MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 2ed366c595c98fbfe00e692f6d7e06dd237bc2fce08070b610e220083bdb1fe4. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

SnakeKeylogger

Vendor detections: 18

Intelligence 18 IOCs YARA 16 File information Comments

SHA256 hash:	2ed366c595c98fbfe00e692f6d7e06dd237bc2fce08070b610e220083bdb1fe4
SHA3-384 hash:	a8070c762577ca4d68099af25841df386ee503f337355d40149f1f523b3b8a29b0dd6578bb2b67876076bb92bb2a0d8b
SHA1 hash:	92a1bb188aaffc7bf2992f3f4c869328c9813703
MD5 hash:	9b52d8498324a615edb04157f0cbe8be
humanhash:	delta-hydrogen-saturn-september
File name:	Parte prima firma_00554352517_14ottobre2025_1100_IT.docx.exe
Download:	download sample
Signature	SnakeKeylogger Create hunting rule
File size:	592'896 bytes
First seen:	2025-10-14 11:01:07 UTC
Last seen:	2025-10-14 11:05:08 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep	12288:fj7MBeO8XtYFKleO+COqXrlRZWpmmebGPr1llfnQ0qbdvnJ5Z:fj7MonPTiqXrlrWpzPPr1bVqbFZ
Threatray	3'813 similar samples on MalwareBazaar
TLSH	T12DC401683212D813CA65A3B40571F27812BD8EE9F511E782BFD97E9F78BAF110C14693
TrID	69.7% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13) 10.0% (.EXE) Win64 Executable (generic) (10522/11/4) 6.2% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 4.2% (.EXE) Win32 Executable (generic) (4504/4/1) 1.9% (.EXE) Win16/32 Executable Delphi generic (2072/23)
Magika	pebin
Reporter	JAMESWT_WT
Tags:	exe SnakeKeylogger Spam-ITA webmail-ki-lojaobrinquedos-com-br

Intelligence

File Origin

# of uploads :

# of downloads :

Origin country :

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

Parte prima firma_00554352517_14ottobre2025_1100_IT docx.z

Verdict:

Malicious activity

Analysis date:

2025-10-14 11:02:16 UTC

Tags:

arch-exec evasion snake keylogger stealer

Link:

https://app.any.run/tasks/39e3719d-cdd6-48c7-85df-9749e767214e

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

Snake

Link:

https://www.capesandbox.com/analysis/32660/

Verdict:

Malicious

Score:

99.1%

Link:

https://cyber-fortress.com/docs/result/index.php?id=68ee2da704e22ce9acd9ebdc

Tags:

underscore virus micro smtp

Result

Verdict:

Malware

Maliciousness:

Verdict:

Likely Malicious

Threat level:

7.5/10

Confidence:

100%

Tags:

masquerade obfuscated packed packed packer_detected vbnet

Link:

https://www.filescan.io/uploads/68ee2daf9da6b44f3c8b93d4/reports/4cf4a19f-55e7-4b7b-ad96-be25a18ee3aa/overview

Verdict:

Malicious

Labled as:

Win/malicious_confidence_100%

Link:

https://www.hybrid-analysis.com/sample/2ed366c595c98fbfe00e692f6d7e06dd237bc2fce08070b610e220083bdb1fe4

Verdict:

Malicious

File Type:

exe x32

First seen:

2025-10-14T04:48:00Z UTC

Last seen:

2025-10-16T04:46:00Z UTC

Hits:

~100

Detections:

HEUR:Trojan-Spy.MSIL.Agent.sb PDM:Trojan.Win32.Generic HEUR:Trojan.MSIL.Taskun.gen Trojan.MSIL.Taskun.sb Trojan.MSIL.Inject.sb Trojan-Spy.Agent.SMTP.C&C Trojan.Crypt.TCP.ServerRequest Trojan-Spy.MSIL.SnakeLogger.sb Trojan-PSW.Win32.Stealer.sb Trojan.MSIL.Crypt.sb

Link:

https://opentip.kaspersky.com/2ed366c595c98fbfe00e692f6d7e06dd237bc2fce08070b610e220083bdb1fe4/results?tab=lookup

Malware family:

Snake Keylogger

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/5f6b1335-f08f-42ba-9b7e-94e90e21b8fd

Score:

100%

Verdict:

Malware

File Type:

Link:

https://malprob.io/report/2ed366c595c98fbfe00e692f6d7e06dd237bc2fce08070b610e220083bdb1fe4

Verdict:

inconclusive

YARA:

10 match(es)

Tags:

.Net Executable Managed .NET PDB Path PE (Portable Executable) PE File Layout SOS: 0.35 Win 32 Exe x86

Link:

https://app.malva.re/file/9b52d8498324a615edb04157f0cbe8be

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/2ed366c595c98fbfe00e692f6d7e06dd237bc2fce08070b610e220083bdb1fe4/

Verdict:

Malicious

Threat:

Family.SNAKE

Link:

https://tip.neiki.dev/file/2ed366c595c98fbfe00e692f6d7e06dd237bc2fce08070b610e220083bdb1fe4

Threat name:

Win32.Trojan.Egairtigado

Status:

Malicious

First seen:

2025-10-14 11:00:24 UTC

File Type:

PE (.Net Exe)

Extracted files:

AV detection:

19 of 24 (79.17%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=f3jwnrmvzgh37yaonexw27qg3urxxqx44cahbnqq4iqaqo63d7sa._file

Verdict:

malicious

Label(s):

unc_loader_037

404keylogger

SnakeKeylogger

543b0d455d409155d088d96f0ea8ec6ae11edd0d18d5c39e949d4557b9cdca5d

SnakeKeylogger

67223d2d06877753d37011fa5a9fac6f4155f3e341c56b874c2a6775649f51f0

SnakeKeylogger

9b82825864714597159caad95b64b68cbb976756b1989d4d38e782858e510589

SnakeKeylogger

cb3c37115d314c01bdc7c55e3d685ca91065842745fdf1b74f73a46be6ef27c6

SnakeKeylogger

error

SnakeKeylogger

+ 3'803 additional samples on MalwareBazaar

Result

Malware family:

snakekeylogger

Score:

10/10

Tags:

family:snakekeylogger collection discovery keylogger spyware stealer

Link:

https://tria.ge/reports/251014-m4y7qayxdw/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

outlook_office_path

outlook_win_path

System Location Discovery: System Language Discovery

Suspicious use of SetThreadContext

Accesses Microsoft Outlook profiles

Looks up external IP address via web service

Reads user/profile data of local email clients

Reads user/profile data of web browsers

Snake Keylogger

Snake Keylogger payload

Snakekeylogger family

Verdict:

Unknown

Tags:

n/a

YARA:

n/a

Link:

https://app.threat.zone/submission/2470d4b5-7bde-4d94-8563-08e4b69a0a58

Unpacked files

SH256 hash:

2ed366c595c98fbfe00e692f6d7e06dd237bc2fce08070b610e220083bdb1fe4

MD5 hash:

9b52d8498324a615edb04157f0cbe8be

SHA1 hash:

92a1bb188aaffc7bf2992f3f4c869328c9813703

Link:

https://www.unpac.me/results/9e7d2399-fa28-4e23-8c8e-41319aa92e3b/

SH256 hash:

b794ed0c0c7d4499d0a2ffff67eb5b92dba83f4be7964591e9edad2755176511

MD5 hash:

2a576318d07470206dd7c45f7d896078

SHA1 hash:

3096b2a5ccd98583949a9f57842d5547b50bbc29

Link:

https://www.unpac.me/results/9e7d2399-fa28-4e23-8c8e-41319aa92e3b/

SH256 hash:

f9eda741e36de984f5764c76429ada284101b74abba47b708ac175c49f8227fe

MD5 hash:

48e1fdaf7662517c4e0f968966d4d7b0

SHA1 hash:

6320e1973e714027f3d4280c125ff36f51848f81

Detections:

MAL_Envrial_Jan18_1

INDICATOR_SUSPICIOUS_Binary_References_Browsers

INDICATOR_SUSPICIOUS_EXE_References_Messaging_Clients

INDICATOR_SUSPICIOUS_EXE_DotNetProcHook

MALWARE_Win_SnakeKeylogger

Link:

https://www.unpac.me/results/9e7d2399-fa28-4e23-8c8e-41319aa92e3b/

Parent samples :

2ed366c595c98fbfe00e692f6d7e06dd237bc2fce08070b610e220083bdb1fe4
f9eda741e36de984f5764c76429ada284101b74abba47b708ac175c49f8227fe
b234827824cb6864880f9bcf498b15a4a15511e541906347af53f0cd5ed60290
adbd8b904ab4bea6ff62fa51f68c11a1d1593fca88c8f556510f6a2764d98490
91be01581d30136fc1d54926fb6fee17beb10959dae4ff07c9808c0244cce25c
8e95907c0b65f2f882de4d6bf69e0b62bf6ea0be2a87e5cc0ffa535fad492264
74bfc0967b1636ed58fbfc95523775dbef1e084910676b1e13a775095fec013e
626a21b142572a7729f9ee6746af1a1b21378e2f2457f8bfce9bdbe7d1fbe136
4255224f9842c7cb47d5d5d488d2f45674ac540f2b4652618dd2153acd3cd151
27af0f60f3069416ee2be26ee18589448518135832e18ae26e867a95d22d8065
324fcd15e9d6f1b0991ad5943a3178031c608d872cb810eeef48f11295490d6f
5b51788ca1b5ba91fd6f120c8264ea6ca4ae45db3dce9079f741d4e90d7dd341

SH256 hash:

9c582b09461ef5cb975f1b545e21acdfcb954d5cc88becc97b2e1ed754c709bb

MD5 hash:

732967744e3c63a1e81ee12dc622f8bb

SHA1 hash:

7fa486ccdd907e34c7f6a1ec833cd7bbf8a92555

Detections:

SUSP_OBF_NET_ConfuserEx_Name_Pattern_Jan24

SUSP_OBF_NET_Reactor_Indicators_Jan24

Link:

https://www.unpac.me/results/9e7d2399-fa28-4e23-8c8e-41319aa92e3b/

Malware family:

SnakeKeylogger

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/2ed366c595c9/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/2ed366c595c98fbfe00e692f6d7e06dd237bc2fce08070b610e220083bdb1fe4

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	crime_snake_keylogger Create hunting rule
Author:	Rony (r0ny_123)
Description:	Detects Snake keylogger payload

Rule name:	DetectEncryptedVariants Create hunting rule
Author:	Zinyth
Description:	Detects 'encrypted' in ASCII, Unicode, base64, or hex-encoded

Rule name:	INDICATOR_SUSPICIOUS_Binary_References_Browsers Create hunting rule
Author:	ditekSHen
Description:	Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers.

Rule name:	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook Create hunting rule
Author:	ditekSHen
Description:	Detects executables with potential process hoocking

Rule name:	INDICATOR_SUSPICIOUS_EXE_References_Messaging_Clients Create hunting rule
Author:	ditekSHen
Description:	Detects executables referencing many email and collaboration clients. Observed in information stealers

Rule name:	MALWARE_Win_SnakeKeylogger Create hunting rule
Author:	ditekSHen
Description:	Detects Snake Keylogger

Rule name:	MAL_Envrial_Jan18_1 Create hunting rule
Author:	Florian Roth (Nextron Systems)
Description:	Detects Encrial credential stealer malware
Reference:	https://twitter.com/malwrhunterteam/status/953313514629853184

Rule name:	MAL_Envrial_Jan18_1_RID2D8C Create hunting rule
Author:	Florian Roth
Description:	Detects Encrial credential stealer malware
Reference:	https://twitter.com/malwrhunterteam/status/953313514629853184

Rule name:	NET Create hunting rule
Author:	malware-lu

Rule name:	NETexecutableMicrosoft Create hunting rule
Author:	malware-lu

Rule name:	pe_imphash Create hunting rule

Rule name:	RANSOMWARE Create hunting rule
Author:	ToroGuitar

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

Rule name:	Sus_CMD_Powershell_Usage Create hunting rule
Author:	XiAnzheng
Description:	May Contain(Obfuscated or no) Powershell or CMD Command that can be abused by threat actor(can create FP)

Rule name:	win32_dotnet_form_obfuscate Create hunting rule
Author:	Reedus0
Description:	Rule for detecting .NET form obfuscate malware

Rule name:	Windows_Trojan_SnakeKeylogger_af3faa65 Create hunting rule
Author:	Elastic Security

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/32660/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample