MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 324fcd15e9d6f1b0991ad5943a3178031c608d872cb810eeef48f11295490d6f. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

SnakeKeylogger

Vendor detections: 19

Intelligence 19 IOCs YARA 17 File information Comments

SHA256 hash:	324fcd15e9d6f1b0991ad5943a3178031c608d872cb810eeef48f11295490d6f
SHA3-384 hash:	53c57f5d478f3a5908a0a41e28fee798115457ee9ee870a89e6332d096cc89a3dd76fb9af5f801f5df7fe0a00e69e214
SHA1 hash:	912a7202d2766a5a44a5be5884ccac57e0648455
MD5 hash:	a1162e627cbd00a8821bb8e1ca7f71e4
humanhash:	tennessee-potato-burger-wyoming
File name:	324fcd15e9d6f1b0991ad5943a3178031c608d872cb810eeef48f11295490d6f(2)
Download:	download sample
Signature	SnakeKeylogger Create hunting rule
File size:	593'920 bytes
First seen:	2025-10-14 11:21:23 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'462 x Formbook, 12'204 x SnakeKeylogger)
ssdeep	12288:wj7plkO0e5PrhmKu1emeHWcsPYAnyEIdE0Rgj6C5b8McVSYqbdvnJ5N:wj7psexrNLmUyHnDIdPG2C58MKSYqbFN
Threatray	3'810 similar samples on MalwareBazaar
TLSH	T1F3C401A83215D917C56253345A70F2B8137E5DE8F911E296BFDC7E9FB8A4F026C40A83
TrID	69.7% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13) 10.0% (.EXE) Win64 Executable (generic) (10522/11/4) 6.2% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 4.2% (.EXE) Win32 Executable (generic) (4504/4/1) 1.9% (.EXE) Win16/32 Executable Delphi generic (2072/23)
Magika	pebin
Reporter	JAMESWT_WT
Tags:	exe SnakeKeylogger webmail-ki-lojaobrinquedos-com-br

Intelligence

File Origin

# of uploads :

# of downloads :

Origin country :

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

a1162e627cbd00a8821bb8e1ca7f71e4.docx.exe

Verdict:

Malicious activity

Analysis date:

2025-10-14 11:22:16 UTC

Tags:

evasion snake keylogger stealer

Link:

https://app.any.run/tasks/0e62f54b-f7f5-44f7-a105-41733a50f0a2

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

Snake

Link:

https://www.capesandbox.com/analysis/32677/

Detection(s):

no reply from clamd

Verdict:

Malicious

Score:

99.1%

Link:

https://cyber-fortress.com/docs/result/index.php?id=68ee324497a16d00a8d9d0f3

Tags:

virus micro msil

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

Sending a custom TCP request

Unauthorized injection to a recently created process

Restart of the analyzed sample

Creating a file

Сreating synchronization primitives

DNS request

Connection attempt

Sending an HTTP GET request

Reading critical registry keys

Stealing user critical data

Forced shutdown of a browser

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

base64 bitmap config-extracted lolbin msbuild obfuscated obfuscated packed packed reconnaissance regsvcs rezer0 roboski schtasks snake_keylogger stego vbc vbnet

Link:

https://www.filescan.io/uploads/68ee32499da6b44f3c8b9451/reports/9873020b-4a39-4db2-a18a-e7990a04d302/overview

Verdict:

Malicious

Labled as:

Win/malicious_confidence_100%

Link:

https://www.hybrid-analysis.com/sample/324fcd15e9d6f1b0991ad5943a3178031c608d872cb810eeef48f11295490d6f

Verdict:

Malicious

File Type:

exe x32

First seen:

2025-10-14T03:32:00Z UTC

Last seen:

2025-10-15T20:01:00Z UTC

Hits:

~100

Detections:

Trojan-Spy.MSIL.SnakeLogger.sb Trojan.MSIL.Taskun.sb Trojan.MSIL.Inject.sb Trojan-Spy.Agent.SMTP.C&C HEUR:Trojan.MSIL.Taskun.gen Trojan-PSW.Win32.Stealer.sb Trojan.MSIL.Crypt.sb HEUR:Trojan-Spy.MSIL.Agent.sb Trojan.Crypt.TCP.ServerRequest PDM:Trojan.Win32.Generic

Link:

https://opentip.kaspersky.com/324fcd15e9d6f1b0991ad5943a3178031c608d872cb810eeef48f11295490d6f/results?tab=lookup

Malware family:

Malicious Packer

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/c6f8b16b-c0ec-4f43-9c91-865e1e32d530

Score:

100%

Verdict:

Malware

File Type:

Link:

https://malprob.io/report/324fcd15e9d6f1b0991ad5943a3178031c608d872cb810eeef48f11295490d6f

Verdict:

inconclusive

YARA:

10 match(es)

Tags:

.Net Executable Managed .NET PDB Path PE (Portable Executable) PE File Layout SOS: 0.35 Win 32 Exe x86

Link:

https://app.malva.re/file/a1162e627cbd00a8821bb8e1ca7f71e4

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/324fcd15e9d6f1b0991ad5943a3178031c608d872cb810eeef48f11295490d6f/

Verdict:

Malicious

Threat:

Family.SNAKE

Link:

https://tip.neiki.dev/file/324fcd15e9d6f1b0991ad5943a3178031c608d872cb810eeef48f11295490d6f

Threat name:

Win32.Trojan.Taskun

Status:

Malicious

First seen:

2025-10-14 12:35:02 UTC

File Type:

PE (.Net Exe)

Extracted files:

AV detection:

19 of 24 (79.17%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=gjh42fpj23y3bgi22wkdumlyamogbdmhfs4bb3xpjdyrffkjbvxq._file

Verdict:

malicious

Label(s):

unc_loader_037

404keylogger

SnakeKeylogger

543b0d455d409155d088d96f0ea8ec6ae11edd0d18d5c39e949d4557b9cdca5d

SnakeKeylogger

67223d2d06877753d37011fa5a9fac6f4155f3e341c56b874c2a6775649f51f0

SnakeKeylogger

9b82825864714597159caad95b64b68cbb976756b1989d4d38e782858e510589

SnakeKeylogger

cb3c37115d314c01bdc7c55e3d685ca91065842745fdf1b74f73a46be6ef27c6

SnakeKeylogger

error

SnakeKeylogger

+ 3'800 additional samples on MalwareBazaar

Result

Malware family:

snakekeylogger

Score:

10/10

Tags:

family:snakekeylogger collection discovery keylogger spyware stealer

Link:

https://tria.ge/reports/251014-ngbnksfz4g/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

outlook_office_path

outlook_win_path

System Location Discovery: System Language Discovery

Suspicious use of SetThreadContext

Accesses Microsoft Outlook profiles

Looks up external IP address via web service

Reads user/profile data of local email clients

Reads user/profile data of web browsers

Snake Keylogger

Snake Keylogger payload

Snakekeylogger family

Verdict:

Malicious

Tags:

404Keylogger

YARA:

n/a

Link:

https://app.threat.zone/submission/ab71f19b-e81b-439f-9e38-f1c5f19df70e

Unpacked files

SH256 hash:

324fcd15e9d6f1b0991ad5943a3178031c608d872cb810eeef48f11295490d6f

MD5 hash:

a1162e627cbd00a8821bb8e1ca7f71e4

SHA1 hash:

912a7202d2766a5a44a5be5884ccac57e0648455

Link:

https://www.unpac.me/results/58f9cba5-a0f3-4bc6-b133-12f3e99decf3/

SH256 hash:

b794ed0c0c7d4499d0a2ffff67eb5b92dba83f4be7964591e9edad2755176511

MD5 hash:

2a576318d07470206dd7c45f7d896078

SHA1 hash:

3096b2a5ccd98583949a9f57842d5547b50bbc29

Link:

https://www.unpac.me/results/58f9cba5-a0f3-4bc6-b133-12f3e99decf3/

SH256 hash:

f9eda741e36de984f5764c76429ada284101b74abba47b708ac175c49f8227fe

MD5 hash:

48e1fdaf7662517c4e0f968966d4d7b0

SHA1 hash:

6320e1973e714027f3d4280c125ff36f51848f81

Detections:

win_404keylogger_g1

snake_keylogger

MAL_Envrial_Jan18_1

INDICATOR_SUSPICIOUS_Binary_References_Browsers

INDICATOR_SUSPICIOUS_EXE_References_Messaging_Clients

INDICATOR_SUSPICIOUS_EXE_DotNetProcHook

MALWARE_Win_SnakeKeylogger

Link:

https://www.unpac.me/results/58f9cba5-a0f3-4bc6-b133-12f3e99decf3/

Parent samples :

2ed366c595c98fbfe00e692f6d7e06dd237bc2fce08070b610e220083bdb1fe4
f9eda741e36de984f5764c76429ada284101b74abba47b708ac175c49f8227fe
b234827824cb6864880f9bcf498b15a4a15511e541906347af53f0cd5ed60290
adbd8b904ab4bea6ff62fa51f68c11a1d1593fca88c8f556510f6a2764d98490
91be01581d30136fc1d54926fb6fee17beb10959dae4ff07c9808c0244cce25c
8e95907c0b65f2f882de4d6bf69e0b62bf6ea0be2a87e5cc0ffa535fad492264
74bfc0967b1636ed58fbfc95523775dbef1e084910676b1e13a775095fec013e
626a21b142572a7729f9ee6746af1a1b21378e2f2457f8bfce9bdbe7d1fbe136
4255224f9842c7cb47d5d5d488d2f45674ac540f2b4652618dd2153acd3cd151
27af0f60f3069416ee2be26ee18589448518135832e18ae26e867a95d22d8065
324fcd15e9d6f1b0991ad5943a3178031c608d872cb810eeef48f11295490d6f
5b51788ca1b5ba91fd6f120c8264ea6ca4ae45db3dce9079f741d4e90d7dd341

SH256 hash:

1765a0e9f782f1d0383f459d2ad8e6c3ef1ad883aca8b94dd1f9badc1b937e65

MD5 hash:

366dee42cad0372f92a799544c1060e1

SHA1 hash:

81219a2c0b52ecbb5646450b3a768be72ba602e1

Detections:

SUSP_OBF_NET_ConfuserEx_Name_Pattern_Jan24

SUSP_OBF_NET_Reactor_Indicators_Jan24

Link:

https://www.unpac.me/results/58f9cba5-a0f3-4bc6-b133-12f3e99decf3/

Malware family:

SnakeKeylogger

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/324fcd15e9d6/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/324fcd15e9d6f1b0991ad5943a3178031c608d872cb810eeef48f11295490d6f

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	crime_snake_keylogger Create hunting rule
Author:	Rony (r0ny_123)
Description:	Detects Snake keylogger payload

Rule name:	DetectEncryptedVariants Create hunting rule
Author:	Zinyth
Description:	Detects 'encrypted' in ASCII, Unicode, base64, or hex-encoded

Rule name:	INDICATOR_SUSPICIOUS_Binary_References_Browsers Create hunting rule
Author:	ditekSHen
Description:	Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers.

Rule name:	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook Create hunting rule
Author:	ditekSHen
Description:	Detects executables with potential process hoocking

Rule name:	INDICATOR_SUSPICIOUS_EXE_References_Messaging_Clients Create hunting rule
Author:	ditekSHen
Description:	Detects executables referencing many email and collaboration clients. Observed in information stealers

Rule name:	MALWARE_Win_SnakeKeylogger Create hunting rule
Author:	ditekSHen
Description:	Detects Snake Keylogger

Rule name:	MAL_Envrial_Jan18_1 Create hunting rule
Author:	Florian Roth (Nextron Systems)
Description:	Detects Encrial credential stealer malware
Reference:	https://twitter.com/malwrhunterteam/status/953313514629853184

Rule name:	MAL_Envrial_Jan18_1_RID2D8C Create hunting rule
Author:	Florian Roth
Description:	Detects Encrial credential stealer malware
Reference:	https://twitter.com/malwrhunterteam/status/953313514629853184

Rule name:	NET Create hunting rule
Author:	malware-lu

Rule name:	NETexecutableMicrosoft Create hunting rule
Author:	malware-lu

Rule name:	pe_imphash Create hunting rule

Rule name:	RANSOMWARE Create hunting rule
Author:	ToroGuitar

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

Rule name:	Sus_CMD_Powershell_Usage Create hunting rule
Author:	XiAnzheng
Description:	May Contain(Obfuscated or no) Powershell or CMD Command that can be abused by threat actor(can create FP)

Rule name:	Windows_Trojan_SnakeKeylogger_af3faa65 Create hunting rule
Author:	Elastic Security

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/32677/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample