MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 4255224f9842c7cb47d5d5d488d2f45674ac540f2b4652618dd2153acd3cd151. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

SnakeKeylogger

Vendor detections: 19

Intelligence 19 IOCs YARA 17 File information Comments

SHA256 hash:	4255224f9842c7cb47d5d5d488d2f45674ac540f2b4652618dd2153acd3cd151
SHA3-384 hash:	0437fa31bf8ff3e50c3c54f93a45eade938b963b6a7fa19f349a57ae5b68931c748d2d1fe90251c0c114621feee20d64
SHA1 hash:	1384346d4eecc4285a2dbed0b76b508626d982a2
MD5 hash:	406526610fcee514890099a2b4989adb
humanhash:	paris-johnny-texas-alabama
File name:	4255224f9842c7cb47d5d5d488d2f45674ac540f2b4652618dd2153acd3cd151
Download:	download sample
Signature	SnakeKeylogger Create hunting rule
File size:	543'232 bytes
First seen:	2025-10-14 11:05:03 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep	12288:4mq8qFvYDUhvk9k4NJgP6zVTs+9WluyQtWzBBWnaY2:lfKZBJyzZo5QtqBUa
Threatray	3'797 similar samples on MalwareBazaar
TLSH	T13EC4120EFA57C239CE1C2FBBC423A1BE01F6B215B5E7F3960BC98C694D54749868A417
TrID	69.7% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13) 10.0% (.EXE) Win64 Executable (generic) (10522/11/4) 6.2% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 4.2% (.EXE) Win32 Executable (generic) (4504/4/1) 1.9% (.EXE) Win16/32 Executable Delphi generic (2072/23)
Magika	pebin
Reporter	JAMESWT_WT
Tags:	exe SnakeKeylogger webmail-ki-lojaobrinquedos-com-br

Intelligence

File Origin

# of uploads :

# of downloads :

Origin country :

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

Első rész aláírása_0077125172_09október2025._1700_HU docx.z

Verdict:

Suspicious activity

Analysis date:

2025-10-09 11:36:23 UTC

Tags:

arch-exec

Link:

https://app.any.run/tasks/2099e46f-44ea-4611-997c-f715dacc4a0c

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

Snake

Link:

https://www.capesandbox.com/analysis/32668/

Detection(s):

no reply from clamd

Verdict:

Malicious

Score:

99.1%

Link:

https://cyber-fortress.com/docs/result/index.php?id=68ee2eac97a16d00a8d9d011

Tags:

virus micro msil

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

Sending a custom TCP request

Unauthorized injection to a recently created process

Restart of the analyzed sample

Creating a file

Сreating synchronization primitives

DNS request

Connection attempt

Sending an HTTP GET request

Reading critical registry keys

Stealing user critical data

Forced shutdown of a browser

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

obfuscated obfuscated packed packed packer_detected vbnet

Link:

https://www.filescan.io/uploads/68ee2f004f3013c55e4d4071/reports/f15f8aa8-cd08-4254-8181-97103b342b76/overview

Verdict:

Malicious

Labled as:

Trojan.Generic

Link:

https://www.hybrid-analysis.com/sample/4255224f9842c7cb47d5d5d488d2f45674ac540f2b4652618dd2153acd3cd151

Verdict:

Malicious

File Type:

exe x32

First seen:

2025-10-09T02:50:00Z UTC

Last seen:

2025-10-16T02:58:00Z UTC

Hits:

~100

Detections:

Trojan-Spy.Agent.SMTP.C&C PDM:Trojan.Win32.Generic Trojan-Spy.MSIL.SnakeLogger.sb Trojan-PSW.Win32.Stealer.sb Trojan.MSIL.Inject.sb Trojan.MSIL.Crypt.sb HEUR:Trojan-Spy.MSIL.SnakeLogger.gen Trojan.Crypt.TCP.ServerRequest Trojan.MSIL.Taskun.sb HEUR:Trojan-Spy.MSIL.Agent.sb VHO:Trojan-PSW.Win32.Stealer.gen

Link:

https://opentip.kaspersky.com/4255224f9842c7cb47d5d5d488d2f45674ac540f2b4652618dd2153acd3cd151/results?tab=lookup

Malware family:

Snake Keylogger

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/84f66925-4d0f-4756-b137-90a4db4723cd

Score:

100%

Verdict:

Malware

File Type:

Link:

https://malprob.io/report/4255224f9842c7cb47d5d5d488d2f45674ac540f2b4652618dd2153acd3cd151

Gathering data

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/4255224f9842c7cb47d5d5d488d2f45674ac540f2b4652618dd2153acd3cd151/

Verdict:

Malicious

Threat:

Family.SNAKE

Link:

https://tip.neiki.dev/file/4255224f9842c7cb47d5d5d488d2f45674ac540f2b4652618dd2153acd3cd151

Threat name:

Win32.Trojan.Generic

Status:

Suspicious

First seen:

2025-10-09 05:50:12 UTC

File Type:

PE (.Net Exe)

Extracted files:

AV detection:

19 of 24 (79.17%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=ijkset4yild4wr6v2xkiruxukz2kyvapfndfeymn2iktvtj42fiq._file

Verdict:

malicious

Label(s):

unc_loader_037

404keylogger

SnakeKeylogger

67223d2d06877753d37011fa5a9fac6f4155f3e341c56b874c2a6775649f51f0

SnakeKeylogger

cb3c37115d314c01bdc7c55e3d685ca91065842745fdf1b74f73a46be6ef27c6

SnakeKeylogger

fa8d09a3d211aaefb69b1438a2b3bb45cb30b84162a02d7d291d8cbc9b56b508

SnakeKeylogger

+ 3'787 additional samples on MalwareBazaar

Result

Malware family:

snakekeylogger

Score:

10/10

Tags:

family:snakekeylogger collection discovery keylogger spyware stealer

Link:

https://tria.ge/reports/251014-m723sa1py9/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

outlook_office_path

outlook_win_path

System Location Discovery: System Language Discovery

Suspicious use of SetThreadContext

Accesses Microsoft Outlook profiles

Looks up external IP address via web service

Reads user/profile data of local email clients

Reads user/profile data of web browsers

Snake Keylogger

Snake Keylogger payload

Snakekeylogger family

Verdict:

Malicious

Tags:

404Keylogger

YARA:

n/a

Link:

https://app.threat.zone/submission/3c66f904-f182-4558-ad7e-2a55d2d8a625

Unpacked files

SH256 hash:

4255224f9842c7cb47d5d5d488d2f45674ac540f2b4652618dd2153acd3cd151

MD5 hash:

406526610fcee514890099a2b4989adb

SHA1 hash:

1384346d4eecc4285a2dbed0b76b508626d982a2

Link:

https://www.unpac.me/results/92879630-a4c7-44ed-9253-86a4e12f1a37/

SH256 hash:

cc2b98223c9dcaf35c31d2eb743780aa3ea50177043e82633dda11aa7b7ff66b

MD5 hash:

014ace331af3642ddb3d3aa754e94950

SHA1 hash:

2ee54a101d1817ffdf1154d6bc19a7fa6db81c97

Link:

https://www.unpac.me/results/92879630-a4c7-44ed-9253-86a4e12f1a37/

SH256 hash:

6435be4709969ab35d322858fc7ac1b07592a24378b3f409d37c91f70233af32

MD5 hash:

c86b6805fa92a406177d18396b41ec8e

SHA1 hash:

32d4008463b4203557341e699694f814cffa3358

Detections:

SUSP_OBF_NET_ConfuserEx_Name_Pattern_Jan24

SUSP_OBF_NET_Reactor_Indicators_Jan24

Link:

https://www.unpac.me/results/92879630-a4c7-44ed-9253-86a4e12f1a37/

SH256 hash:

f9eda741e36de984f5764c76429ada284101b74abba47b708ac175c49f8227fe

MD5 hash:

48e1fdaf7662517c4e0f968966d4d7b0

SHA1 hash:

6320e1973e714027f3d4280c125ff36f51848f81

Detections:

win_404keylogger_g1

snake_keylogger

MAL_Envrial_Jan18_1

INDICATOR_SUSPICIOUS_Binary_References_Browsers

INDICATOR_SUSPICIOUS_EXE_References_Messaging_Clients

INDICATOR_SUSPICIOUS_EXE_DotNetProcHook

MALWARE_Win_SnakeKeylogger

Link:

https://www.unpac.me/results/92879630-a4c7-44ed-9253-86a4e12f1a37/

Parent samples :

2ed366c595c98fbfe00e692f6d7e06dd237bc2fce08070b610e220083bdb1fe4
f9eda741e36de984f5764c76429ada284101b74abba47b708ac175c49f8227fe
b234827824cb6864880f9bcf498b15a4a15511e541906347af53f0cd5ed60290
adbd8b904ab4bea6ff62fa51f68c11a1d1593fca88c8f556510f6a2764d98490
91be01581d30136fc1d54926fb6fee17beb10959dae4ff07c9808c0244cce25c
8e95907c0b65f2f882de4d6bf69e0b62bf6ea0be2a87e5cc0ffa535fad492264
74bfc0967b1636ed58fbfc95523775dbef1e084910676b1e13a775095fec013e
626a21b142572a7729f9ee6746af1a1b21378e2f2457f8bfce9bdbe7d1fbe136
4255224f9842c7cb47d5d5d488d2f45674ac540f2b4652618dd2153acd3cd151
27af0f60f3069416ee2be26ee18589448518135832e18ae26e867a95d22d8065
324fcd15e9d6f1b0991ad5943a3178031c608d872cb810eeef48f11295490d6f
5b51788ca1b5ba91fd6f120c8264ea6ca4ae45db3dce9079f741d4e90d7dd341

Malware family:

SnakeKeylogger

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/4255224f9842/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/4255224f9842c7cb47d5d5d488d2f45674ac540f2b4652618dd2153acd3cd151

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	crime_snake_keylogger Create hunting rule
Author:	Rony (r0ny_123)
Description:	Detects Snake keylogger payload

Rule name:	DetectEncryptedVariants Create hunting rule
Author:	Zinyth
Description:	Detects 'encrypted' in ASCII, Unicode, base64, or hex-encoded

Rule name:	INDICATOR_SUSPICIOUS_Binary_References_Browsers Create hunting rule
Author:	ditekSHen
Description:	Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers.

Rule name:	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook Create hunting rule
Author:	ditekSHen
Description:	Detects executables with potential process hoocking

Rule name:	INDICATOR_SUSPICIOUS_EXE_References_Messaging_Clients Create hunting rule
Author:	ditekSHen
Description:	Detects executables referencing many email and collaboration clients. Observed in information stealers

Rule name:	MALWARE_Win_SnakeKeylogger Create hunting rule
Author:	ditekSHen
Description:	Detects Snake Keylogger

Rule name:	MAL_Envrial_Jan18_1 Create hunting rule
Author:	Florian Roth (Nextron Systems)
Description:	Detects Encrial credential stealer malware
Reference:	https://twitter.com/malwrhunterteam/status/953313514629853184

Rule name:	MAL_Envrial_Jan18_1_RID2D8C Create hunting rule
Author:	Florian Roth
Description:	Detects Encrial credential stealer malware
Reference:	https://twitter.com/malwrhunterteam/status/953313514629853184

Rule name:	NET Create hunting rule
Author:	malware-lu

Rule name:	NETexecutableMicrosoft Create hunting rule
Author:	malware-lu

Rule name:	pe_imphash Create hunting rule

Rule name:	RANSOMWARE Create hunting rule
Author:	ToroGuitar

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

Rule name:	Sus_CMD_Powershell_Usage Create hunting rule
Author:	XiAnzheng
Description:	May Contain(Obfuscated or no) Powershell or CMD Command that can be abused by threat actor(can create FP)

Rule name:	Windows_Trojan_SnakeKeylogger_af3faa65 Create hunting rule
Author:	Elastic Security

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/32668/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample