.me/results/54666cf4-3c9e-43a4-88cb-5b4a17552422/

SH256 hash:

a1197118cd085e336de212d6a51e513817076a3beb2dc2728733fae5253e5ae9

MD5 hash:

d54b432df9d4f8f2ab4057e9edcfe2ac

SHA1 hash:

d9dad22013d498a9b1ce8c898eeb5d2aaa3f49fe

Detections:

win_404keylogger_g1

snake_keylogger

MAL_Envrial_Jan18_1

INDICATOR_SUSPICIOUS_Binary_References_Browsers

INDICATOR_SUSPICIOUS_EXE_References_Messaging_Clients

INDICATOR_SUSPICIOUS_EXE_DotNetProcHook

MALWARE_Win_SnakeKeylogger

Link:

https://www.unpac.me/results/54666cf4-3c9e-43a4-88cb-5b4a17552422/

Parent samples :

90962ba0ec6ebcb4c4100da132db67bab29c86eed1f3b3bd7f20d71ebae630f6
f61987f81fadb7d8847d640f0a6ece8fc5a4cef59f54ecc163fd18d5267fb2b2
0ca24a250450f9e2639c76366488b654e7adb23fda7fb4b80f51d7251ba70442

SH256 hash:

445db56abc88d3d2f1fc83f35e0de52003f1a1d69efb8e7a97df3b0583bf19bc

MD5 hash:

e47ab9316da64483a8dcfaba34541785

SHA1 hash:

de723d0111481a6df4230709ffbad5f284096957

Detections:

SUSP_OBF_NET_ConfuserEx_Name_Pattern_Jan24

SUSP_OBF_NET_Reactor_Indicators_Jan24

Link:

https://www.unpac.me/results/54666cf4-3c9e-43a4-88cb-5b4a17552422/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/0ca24a250450f9e2639c76366488b654e7adb23fda7fb4b80f51d7251ba70442

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	NET Create hunting rule
Author:	malware-lu

Rule name:	pe_imphash Create hunting rule

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

Rule name:	Sus_Obf_Enc_Spoof_Hide_PE Create hunting rule
Author:	XiAnzheng
Description:	Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique(can create FP)

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/13295/

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings

ID	Title	Severity
CHECK_AUTHENTICODE	Missing Authenticode	high
CHECK_DLL_CHARACTERISTICS	Missing dll Security Characteristics (HIGH_ENTROPY_VA)	high

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample