MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 2804023cb811e89cd1fc6bec5614a689929a3c23f68939142176c7b2fbdd4b9f. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


SnakeKeylogger


Vendor detections: 19


Intelligence 19 IOCs YARA 4 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 2804023cb811e89cd1fc6bec5614a689929a3c23f68939142176c7b2fbdd4b9f
SHA3-384 hash: f69364ee62c4498656842fd160b999fbcd5a2cf48440e27bd6456e4de23948e3cf7add1e9ed7bc7c807e578bde3d2e11
SHA1 hash: 072a5bcf3642e64be1a5d124bf22698b3efd3ae4
MD5 hash: 05efdca9e8b3d881d1ebdaceca847767
humanhash: south-sink-finch-spaghetti
File name:MV ZENKEN MARU.exe
Download: download sample
Signature SnakeKeylogger
Create hunting rule
File size:1'012'736 bytes
First seen:2026-03-23 16:18:31 UTC
Last seen:2026-03-23 17:35:12 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'845 x AgentTesla, 19'778 x Formbook, 12'302 x SnakeKeylogger)
ssdeep 24576:VlL5eMJyMWgcm7ShRckwBh8IWC31Sy1D0v5U811FNQ:VlL5eMJyfgH7cEBhJWC31nqUwN
TLSH T1A1250219B298CA02C5F7A7F92BB1E07A03B55D9EA461D74B8FDE3DDB3962B005904343
TrID 73.9% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
6.6% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
6.6% (.EXE) Win64 Executable (generic) (6522/11/2)
4.5% (.EXE) Win32 Executable (generic) (4504/4/1)
2.0% (.ICL) Windows Icons Library (generic) (2059/9)
Magika pebin
Reporter threatcat_ch
Tags:exe SnakeKeylogger

Intelligence

File Origin
# of uploads :
2
# of downloads :
117
Origin country :
CH CH
Vendor Threat Intelligence
Malware configuration found for:
RoboSki
Details
RoboSki
a decrypted ReZer0 component and possibly a decryption component
Link:
https://research.acce.ciphertechsolutions.com/results/e5ad211c-0e15-43e9-959c-9633c355c0f9/
Malware family:
n/a
ID:
1
File name:
70cbbdc0573cc57f49ad37aed8f5d570ebfd7f200deb9a88cd9ecb7511961df5.zip
Verdict:
Malicious activity
Analysis date:
2026-03-23 10:31:28 UTC
Tags:
arch-exec snake keylogger evasion auto-startup telegram spyware stealer
Link:
https://app.any.run/tasks/fa10b3e9-e2a7-4ea5-9bdc-77ee0ac0900b

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Gathering data
Verdict:
Malicious
Score:
99.1%
Link:
https://cyber-fortress.com/docs/result/index.php?id=69c1167f390b99647412f5f7
Tags:
autorun virus micro msil
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
DNS request
Creating a process with a hidden window
Creating a file in the %AppData% directory
Enabling the 'hidden' option for recently created files
Adding an access-denied ACE
Сreating synchronization primitives
Connection attempt
Sending an HTTP GET request
Sending a custom TCP request
Adding an exclusion to Microsoft Defender
Enabling autorun by creating a file
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
krypt packed similar-threat vbnet
Link:
https://www.filescan.io/uploads/69c168012000fc76c3f9c86e/reports/7030609f-98b1-46c3-a0e0-d44584ea6ea7/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_100%
Link:
https://www.hybrid-analysis.com/sample/2804023cb811e89cd1fc6bec5614a689929a3c23f68939142176c7b2fbdd4b9f
Result
Gathering data
Verdict:
Malicious
File Type:
exe x32
Detections:
Trojan.Win32.Agent.sb Trojan.MSIL.Inject.sb Trojan.MSIL.Crypt.sb HEUR:Trojan-Spy.MSIL.Agent.sb HEUR:Trojan.WinLNK.Powecod.e HEUR:Trojan-PSW.MSIL.Stealer.gen HEUR:Trojan.Win32.Generic Trojan-PSW.Win32.Stelega.sb Trojan.MSIL.Agent.sb HEUR:Trojan-PSW.MSIL.Agent.gen Trojan-PSW.Win32.Stealer.sb
Link:
https://opentip.kaspersky.com/2804023cb811e89cd1fc6bec5614a689929a3c23f68939142176c7b2fbdd4b9f/results?tab=lookup
Malware family:
Snake Keylogger
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/fa849980-4146-4b4b-a9d9-b764f0b660b5
Result
Threat name:
Snake Keylogger, VIP Keylogger
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1887761
Signature
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains potential unpacker
Adds a directory exclusion to Windows Defender
Bypasses PowerShell execution policy
Found malware configuration
Injects a PE file into a foreign processes
Joe Sandbox ML detected suspicious sample
Loading BitLocker PowerShell Module
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sample uses string decryption to hide its real strings
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Suspicious powershell command line found
Tries to detect the country of the analysis system (by using the IP)
Windows shortcut file (LNK) contains suspicious command line arguments
Yara detected AntiVM3
Yara detected Snake Keylogger
Yara detected Telegram RAT
Yara detected VIP Keylogger
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1887761 Sample: MV ZENKEN MARU.exe Startdate: 23/03/2026 Architecture: WINDOWS Score: 100 31 reallyfreegeoip.org 2->31 33 checkip.dyndns.org 2->33 35 checkip.dyndns.com 2->35 41 Found malware configuration 2->41 43 Malicious sample detected (through community Yara rule) 2->43 45 Multi AV Scanner detection for submitted file 2->45 49 13 other signatures 2->49 8 MV ZENKEN MARU.exe 15 7 2->8         started        13 powershell.exe 15 2->13         started        signatures3 47 Tries to detect the country of the analysis system (by using the IP) 31->47 process4 dnsIp5 39 checkip.dyndns.com 158.101.44.242, 49693, 49700, 49701 ORACLE-BMC-31898US United States 8->39 27 C:\Users\user\AppData\Roaming\pKlBpLr.exe, PE32 8->27 dropped 29 C:\Users\user\...\MV ZENKEN MARU.exe.log, ASCII 8->29 dropped 51 Adds a directory exclusion to Windows Defender 8->51 53 Injects a PE file into a foreign processes 8->53 15 powershell.exe 23 8->15         started        18 MV ZENKEN MARU.exe 2 8->18         started        20 pKlBpLr.exe 14 4 13->20         started        23 conhost.exe 1 13->23         started        file6 signatures7 process8 dnsIp9 55 Loading BitLocker PowerShell Module 15->55 25 conhost.exe 15->25         started        37 reallyfreegeoip.org 172.67.177.134, 443, 49704, 49705 CLOUDFLARENETUS United States 20->37 57 Multi AV Scanner detection for dropped file 20->57 signatures10 process11
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/2804023cb811e89cd1fc6bec5614a689929a3c23f68939142176c7b2fbdd4b9f
Gathering data
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/2804023cb811e89cd1fc6bec5614a689929a3c23f68939142176c7b2fbdd4b9f/
Verdict:
Malicious
Threat:
Family.SNAKE
Link:
https://tip.neiki.dev/file/2804023cb811e89cd1fc6bec5614a689929a3c23f68939142176c7b2fbdd4b9f
Threat name:
ByteCode-MSIL.Backdoor.Remcos
Create hunting rule
Status:
Malicious
First seen:
2026-03-23 08:56:09 UTC
File Type:
PE (.Net Exe)
Extracted files:
4
AV detection:
18 of 36 (50.00%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=facaepfychujzup4npwfmffgrgjjupbd62etsfbbo3d3f665jopq._file
Verdict:
malicious
Label(s):
vipkeylogger
Create hunting rule
Similar samples:
error
SnakeKeylogger
Result
Malware family:
vipkeylogger
Create hunting rule
Score:
  10/10
Tags:
family:vipkeylogger collection discovery execution keylogger spyware stealer
Link:
https://tria.ge/reports/260323-tsk92sfz9z/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Browser Information Discovery
Enumerates physical storage devices
System Location Discovery: System Language Discovery
SmartAssembly .NET packer
Accesses Microsoft Outlook profiles
Looks up external IP address via web service
Checks computer location settings
Drops startup file
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Command and Scripting Interpreter: PowerShell
VIPKeylogger
Vipkeylogger family
Unpacked files
SH256 hash:
2804023cb811e89cd1fc6bec5614a689929a3c23f68939142176c7b2fbdd4b9f
MD5 hash:
05efdca9e8b3d881d1ebdaceca847767
SHA1 hash:
072a5bcf3642e64be1a5d124bf22698b3efd3ae4
Link:
https://www.unpac.me/results/520ecd2a-c315-4336-b807-968c5658edf8/
SH256 hash:
69bbfe65cd575c08b943d09a9c7727e3fb52d1e426509b39f1afd76cde81b639
MD5 hash:
d3a0a82edb69ec2bfdc74f4fe462a3f3
SHA1 hash:
3950c82647eea8d1a89dd8096168550c7321156a
Detections:
SUSP_OBF_NET_ConfuserEx_Name_Pattern_Jan24
Create hunting rule
Link:
https://www.unpac.me/results/520ecd2a-c315-4336-b807-968c5658edf8/
SH256 hash:
c34bce52bec1082bb93c560ace3bf62ae3f03b13e00b3200d86f662e3f08301b
MD5 hash:
a78bae91fa7d9d83460b200a20957e25
SHA1 hash:
7ccfe46686e91dfa601dd30cfe34086648751fc6
Detections:
win_404keylogger_g1
Create hunting rule
MAL_Envrial_Jan18_1
Create hunting rule
INDICATOR_SUSPICIOUS_Binary_References_Browsers
Create hunting rule
INDICATOR_SUSPICIOUS_EXE_References_Messaging_Clients
Create hunting rule
INDICATOR_SUSPICIOUS_EXE_DotNetProcHook
Create hunting rule
INDICATOR_SUSPICIOUS_EXE_TelegramChatBot
Create hunting rule
Link:
https://www.unpac.me/results/520ecd2a-c315-4336-b807-968c5658edf8/
SH256 hash:
b9abdf181a8746c43cd3665ce5c45ff33ddb8916b400454a26b2cb3e346bc194
MD5 hash:
e29ddeebef1fd4ef69698fa2ee7b1d65
SHA1 hash:
919b0e3bfc023f595dfb4e83688a96970dc5fa2b
Detections:
INDICATOR_EXE_Packed_SmartAssembly
Create hunting rule
Link:
https://www.unpac.me/results/520ecd2a-c315-4336-b807-968c5658edf8/
Parent samples :
8b012d3d775bd32f503cb84a6889d786c06623eeb8c840bd8c03073971530f52
88e156291d0a765e5c9b60daa6bd53c6ad75022e63ab286effe120aa6c16c222
316fee57d6004b1838576bb178215c99b56a0bd37a012e8650cd2898041f6785
046ebdd9e30338c5c6880ca8e8c7da3c37a3fd05611e9c21310ec5989f98095a
9612b142e2991ff8c9b66b283b9727cd8d2b5afff8521e8bb8806d36dcab5c43
08a1f9ca335c195d028e5f47b94f7e3b56945332b5f503ef60cdbba99c27998f
f034f4756f307c1c27424059cec7bc7f975493377588e086ea94721b38a68999
6a3368fb5ffab1283df539c6f17cb1244b563f5a3ad94d96adcde2dcadab66ae
7c40815633530147ad907fdc252aad2761fe35088020db35c4325dcc0f4d3329
dc31630436166d019ad9472db3b82f498ad0ed02d4cbd6a000d8b0dcee246e3b
d1805bb55498f94da1f9040517f7baaaacf2d4f77cdb6cd44a9436115dd12be9
4fb1c62f75a74fc547b2aa6ce7d8d147419212045f4d0a83d571fb93e4610613
b9abdf181a8746c43cd3665ce5c45ff33ddb8916b400454a26b2cb3e346bc194
94826673c7f54435e62ddb5d187cd852cbbadd0ddeab528bb7ccc0def7f65a73
2804023cb811e89cd1fc6bec5614a689929a3c23f68939142176c7b2fbdd4b9f
Malware family:
VIPKeylogger
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/2804023cb811/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/2804023cb811e89cd1fc6bec5614a689929a3c23f68939142176c7b2fbdd4b9f

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:NETexecutableMicrosoft
Create hunting rule
Author:malware-lu
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

SnakeKeylogger

Executable exe 2804023cb811e89cd1fc6bec5614a689929a3c23f68939142176c7b2fbdd4b9f

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/58877/

Comments