MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 1826e61ce9790350a2e81f89d3dedb33b72b0a91d19907b371ea8c2a7219efe8. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


SnakeKeylogger


Vendor detections: 10


Intelligence 10 IOCs YARA 4 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 1826e61ce9790350a2e81f89d3dedb33b72b0a91d19907b371ea8c2a7219efe8
SHA3-384 hash: 05924a4d0aa642daede985a34b669484bc6738808082d60287a4142544a268ac825df9c1c1eeb69de230c30b20a83f78
SHA1 hash: b1662422cc24157eed2aef854f06c3b1455a0e2b
MD5 hash: 022fb69d4278fa4bcfd8ec4680e40bd0
humanhash: april-echo-xray-fruit
File name:dhl Ref315835816 AWB 0% 5339494019.exe
Download: download sample
Signature SnakeKeylogger
Create hunting rule
File size:928'256 bytes
First seen:2025-07-04 06:35:43 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'740 x AgentTesla, 19'602 x Formbook, 12'241 x SnakeKeylogger)
ssdeep 12288:v6BvB2RwfE2W97ns3JpY8QJdP4pQoU/F7muyttA5pzBhKCCV:vcp2Rwfc74JpzpQD/F7XytApD
TLSH T1D915D02837ADA942E4BA1E7D452AC17127F5B999316BD28C8CC158DF3EE771113033AB
TrID 71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.2% (.EXE) Win64 Executable (generic) (10522/11/4)
6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.3% (.EXE) Win32 Executable (generic) (4504/4/1)
2.0% (.ICL) Windows Icons Library (generic) (2059/9)
Magika pebin
Reporter abuse_ch
Tags:DHL exe SnakeKeylogger

Intelligence

File Origin
# of uploads :
1
# of downloads :
35
Origin country :
SE SE
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/12243/
Gathering data
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Creating a process with a hidden window
Unauthorized injection to a recently created process
Restart of the analyzed sample
Creating a file
Сreating synchronization primitives
DNS request
Connection attempt
Sending an HTTP GET request
Sending a custom TCP request
Reading critical registry keys
Stealing user critical data
Setting a global event handler for the keyboard
Adding an exclusion to Microsoft Defender
Forced shutdown of a browser
Gathering data
Verdict:
Malicious
Labled as:
Genie8DN.Generic
Link:
https://www.hybrid-analysis.com/sample/1826e61ce9790350a2e81f89d3dedb33b72b0a91d19907b371ea8c2a7219efe8
Malware family:
Snake Keylogger
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/41256708-eda9-441c-ba33-faafb9e56ab6
Result
Threat name:
Snake Keylogger, VIP Keylogger
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1728540
Signature
.NET source code contains potential unpacker
Adds a directory exclusion to Windows Defender
Found malware configuration
Injects a PE file into a foreign processes
Joe Sandbox ML detected suspicious sample
Loading BitLocker PowerShell Module
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Sample uses string decryption to hide its real strings
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Suricata IDS alerts for network traffic
Tries to detect the country of the analysis system (by using the IP)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Uses the Telegram API (likely for C&C communication)
Yara detected Snake Keylogger
Yara detected Telegram RAT
Yara detected VIP Keylogger
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1728540 Sample: dhl Ref315835816 AWB 0% 533... Startdate: 04/07/2025 Architecture: WINDOWS Score: 100 27 reallyfreegeoip.org 2->27 29 api.telegram.org 2->29 31 4 other IPs or domains 2->31 47 Suricata IDS alerts for network traffic 2->47 49 Found malware configuration 2->49 51 Malicious sample detected (through community Yara rule) 2->51 57 9 other signatures 2->57 8 dhl Ref315835816 AWB 0% 5339494019.exe 4 2->8         started        12 svchost.exe 1 1 2->12         started        signatures3 53 Tries to detect the country of the analysis system (by using the IP) 27->53 55 Uses the Telegram API (likely for C&C communication) 29->55 process4 dnsIp5 25 dhl Ref315835816 A... 5339494019.exe.log, ASCII 8->25 dropped 59 Adds a directory exclusion to Windows Defender 8->59 61 Injects a PE file into a foreign processes 8->61 15 dhl Ref315835816 AWB 0% 5339494019.exe 15 2 8->15         started        19 powershell.exe 23 8->19         started        21 dhl Ref315835816 AWB 0% 5339494019.exe 8->21         started        33 127.0.0.1 unknown unknown 12->33 file6 signatures7 process8 dnsIp9 35 eraygrup.com.tr 109.232.216.105, 49708, 587 AEROTEK-ASTR Turkey 15->35 37 api.telegram.org 149.154.167.220, 443, 49707 TELEGRAMRU United Kingdom 15->37 39 2 other IPs or domains 15->39 41 Tries to steal Mail credentials (via file / registry access) 15->41 43 Tries to harvest and steal browser information (history, passwords, etc) 15->43 45 Loading BitLocker PowerShell Module 19->45 23 conhost.exe 19->23         started        signatures10 process11
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/1826e61ce9790350a2e81f89d3dedb33b72b0a91d19907b371ea8c2a7219efe8
Verdict:
inconclusive
YARA:
4 match(es)
Tags:
Executable PE (Portable Executable) Win 32 Exe x86
Link:
https://app.malva.re/file/022fb69d4278fa4bcfd8ec4680e40bd0
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/1826e61ce9790350a2e81f89d3dedb33b72b0a91d19907b371ea8c2a7219efe8/
Threat name:
ByteCode-MSIL.Trojan.Genie8DN
Create hunting rule
Status:
Malicious
First seen:
2025-07-02 04:42:13 UTC
File Type:
PE (.Net Exe)
Extracted files:
17
AV detection:
20 of 24 (83.33%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=datomhhjpebvbixid6e5hxw3go3swcur2gmqpm3r5kgcu4qz57ua._file
Verdict:
Malicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/c40e7dfc-f71f-4c36-af9a-1d43f0a58962
Unpacked files
SH256 hash:
1826e61ce9790350a2e81f89d3dedb33b72b0a91d19907b371ea8c2a7219efe8
MD5 hash:
022fb69d4278fa4bcfd8ec4680e40bd0
SHA1 hash:
b1662422cc24157eed2aef854f06c3b1455a0e2b
Link:
https://www.unpac.me/results/8664db3c-f5ca-4375-a9f2-fdd5485d3284/
SH256 hash:
59b12fa2f87bb41dcb7edb862622dda6e5b93cbc6dd656de1dfe85a681e6aaa0
MD5 hash:
248f89b8e4ac884526ba9dc67ba62e79
SHA1 hash:
3063bdc24459148094fd5d5f1244c3a741833010
Detections:
SUSP_OBF_NET_Reactor_Indicators_Jan24
Create hunting rule
INDICATOR_EXE_Packed_SmartAssembly
Create hunting rule
Link:
https://www.unpac.me/results/8664db3c-f5ca-4375-a9f2-fdd5485d3284/
Parent samples :
19dd29a867f42b43c43e256e31b8a13b48cb322d2bdd412f8184f79d97144ab1
91351b629c068a7a43395c58e3e0ddce96e33bd7519bbc7358dc32a3173fd533
4c8ce4bfddccde88ca6f31bdefdb9fa26b0befd0b57b23b29b50b009b4d63b0b
0938cc6c218174877d4271cf4182449cbd4b0ebe6f4ac2b998ed8f80f14b6d5b
1826e61ce9790350a2e81f89d3dedb33b72b0a91d19907b371ea8c2a7219efe8
SH256 hash:
396e553a4c7930ad98cfd23504a8dd67c9ee577faf6fbaae762e77f0fe6e5539
MD5 hash:
2b7235bd50bb2bd971d1af3f33e2589e
SHA1 hash:
c313cb3b9e64d6250dbd876859d61b75b0c728ae
Detections:
SUSP_OBF_NET_ConfuserEx_Name_Pattern_Jan24
Create hunting rule
SUSP_OBF_NET_Reactor_Indicators_Jan24
Create hunting rule
Link:
https://www.unpac.me/results/8664db3c-f5ca-4375-a9f2-fdd5485d3284/
SH256 hash:
f1560e8084b5843cb70cbf21220ffb7c738d8f31c036b7be0895d565500b5319
MD5 hash:
ff15200561557bbff87050e98e7461ae
SHA1 hash:
c53cfc89cb0456688a984cd33e7ecea68ff27451
Detections:
win_404keylogger_g1
Create hunting rule
MAL_Envrial_Jan18_1
Create hunting rule
INDICATOR_SUSPICIOUS_Binary_References_Browsers
Create hunting rule
INDICATOR_SUSPICIOUS_EXE_DotNetProcHook
Create hunting rule
INDICATOR_SUSPICIOUS_EXE_TelegramChatBot
Create hunting rule
Link:
https://www.unpac.me/results/8664db3c-f5ca-4375-a9f2-fdd5485d3284/
Parent samples :
50ec898674f779ff3115b5d856c579eb89aa9702db8355a6a8f34616223a889c
07b152394aab317e08fc56aa9fd33236cc8ea7a71d58ab9d7660ac70ccb495ec
1826e61ce9790350a2e81f89d3dedb33b72b0a91d19907b371ea8c2a7219efe8
ea45642110816d0fb61fedc38fe846875e3d04e62ec9d88ec6854eb2b610ca69
446ac5b2673ba02db508a71c3c821a4f5b2f6d9b0f8e4af62a7b747dceae33a9
ab134fddf98394f14de58cedce0a2ab543cacfde2c2a52c8080e4dbc8d058da1
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash
Rule name:Sus_Obf_Enc_Spoof_Hide_PE
Create hunting rule
Author:XiAnzheng
Description:Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique(can create FP)

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/12243/

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_DLL_CHARACTERISTICSMissing dll Security Characteristics (HIGH_ENTROPY_VA)high

Comments