MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 1952bd4cf85d07d155fee0fd9f75b5c5e52af32c20994eb3b248fbd03ffe9fcf. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


SnakeKeylogger


Vendor detections: 16


Intelligence 16 IOCs YARA 4 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 1952bd4cf85d07d155fee0fd9f75b5c5e52af32c20994eb3b248fbd03ffe9fcf
SHA3-384 hash: cc3bed5e93845233f7682354ff31e751c729e979fd0599ea54c382a53163eea37e64daa3c4cf6f2de429a7195f8229d0
SHA1 hash: 94163a06efc4784bbb04f1fdcf6b0321de3aff0a
MD5 hash: ca056a3aebdf8862e08c794f6f0a6f61
humanhash: sixteen-connecticut-glucose-equal
File name:SecuriteInfo.com.Win32.MalwareX-gen.12551.26135
Download: download sample
Signature SnakeKeylogger
Create hunting rule
File size:929'792 bytes
First seen:2025-02-20 03:00:08 UTC
Last seen:2025-02-20 10:28:49 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 12288:frT5UqCUfsgddZWQbQRqdPCYjkYUaqhqpDoIDpZLFUOvGUTSsFmeCiK2+9Hrs:f2ZwhtxTphtBSsFmnizO
Threatray 13 similar samples on MalwareBazaar
TLSH T16015AED037246B17ED6F4B32D056DCB492B1955AB285FBDE6CC86B9B38C9301A909F03
TrID 69.7% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.0% (.EXE) Win64 Executable (generic) (10522/11/4)
6.2% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.2% (.EXE) Win32 Executable (generic) (4504/4/1)
1.9% (.EXE) Win16/32 Executable Delphi generic (2072/23)
Magika pebin
Reporter SecuriteInfoCom
Tags:exe SnakeKeylogger

Intelligence

File Origin
# of uploads :
5
# of downloads :
504
Origin country :
FR FR
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
SecuriteInfo.com.Win32.MalwareX-gen.12551.26135
Verdict:
Malicious activity
Analysis date:
2025-02-20 03:01:33 UTC
Tags:
netreactor snake keylogger evasion
Link:
https://app.any.run/tasks/1d7d5f19-41c1-47b3-a6bd-c443a77d069f

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection(s):
SecuriteInfo.com.Win32.MalwareX-gen.12551.26135.UNOFFICIAL
Create hunting rule

Verdict:
Malicious
Score:
93.3%
Link:
https://cyber-fortress.com/docs/result/index.php?id=67b69bbf28ab76d43a5c13b6
Tags:
backdoor virus msil
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Unauthorized injection to a recently created process
Restart of the analyzed sample
Creating a file
Сreating synchronization primitives
DNS request
Connection attempt
Sending an HTTP GET request
Sending a custom TCP request
Verdict:
Malicious
Labled as:
Win/malicious_confidence_100%
Link:
https://www.hybrid-analysis.com/sample/1952bd4cf85d07d155fee0fd9f75b5c5e52af32c20994eb3b248fbd03ffe9fcf
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Agent Tesla
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/ff0e9381-c33c-453d-981d-8f83dcfc2a02
Result
Threat name:
Snake Keylogger
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1619631
Signature
.NET source code contains potential unpacker
Found malware configuration
Joe Sandbox ML detected suspicious sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Sample uses string decryption to hide its real strings
Self deletion via cmd or bat file
Tries to detect the country of the analysis system (by using the IP)
Yara detected AntiVM3
Yara detected Snake Keylogger
Behaviour
Behavior Graph:
Download SVG
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/1952bd4cf85d07d155fee0fd9f75b5c5e52af32c20994eb3b248fbd03ffe9fcf
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/1952bd4cf85d07d155fee0fd9f75b5c5e52af32c20994eb3b248fbd03ffe9fcf/
Threat name:
Win32.Exploit.SnakeKeylogger
Create hunting rule
Status:
Malicious
First seen:
2025-02-20 02:57:19 UTC
File Type:
PE (.Net Exe)
Extracted files:
14
AV detection:
19 of 24 (79.17%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=dfjl2thylud5cvp64d6z65nvyxssv4zmecmu5m5sjd55ap76t7hq._file
Verdict:
malicious
Label(s):
unknown_loader_037
Create hunting rule
snakekeylogger
Create hunting rule
captiveaaloader
Create hunting rule
Similar samples:
a69b613b4c99988b72e10c917489d5a7006b53abc75f7706b578e8b27f3252ab
SnakeKeylogger
aff2d8ebd4a9c0218b8df1314b12fd2dec7706b7f1cea2029c663c53e52ff187
SnakeKeylogger
b00f2a45170a731d423dd77ccad80fdaaab538d52d4f938ad53eca799eba2b23
SnakeKeylogger
b8a1cbfde7cd26809f6a8a90d88d09c0558fb2417dca15d7edd5e3eac3e07073
SnakeKeylogger
error
SnakeKeylogger
f5416d2c5f567506a87fd4be6b16ff2f5aac8f0176ba08fd57be4580c28e3ff8
SnakeKeylogger
+ 3 additional samples on MalwareBazaar
Result
Malware family:
snakekeylogger
Create hunting rule
Score:
  10/10
Tags:
family:snakekeylogger discovery keylogger stealer
Link:
https://tria.ge/reports/250220-dhefrawrt7/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Suspicious use of SetThreadContext
Looks up external IP address via web service
Checks computer location settings
Deletes itself
Snake Keylogger
Snake Keylogger payload
Snakekeylogger family
Malware Config
C2 Extraction:
https://api.telegram.org/bot7572469755:AAHCBLe3bEv-r8VSlR3NztVSSHz6JBpCC7s/sendMessage?chat_id=7207594974
Verdict:
Suspicious
Tags:
404keylogger
YARA:
n/a
Link:
https://app.threat.zone/submission/24f23f85-6902-46bd-8002-cec32d78ddf7
Unpacked files
SH256 hash:
1952bd4cf85d07d155fee0fd9f75b5c5e52af32c20994eb3b248fbd03ffe9fcf
MD5 hash:
ca056a3aebdf8862e08c794f6f0a6f61
SHA1 hash:
94163a06efc4784bbb04f1fdcf6b0321de3aff0a
Link:
https://www.unpac.me/results/cebaf937-bd58-478e-b109-289ea00a19b3/
SH256 hash:
42e49d95997df589b0a6446311212a811ff1b4b4b967a88364cd1ba8e7f45cf5
MD5 hash:
472c2c51fe8be8e1c6c0a200d35d195c
SHA1 hash:
060d6e717d801e0bcfa6d373e764cfac9076dcb0
Detections:
SUSP_OBF_NET_ConfuserEx_Name_Pattern_Jan24
Create hunting rule
Link:
https://www.unpac.me/results/cebaf937-bd58-478e-b109-289ea00a19b3/
Parent samples :
1952bd4cf85d07d155fee0fd9f75b5c5e52af32c20994eb3b248fbd03ffe9fcf
f61181498e9c1492eccf2949c1dbddf1bcb9c41aee98c4b960d663f15e4d7838
SH256 hash:
a8fe98a55fa9f772b729bc567b0c47a7e51ef8288adc38ff6437091fc1bc541d
MD5 hash:
6a6ea8bd11e5d79e4cdb6d3afc80ebdb
SHA1 hash:
80bae6fa336b5284e69dad973382376832e94f0d
Detections:
SUSP_OBF_NET_ConfuserEx_Name_Pattern_Jan24
Create hunting rule
SUSP_OBF_NET_Reactor_Indicators_Jan24
Create hunting rule
Link:
https://www.unpac.me/results/cebaf937-bd58-478e-b109-289ea00a19b3/
SH256 hash:
fedfa8506ddc9c8e9a50fd5f79626437960d927329c0ae394d64b2581a32f150
MD5 hash:
b8820c91844409a2ede0b2c8c128fb43
SHA1 hash:
b8185818ab1145c059c3d9b94038ef5f99324284
Detections:
win_404keylogger_g1
Create hunting rule
snake_keylogger
Create hunting rule
MAL_Envrial_Jan18_1
Create hunting rule
INDICATOR_SUSPICIOUS_Binary_References_Browsers
Create hunting rule
INDICATOR_SUSPICIOUS_EXE_DotNetProcHook
Create hunting rule
MALWARE_Win_SnakeKeylogger
Create hunting rule
Link:
https://www.unpac.me/results/cebaf937-bd58-478e-b109-289ea00a19b3/
Parent samples :
16ac39458488454a5d43d2f0d250fe014bf22ab1542ee6cbd10c6f69ab8d91d8
5a2a58a5c9a50cda175b03b68636c5f68d7dcc73eb19311ceb2940dddc97654e
dcb42b8ad4e7cc40fe12cfef0f5b97fba6073716a6315784ed6dd8847a51e86d
1952bd4cf85d07d155fee0fd9f75b5c5e52af32c20994eb3b248fbd03ffe9fcf
406661636fd8b1d1532ff4d019762d42cdde201b783d68b26cb7c955a1e92af0
73894e9dabbea10e1befbf6d68c03b45dd45e8170cc9cac9a2fa420585010ce0
Malware family:
SnakeKeylogger
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/1952bd4cf85d/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/1952bd4cf85d07d155fee0fd9f75b5c5e52af32c20994eb3b248fbd03ffe9fcf

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash
Rule name:Sus_Obf_Enc_Spoof_Hide_PE
Create hunting rule
Author:XiAnzheng
Description:Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique(can create FP)

File information

The table below shows additional information about this malware sample such as delivery method and external references.

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_DLL_CHARACTERISTICSMissing dll Security Characteristics (HIGH_ENTROPY_VA)high

Comments