MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 406661636fd8b1d1532ff4d019762d42cdde201b783d68b26cb7c955a1e92af0. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


SnakeKeylogger


Vendor detections: 16


Intelligence 16 IOCs YARA 5 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 406661636fd8b1d1532ff4d019762d42cdde201b783d68b26cb7c955a1e92af0
SHA3-384 hash: c33ce7af9b4ccf25d346c5b0edb8197ab1435c383cf8938a74ed59c15a8252d7f284db1b16155dd587a3b455f465a69d
SHA1 hash: 9f3f4fa2cda1421625697d030e5c3184332f2e53
MD5 hash: 657c29b061baf8d1c91483df96a68bf0
humanhash: whiskey-hamper-quiet-stream
File name:SecuriteInfo.com.Variant.Genie.8DN.16.13849.30802
Download: download sample
Signature SnakeKeylogger
Create hunting rule
File size:763'392 bytes
First seen:2025-02-24 10:32:45 UTC
Last seen:2025-03-10 11:32:52 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'661 x AgentTesla, 19'474 x Formbook, 12'208 x SnakeKeylogger)
ssdeep 12288:gNL1A6YeXY/e1Thnnn/uJUlLBe/kg4W217KdKU0ubntIGR:2BhxlLBMN4W217KdKUDbtFR
TLSH T149F4CF041398C60AD53F17B859B4C1714FB96EAEF822D3164ED8ACEB7EB67009D62347
TrID 71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.2% (.EXE) Win64 Executable (generic) (10522/11/4)
6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.3% (.EXE) Win32 Executable (generic) (4504/4/1)
2.0% (.ICL) Windows Icons Library (generic) (2059/9)
Magika pebin
Reporter SecuriteInfoCom
Tags:exe SnakeKeylogger

Intelligence

File Origin
# of uploads :
5
# of downloads :
45
Origin country :
Vendor Threat Intelligence
Detection(s):
SecuriteInfo.com.Variant.Genie.8DN.16.13849.30802.UNOFFICIAL
Create hunting rule

Verdict:
Malicious
Score:
96.5%
Link:
https://cyber-fortress.com/docs/result/index.php?id=67bc4ae9a0fd713c335c9bb5
Tags:
kryptik virus msil
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Unauthorized injection to a recently created process
Restart of the analyzed sample
Creating a file
Сreating synchronization primitives
DNS request
Connection attempt
Sending an HTTP GET request
Running batch commands
Creating a process with a hidden window
Launching a process
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
obfuscated obfuscated packed packed packer_detected vbnet
Link:
https://www.filescan.io/uploads/67bc4aee3afc3763bec395c4/reports/40c08af5-9089-489d-90bd-614e6adb6de5/overview
Verdict:
Malicious
Labled as:
Genie.8DN.Generic
Link:
https://www.hybrid-analysis.com/sample/406661636fd8b1d1532ff4d019762d42cdde201b783d68b26cb7c955a1e92af0
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
KeyBase
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/ea4c6181-6053-4ec2-b49c-807e0abd1620
Result
Threat name:
Snake Keylogger
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1622642
Signature
.NET source code contains potential unpacker
Found malware configuration
Injects a PE file into a foreign processes
Joe Sandbox ML detected suspicious sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Sample uses string decryption to hide its real strings
Self deletion via cmd or bat file
Tries to detect the country of the analysis system (by using the IP)
Yara detected AntiVM3
Yara detected Snake Keylogger
Behaviour
Behavior Graph:
Download SVG
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/406661636fd8b1d1532ff4d019762d42cdde201b783d68b26cb7c955a1e92af0
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/406661636fd8b1d1532ff4d019762d42cdde201b783d68b26cb7c955a1e92af0/
Threat name:
ByteCode-MSIL.Trojan.SnakeKeylogger
Create hunting rule
Status:
Malicious
First seen:
2025-02-24 08:09:48 UTC
File Type:
PE (.Net Exe)
Extracted files:
13
AV detection:
27 of 38 (71.05%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=ibtgcy3p3cy5cuzp6tibs5rnilg54ia3pa6wrmtmw7evlipjflya._file
Result
Malware family:
snakekeylogger
Create hunting rule
Score:
  10/10
Tags:
family:snakekeylogger discovery keylogger stealer
Link:
https://tria.ge/reports/250224-mllhxaxmy2/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Suspicious use of SetThreadContext
Looks up external IP address via web service
Checks computer location settings
Snake Keylogger
Snake Keylogger payload
Snakekeylogger family
Malware Config
C2 Extraction:
https://api.telegram.org/bot7572469755:AAHCBLe3bEv-r8VSlR3NztVSSHz6JBpCC7s/sendMessage?chat_id=7207594974
Verdict:
Suspicious
Tags:
404keylogger
YARA:
n/a
Link:
https://app.threat.zone/submission/15d0f8fa-b5f9-4f0c-9021-943fe68a3eba
Unpacked files
SH256 hash:
406661636fd8b1d1532ff4d019762d42cdde201b783d68b26cb7c955a1e92af0
MD5 hash:
657c29b061baf8d1c91483df96a68bf0
SHA1 hash:
9f3f4fa2cda1421625697d030e5c3184332f2e53
Link:
https://www.unpac.me/results/96d126a6-ae77-4e32-8f75-94f3b57fbe24/
SH256 hash:
e80a463e16b14b43e4112cb8f0cb0cf44ff245be592202042373a02b9ea4deb9
MD5 hash:
bbea1aafd0d7058f6f46c8ceff355f96
SHA1 hash:
14ca07073c0a943129823d6532358a55761a203f
Link:
https://www.unpac.me/results/96d126a6-ae77-4e32-8f75-94f3b57fbe24/
SH256 hash:
46bc7b57a800b3ad3defd19375b6177e88bbf7e1d066aa4c60d38d39e393700f
MD5 hash:
2661337513f0492ff4614feaf3180845
SHA1 hash:
6e2075ae521cd2631b8baccc56d75a027175b6cc
Detections:
SUSP_OBF_NET_ConfuserEx_Name_Pattern_Jan24
Create hunting rule
SUSP_OBF_NET_Reactor_Indicators_Jan24
Create hunting rule
Link:
https://www.unpac.me/results/96d126a6-ae77-4e32-8f75-94f3b57fbe24/
SH256 hash:
fedfa8506ddc9c8e9a50fd5f79626437960d927329c0ae394d64b2581a32f150
MD5 hash:
b8820c91844409a2ede0b2c8c128fb43
SHA1 hash:
b8185818ab1145c059c3d9b94038ef5f99324284
Detections:
win_404keylogger_g1
Create hunting rule
snake_keylogger
Create hunting rule
MAL_Envrial_Jan18_1
Create hunting rule
INDICATOR_SUSPICIOUS_Binary_References_Browsers
Create hunting rule
INDICATOR_SUSPICIOUS_EXE_DotNetProcHook
Create hunting rule
MALWARE_Win_SnakeKeylogger
Create hunting rule
Link:
https://www.unpac.me/results/96d126a6-ae77-4e32-8f75-94f3b57fbe24/
Parent samples :
16ac39458488454a5d43d2f0d250fe014bf22ab1542ee6cbd10c6f69ab8d91d8
5a2a58a5c9a50cda175b03b68636c5f68d7dcc73eb19311ceb2940dddc97654e
dcb42b8ad4e7cc40fe12cfef0f5b97fba6073716a6315784ed6dd8847a51e86d
1952bd4cf85d07d155fee0fd9f75b5c5e52af32c20994eb3b248fbd03ffe9fcf
406661636fd8b1d1532ff4d019762d42cdde201b783d68b26cb7c955a1e92af0
73894e9dabbea10e1befbf6d68c03b45dd45e8170cc9cac9a2fa420585010ce0
Malware family:
SnakeKeylogger
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/406661636fd8/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/406661636fd8b1d1532ff4d019762d42cdde201b783d68b26cb7c955a1e92af0

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:AgentTesla_DIFF_Common_Strings_01
Create hunting rule
Author:schmidtsz
Description:Identify partial Agent Tesla strings
Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash
Rule name:Sus_Obf_Enc_Spoof_Hide_PE
Create hunting rule
Author:XiAnzheng
Description:Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique(can create FP)

File information

The table below shows additional information about this malware sample such as delivery method and external references.

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_DLL_CHARACTERISTICSMissing dll Security Characteristics (HIGH_ENTROPY_VA)high
CHECK_TRUST_INFORequires Elevated Execution (Unrestricted:true)high

Comments