MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 2cdd6fb6cace668f883a8e0134248e484d9a3504bf60b53c7f55fad5ec6eb866. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

SnakeKeylogger

Vendor detections: 16

Intelligence 16 IOCs YARA 21 File information Comments

SHA256 hash:	2cdd6fb6cace668f883a8e0134248e484d9a3504bf60b53c7f55fad5ec6eb866
SHA3-384 hash:	b831ffdc21c10d913e8314024d0855e7573ff5999e8522d80a2f39f8824fa1b0e833f2aea3b6801b2ed572bdb87186e2
SHA1 hash:	b1f7f5f10bec7402055307ad972a7630ce7ebc65
MD5 hash:	c2e7a1f34005ad9a920caefd271fc4b6
humanhash:	sierra-venus-pizza-happy
File name:	2cdd6fb6cace668f883a8e0134248e484d9a3504bf60b53c7f55fad5ec6eb866
Download:	download sample
Signature	SnakeKeylogger Create hunting rule
File size:	523'776 bytes
First seen:	2025-11-06 10:54:23 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	21371b611d91188d602926b15db6bd48 (60 x Formbook, 23 x AgentTesla, 20 x RemcosRAT)
ssdeep	12288:3z7hU5I5yuNHIgzSFKxWltRohBfSTso93Ux95xWKcI5owsAp+:3f+iN57Gtene3UUKw
Threatray	4'082 similar samples on MalwareBazaar
TLSH	T19FB4129668C09960C09273708836CD51497939719E1A73BE872DF96F7CB03C3EA67B4E
TrID	39.1% (.EXE) UPX compressed Win32 Executable (27066/9/6) 38.3% (.EXE) Win32 EXE Yoda's Crypter (26569/9/4) 7.2% (.EXE) Win16 NE executable (generic) (5038/12/1) 6.5% (.EXE) Win32 Executable (generic) (4504/4/1) 2.9% (.EXE) OS/2 Executable (generic) (2029/13)
Magika	pebin
Reporter	adrian__luca
Tags:	exe SnakeKeylogger UPX

UPX packed

This file is packed with UPX. We have therefore unpacked the file. Below is furhter information about the unpacked (de-compressed) file.

File size (compressed) :	523'776 bytes
File size (de-compressed) :	1'030'144 bytes
Format:	win32/pe
Unpacked file:	91f364727c5515a37f48a0b1a9eb0782ef5cd2f7d2ad49f1f44beabea75089d2

Intelligence

File Origin

# of uploads :

# of downloads :

Origin country :

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

INVOICE-09876545678.eml

Verdict:

No threats detected

Analysis date:

2025-10-20 05:05:58 UTC

Tags:

susp-attachments attachments attc-unc arch-exec

Link:

https://app.any.run/tasks/3a4e1f4a-19da-43de-a49b-4181d51a798f

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

Snake

Link:

https://www.capesandbox.com/analysis/35937/

Verdict:

Malicious

Score:

99.1%

Link:

https://cyber-fortress.com/docs/result/index.php?id=690c7e81ea0f3e915c238677

Tags:

autorun autoit

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

Creating a file in the %temp% directory

Sending a custom TCP request

Creating a file

Creating a process from a recently created file

Launching a process

Сreating synchronization primitives

DNS request

Connection attempt

Sending an HTTP GET request

Reading critical registry keys

Stealing user critical data

Enabling autorun by creating a file

Unauthorized injection to a system process

Gathering data

Verdict:

Malicious

Labled as:

Win/malicious_confidence_100%

Link:

https://www.hybrid-analysis.com/sample/2cdd6fb6cace668f883a8e0134248e484d9a3504bf60b53c7f55fad5ec6eb866

Verdict:

Malicious

File Type:

exe x32

First seen:

2025-10-19T20:46:00Z UTC

Last seen:

2025-11-07T15:49:00Z UTC

Hits:

~1000

Link:

https://opentip.kaspersky.com/2cdd6fb6cace668f883a8e0134248e484d9a3504bf60b53c7f55fad5ec6eb866/results?tab=lookup

Malware family:

Snake Keylogger

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/82d5efd2-20a4-44d4-8f2c-8203acc2caa0

Score:

100%

Verdict:

Malware

File Type:

Link:

https://malprob.io/report/2cdd6fb6cace668f883a8e0134248e484d9a3504bf60b53c7f55fad5ec6eb866

Verdict:

Malware

YARA:

5 match(es)

Tags:

AutoIt Decompiled Executable PE (Portable Executable) PE File Layout Suspect Win 32 Exe x86

Link:

https://app.malva.re/file/c2e7a1f34005ad9a920caefd271fc4b6

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/2cdd6fb6cace668f883a8e0134248e484d9a3504bf60b53c7f55fad5ec6eb866/

Threat name:

ByteCode-MSIL.Trojan.SnakeStealer

Status:

Malicious

First seen:

2025-10-19 23:55:42 UTC

AV detection:

21 of 24 (87.50%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=ftow7nwkzzti7cb2ryatijeojbgzuniex5qlkpd7kx5nl3doxbta._file

Verdict:

malicious

Label(s):

404keylogger

SnakeKeylogger

51baf7fe0bb25ca0810b31eb224f2c779ccdb6086151139dfcf95ebc70bad029

SnakeKeylogger

60935340a8e15bd11c18985a23267dbe3f2576de3cb4d0cb118f8815e45746e3

SnakeKeylogger

624fe4205bb4581a794e454cdcb181f3d5affd7ee3e452db13c0773dda65ba6a

SnakeKeylogger

bbeb60069be1fdb21ef420628bb1294bcdac1441d29cf3c91cbc2dfd7e7e07c1

SnakeKeylogger

+ 4'072 additional samples on MalwareBazaar

Result

Malware family:

snakekeylogger

Score:

10/10

Tags:

family:snakekeylogger collection discovery keylogger stealer upx

Link:

https://tria.ge/reports/251106-m1bbgszpfv/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: MapViewOfSection

Suspicious use of AdjustPrivilegeToken

Suspicious use of FindShellTrayWindow

Suspicious use of SendNotifyMessage

Suspicious use of WriteProcessMemory

outlook_office_path

outlook_win_path

Program crash

System Location Discovery: System Language Discovery

AutoIT Executable

Suspicious use of SetThreadContext

UPX packed file

Accesses Microsoft Outlook profiles

Looks up external IP address via web service

Drops startup file

Executes dropped EXE

Snake Keylogger

Snake Keylogger payload

Snakekeylogger family

Verdict:

Malicious

Tags:

404Keylogger

YARA:

n/a

Link:

https://app.threat.zone/submission/932ef77b-6368-454d-94f3-c8ac47632855

Unpacked files

SH256 hash:

2cdd6fb6cace668f883a8e0134248e484d9a3504bf60b53c7f55fad5ec6eb866

MD5 hash:

c2e7a1f34005ad9a920caefd271fc4b6

SHA1 hash:

b1f7f5f10bec7402055307ad972a7630ce7ebc65

Link:

https://www.unpac.me/results/199aea2e-8ba7-4d1d-8cf6-817c952e6ce4/

SH256 hash:

ab074c17469c78b73adabc252b28e58f94d33b35cea7d3c4cba735a4d625a457

MD5 hash:

8eaa8a9fee469ebc5b4552a148d67d19

SHA1 hash:

c20c781989f22a2e2c1f73c3e6e1b37d8190af00

Detections:

win_404keylogger_g1

win_masslogger_w0

snake_keylogger

MAL_Envrial_Jan18_1

INDICATOR_SUSPICIOUS_Binary_References_Browsers

INDICATOR_SUSPICIOUS_EXE_References_Messaging_Clients

INDICATOR_SUSPICIOUS_EXE_DotNetProcHook

MALWARE_Win_SnakeKeylogger

Link:

https://www.unpac.me/results/199aea2e-8ba7-4d1d-8cf6-817c952e6ce4/

Parent samples :

ed9e2702e14b07eeafe408ab9d66d39abb1700e2f6cf4c175db48d741bd19cf8
b50a00929e501313e1973833528b15251bdc410bf43f0328617af7c702096ad8
b7d078fa73d4a05c8216beddcb32493375d8457879525e026712e2a3e5198d89
cf960781f1a616c0277102db1d353fd73fa2c1e2642dac9e9a31aa21b8d5854f
42f5cbb12c4e13fb288fa434f31141d11f75f6a886623668d2d10f883dfc912b
4af374bbae171062a58c22a6a310fdeb2da768cf2bee3bceb8e7677a51c150fa
66fb500e98e755b7ec119c1e9477621ff55e1f08bcca1361c500cb3966d0fb6b
61f18c9b35079e3e414ea5d991e5bc8c1d408941584173d7e4d6d89721ff2d5d
2cdd6fb6cace668f883a8e0134248e484d9a3504bf60b53c7f55fad5ec6eb866
91f364727c5515a37f48a0b1a9eb0782ef5cd2f7d2ad49f1f44beabea75089d2
ef191e2d10681d7e07d403c5a0f5c595fb55c54c9a66ddd6cabdb7af0d6f65b2
d8becc9e6e2f778b79f2fbc7de9d7a922aeab696ba2a799fbcf9ed1267a171d1

SH256 hash:

23683bd149f4709ada08cef8653600eaeaf865448c63a9c18f03a12a088e9d45

MD5 hash:

bf8be5ef035ed1b45b423cb0b9fd5154

SHA1 hash:

9343a085a5ba91a2d905426027381a39d4c0f7bb

Detections:

AutoIT_Compiled

Link:

https://www.unpac.me/results/199aea2e-8ba7-4d1d-8cf6-817c952e6ce4/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/2cdd6fb6cace668f883a8e0134248e484d9a3504bf60b53c7f55fad5ec6eb866

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	crime_snake_keylogger Create hunting rule
Author:	Rony (r0ny_123)
Description:	Detects Snake keylogger payload

Rule name:	DetectEncryptedVariants Create hunting rule
Author:	Zinyth
Description:	Detects 'encrypted' in ASCII, Unicode, base64, or hex-encoded

Rule name:	INDICATOR_SUSPICIOUS_Binary_References_Browsers Create hunting rule
Author:	ditekSHen
Description:	Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers.

Rule name:	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook Create hunting rule
Author:	ditekSHen
Description:	Detects executables with potential process hoocking

Rule name:	INDICATOR_SUSPICIOUS_EXE_References_Messaging_Clients Create hunting rule
Author:	ditekSHen
Description:	Detects executables referencing many email and collaboration clients. Observed in information stealers

Rule name:	MALWARE_Win_SnakeKeylogger Create hunting rule
Author:	ditekSHen
Description:	Detects Snake Keylogger

Rule name:	MAL_Envrial_Jan18_1 Create hunting rule
Author:	Florian Roth (Nextron Systems)
Description:	Detects Encrial credential stealer malware
Reference:	https://twitter.com/malwrhunterteam/status/953313514629853184

Rule name:	MAL_Envrial_Jan18_1_RID2D8C Create hunting rule
Author:	Florian Roth
Description:	Detects Encrial credential stealer malware
Reference:	https://twitter.com/malwrhunterteam/status/953313514629853184

Rule name:	masslogger_gcch Create hunting rule
Author:	govcert_ch

Rule name:	NET Create hunting rule
Author:	malware-lu

Rule name:	NETexecutableMicrosoft Create hunting rule
Author:	malware-lu

Rule name:	pe_detect_tls_callbacks Create hunting rule

Rule name:	pe_imphash Create hunting rule

Rule name:	RANSOMWARE Create hunting rule
Author:	ToroGuitar

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

Rule name:	Sus_CMD_Powershell_Usage Create hunting rule
Author:	XiAnzheng
Description:	May Contain(Obfuscated or no) Powershell or CMD Command that can be abused by threat actor(can create FP)

Rule name:	UPXV200V290MarkusOberhumerLaszloMolnarJohnReiser Create hunting rule
Author:	malware-lu

Rule name:	upx_3 Create hunting rule
Author:	Kevin Falcoz
Description:	UPX 3.X

Rule name:	upx_largefile Create hunting rule
Author:	k3nr9

Rule name:	Windows_Trojan_SnakeKeylogger_af3faa65 Create hunting rule
Author:	Elastic Security

Rule name:	win_masslogger_w0 Create hunting rule
Author:	govcert_ch

File information

The table below shows additional information about this malware sample such as delivery method and external references.

SnakeKeylogger

exe 2cdd6fb6cace668f883a8e0134248e484d9a3504bf60b53c7f55fad5ec6eb866

(this sample)

SnakeKeylogger

exe 91f364727c5515a37f48a0b1a9eb0782ef5cd2f7d2ad49f1f44beabea75089d2

Cape

https://www.capesandbox.com/analysis/35937/

Dropping

SHA256 91f364727c5515a37f48a0b1a9eb0782ef5cd2f7d2ad49f1f44beabea75089d2

Dropping

MD5 8a4de4e21f3a0cad442d0dc90f8c3d3f

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample