MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 3543cb3f9359037b6f177ab44ef175f17017381b33759d9709b46268f248012a. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

SnakeKeylogger

Vendor detections: 17

Intelligence 17 IOCs YARA 17 File information Comments

SHA256 hash:	3543cb3f9359037b6f177ab44ef175f17017381b33759d9709b46268f248012a
SHA3-384 hash:	1655b44c78986231304891f63f3a632594d4be2972a3e60f617b07ad88a76924ad45241c48e222a228c5b093cf693bac
SHA1 hash:	fe991cf54e15852f94083cc5e5de2d3aa1662358
MD5 hash:	1ec8195374e1e7e4e7fe82d80e2a36c5
humanhash:	december-mississippi-arizona-chicken
File name:	SecuriteInfo.com.Win32.CrypterX-gen.24076.19505
Download:	download sample
Signature	SnakeKeylogger Create hunting rule
File size:	846'344 bytes
First seen:	2025-04-07 06:35:18 UTC
Last seen:	2025-04-07 13:39:25 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'738 x AgentTesla, 19'596 x Formbook, 12'241 x SnakeKeylogger)
ssdeep	12288:CYsYqBCCwfdSn0YZ2uz3BeSFNalp1j5fQ7Khjb3NM4vzM9NsV6utPmW+B0zwDGx7:zfV/Da34vp1UU3NMFsVHm1EILy
Threatray	1'254 similar samples on MalwareBazaar
TLSH	T1A105F064336CE903D5B643F51820D7700376AE9E7A21E3C69EEA7CDF38A1F415A4069B
TrID	71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13) 10.2% (.EXE) Win64 Executable (generic) (10522/11/4) 6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 4.3% (.EXE) Win32 Executable (generic) (4504/4/1) 2.0% (.ICL) Windows Icons Library (generic) (2059/9)
Magika	pebin
dhash icon	0068617171617000 (6 x SnakeKeylogger, 2 x MassLogger, 2 x AgentTesla)
Reporter	SecuriteInfoCom
Tags:	exe SnakeKeylogger

Intelligence

File Origin

# of uploads :

# of downloads :

1'396

Origin country :

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

d868240ec5f70a523ebd5d5fc62287bacb7899773a6693234875e9e28f370074

Verdict:

Malicious activity

Analysis date:

2025-04-07 05:37:01 UTC

Tags:

arch-exec snake keylogger evasion telegram stealer netreactor

Link:

https://app.any.run/tasks/dc6a7057-ca87-479b-b846-c9540f819319

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/961/

Detection(s):

SecuriteInfo.com.Win32.CrypterX-gen.24076.19505.UNOFFICIAL

Verdict:

Malicious

Score:

99.1%

Link:

https://cyber-fortress.com/docs/result/index.php?id=67f3647de011fe619fabd396

Tags:

kryptik virus spam msil

Result

Verdict:

Malware

Maliciousness:

Behaviour

Searching for the window

Creating a window

Сreating synchronization primitives

Creating a process with a hidden window

Creating a file in the %AppData% directory

Enabling the 'hidden' option for recently created files

Adding an access-denied ACE

Creating a file in the %temp% directory

Launching a process

Creating a file

DNS request

Connection attempt

Sending an HTTP GET request

Searching for synchronization primitives

Launching the default Windows debugger (dwwin.exe)

Adding an exclusion to Microsoft Defender

Enabling autorun by creating a file

Unauthorized injection to a system process

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

expired-cert invalid-signature obfuscated packed packed packer_detected signed vbnet

Link:

https://www.filescan.io/uploads/67f372592d430c849e09d32d/reports/a226256e-7327-40f3-a3c6-dbc22f5fce41/overview

Verdict:

Malicious

Labled as:

Win/malicious_confidence_100%

Link:

https://www.hybrid-analysis.com/sample/3543cb3f9359037b6f177ab44ef175f17017381b33759d9709b46268f248012a

Malware family:

Snake Keylogger

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/78ae392e-28ae-4c0d-a266-750434b8048e

Result

Threat name:

PureLog Stealer, Snake Keylogger, VIP Ke

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1658031

Signature

.NET source code contains method to dynamically call methods (often used by packers)

.NET source code contains potential unpacker

Adds a directory exclusion to Windows Defender

Allocates memory in foreign processes

Antivirus detection for URL or domain

Found malware configuration

Injects a PE file into a foreign processes

Joe Sandbox ML detected suspicious sample

Loading BitLocker PowerShell Module

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Sample uses string decryption to hide its real strings

Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet

Sigma detected: Scheduled temp file as task from temp location

Suricata IDS alerts for network traffic

Tries to detect the country of the analysis system (by using the IP)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Mail credentials (via file / registry access)

Uses schtasks.exe or at.exe to add and modify task schedules

Uses the Telegram API (likely for C&C communication)

Writes to foreign memory regions

Yara detected AntiVM3

Yara detected PureLog Stealer

Yara detected Snake Keylogger

Yara detected Telegram RAT

Yara detected VIP Keylogger

Behaviour

Behavior Graph:

Download SVG

Score:

100%

Verdict:

Malware

File Type:

Link:

https://malprob.io/report/3543cb3f9359037b6f177ab44ef175f17017381b33759d9709b46268f248012a

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/3543cb3f9359037b6f177ab44ef175f17017381b33759d9709b46268f248012a/

Threat name:

Win32.Trojan.CrypterX

Status:

Malicious

First seen:

2025-04-07 04:16:45 UTC

File Type:

PE (.Net Exe)

Extracted files:

AV detection:

22 of 24 (91.67%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=gvb4wp4tlebxw3yxpk2e54lv6fybooa3gn2z3fyjwrrgr4siaeva._file

Verdict:

malicious

Label(s):

unc_loader_037

vipkeylogger

SnakeKeylogger

80edf30940ba58cb632cb8b5bbed7f57df1dbc9c682ddc744b9ed44af3583db8

SnakeKeylogger

9af845b97c1682091cfafe6b2186821883bd912cc3113e4dfafb0ca0f72206cc

SnakeKeylogger

dc14e11fa87b2110c957be1632f6ce7c9f4d02a53401337d4a9d60d42ecb4b4a

SnakeKeylogger

+ 1'244 additional samples on MalwareBazaar

Result

Malware family:

vipkeylogger

Score:

10/10

Tags:

family:vipkeylogger collection discovery execution keylogger stealer

Link:

https://tria.ge/reports/250407-hcza7a1ygw/

Behaviour

Scheduled Task/Job: Scheduled Task

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

outlook_office_path

outlook_win_path

Browser Information Discovery

Enumerates physical storage devices

System Location Discovery: System Language Discovery

Suspicious use of SetThreadContext

Accesses Microsoft Outlook profiles

Looks up external IP address via web service

Checks computer location settings

Uses the VBS compiler for execution

Command and Scripting Interpreter: PowerShell

VIPKeylogger

Vipkeylogger family

Verdict:

Malicious

Tags:

404keylogger

YARA:

n/a

Link:

https://app.threat.zone/submission/72acdce2-efbb-4d1b-a07a-04cf485b1f09

Unpacked files

SH256 hash:

3543cb3f9359037b6f177ab44ef175f17017381b33759d9709b46268f248012a

MD5 hash:

1ec8195374e1e7e4e7fe82d80e2a36c5

SHA1 hash:

fe991cf54e15852f94083cc5e5de2d3aa1662358

Link:

https://www.unpac.me/results/cb06482f-2cc7-4375-bf2b-d03f4928d5e0/

SH256 hash:

4c87f22ce2466f1e1447d80155a69833eff54dad60df6f292484976e2c2f805b

MD5 hash:

1f92cd38cabcac55f53583ff74d369ff

SHA1 hash:

2275f5b0aec3f7d17854906bb5a7f00451d1d31f

Detections:

SUSP_OBF_NET_Reactor_Indicators_Jan24

Link:

https://www.unpac.me/results/cb06482f-2cc7-4375-bf2b-d03f4928d5e0/

Parent samples :

69f684f1e3a4c73362a0e9d775ec1717be3e730bee70a096b578775c0df39ddf
4347740628dde81f0d24411f390e00f168155026dae9bc80e2e6837e381860a0
f280bb4d1036eb4e6e7410ed52db364722e9d0efab5f4030834488f0136bc52b
3ab9c6d950c228d286795fd61b70a4bd7c1c3de889ccac47dc68d5f23a24408e
8c3a0f760deceeb69b81b809d2a16cb2ff5979f4b332fc4243eed61fb2111e17
3543cb3f9359037b6f177ab44ef175f17017381b33759d9709b46268f248012a
d28358e40350fd9a8b4433a33131b7f567d66c1f9a20b6bd276178b585304580
e36801a3e24d697a55c6b00e156a88d1a27d81b83ab4c50f1ec6e6ca7d455d31
e28ab1b33d7446770039a494f9642261f70e85d95439f22bc61e6267c21b53c9
74a3ca19e62c2633b41517a640acf4e1e9d8588c9c7829fef8dc2602fd242e8d

SH256 hash:

12a2f126b6a88fedde71ebc6054072165de6a09ba5c0de06566ed2a62a98b0a2

MD5 hash:

28865899e7e5ae991fadaa1c0e1d5884

SHA1 hash:

54660ef797b69faee513ef6cf5c462f7a743e89e

Detections:

win_404keylogger_g1

MAL_Envrial_Jan18_1

INDICATOR_SUSPICIOUS_Binary_References_Browsers

INDICATOR_SUSPICIOUS_EXE_References_Messaging_Clients

INDICATOR_SUSPICIOUS_EXE_DotNetProcHook

INDICATOR_SUSPICIOUS_EXE_TelegramChatBot

Link:

https://www.unpac.me/results/cb06482f-2cc7-4375-bf2b-d03f4928d5e0/

Parent samples :

867af082ab5f5e7468aab5bca97063c60877f44c2d39c0ad02f1a1e721c92260
ab68d4e831745aa5364ad14203a0a9669a5362913b09263eb4e06681f62007c5
1792b62467af9326272e0190ddd1e22c6217f23637ab47b9fbe0098ca3800c6d
8e4108d867c054d193cca6c2f9fcfa7288d7a1b9e6ac9e41ae60cfd15b1e0572
a29feb5a19c2eb1dd0a09402eabca6d9a721c4f46e5f1ec013e36ee3069e0f3d
0d53038edfae7a4ff9c96ade284680a5a46c5958942262357c89f0740ad02458
9899807e67d1974a32123f6967f1c46c05f8c0769f5c1ba5127f966a697a2c77
69f684f1e3a4c73362a0e9d775ec1717be3e730bee70a096b578775c0df39ddf
755f9071cf58c7d3729758cc3143fcd738b813977ca81ef2067a27e113881a9d
3ab9c6d950c228d286795fd61b70a4bd7c1c3de889ccac47dc68d5f23a24408e
3543cb3f9359037b6f177ab44ef175f17017381b33759d9709b46268f248012a
a6d1bf193f5a5f2f6f9e766dffb51b66122e96dc8d2b76c3674fe2968d32c811
0ca81feea4b45d3c004c6f98c4d092227dd5c0a32044f19956117f9ee4dbc749
2bc972f3ec09f8d1bdc1b25a3fe57db9a08577117d3a0d0ce5e5282e976d9111
64298970a96368b940e957cef55f70a07d63151df38c3b73818e83c4a4caebf6

SH256 hash:

dbc8aeaaf93139de8ac983be5a5090ba4565ebee4b917ef308de5e4e38ed9991

MD5 hash:

61f3077f951d4593de20d5f031118dd0

SHA1 hash:

bae4770d0f20357726b45db14639abe781786548

Detections:

SUSP_OBF_NET_ConfuserEx_Name_Pattern_Jan24

SUSP_OBF_NET_Reactor_Indicators_Jan24

Link:

https://www.unpac.me/results/cb06482f-2cc7-4375-bf2b-d03f4928d5e0/

Malware family:

zgRAT

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/3543cb3f9359/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/3543cb3f9359037b6f177ab44ef175f17017381b33759d9709b46268f248012a

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	crime_snake_keylogger Create hunting rule
Author:	Rony (r0ny_123)
Description:	Detects Snake keylogger payload

Rule name:	INDICATOR_KB_CERT_7c1118cbbadc95da3752c46e47a27438 Create hunting rule
Author:	ditekSHen
Description:	Detects executables signed with stolen, revoked or invalid certificates

Rule name:	INDICATOR_SUSPICIOUS_Binary_References_Browsers Create hunting rule
Author:	ditekSHen
Description:	Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers.

Rule name:	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook Create hunting rule
Author:	ditekSHen
Description:	Detects executables with potential process hoocking

Rule name:	INDICATOR_SUSPICIOUS_EXE_References_Messaging_Clients Create hunting rule
Author:	ditekSHen
Description:	Detects executables referencing many email and collaboration clients. Observed in information stealers

Rule name:	INDICATOR_SUSPICIOUS_EXE_TelegramChatBot Create hunting rule
Author:	ditekSHen
Description:	Detects executables using Telegram Chat Bot

Rule name:	MAL_Envrial_Jan18_1 Create hunting rule
Author:	Florian Roth (Nextron Systems)
Description:	Detects Encrial credential stealer malware
Reference:	https://twitter.com/malwrhunterteam/status/953313514629853184

Rule name:	MAL_Envrial_Jan18_1_RID2D8C Create hunting rule
Author:	Florian Roth
Description:	Detects Encrial credential stealer malware
Reference:	https://twitter.com/malwrhunterteam/status/953313514629853184

Rule name:	NET Create hunting rule
Author:	malware-lu

Rule name:	PE_Digital_Certificate Create hunting rule
Author:	albertzsigovits

Rule name:	pe_imphash Create hunting rule

Rule name:	RANSOMWARE Create hunting rule
Author:	ToroGuitar

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

Rule name:	Sus_Obf_Enc_Spoof_Hide_PE Create hunting rule
Author:	XiAnzheng
Description:	Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique(can create FP)

Rule name:	telegram_bot_api Create hunting rule
Author:	rectifyq
Description:	Detects file containing Telegram Bot API

Rule name:	Windows_Trojan_SnakeKeylogger_af3faa65 Create hunting rule
Author:	Elastic Security

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

SnakeKeylogger

zip d868240ec5f70a523ebd5d5fc62287bacb7899773a6693234875e9e28f370074

SnakeKeylogger

exe 3543cb3f9359037b6f177ab44ef175f17017381b33759d9709b46268f248012a

(this sample)

Cape

https://www.capesandbox.com/analysis/961/

Dropped by

SHA256 d868240ec5f70a523ebd5d5fc62287bacb7899773a6693234875e9e28f370074

Dropped by

MD5 9aaf54e6eb2d0254da7ccb03ab2ff8c3

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings

ID	Title	Severity
CHECK_AUTHENTICODE	Missing Authenticode	high
CHECK_DLL_CHARACTERISTICS	Missing dll Security Characteristics (HIGH_ENTROPY_VA)	high

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample