MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 24a07efb7c95800b89d34683abe09cf8e7d7776483f586abca769c2f98bb67c6. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

SnakeKeylogger

Vendor detections: 17

Intelligence 17 IOCs YARA 4 File information Comments

SHA256 hash:	24a07efb7c95800b89d34683abe09cf8e7d7776483f586abca769c2f98bb67c6
SHA3-384 hash:	93d1a6a9a64d6efccd4bcc44e15c34876185f30157557849b186197d4f9bd7f4e631db42f4884521e9a6a2a44e82e172
SHA1 hash:	a517c5c5c6fc4737c9c7af3a266ff1b5958281c9
MD5 hash:	430a34f8dd4ca18604ff1fd84115e61e
humanhash:	india-pizza-leopard-mississippi
File name:	Request - CSR-204S095-25-0062.exe
Download:	download sample
Signature	SnakeKeylogger Create hunting rule
File size:	1'054'720 bytes
First seen:	2026-02-25 14:32:42 UTC
Last seen:	2026-02-25 15:21:49 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'818 x AgentTesla, 19'741 x Formbook, 12'286 x SnakeKeylogger)
ssdeep	12288:7IMUm85aCEblLoRyEYLzXAPbCML87sgMXaO4RAwSW/+2PmvszdvWBn/F:7DtvllLoRymbJ8wgMh4CzWm2dzdeht
Threatray	12 similar samples on MalwareBazaar
TLSH	T11225E162CD43BB24C56C47BC812703D023F0E9039356D72FAFFE86E659A2BD5CA16166
TrID	73.9% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13) 6.6% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 6.6% (.EXE) Win64 Executable (generic) (6522/11/2) 4.5% (.EXE) Win32 Executable (generic) (4504/4/1) 2.0% (.ICL) Windows Icons Library (generic) (2059/9)
Magika	pebin
Reporter	adrian__luca
Tags:	exe SnakeKeylogger

Intelligence

File Origin

# of uploads :

# of downloads :

178

Origin country :

Vendor Threat Intelligence

Malware configuration found for:

DeepSea

Details

DeepSea

DeepSea decrypted strings

Link:

https://research.acce.ciphertechsolutions.com/results/268589b9-cf4d-4d28-80e1-93eb6c203c89/

Malware family:

n/a

ID:

File name:

_24a07efb7c95800b89d34683abe09cf8e7d7776483f586abca769c2f98bb67c6.exe

Verdict:

Suspicious activity

Analysis date:

2026-02-25 14:34:51 UTC

Tags:

netreactor auto-startup

Link:

https://app.any.run/tasks/cc0c5f98-0b5e-4040-8b68-6459a658ea93

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

VIPKeyLogger

Link:

https://www.capesandbox.com/analysis/54580/

Detection(s):

SecuriteInfo.com.Win32.MalwareX-gen.51673276.UNOFFICIAL

Verdict:

Malicious

Score:

99.1%

Link:

https://cyber-fortress.com/docs/result/index.php?id=699f08408fffa866e3b2111c

Tags:

autorun virus micro msil

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

Running batch commands

Creating a file

Launching a process

Enabling autorun by creating a file

Verdict:

Malicious

Labled as:

Trojan.MSIL.Basic.8

Link:

https://www.hybrid-analysis.com/sample/24a07efb7c95800b89d34683abe09cf8e7d7776483f586abca769c2f98bb67c6

Verdict:

Malicious

File Type:

exe x32

Detections:

Trojan.MSIL.Agent.sb HEUR:Trojan-PSW.MSIL.Stealer.gen PDM:Trojan.Win32.Generic Trojan-PSW.Win32.Stelega.sb Trojan-PSW.Win32.Stealer.sb Trojan.MSIL.Inject.b

Link:

https://opentip.kaspersky.com/24a07efb7c95800b89d34683abe09cf8e7d7776483f586abca769c2f98bb67c6/results?tab=lookup

Malware family:

Malicious Packer

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/0f06ebf3-af21-4412-ba46-5a1c619bbd89

Score:

100%

Verdict:

Malware

File Type:

Link:

https://malprob.io/report/24a07efb7c95800b89d34683abe09cf8e7d7776483f586abca769c2f98bb67c6

Verdict:

inconclusive

YARA:

10 match(es)

Tags:

.Net Executable Managed .NET PE (Portable Executable) PE File Layout SOS: 0.84 Win 32 Exe x86

Link:

https://app.malva.re/file/430a34f8dd4ca18604ff1fd84115e61e

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/24a07efb7c95800b89d34683abe09cf8e7d7776483f586abca769c2f98bb67c6/

Verdict:

Malicious

Threat:

Family.SNAKEKEYLOGGER

Link:

https://tip.neiki.dev/file/24a07efb7c95800b89d34683abe09cf8e7d7776483f586abca769c2f98bb67c6

Threat name:

Win32.Spyware.Negasteal

Status:

Suspicious

First seen:

2026-02-20 04:03:27 UTC

File Type:

PE (.Net Exe)

Extracted files:

AV detection:

24 of 38 (63.16%)

Threat level:

2/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=esqh5634swaaxcoti2b2xye47dt5o53eqp2ynk6ko2oc7gf3m7da._file

Verdict:

malicious

Label(s):

purecrypter

vipkeylogger

SnakeKeylogger

6f998e066e89d74f97f68b8b300cbf96f10df8bca0f96b78082e54ae578c6808

SnakeKeylogger

d602128bef26396a9ce57e55bdfdd512b3f8e292cd7e7de5870e3ec81dcc884b

SnakeKeylogger

dbd4edd258813db2cac4abddb2a4230b62874591c09daa6ffbcd5c9022ebd042

SnakeKeylogger

+ 2 additional samples on MalwareBazaar

Result

Malware family:

n/a

Score:

7/10

Tags:

discovery

Link:

https://tria.ge/reports/260225-rw21vsaw9g/

Behaviour

Runs ping.exe

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Enumerates physical storage devices

System Location Discovery: System Language Discovery

System Network Configuration Discovery: Internet Connection Discovery

.NET Reactor proctector

Drops startup file

Executes dropped EXE

Unpacked files

SH256 hash:

24a07efb7c95800b89d34683abe09cf8e7d7776483f586abca769c2f98bb67c6

MD5 hash:

430a34f8dd4ca18604ff1fd84115e61e

SHA1 hash:

a517c5c5c6fc4737c9c7af3a266ff1b5958281c9

Link:

https://www.unpac.me/results/e167a4de-3086-48d0-bb06-d40d96b648dd/

SH256 hash:

dd7a7994e1c11477a4c3482e3929c6561ea5120110a48f201ebaac7ef1e9367e

MD5 hash:

40e48b6aabafa732b2d5b52105e2e48a

SHA1 hash:

1f4cde519b1f78056c67ef0c3885044ad8a847f1

Detections:

win_404keylogger_g1

MAL_Envrial_Jan18_1

INDICATOR_SUSPICIOUS_Binary_References_Browsers

INDICATOR_SUSPICIOUS_EXE_DotNetProcHook

INDICATOR_SUSPICIOUS_EXE_TelegramChatBot

Link:

https://www.unpac.me/results/e167a4de-3086-48d0-bb06-d40d96b648dd/

SH256 hash:

a6a6cf76c8a7dd497424f636ddaa9c58a77971f9b267b257f1906c0388c281d6

MD5 hash:

f0ff6d188e5191a7295ae1e852259e7d

SHA1 hash:

c3f1b28ff5806069dc6b694eb2c40af6bdc27078

Detections:

SUSP_OBF_NET_Reactor_Indicators_Jan24

INDICATOR_EXE_Packed_DotNetReactor

Link:

https://www.unpac.me/results/e167a4de-3086-48d0-bb06-d40d96b648dd/

Parent samples :

24d6cbd8f4eb920651f82adb1288cd4d5227f6bcd8fe71341ebdeb434bbfae01
b430b6d8ffe30bb994eb58e11cab86092452755f0044acba6de4ef305f8fc28c
6f998e066e89d74f97f68b8b300cbf96f10df8bca0f96b78082e54ae578c6808
dbd4edd258813db2cac4abddb2a4230b62874591c09daa6ffbcd5c9022ebd042
787603ed370b21f4b0c042915f7fec0e3ad9f1a74f9bea21a99f9e7a5232a31c
cf790980d19ae946d6de6a03100ec1c207ceff95cf7e220d90108c2749fd0f63
24a07efb7c95800b89d34683abe09cf8e7d7776483f586abca769c2f98bb67c6
5524f65612afc339bd726ce2d20c9b8040a2137c7c23d8b68c47fe35a02c616d

Malware family:

VIPKeylogger

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/24a07efb7c95/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/24a07efb7c95800b89d34683abe09cf8e7d7776483f586abca769c2f98bb67c6

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	NET Create hunting rule
Author:	malware-lu

Rule name:	NETexecutableMicrosoft Create hunting rule
Author:	malware-lu

Rule name:	pe_imphash Create hunting rule

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

SnakeKeylogger

exe 24a07efb7c95800b89d34683abe09cf8e7d7776483f586abca769c2f98bb67c6

(this sample)

Delivery method

Distributed via e-mail attachment

Cape

https://www.capesandbox.com/analysis/54580/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample