MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 21454d8d5466c03b94a9eff665ad30dabc538341cdd60b466a3b82fc06abb4fc. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



SnakeKeylogger


Vendor detections: 17



SHA256 hash: 21454d8d5466c03b94a9eff665ad30dabc538341cdd60b466a3b82fc06abb4fc
SHA3-384 hash: 9fc723ea848a92c1564cd1f0029b6e2f8f826ae18757eb5d50feef14a4ae7781d04b6eff5a3d0824d6399a2df9d52c1e
SHA1 hash: 14fccf8b5e1b56cd5dfb363e9f5be04e815668fe
MD5 hash: 89aed0c676a7e2074932cc923e3bcdb9
humanhash: july-apart-lithium-skylark
File name: PHG98754567000987656789000.exe
Signature: SnakeKeylogger
File size: 1'012'117 bytes
First seen: 2025-08-01 07:43:52 UTC
Last seen: 2025-08-01 08:02:14 UTC
File type: Executable exe
MIME type: application/x-dosexec
imphash 98f67c550a7da65513e63ffd998f6b2e (60 x Worm.Mofksys, 21 x SnakeKeylogger, 13 x MassLogger)
ssdeep 12288:GENN+T5xYrllrU7QY6cZKVW5Cb0xbVft++eMrE/Uc5kfYC28SLPWqYQ1eN+Tg:K5xolYQY6cAYQoVzeSrfL2nLPWVNr
Threatray 292 similar samples on MalwareBazaar
TLSH T14325CF2AEE12A01AE85252B30562E57672352D6C1AC1D87727E0EF87347D9137FB730B
TrID 38.2% (.EXE) Win32 Executable Microsoft Visual Basic 6 (82067/2/8)
34.0% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
14.5% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
4.9% (.EXE) Win64 Executable (generic) (10522/11/4)
2.3% (.EXE) Win16 NE executable (generic) (5038/12/1)
Magika pebin
dhash icon 4cb672d6a2da9a9a (1 x SnakeKeylogger)
Reporter lowmal3
Tags: exe SnakeKeylogger

Intelligence


File Origin
# of uploads: 2
# of downloads: 49
Origin country: DE
Vendor Threat Intelligence
Malware family: n/a
ID: 1
File name: PHG98754567000987656789000.exe
Verdict: Malicious activity
Analysis date: 2025-08-01 07:44:35 UTC
Tags: snake keylogger evasion telegram auto-sch-xml stealer

Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Verdict: Malicious
Score: 99.9%
Tags: trojware sharew micro
Result
Verdict: Malware
Behaviour
Creating synchronization primitives
Creating a window
Creating a file
Creating a process from a recently created file
Creating a process with a hidden window
Creating a file in the Windows subdirectories
Enabling the 'hidden' option for recently created files
Setting a keyboard event handler
Setting a global event handler
Creating a file in the %AppData% directory
Sending a custom TCP request
Adding an access-denied ACE
Creating a file in the %temp% directory
Launching a process
DNS request
Connection attempt
Sending an HTTP GET request
Unauthorized injection to a recently created process
Setting a single autorun event
Launching the process to create tasks for the scheduler
Unauthorized injection to a recently created process by context flags manipulation
Enabling autorun
Enabling a "Do not show hidden files" option
Adding an exclusion to Microsoft Defender
Enabling autorun by creating a file
Verdict: Malicious
Threat level: 10/10
Confidence: 100%
Tags: base64 explorer lolbin overlay packed rezer0 roboski telegram visual_basic
Result
Threat name: CryptOne, Snake Keylogger, VIP Keylogger
Detection: malicious
Classification: troj.spyw.evad
Score: 100 / 100
Signature
.NET source code contains potential unpacker
Adds a directory exclusion to Windows Defender
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Creates an undocumented autostart registry key
Detected CryptOne packer
Drops executables to the windows directory (C:\Windows) and starts them
Drops PE files with benign system names
Found malware configuration
Injects a PE file into a foreign processes
Installs a global keyboard hook
Joe Sandbox ML detected suspicious sample
Loading BitLocker PowerShell Module
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
PE file has a writeable .text section
Sample uses string decryption to hide its real strings
Sigma detected: Files With System Process Name In Unsuspected Locations
Sigma detected: Interactive AT Job
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Sigma detected: Scheduled temp file as task from temp location
Sigma detected: Suspect Svchost Activity
Sigma detected: System File Execution Location Anomaly
Suricata IDS alerts for network traffic
System process connects to network (likely due to code injection or exploit)
Tries to detect the country of the analysis system (by using the IP)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Uses schtasks.exe or at.exe to add and modify task schedules
Uses the Telegram API (likely for C&C communication)
Yara detected AntiVM3
Yara detected Snake Keylogger
Yara detected Telegram RAT
Yara detected VIP Keylogger
Behaviour
Behavior Graph (rendered graph reconstructed as a process tree; Behavior Graph ID 1748265, sample PHG98754567000987656789000.exe, start date 01/08/2025, architecture WINDOWS, score 100):
Top-level network and signatures: reallyfreegeoip.org (tries to detect the country of the analysis system by IP); api.telegram.org (uses the Telegram API, likely for C&C communication); 10 other IPs or domains; Suricata IDS alerts for network traffic; found malware configuration; malicious sample detected through community Yara rule; 19 other signatures.
PHG98754567000987656789000.exe
    drops C:\Users\...\phg98754567000987656789000.exe (PE32) and C:\Users\user\AppData\Local\icsys.icn.exe (PE32); installs a global keyboard hook
    icsys.icn.exe
        drops C:\Windows\System\explorer.exe (PE32); antivirus detection for dropped file; drops PE files with benign system names; installs a global keyboard hook
        explorer.exe (the dropped copy)
            network: 192.168.2.8 (ports 137, 138, 443); vccmd01.zxq.net 51.81.194.202:443 (OVHFR, United States); 3 other IPs or domains
            drops C:\Windows\System\spoolsv.exe (PE32) and C:\Users\user\AppData\Roaming\mrsys.exe (PE32); antivirus detection for dropped file; system process connects to network (likely due to code injection or exploit); creates an undocumented autostart registry key; drops PE files with benign system names
            spoolsv.exe
                drops C:\Windows\System\svchost.exe (PE32); antivirus detection for dropped file; drops executables to C:\Windows and starts them; drops PE files with benign system names; installs a global keyboard hook
                svchost.exe
                    drops C:\Users\user\AppData\Local\stsys.exe (PE32); antivirus detection for dropped file; CryptOne packer detected; creates an undocumented autostart registry key; 3 other signatures
                    spoolsv.exe (installs a global keyboard hook)
                    at.exe (x2, each with conhost.exe)
                    20 other processes (spawning 3 conhost.exe and 17 other processes)
    phg98754567000987656789000.exe
        drops C:\Users\user\AppData\RoamingjwLpA.exe (PE32), C:\Users\user\...jwLpA.exe:Zone.Identifier (ASCII) and C:\Users\user\AppData\Local\...\tmp2B63.tmp (XML); adds a directory exclusion to Windows Defender; injects a PE file into a foreign process
        powershell.exe (x2, each with conhost.exe; one loads the BitLocker PowerShell module)
        phg98754567000987656789000.exe (child instance)
            network: api.telegram.org 149.154.167.220:443 (TELEGRAMRU, United Kingdom); checkip.dyndns.com 193.122.6.168 (ORACLE-BMC-31898US, United States); reallyfreegeoip.org 104.21.64.1:443 (CLOUDFLARENETUS, United States)
        schtasks.exe (with conhost.exe)
EjwLpA.exe
    drops C:\Users\user\AppData\Roaming\ejwlpa.exe (PE32); antivirus detection and multi-AV scanner detection for dropped file
    icsys.icn.exe (drops executables to C:\Windows and starts them)
        explorer.exe (installs a global keyboard hook)
    ejwlpa.exe (tries to steal mail credentials via file/registry access; tries to harvest and steal browser information)
        schtasks.exe (with conhost.exe)
explorer.exe
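Two of the Sigma hits above are cheap to reproduce on your own endpoint telemetry: system-process names (explorer.exe, spoolsv.exe, svchost.exe) executed from C:\Windows\System instead of the directory Windows installs them in, and a PowerShell -EncodedCommand that turns out to be an Add-MpPreference exclusion. The block below is an added example, not code from MalwareBazaar or from any of the sandboxes quoted on this page. It runs both checks over a few constructed Sysmon-style process-creation events; the expected-directory allow-list, the event field names and the encoded PowerShell command are assumptions made for the example, while the dropped paths follow the behavior graph above.

```python
import base64
import re
from pathlib import PureWindowsPath

# Where Windows normally keeps these binaries (assumption for the example; the
# real Sigma rules carry longer allow-lists). Compared case-insensitively.
EXPECTED_DIRS = {
    "explorer.exe": {r"c:\windows"},
    "svchost.exe": {r"c:\windows\system32", r"c:\windows\syswow64"},
    "spoolsv.exe": {r"c:\windows\system32"},
}

# Short and long spellings of PowerShell's encoded-command switch.
ENCODED_ARG = re.compile(r"-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)", re.IGNORECASE)


def system_name_anomaly(image):
    """True when a binary named like a system process runs from a directory
    other than the one Windows installs it in (e.g. C:\\Windows\\System\\explorer.exe)."""
    p = PureWindowsPath(image)
    expected = EXPECTED_DIRS.get(p.name.lower())
    if expected is None:
        return False
    return str(p.parent).lower() not in expected


def decode_encoded_command(cmdline):
    """Return the plaintext of a PowerShell -EncodedCommand argument, or None.
    PowerShell base64-encodes UTF-16LE text, hence that codec on decode."""
    m = ENCODED_ARG.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1)).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def defender_exclusion_via_encoded_ps(cmdline):
    """True when an encoded PowerShell command adds a Defender exclusion
    (Add-/Set-MpPreference with any -Exclusion* parameter)."""
    plain = decode_encoded_command(cmdline)
    if plain is None:
        return False
    return re.search(r"\b(?:Add|Set)-MpPreference\b.*-Exclusion", plain, re.IGNORECASE) is not None


def scan(events):
    """Run both checks over process-creation events; return (pid, rule, detail) tuples."""
    alerts = []
    for ev in events:
        if system_name_anomaly(ev["Image"]):
            alerts.append((ev["ProcessId"], "system_file_location_anomaly", ev["Image"]))
        if PureWindowsPath(ev["Image"]).name.lower() == "powershell.exe" and \
                defender_exclusion_via_encoded_ps(ev["CommandLine"]):
            alerts.append((ev["ProcessId"], "encoded_mppreference",
                           decode_encoded_command(ev["CommandLine"])))
    return alerts


def encode_ps(script):
    """Build an -EncodedCommand argument the way PowerShell expects it
    (used only to construct the sample events below)."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


# Constructed Sysmon-style events (not real telemetry); paths mirror the drops
# reported in the behavior graph above. The exclusion target is an assumption.
SAMPLE_EVENTS = [
    {"ProcessId": 30, "Image": r"C:\Windows\System\explorer.exe", "CommandLine": "explorer.exe"},
    {"ProcessId": 18, "Image": r"C:\Windows\explorer.exe", "CommandLine": "explorer.exe"},
    {"ProcessId": 49, "Image": r"C:\Windows\System\spoolsv.exe", "CommandLine": "spoolsv.exe"},
    {"ProcessId": 35, "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe -NoProfile -EncodedCommand "
     + encode_ps(r"Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming'")},
    {"ProcessId": 37, "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe -EncodedCommand " + encode_ps("Get-Process")},
]

if __name__ == "__main__":
    for pid, rule, detail in scan(SAMPLE_EVENTS):
        print(f"pid {pid}: {rule}: {detail}")
```

The location check deliberately keys on the file name only, so a copy of svchost.exe in %AppData% fires just as C:\Windows\System\svchost.exe does; decoding the -EncodedCommand before matching is what keeps the base64 wrapper from hiding the cmdlet name, which is the point of the Sigma rule the report names.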
Verdict: inconclusive
YARA: 6 match(es)
Tags: .Net Executable PE (Portable Executable) Visual Basic Visual Basic 6 Win 32 Exe x86
Threat name: Win32.Trojan.Golsys
Status: Malicious
First seen: 2025-08-01 07:31:30 UTC
File Type: PE (Exe)
Extracted files: 13
AV detection: 35 of 38 (92.11%)
Threat level: 5/5
Result
Malware family: vipkeylogger
Score: 10/10
Tags: family:mofksys family:vipkeylogger collection defense_evasion discovery execution keylogger persistence spyware stealer worm
Behaviour
Scheduled Task/Job: Scheduled Task
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Browser Information Discovery
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Drops file in Windows directory
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Adds Run key to start application
Looks up external IP address via web service
Checks computer location settings
Executes dropped EXE
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Boot or Logon Autostart Execution: Active Setup
Command and Scripting Interpreter: PowerShell
Detects Mofksys worm
Modifies WinLogon for persistence
Modifies visibility of hidden/system files in Explorer
Mofksys
Mofksys family
VIPKeylogger
Vipkeylogger family
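The network side of this sample ("Looks up external IP address via web service" here; checkip.dyndns.com, reallyfreegeoip.org and then api.telegram.org from the child instance in the behavior graph above) is the exfiltration fingerprint worth hunting for. The block below is an added example, not code from the page or from any of the sandboxes: it correlates that sequence per process over constructed proxy-log records and pulls the numeric bot identifier out of a Telegram Bot API path so the token can be reported for revocation. The log format, the time window and the tokens are constructed for the example; the hostnames and the Bot API URL layout (/bot<id>:<secret>/<method>) are real.

```python
import re
from datetime import datetime, timedelta

# Hosts the sample used to learn the victim's public IP and country (from the report above).
IP_LOOKUP_HOSTS = {"checkip.dyndns.com", "reallyfreegeoip.org"}
TELEGRAM_HOST = "api.telegram.org"
# Bot API paths look like /bot<numeric id>:<secret>/<method>. Only the numeric
# id is reported; the secret is what the takedown request asks Telegram to revoke.
BOT_PATH = re.compile(r"^/bot(\d+):([A-Za-z0-9_-]{30,})/(\w+)")


def parse_bot_path(path):
    """Return (bot_id, method) for a Telegram Bot API path, or None."""
    m = BOT_PATH.match(path)
    return (m.group(1), m.group(3)) if m else None


def parse_log(text):
    """Parse 'timestamp pid host path' lines (constructed log format, one record per line)."""
    records = []
    for line in text.strip().splitlines():
        ts, pid, host, path = line.split(maxsplit=3)
        records.append((datetime.fromisoformat(ts), int(pid), host.lower(), path))
    return records


def find_telegram_exfil(records, window=timedelta(minutes=10)):
    """Per process: an IP/geo lookup followed within `window` by a Bot API call.
    Returns one dict per hit with the pid, bot id, API method and lookup hosts seen."""
    lookups = {}  # pid -> [(time, host), ...]
    hits = []
    for ts, pid, host, path in sorted(records):
        if host in IP_LOOKUP_HOSTS:
            lookups.setdefault(pid, []).append((ts, host))
            continue
        if host != TELEGRAM_HOST:
            continue
        bot = parse_bot_path(path)
        if bot is None:
            continue
        prior = [h for t, h in lookups.get(pid, []) if ts - t <= window]
        if prior:
            hits.append({"pid": pid, "bot_id": bot[0], "method": bot[1],
                         "lookups": sorted(set(prior))})
    return hits


# Constructed proxy log (not real traffic). The tokens are placeholders in the
# real format, not working credentials; 203.0.113.7 is a documentation address.
SAMPLE_LOG = """
2025-08-01T07:45:01 39 checkip.dyndns.com /
2025-08-01T07:45:02 39 reallyfreegeoip.org /xml/203.0.113.7
2025-08-01T07:45:09 39 api.telegram.org /bot123456789:AAHconstructed_token_for_example_0000/sendMessage
2025-08-01T07:45:10 30 vccmd01.zxq.net /
2025-08-01T07:50:00 52 api.telegram.org /bot987654321:AAHanother_constructed_token_000000/getMe
"""

if __name__ == "__main__":
    for hit in find_telegram_exfil(parse_log(SAMPLE_LOG)):
        print(hit)
```

In practice the api.telegram.org leg is TLS, so the path is only visible on a decrypting proxy or in the sandbox's own capture; without it, a DNS or SNI log still gives the host sequence, and the per-process requirement drops to per-host, which is noisier but still far more specific than either host alone.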
Verdict: Malicious
Tags: trojan Win.Malware.Swisyn-7610494-0
YARA: Windows_Generic_Threat_2bb7fbe3
Unpacked files
SHA256 hash: 21454d8d5466c03b94a9eff665ad30dabc538341cdd60b466a3b82fc06abb4fc
MD5 hash: 89aed0c676a7e2074932cc923e3bcdb9
SHA1 hash: 14fccf8b5e1b56cd5dfb363e9f5be04e815668fe

SHA256 hash: 2e5988901d71f2addbe2ea644bac577abfe46ede771749f02b0b7358c92b5282
MD5 hash: d3151d8e9a975b1723ab49b6622657f3
SHA1 hash: e26065f406727b3e5b35263b9b02f6fc665dcf2c

SHA256 hash: 997767038a47666f2f52cbcf7755357e7ea9015692d7bebea415f8b26838a1b4
MD5 hash: 15067338f97bc24cc2ac550e51a9dcb5
SHA1 hash: 44882ee8f9ff92edf6a75f61850e9036d857464b

SHA256 hash: 656c6a5621d6f1774c29b966764cabb1f157c89cef9af2912085fe83fb49d6bf
MD5 hash: 34fac5aa7c30f1234af787ecb9f7c404
SHA1 hash: e48ccd96a33b8ba062fe811638c6c4af201cca2d
Detections: SUSP_OBF_NET_ConfuserEx_Name_Pattern_Jan24 SUSP_OBF_NET_Reactor_Indicators_Jan24

SHA256 hash: 6c8b1dd4c73405dd79112da74e2e99dadf62d4dec857d30ace595c7ec61593b3
MD5 hash: d6b2aedd1eacb562b194948521818742
SHA1 hash: ebf881f82ed221efc28003382c6f1b6d3cf9a2b6
Detections: win_404keylogger_g1 MAL_Envrial_Jan18_1 INDICATOR_SUSPICIOUS_Binary_References_Browsers INDICATOR_SUSPICIOUS_EXE_References_Messaging_Clients INDICATOR_SUSPICIOUS_EXE_DotNetProcHook INDICATOR_SUSPICIOUS_EXE_TelegramChatBot

Malware family: VIPKeylogger
Verdict: Malicious
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: NET
Author: malware-lu
Rule name: NETexecutableMicrosoft
Author: malware-lu
Rule name: ProtectSharewareV11eCompservCMS
Author: malware-lu
Rule name: SEH__vba
Reference: https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name: SUSP_Imphash_Mar23_2
Author: Arnim Rupp (https://github.com/ruppde)
Description: Detects imphash often found in malware samples (zero hits with search for 'imphash:x p:0' on VirusTotal)
Reference: Internal Research
Rule name: Sus_Obf_Enc_Spoof_Hide_PE
Author: XiAnzheng
Description: Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique (can create FP)
Rule name: Windows_Generic_Threat_2bb7fbe3
Author: Elastic Security

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Malspam
SnakeKeylogger
Executable exe 21454d8d5466c03b94a9eff665ad30dabc538341cdd60b466a3b82fc06abb4fc (this sample)
Delivery method: Distributed via e-mail attachment

BLint


The following table provides more information about this file using BLint, a binary linter that checks the security properties and capabilities of executables.

Findings
ID                  Title                                                     Severity
CHECK_AUTHENTICODE  Missing Authenticode                                      high
CHECK_NX            Missing Non-Executable Memory Protection                  critical
CHECK_PIE           Missing Position-Independent Executable (PIE) Protection  high

Reviews
ID      Capabilities                  Evidence
VB_API  Legacy Visual Basic API used  MSVBVM60.DLL::__vbaCopyBytes
                                      MSVBVM60.DLL::__vbaSetSystemError
                                      MSVBVM60.DLL::__vbaExitProc
                                      MSVBVM60.DLL::__vbaObjSetAddref
                                      MSVBVM60.DLL::EVENT_SINK_AddRef
                                      MSVBVM60.DLL::__vbaFileOpen
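All three BLint findings come straight out of the PE optional header: CHECK_NX and CHECK_PIE are the NX_COMPAT (0x0100) and DYNAMIC_BASE (0x0040) bits of DllCharacteristics, and CHECK_AUTHENTICODE is an empty security data directory (entry 4). The block below is an added example, not BLint's own code, showing how to read those fields with nothing but struct. The header-only test image it builds is a constructed stand-in for a VB6 binary like this one, not the sample itself.

```python
import struct

IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE = 0x0040  # ASLR-compatible; what BLint reports as PIE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT = 0x0100     # DEP/NX-compatible
SECURITY_DIRECTORY_INDEX = 4                    # data directory holding the Authenticode blob


def pe_security_checks(data):
    """Read DllCharacteristics and the security data directory from the PE
    headers; returns whether NX, ASLR and an embedded signature are present."""
    if data[:2] != b"MZ":
        raise ValueError("not a PE file (no MZ header)")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("bad PE signature")
    opt = e_lfanew + 4 + 20                     # optional header follows the 20-byte COFF header
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic == 0x10B:                          # PE32
        dd_off = 96
    elif magic == 0x20B:                        # PE32+
        dd_off = 112
    else:
        raise ValueError("unknown optional header magic 0x%x" % magic)
    dll_chars = struct.unpack_from("<H", data, opt + 70)[0]   # same offset in both formats
    n_dirs = struct.unpack_from("<I", data, opt + dd_off - 4)[0]  # NumberOfRvaAndSizes
    sig_size = 0
    if n_dirs > SECURITY_DIRECTORY_INDEX:
        _, sig_size = struct.unpack_from("<II", data, opt + dd_off + 8 * SECURITY_DIRECTORY_INDEX)
    return {
        "nx": bool(dll_chars & IMAGE_DLLCHARACTERISTICS_NX_COMPAT),
        "pie": bool(dll_chars & IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE),
        "authenticode": sig_size > 0,
    }


def findings(data):
    """Map the three checks to BLint's finding IDs."""
    c = pe_security_checks(data)
    out = []
    if not c["authenticode"]:
        out.append("CHECK_AUTHENTICODE")
    if not c["nx"]:
        out.append("CHECK_NX")
    if not c["pie"]:
        out.append("CHECK_PIE")
    return out


def build_minimal_pe32(dll_chars, sig_size=0):
    """Construct a header-only PE32 image for testing (not a runnable executable):
    DOS stub, PE signature, COFF header, 224-byte optional header."""
    dos = bytearray(0x80)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x80)                      # e_lfanew
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 0xE0, 0x0102)  # i386, 1 section, 224-byte opt hdr
    opt = bytearray(0xE0)
    struct.pack_into("<H", opt, 0, 0x10B)                        # PE32 magic
    struct.pack_into("<H", opt, 70, dll_chars)                   # DllCharacteristics
    struct.pack_into("<I", opt, 92, 16)                          # NumberOfRvaAndSizes
    struct.pack_into("<II", opt, 96 + 8 * SECURITY_DIRECTORY_INDEX,
                     0x1000 if sig_size else 0, sig_size)        # security directory (offset, size)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt)


if __name__ == "__main__":
    legacy = build_minimal_pe32(0)                       # VB6-style: no flags, no signature
    hardened = build_minimal_pe32(0x0140, sig_size=0x2000)
    print("legacy:", findings(legacy))
    print("hardened:", findings(hardened))
```

To run it against a real file, pass `open(path, "rb").read()` to `findings`. Two caveats: an empty security directory only proves there is no embedded signature (catalog-signed system files also show zero here), and BLint does more than this, such as parsing the certificate table when one is present.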
