MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 3b3b61a2b17bc54e2a5e3aaa5df3bcd9d7a24ed085c99550e98f1ef4a0274dbc. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

SnakeKeylogger

Vendor detections: 16

Intelligence 16 IOCs YARA 16 File information Comments

SHA256 hash:	3b3b61a2b17bc54e2a5e3aaa5df3bcd9d7a24ed085c99550e98f1ef4a0274dbc
SHA3-384 hash:	178d40c11a37a5dfaffe9bcd923446308c8bb79bec5d8b1d73fa79444a73bccbd40a8d69e31bb8514b85c579ca096783
SHA1 hash:	3a7224a3d088eca9738eeeaed06a18833bd17d11
MD5 hash:	287525e72239fa5ff5f9aeecd4b00f4b
humanhash:	mango-dakota-illinois-wyoming
File name:	3b3b61a2b17bc54e2a5e3aaa5df3bcd9d7a24ed085c99550e98f1ef4a0274dbc
Download:	download sample
Signature	SnakeKeylogger Create hunting rule
File size:	550'400 bytes
First seen:	2025-08-12 14:16:59 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	ef471c0edf1877cd5a881a6a8bf647b9 (83 x Formbook, 33 x Loki, 31 x Loda)
ssdeep	12288:5Ov5jKhsfoPA+yeVKUCUxP4C902bdRtJJPitlhwPOImZaXY:5q5TfcdHj4fmbYhwPOIhXY
Threatray	2'849 similar samples on MalwareBazaar
TLSH	T103C423A16698CC63EA917331C07ACEE509787972CD422B5D07D9F64E3471383A6C6B3E
TrID	39.1% (.EXE) UPX compressed Win32 Executable (27066/9/6) 38.3% (.EXE) Win32 EXE Yoda's Crypter (26569/9/4) 7.2% (.EXE) Win16 NE executable (generic) (5038/12/1) 6.5% (.EXE) Win32 Executable (generic) (4504/4/1) 2.9% (.EXE) OS/2 Executable (generic) (2029/13)
Magika	pebin
dhash icon	aae2f3e38383b629 (2'034 x Formbook, 1'183 x CredentialFlusher, 666 x AgentTesla)
Reporter	adrian__luca
Tags:	exe SnakeKeylogger

Intelligence

File Origin

# of uploads :

# of downloads :

Origin country :

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

3b3b61a2b17bc54e2a5e3aaa5df3bcd9d7a24ed085c99550e98f1ef4a0274dbc

Verdict:

Malicious activity

Analysis date:

2025-08-12 18:06:15 UTC

Tags:

evasion snake keylogger telegram stealer

Link:

https://app.any.run/tasks/b00956cd-5626-4df3-97f0-41dbf4e514d8

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/20591/

Detection(s):

SecuriteInfo.com.W32.Trojan.VORE-2106.1542.UNOFFICIAL

Verdict:

Malicious

Score:

90.2%

Link:

https://cyber-fortress.com/docs/result/index.php?id=689b4eb1fca70bd90e8f0bcc

Tags:

emotet

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

Creating a file in the %temp% directory

Launching a process

Сreating synchronization primitives

DNS request

Connection attempt

Sending an HTTP GET request

Searching for synchronization primitives

Launching the default Windows debugger (dwwin.exe)

Unauthorized injection to a system process

Verdict:

Likely Malicious

Threat level:

7.5/10

Confidence:

100%

Tags:

autoit compiled-script fingerprint lolbin microsoft_visual_cc netsh obfuscated overlay packed packed packed packer_detected threat upx

Link:

https://www.filescan.io/uploads/689b5dad9ef4d2ff7cf8a0e9/reports/55b1d5f1-ea60-4687-a63d-d1f79d0cd7a8/overview

Verdict:

Malicious

Labled as:

Trojan.Generic

Link:

https://www.hybrid-analysis.com/sample/3b3b61a2b17bc54e2a5e3aaa5df3bcd9d7a24ed085c99550e98f1ef4a0274dbc

Malware family:

Snake Keylogger

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/66fcca57-153c-4e21-9803-c110340fe1b0

Score:

100%

Verdict:

Malware

File Type:

Link:

https://malprob.io/report/3b3b61a2b17bc54e2a5e3aaa5df3bcd9d7a24ed085c99550e98f1ef4a0274dbc

Gathering data

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/3b3b61a2b17bc54e2a5e3aaa5df3bcd9d7a24ed085c99550e98f1ef4a0274dbc/

Threat name:

Win32.Trojan.AutoitInject

Status:

Malicious

First seen:

2025-07-23 03:28:59 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

27 of 36 (75.00%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=hm5wdivrppcu4ks6hkvf34543hl2etwqqxezkuhjr4ppjibhjw6a._file

Verdict:

malicious

Label(s):

autoit

unc_loader_036

vipkeylogger

SnakeKeylogger

69f81d677a41d9cdcea7d67ca0afb52708ad74b40788e2f101d414bcc5b6b670

SnakeKeylogger

6dfd8a72f4d4d7ed38ac75342f99d74a1a96441f886b51c54d41760761c47e92

SnakeKeylogger

894818bb6ba572653922e19b95efe6f6238c12215314901b79793174a65e04bb

SnakeKeylogger

9c01f3a82e49bfa8d66bffbcf50a162c45cf654f4a3f125b2052138fc29ffc39

SnakeKeylogger

a1ccd9be7279ef1a5bb7fa795cedfa20cf68b3a01dc23d887eeb045f47408fde

SnakeKeylogger

+ 2'839 additional samples on MalwareBazaar

Result

Malware family:

vipkeylogger

Score:

10/10

Tags:

family:vipkeylogger collection discovery keylogger stealer upx

Link:

https://tria.ge/reports/250812-sxe36aswfw/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: MapViewOfSection

Suspicious use of AdjustPrivilegeToken

Suspicious use of FindShellTrayWindow

Suspicious use of SendNotifyMessage

Suspicious use of WriteProcessMemory

outlook_office_path

outlook_win_path

Browser Information Discovery

Program crash

System Location Discovery: System Language Discovery

AutoIT Executable

Suspicious use of SetThreadContext

UPX packed file

Accesses Microsoft Outlook profiles

Looks up external IP address via web service

VIPKeylogger

Vipkeylogger family

Verdict:

Malicious

Tags:

404Keylogger

YARA:

n/a

Link:

https://app.threat.zone/submission/4470ad0c-e5d3-4969-b14d-2c3bbb7ab0bc

Unpacked files

SH256 hash:

3b3b61a2b17bc54e2a5e3aaa5df3bcd9d7a24ed085c99550e98f1ef4a0274dbc

MD5 hash:

287525e72239fa5ff5f9aeecd4b00f4b

SHA1 hash:

3a7224a3d088eca9738eeeaed06a18833bd17d11

Link:

https://www.unpac.me/results/224f2b9b-41e3-4191-b6d8-59ab0df45f67/

SH256 hash:

9c704a8ae47beb3d7f0cd28ce4a37c4557ca82319cba44ebbff92338e52621b1

MD5 hash:

21199c254d8445dbb4a737d9f3591282

SHA1 hash:

62aed27f7c8079b51b991283056e83decc81778b

Detections:

AutoIT_Compiled

Link:

https://www.unpac.me/results/224f2b9b-41e3-4191-b6d8-59ab0df45f67/

SH256 hash:

b352acbef195ecc88a7c318495fcf063c9a658ead9c272f6c8f0476d9473cdbc

MD5 hash:

0c660cef43679db358d9840d3229a77e

SHA1 hash:

9d45e10e258764a742eb6b98b4b37900b3a3f737

Detections:

win_404keylogger_g1

INDICATOR_SUSPICIOUS_Binary_References_Browsers

INDICATOR_SUSPICIOUS_EXE_DotNetProcHook

INDICATOR_SUSPICIOUS_EXE_TelegramChatBot

Link:

https://www.unpac.me/results/224f2b9b-41e3-4191-b6d8-59ab0df45f67/

Parent samples :

96abef8f09eac5255051d01cd3dc6e7eec5945d933e4240a90495c4544b06db0
894818bb6ba572653922e19b95efe6f6238c12215314901b79793174a65e04bb
3b3b61a2b17bc54e2a5e3aaa5df3bcd9d7a24ed085c99550e98f1ef4a0274dbc

Malware family:

VIPKeylogger

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/3b3b61a2b17b/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/3b3b61a2b17bc54e2a5e3aaa5df3bcd9d7a24ed085c99550e98f1ef4a0274dbc

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	crime_snake_keylogger Create hunting rule
Author:	Rony (r0ny_123)
Description:	Detects Snake keylogger payload

Rule name:	DetectEncryptedVariants Create hunting rule
Author:	Zinyth
Description:	Detects 'encrypted' in ASCII, Unicode, base64, or hex-encoded

Rule name:	INDICATOR_SUSPICIOUS_Binary_References_Browsers Create hunting rule
Author:	ditekSHen
Description:	Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers.

Rule name:	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook Create hunting rule
Author:	ditekSHen
Description:	Detects executables with potential process hoocking

Rule name:	INDICATOR_SUSPICIOUS_EXE_TelegramChatBot Create hunting rule
Author:	ditekSHen
Description:	Detects executables using Telegram Chat Bot

Rule name:	NET Create hunting rule
Author:	malware-lu

Rule name:	NETexecutableMicrosoft Create hunting rule
Author:	malware-lu

Rule name:	pe_imphash Create hunting rule

Rule name:	RANSOMWARE Create hunting rule
Author:	ToroGuitar

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

Rule name:	Sus_CMD_Powershell_Usage Create hunting rule
Author:	XiAnzheng
Description:	May Contain(Obfuscated or no) Powershell or CMD Command that can be abused by threat actor(can create FP)

Rule name:	Sus_Obf_Enc_Spoof_Hide_PE Create hunting rule
Author:	XiAnzheng
Description:	Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique(can create FP)

Rule name:	telegram_bot_api Create hunting rule
Author:	rectifyq
Description:	Detects file containing Telegram Bot API

Rule name:	UPXV200V290MarkusOberhumerLaszloMolnarJohnReiser Create hunting rule
Author:	malware-lu

Rule name:	upx_largefile Create hunting rule
Author:	k3nr9

Rule name:	Windows_Trojan_SnakeKeylogger_af3faa65 Create hunting rule
Author:	Elastic Security

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/20591/

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings

ID	Title	Severity
CHECK_AUTHENTICODE	Missing Authenticode	high
CHECK_DLL_CHARACTERISTICS	Missing dll Security Characteristics (HIGH_ENTROPY_VA)	high
CHECK_NX	Missing Non-Executable Memory Protection	critical

Reviews

ID	Capabilities	Evidence
MULTIMEDIA_API	Can Play Multimedia	WINMM.dll::timeGetTime
SECURITY_BASE_API	Uses Security Base API	ADVAPI32.dll::AddAce
WIN_BASE_API	Uses Win Base API	KERNEL32.DLL::LoadLibraryA
WIN_NETWORK_API	Supports Windows Networking	MPR.dll::WNetUseConnectionW

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample