MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 34b19072c45c71ce1bbff06393ef5af4e753492eb21ffdc93350f68b54df9ae3. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

SnakeKeylogger

Vendor detections: 17

Intelligence 17 IOCs YARA 5 File information Comments

SHA256 hash:	34b19072c45c71ce1bbff06393ef5af4e753492eb21ffdc93350f68b54df9ae3
SHA3-384 hash:	ef1a1a7bfa0411d64aa05315aa3477c882999abe75ebc63c78847e6e229215c0a0d1c402263f29adac0acfee60b1ba5e
SHA1 hash:	3ed5a9ecc563a98d86910b5de0de32df5f779a7c
MD5 hash:	05ba0ada6656a633bdf6c0c89120fbc5
humanhash:	equal-uncle-florida-vermont
File name:	PO#80967.exe
Download:	download sample
Signature	SnakeKeylogger Create hunting rule
File size:	1'093'632 bytes
First seen:	2025-06-26 09:16:06 UTC
Last seen:	2025-06-27 07:21:25 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	0b768923437678ce375719e30b21693e (143 x Formbook, 25 x MassLogger, 22 x SnakeKeylogger)
ssdeep	24576:A5EmXFtKaL4/oFe5T9yyXYfP1ijXda8HB6Mub+Ts:APVt/LZeJbInQRa8hdub+
Threatray	3'592 similar samples on MalwareBazaar
TLSH	T10335AE0273D1C062FFAB95334F5AF6115ABC79260123A62F13981DBABD701B1563E7A3
TrID	40.3% (.EXE) Win64 Executable (generic) (10522/11/4) 19.3% (.EXE) Win16 NE executable (generic) (5038/12/1) 17.2% (.EXE) Win32 Executable (generic) (4504/4/1) 7.7% (.EXE) OS/2 Executable (generic) (2029/13) 7.6% (.EXE) Generic Win/DOS Executable (2002/3)
Magika	pebin
dhash icon	aae2f3e38383b629 (2'034 x Formbook, 1'183 x CredentialFlusher, 666 x AgentTesla)
Reporter	cocaman
Tags:	exe SnakeKeylogger

Intelligence

File Origin

# of uploads :

# of downloads :

477

Origin country :

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

rl_73279a96db5afd794bd62b193a1644092d45ec85b7f8484025e5ada6a3dbdaf5

Verdict:

Malicious activity

Analysis date:

2025-06-26 09:16:20 UTC

Tags:

arch-exec evasion snake keylogger stealer

Link:

https://app.any.run/tasks/704c729c-17b3-4beb-a372-851ddedb81f2

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

Snake

Link:

https://www.capesandbox.com/analysis/11215/

Detection(s):

SecuriteInfo.com.FileRepMalware.1244.20009.UNOFFICIAL

Verdict:

Malicious

Score:

99.1%

Link:

https://cyber-fortress.com/docs/result/index.php?id=685d0fe4b06783b9ebd7f852

Tags:

autoit emotet

Result

Verdict:

Malware

Maliciousness:

Behaviour

Searching for the window

Creating a window

Creating a file in the %temp% directory

Launching a process

Сreating synchronization primitives

DNS request

Connection attempt

Sending an HTTP GET request

Sending a custom TCP request

Reading critical registry keys

Unauthorized injection to a system process

Forced shutdown of a browser

Verdict:

Malicious

Labled as:

Win/malicious_confidence_100%

Link:

https://www.hybrid-analysis.com/sample/34b19072c45c71ce1bbff06393ef5af4e753492eb21ffdc93350f68b54df9ae3

Malware family:

Snake Keylogger

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/a0a6c55b-00e6-4f42-99e2-14b3b6002087

Result

Threat name:

Snake Keylogger

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1723331

Signature

Binary is likely a compiled AutoIt script file

Found API chain indicative of sandbox detection

Found malware configuration

Initial sample is a PE file and has a suspicious name

Joe Sandbox ML detected suspicious sample

Malicious sample detected (through community Yara rule)

Maps a DLL or memory area into another process

Multi AV Scanner detection for submitted file

Sample uses string decryption to hide its real strings

Switches to a custom stack to bypass stack traces

Tries to detect the country of the analysis system (by using the IP)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Mail credentials (via file / registry access)

Writes to foreign memory regions

Yara detected Snake Keylogger

Behaviour

Behavior Graph:

Download SVG

Score:

100%

Verdict:

Malware

File Type:

Link:

https://malprob.io/report/34b19072c45c71ce1bbff06393ef5af4e753492eb21ffdc93350f68b54df9ae3

Gathering data

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/34b19072c45c71ce1bbff06393ef5af4e753492eb21ffdc93350f68b54df9ae3/

Verdict:

Malicious

Link:

https://tip.neiki.dev/file/34b19072c45c71ce1bbff06393ef5af4e753492eb21ffdc93350f68b54df9ae3

Threat name:

Win32.Trojan.SnakeKeylogger

Status:

Malicious

First seen:

2025-06-26 02:07:23 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

29 of 38 (76.32%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=gsyza4welry44g576brzh3226ttvgsjowip73sjtkd3iwvg7tlrq._file

Verdict:

malicious

Label(s):

404keylogger

SnakeKeylogger

2cbc13099ee1ba4b8c671bfca525bb2c5c057c2fc13df105dec2852a8b672e50

SnakeKeylogger

34b19072c45c71ce1bbff06393ef5af4e753492eb21ffdc93350f68b54df9ae3

SnakeKeylogger

aaafef5626e290054972c26d16da85181085846beb59b95cd066546a622f87f9

SnakeKeylogger

bd359e9c378164ced9b83d3b0e76f94bda81911fd848b44aed89275ff7b1c314

SnakeKeylogger

error

SnakeKeylogger

f057e765a9c2a0dc4fbfdff5817cc4aeed1a0fedfeacbde7961dd32f6adc8e08

SnakeKeylogger

+ 3'582 additional samples on MalwareBazaar

Result

Malware family:

snakekeylogger

Score:

10/10

Tags:

family:snakekeylogger collection discovery keylogger stealer

Link:

https://tria.ge/reports/250626-k8r8vssrw7/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: MapViewOfSection

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

outlook_office_path

outlook_win_path

Program crash

System Location Discovery: System Language Discovery

Suspicious use of SetThreadContext

Accesses Microsoft Outlook profiles

Looks up external IP address via web service

Snake Keylogger

Snake Keylogger payload

Snakekeylogger family

Verdict:

Informative

Tags:

n/a

YARA:

n/a

Link:

https://app.threat.zone/submission/cc7ca94e-2b9d-4805-a55c-a7bc2cd0b986

Unpacked files

SH256 hash:

34b19072c45c71ce1bbff06393ef5af4e753492eb21ffdc93350f68b54df9ae3

MD5 hash:

05ba0ada6656a633bdf6c0c89120fbc5

SHA1 hash:

3ed5a9ecc563a98d86910b5de0de32df5f779a7c

Link:

https://www.unpac.me/results/282976d0-c55a-4d25-9944-bfcdc9572cff/

SH256 hash:

ef8ba4be77cba9ddd2b41f191dfac798f9c369fd5bddeef750c100d5428c9cc9

MD5 hash:

ef89629e44642963f780a1adfbec9bdb

SHA1 hash:

d698a95c3568eb38c172331466d9b5e1cf02ca42

Detections:

win_404keylogger_g1

snake_keylogger

MAL_Envrial_Jan18_1

INDICATOR_SUSPICIOUS_Binary_References_Browsers

INDICATOR_SUSPICIOUS_EXE_References_Messaging_Clients

INDICATOR_SUSPICIOUS_EXE_DotNetProcHook

MALWARE_Win_SnakeKeylogger

Link:

https://www.unpac.me/results/282976d0-c55a-4d25-9944-bfcdc9572cff/

Parent samples :

69f7f5184a172ad43c5cb32d8c2c5dba5c8b67838b2f895117ddb362b805cf68
bf9f84205245698621d7d37f6bf5783d735d4840f514c79c9166c07b84b9a043
89dcebec2d13a5469569db4075b595797b914b8f2c472547415eb6f4ca05d023
e700543bf24e34ae3c78f7f7db0f32b543fafd561674ff35bd227efbec3591c8
a5a895ef9fd3d2a7cb217cebe4674173fee2813c9242d386210624de34af29d9
ef8ba4be77cba9ddd2b41f191dfac798f9c369fd5bddeef750c100d5428c9cc9
edf0d05f27b9a5ed1f4b216d2ea71997b02a2b05be07ec0d54e4f9e99897c797
6ef7e6b7f68656ff45e2d4a671b740aad9ca63a1e0fba6a4a11528b728f93589
34b19072c45c71ce1bbff06393ef5af4e753492eb21ffdc93350f68b54df9ae3
75d631734ecc86eee16c3775b08cf678d5ec0a24dbaa4b9edc09545b401dfa84
e6955c6feb002c426cd1fac9174ca3ac8bfc32d2956fa355e6a82d7ec6b0994d
db315f043f2618d06b9990a644773ac6c45905ac86febe0d1796928eb6670173

Malware family:

SnakeKeylogger

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/34b19072c45c/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/34b19072c45c71ce1bbff06393ef5af4e753492eb21ffdc93350f68b54df9ae3

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	AutoIT_Compiled Create hunting rule
Author:	@bartblaze
Description:	Identifies compiled AutoIT script (as EXE). This rule by itself does NOT necessarily mean the detected file is malicious.

Rule name:	DebuggerCheck__API Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	golang_bin_JCorn_CSC846 Create hunting rule
Author:	Justin Cornwell
Description:	CSC-846 Golang detection ruleset

Rule name:	pe_detect_tls_callbacks Create hunting rule

Rule name:	Sus_Obf_Enc_Spoof_Hide_PE Create hunting rule
Author:	XiAnzheng
Description:	Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique(can create FP)

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

SnakeKeylogger

zip 73279a96db5afd794bd62b193a1644092d45ec85b7f8484025e5ada6a3dbdaf5

SnakeKeylogger

exe 34b19072c45c71ce1bbff06393ef5af4e753492eb21ffdc93350f68b54df9ae3

(this sample)

Delivery method

Other

Dropped by

SHA256 73279a96db5afd794bd62b193a1644092d45ec85b7f8484025e5ada6a3dbdaf5

Dropped by

MD5 f007991b39f52eeb59f8292128dae578

Cape

https://www.capesandbox.com/analysis/11215/

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings

ID	Title	Severity
CHECK_AUTHENTICODE	Missing Authenticode	high
CHECK_DLL_CHARACTERISTICS	Missing dll Security Characteristics (HIGH_ENTROPY_VA)	high
CHECK_NX	Missing Non-Executable Memory Protection	critical

Reviews

ID	Capabilities	Evidence
AUTH_API	Manipulates User Authorization	ADVAPI32.dll::AllocateAndInitializeSid ADVAPI32.dll::CopySid ADVAPI32.dll::FreeSid ADVAPI32.dll::GetLengthSid ADVAPI32.dll::GetTokenInformation ADVAPI32.dll::GetAce
COM_BASE_API	Can Download & Execute components	ole32.dll::CLSIDFromProgID ole32.dll::CoCreateInstance ole32.dll::CoCreateInstanceEx ole32.dll::CoInitializeSecurity ole32.dll::CreateStreamOnHGlobal
MULTIMEDIA_API	Can Play Multimedia	WINMM.dll::mciSendStringW WINMM.dll::timeGetTime WINMM.dll::waveOutSetVolume
SECURITY_BASE_API	Uses Security Base API	ADVAPI32.dll::AddAce ADVAPI32.dll::AdjustTokenPrivileges ADVAPI32.dll::CheckTokenMembership ADVAPI32.dll::DuplicateTokenEx ADVAPI32.dll::GetAclInformation ADVAPI32.dll::GetSecurityDescriptorDacl
SHELL_API	Manipulates System Shell	SHELL32.dll::ShellExecuteExW SHELL32.dll::ShellExecuteW SHELL32.dll::SHFileOperationW
WIN32_PROCESS_API	Can Create Process and Threads	ADVAPI32.dll::CreateProcessAsUserW KERNEL32.dll::CreateProcessW ADVAPI32.dll::CreateProcessWithLogonW KERNEL32.dll::OpenProcess ADVAPI32.dll::OpenProcessToken ADVAPI32.dll::OpenThreadToken
WIN_BASE_API	Uses Win Base API	KERNEL32.dll::TerminateProcess KERNEL32.dll::SetSystemPowerState KERNEL32.dll::LoadLibraryA KERNEL32.dll::LoadLibraryExW KERNEL32.dll::LoadLibraryW KERNEL32.dll::GetDriveTypeW
WIN_BASE_EXEC_API	Can Execute other programs	KERNEL32.dll::WriteConsoleW KERNEL32.dll::ReadConsoleW KERNEL32.dll::SetStdHandle KERNEL32.dll::GetConsoleCP KERNEL32.dll::GetConsoleMode
WIN_BASE_IO_API	Can Create Files	KERNEL32.dll::CopyFileExW KERNEL32.dll::CopyFileW KERNEL32.dll::CreateDirectoryW KERNEL32.dll::CreateHardLinkW IPHLPAPI.DLL::IcmpCreateFile KERNEL32.dll::CreateFileW
WIN_BASE_USER_API	Retrieves Account Information	KERNEL32.dll::GetComputerNameW ADVAPI32.dll::GetUserNameW ADVAPI32.dll::LogonUserW ADVAPI32.dll::LookupPrivilegeValueW
WIN_NETWORK_API	Supports Windows Networking	MPR.dll::WNetAddConnection2W MPR.dll::WNetUseConnectionW
WIN_REG_API	Can Manipulate Windows Registry	ADVAPI32.dll::RegConnectRegistryW ADVAPI32.dll::RegCreateKeyExW ADVAPI32.dll::RegDeleteKeyW ADVAPI32.dll::RegOpenKeyExW ADVAPI32.dll::RegQueryValueExW ADVAPI32.dll::RegSetValueExW
WIN_USER_API	Performs GUI Actions	USER32.dll::BlockInput USER32.dll::CloseDesktop USER32.dll::CreateMenu USER32.dll::EmptyClipboard USER32.dll::FindWindowExW USER32.dll::FindWindowW

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample