MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 3edd1b41eb0335239a98eabf1263a47f6d8e65a46f6d4c755d005b48b7734cee. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

SnakeKeylogger

Vendor detections: 12

Intelligence 12 IOCs YARA 15 File information Comments

SHA256 hash:	3edd1b41eb0335239a98eabf1263a47f6d8e65a46f6d4c755d005b48b7734cee
SHA3-384 hash:	059e69f96d4c2b0c04fde119d4d139fe0f6e1b308a26f7c3bea9861f7f6b972f8013869faed4f2c11f7ffbf3a2ad2969
SHA1 hash:	306f990cbda3c1623ac60aef55f83e9a4939bc12
MD5 hash:	1c1586b0ec21775d68707e5215a655b0
humanhash:	five-yellow-bluebird-cola
File name:	3edd1b41eb0335239a98eabf1263a47f6d8e65a46f6d4c755d005b48b7734cee
Download:	download sample
Signature	SnakeKeylogger Create hunting rule
File size:	319'488 bytes
First seen:	2025-08-12 21:38:16 UTC
Last seen:	Never
File type:	dll
MIME type:	application/x-dosexec
imphash	dae02f32a21e03ce65412f6e56942daa (123 x YellowCockatoo, 60 x CobaltStrike, 44 x JanelaRAT)
ssdeep	6144:sB/gZ35XW/1W9fjJxBBBxzpfllhQH2ImJtJwYFB04OVIWwbfD6ub:sB/gZ35XW/1W9fjJxBBBxzpfllhQH2Io
TLSH	T10F64B4693ED8D800E7BF447696F85028C6BB745304A48D9D1AF1F0613ABEA00AE57FD7
TrID	68.6% (.DLL) Generic .NET DLL/Assembly (236632/4/32) 21.2% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13) 3.0% (.EXE) Win64 Executable (generic) (10522/11/4) 1.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 1.4% (.EXE) Win16 NE executable (generic) (5038/12/1)
Magika	pebin
Reporter	AntiSkidding
Tags:	dll keylogger SnakeKeylogger stealer VIPKeylogger

Intelligence

File Origin

# of uploads :

# of downloads :

134

Origin country :

Vendor Threat Intelligence

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/21004/

Detection(s):

Win.Malware.Generic-10008460-0

Verdict:

Clean

Score:

89.3%

Link:

https://cyber-fortress.com/docs/result/index.php?id=689bb4609901157561b5ab1b

Tags:

n/a

Result

Verdict:

Malware

Maliciousness:

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

base64 cmd evasive hacktool lolbin netsh overlay overlay reconnaissance stealer telegram

Link:

https://www.filescan.io/uploads/689bb46c9ef4d2ff7cf938a5/reports/78a7281b-be1d-4237-874a-2faa2a27d66e/overview

Verdict:

Malicious

Labled as:

MSILHeracles.NotFoundKeylogger.Generic

Link:

https://www.hybrid-analysis.com/sample/3edd1b41eb0335239a98eabf1263a47f6d8e65a46f6d4c755d005b48b7734cee

Malware family:

Snake Keylogger

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/5e578bd1-14bf-4b49-90c5-e4110aad4f10

Score:

75%

Verdict:

Malware

File Type:

Link:

https://malprob.io/report/3edd1b41eb0335239a98eabf1263a47f6d8e65a46f6d4c755d005b48b7734cee

Gathering data

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/3edd1b41eb0335239a98eabf1263a47f6d8e65a46f6d4c755d005b48b7734cee/

Verdict:

Malicious

Threat:

HEUR:Trojan-Spy.MSIL.KeyLogger

Link:

https://tip.neiki.dev/file/3edd1b41eb0335239a98eabf1263a47f6d8e65a46f6d4c755d005b48b7734cee

Threat name:

ByteCode-MSIL.Trojan.Snakekeylogger

Status:

Malicious

First seen:

2025-08-12 21:44:35 UTC

File Type:

PE (.Net Dll)

Extracted files:

AV detection:

20 of 24 (83.33%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=h3orwqplam2shguy5k7rey5ep5wy4znen5wuy5k5abnurn3tjtxa._file

Result

Malware family:

vipkeylogger

Score:

10/10

Tags:

family:vipkeylogger keylogger stealer

Link:

https://tria.ge/reports/250812-1hhjqs1sdt/

Unpacked files

SH256 hash:

3edd1b41eb0335239a98eabf1263a47f6d8e65a46f6d4c755d005b48b7734cee

MD5 hash:

1c1586b0ec21775d68707e5215a655b0

SHA1 hash:

306f990cbda3c1623ac60aef55f83e9a4939bc12

Detections:

win_404keylogger_g1

Link:

https://www.unpac.me/results/c023e1b9-fab7-4b61-a269-7aff6c6f8375/

SH256 hash:

890f9050f0c7298bf8fc3b6e4c94b87ad4d5fc036ca28dadbce9b6976b4cd000

MD5 hash:

1bcd741ce3321891fc64365278a54e21

SHA1 hash:

1c049df7cc7981a34a0970783447f7780a1f6b9d

Detections:

win_404keylogger_g1

MAL_Envrial_Jan18_1

INDICATOR_SUSPICIOUS_Binary_References_Browsers

INDICATOR_SUSPICIOUS_EXE_References_Messaging_Clients

INDICATOR_SUSPICIOUS_EXE_DotNetProcHook

INDICATOR_SUSPICIOUS_EXE_TelegramChatBot

Link:

https://www.unpac.me/results/c023e1b9-fab7-4b61-a269-7aff6c6f8375/

Parent samples :

a34ccdfe8ceb7ee12467b9882523fd442baa897a5dd1ac115f3a88fcf7110d80
3edd1b41eb0335239a98eabf1263a47f6d8e65a46f6d4c755d005b48b7734cee

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

0.96

Link:

https://yomi.yoroi.company/submissions/3edd1b41eb0335239a98eabf1263a47f6d8e65a46f6d4c755d005b48b7734cee

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	crime_snake_keylogger Create hunting rule
Author:	Rony (r0ny_123)
Description:	Detects Snake keylogger payload

Rule name:	DetectEncryptedVariants Create hunting rule
Author:	Zinyth
Description:	Detects 'encrypted' in ASCII, Unicode, base64, or hex-encoded

Rule name:	extracted_at_0x44b Create hunting rule
Author:	cb
Description:	sample - file extracted_at_0x44b.exe
Reference:	Internal Research

Rule name:	INDICATOR_SUSPICIOUS_Binary_References_Browsers Create hunting rule
Author:	ditekSHen
Description:	Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers.

Rule name:	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook Create hunting rule
Author:	ditekSHen
Description:	Detects executables with potential process hoocking

Rule name:	INDICATOR_SUSPICIOUS_EXE_References_Messaging_Clients Create hunting rule
Author:	ditekSHen
Description:	Detects executables referencing many email and collaboration clients. Observed in information stealers

Rule name:	INDICATOR_SUSPICIOUS_EXE_TelegramChatBot Create hunting rule
Author:	ditekSHen
Description:	Detects executables using Telegram Chat Bot

Rule name:	MAL_Envrial_Jan18_1 Create hunting rule
Author:	Florian Roth (Nextron Systems)
Description:	Detects Encrial credential stealer malware
Reference:	https://twitter.com/malwrhunterteam/status/953313514629853184

Rule name:	MAL_Envrial_Jan18_1_RID2D8C Create hunting rule
Author:	Florian Roth
Description:	Detects Encrial credential stealer malware
Reference:	https://twitter.com/malwrhunterteam/status/953313514629853184

Rule name:	NET Create hunting rule
Author:	malware-lu

Rule name:	RANSOMWARE Create hunting rule
Author:	ToroGuitar

Rule name:	Sus_CMD_Powershell_Usage Create hunting rule
Author:	XiAnzheng
Description:	May Contain(Obfuscated or no) Powershell or CMD Command that can be abused by threat actor(can create FP)

Rule name:	Sus_Obf_Enc_Spoof_Hide_PE Create hunting rule
Author:	XiAnzheng
Description:	Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique(can create FP)

Rule name:	telegram_bot_api Create hunting rule
Author:	rectifyq
Description:	Detects file containing Telegram Bot API

Rule name:	Windows_Trojan_SnakeKeylogger_af3faa65 Create hunting rule
Author:	Elastic Security

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/21004/

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings

ID	Title	Severity
CHECK_AUTHENTICODE	Missing Authenticode	high
CHECK_DLL_CHARACTERISTICS	Missing dll Security Characteristics (HIGH_ENTROPY_VA)	high

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample