MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 0f62a0bd2f5e4686de5392a0025e45d5b3d222eca4380d63f40010ef671a931a. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


SnakeKeylogger


Vendor detections: 14


Intelligence 14 IOCs YARA 4 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 0f62a0bd2f5e4686de5392a0025e45d5b3d222eca4380d63f40010ef671a931a
SHA3-384 hash: 8870efbc1f5e2354e519aa6c76fce7e11225ef8dc1d54bb812a61c15605e19e1e336319f6db6e67a877ad25b3fdace52
SHA1 hash: a4171f2334384993f0c45723ee0ad5fd38d4a1f5
MD5 hash: 32270b4aba22553c8bc86723927499b1
humanhash: september-kitten-high-zulu
File name:Enclosed attached our new PO for bulk order.exe
Download: download sample
Signature SnakeKeylogger
Create hunting rule
File size:1'247'232 bytes
First seen:2025-07-07 08:51:10 UTC
Last seen:2025-07-07 13:22:31 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'744 x AgentTesla, 19'611 x Formbook, 12'242 x SnakeKeylogger)
ssdeep 24576:ehvpJXeCtKURzdhE/FvxV7EuJ4y/mxcux5xXyXRLqiUbN+:e1XeCtFRxhENUAt+ty+N+
Threatray 2'004 similar samples on MalwareBazaar
TLSH T104458B4271A5E86AC5768EF1C920D6F393712E07E614C28B0CEA7ECBF4F1F060995A57
TrID 67.7% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
9.7% (.EXE) Win64 Executable (generic) (10522/11/4)
6.0% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
4.1% (.EXE) Win32 Executable (generic) (4504/4/1)
Magika pebin
dhash icon e9f0d2d2b6b2b28e (4 x SnakeKeylogger, 2 x XWorm, 2 x NanoCore)
Reporter lowmal3
Tags:exe SnakeKeylogger

Intelligence

File Origin
# of uploads :
2
# of downloads :
43
Origin country :
DE DE
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
rl_0f62a0bd2f5e4686de5392a0025e45d5b3d222eca4380d63f40010ef671a931a.exe
Verdict:
Malicious activity
Analysis date:
2025-07-07 13:27:28 UTC
Tags:
netreactor auto-sch-xml evasion snake keylogger telegram stealer
Link:
https://app.any.run/tasks/ae7fdfd0-370b-4fa7-bde6-811271bb4b71

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/12652/
Verdict:
Malicious
Score:
96.5%
Link:
https://cyber-fortress.com/docs/result/index.php?id=686b8a93c9eb9747376756c5
Tags:
obfuscator phishing virus msil
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
packed packed packer_detected vbnet
Link:
https://www.filescan.io/uploads/686b8a919db85bde254e7c09/reports/965aa9ea-9595-431b-ba2e-b88145b95f7e/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_100%
Link:
https://www.hybrid-analysis.com/sample/0f62a0bd2f5e4686de5392a0025e45d5b3d222eca4380d63f40010ef671a931a
Verdict:
Suspicious
Link:
https://analyze.intezer.com/analyses/e0a3d25a-892f-44bd-af17-cddc3365296a
Result
Threat name:
Snake Keylogger, VIP Keylogger
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1729893
Signature
.NET source code contains potential unpacker
Adds a directory exclusion to Windows Defender
Found malware configuration
Initial sample is a PE file and has a suspicious name
Joe Sandbox ML detected suspicious sample
Loading BitLocker PowerShell Module
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sample uses string decryption to hide its real strings
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Sigma detected: Scheduled temp file as task from temp location
Suricata IDS alerts for network traffic
Tries to detect the country of the analysis system (by using the IP)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Uses schtasks.exe or at.exe to add and modify task schedules
Uses the Telegram API (likely for C&C communication)
Yara detected AntiVM3
Yara detected Snake Keylogger
Yara detected Telegram RAT
Yara detected VIP Keylogger
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1729893 Sample: Enclosed attached our new P... Startdate: 07/07/2025 Architecture: WINDOWS Score: 100 50 reallyfreegeoip.org 2->50 52 api.telegram.org 2->52 54 2 other IPs or domains 2->54 56 Suricata IDS alerts for network traffic 2->56 58 Found malware configuration 2->58 60 Malicious sample detected (through community Yara rule) 2->60 66 13 other signatures 2->66 8 Enclosed attached our new PO for bulk order.exe 7 2->8         started        12 DEjfqO.exe 5 2->12         started        signatures3 62 Tries to detect the country of the analysis system (by using the IP) 50->62 64 Uses the Telegram API (likely for C&C communication) 52->64 process4 file5 36 C:\Users\user\AppData\Roaming\DEjfqO.exe, PE32 8->36 dropped 38 C:\Users\user\...\DEjfqO.exe:Zone.Identifier, ASCII 8->38 dropped 40 C:\Users\user\AppData\Local\...\tmpAC04.tmp, XML 8->40 dropped 42 Enclosed attached ... bulk order.exe.log, ASCII 8->42 dropped 68 Adds a directory exclusion to Windows Defender 8->68 14 powershell.exe 23 8->14         started        17 Enclosed attached our new PO for bulk order.exe 15 2 8->17         started        20 schtasks.exe 1 8->20         started        22 Enclosed attached our new PO for bulk order.exe 8->22         started        70 Multi AV Scanner detection for dropped file 12->70 24 DEjfqO.exe 12->24         started        26 schtasks.exe 12->26         started        signatures6 process7 dnsIp8 72 Loading BitLocker PowerShell Module 14->72 28 conhost.exe 14->28         started        30 WmiPrvSE.exe 14->30         started        44 checkip.dyndns.com 132.226.8.169, 49722, 49725, 49726 UTMEMUS United States 17->44 46 api.telegram.org 149.154.167.220, 443, 49750, 49757 TELEGRAMRU United Kingdom 17->46 48 reallyfreegeoip.org 104.21.32.1, 443, 49723, 49724 CLOUDFLARENETUS United States 17->48 32 conhost.exe 20->32         started        74 Tries to steal Mail credentials (via file / registry access) 24->74 76 Tries to harvest and steal browser information (history, passwords, etc) 24->76 34 conhost.exe 26->34         started        signatures9 process10
Score:
88%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/0f62a0bd2f5e4686de5392a0025e45d5b3d222eca4380d63f40010ef671a931a
Verdict:
inconclusive
YARA:
11 match(es)
Tags:
.Net Executable PE (Portable Executable) SOS: 0.13 Win 32 Exe x86
Link:
https://app.malva.re/file/32270b4aba22553c8bc86723927499b1
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/0f62a0bd2f5e4686de5392a0025e45d5b3d222eca4380d63f40010ef671a931a/
Threat name:
ByteCode-MSIL.Trojan.SnakeLogger
Create hunting rule
Status:
Malicious
First seen:
2025-07-07 03:39:18 UTC
File Type:
PE (.Net Exe)
Extracted files:
79
AV detection:
20 of 38 (52.63%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=b5rkbpjplzdinxstskqaexsf2wz5eixmuq4a2y7uaaio6zy2smna._file
Verdict:
malicious
Label(s):
vipkeylogger
Create hunting rule
unc_loader_037
Create hunting rule
Similar samples:
09dcb03bd67ebe186aa8874c549c4e9c62f10fd0ae483b5bf6dc89e2003ebb71
SnakeKeylogger
48f1f3d8b15ea4297df16072fea427a8fadd695c47ea27c16d933a99deb4f2f3
SnakeKeylogger
52e613978faf4b534d0864a6125d73767b06319e9adaf7d42075527e2b52b3fe
SnakeKeylogger
78f62280687f1306d1b99e72d2a89e928b640cb5b46699a0f51897a77237d216
SnakeKeylogger
error
SnakeKeylogger
f4655548728c3901356c8b6c1cecb9f5531872b1cadd914c057d26136a45d5fe
SnakeKeylogger
+ 1'994 additional samples on MalwareBazaar
Result
Malware family:
vipkeylogger
Create hunting rule
Score:
  10/10
Tags:
family:vipkeylogger collection discovery execution keylogger persistence spyware stealer
Link:
https://tria.ge/reports/250707-ksb7pser7y/
Behaviour
Scheduled Task/Job: Scheduled Task
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Browser Information Discovery
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Looks up external IP address via web service
Checks computer location settings
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Command and Scripting Interpreter: PowerShell
VIPKeylogger
Vipkeylogger family
Verdict:
Malicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/14f3b66d-3191-46a9-b475-f79552963e0b
Unpacked files
SH256 hash:
0f62a0bd2f5e4686de5392a0025e45d5b3d222eca4380d63f40010ef671a931a
MD5 hash:
32270b4aba22553c8bc86723927499b1
SHA1 hash:
a4171f2334384993f0c45723ee0ad5fd38d4a1f5
Link:
https://www.unpac.me/results/f19592ac-6547-449c-9dcc-e69eec585064/
SH256 hash:
a15d497b9db5cd10dcc38f46cf593b19c5a5046b1c8799682debb52836f18415
MD5 hash:
519f8182cceb32c48c397e622c519c99
SHA1 hash:
11921a2d484db1ac9bbaa67a9bddb10e7406cd19
Detections:
MAL_Envrial_Jan18_1
Create hunting rule
INDICATOR_SUSPICIOUS_Binary_References_Browsers
Create hunting rule
INDICATOR_SUSPICIOUS_EXE_References_Messaging_Clients
Create hunting rule
INDICATOR_SUSPICIOUS_EXE_DotNetProcHook
Create hunting rule
INDICATOR_SUSPICIOUS_EXE_TelegramChatBot
Create hunting rule
Link:
https://www.unpac.me/results/f19592ac-6547-449c-9dcc-e69eec585064/
SH256 hash:
4aa00222d50b8c8d11c83a4b7065a078949e347fa83ef05be26c02fc57fc3e6f
MD5 hash:
42295567815b2c47b1518faaa7ed6fef
SHA1 hash:
32dcdb8375ddeb9f9b5f1877379e235683788386
Detections:
SUSP_OBF_NET_ConfuserEx_Name_Pattern_Jan24
Create hunting rule
SUSP_OBF_NET_Reactor_Indicators_Jan24
Create hunting rule
Link:
https://www.unpac.me/results/f19592ac-6547-449c-9dcc-e69eec585064/
SH256 hash:
6b3803d57b5033582d424c2c48ca7c535c2c927a12d56269a413cb61c9c569c0
MD5 hash:
8b2d87ec0d6097cf4cbd324745a2befb
SHA1 hash:
7968b1b4a8053b011dff164c9b6d5862f419f7a2
Detections:
SUSP_OBF_NET_Reactor_Indicators_Jan24
Create hunting rule
INDICATOR_EXE_Packed_SmartAssembly
Create hunting rule
Link:
https://www.unpac.me/results/f19592ac-6547-449c-9dcc-e69eec585064/
Parent samples :
e3677234145c31485431049c53102af6997abc5f82eb3a8a94510d6d2a308f6e
27a52e38bbd0eef6a1eafece6090fd12543b92fdb1f909e10b6c1ac2f1981449
b1f70f9487ea2c45aa51bf83894ff40e7a8ed522ef2575a1ec1663f0374fa14b
0f62a0bd2f5e4686de5392a0025e45d5b3d222eca4380d63f40010ef671a931a
09dcb03bd67ebe186aa8874c549c4e9c62f10fd0ae483b5bf6dc89e2003ebb71
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/0f62a0bd2f5e4686de5392a0025e45d5b3d222eca4380d63f40010ef671a931a

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash
Rule name:Sus_Obf_Enc_Spoof_Hide_PE
Create hunting rule
Author:XiAnzheng
Description:Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique(can create FP)

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

SnakeKeylogger

Executable exe 0f62a0bd2f5e4686de5392a0025e45d5b3d222eca4380d63f40010ef671a931a

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/12652/

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_DLL_CHARACTERISTICSMissing dll Security Characteristics (GUARD_CF)high

Comments