MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 43ab74c24e3e254aecc481656f4c1cf59c1e1a299cc3d8b26309de44fc6b0ace. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


SnakeKeylogger


Vendor detections: 17


Intelligence 17 IOCs YARA 15 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 43ab74c24e3e254aecc481656f4c1cf59c1e1a299cc3d8b26309de44fc6b0ace
SHA3-384 hash: 4cb6f943b1739286629fa52a94c6beeb69be189fbf0fd38f68495a5462f2c53d6298fba18e6a96776e99306c7fb0220b
SHA1 hash: c40cadd7ff7d06b01d7b0885ded58c5738069a07
MD5 hash: 7e3009685ee8ea8c2d08dffae1241ad8
humanhash: failed-apart-mars-oklahoma
File name:Ramona voy 2022025.exe
Download: download sample
Signature SnakeKeylogger
Create hunting rule
File size:1'095'680 bytes
First seen:2025-04-17 17:25:36 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'657 x AgentTesla, 19'469 x Formbook, 12'208 x SnakeKeylogger)
ssdeep 24576:6A9km6k/IwRYbiBeKGCtesas1cSjOAit:b9sk/IRUnEVsDjO9t
Threatray 1'103 similar samples on MalwareBazaar
TLSH T11D35CF6096A65B17F5FBCA319BF13412CAFABC453E02882F795263464493BF01DD4B2B
TrID 30.2% (.EXE) Win64 Executable (generic) (10522/11/4)
18.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
14.5% (.EXE) Win16 NE executable (generic) (5038/12/1)
12.9% (.EXE) Win32 Executable (generic) (4504/4/1)
5.9% (.ICL) Windows Icons Library (generic) (2059/9)
Magika pebin
Reporter threatcat_ch
Tags:exe SnakeKeylogger

Intelligence

File Origin
# of uploads :
1
# of downloads :
563
Origin country :
CH CH
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
Ramona voy 2022025.exe
Verdict:
Malicious activity
Analysis date:
2025-04-17 17:27:58 UTC
Tags:
evasion snake keylogger stealer
Link:
https://app.any.run/tasks/aa4c2bbf-09d9-4324-b16f-1b023a7a1916

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Snake
Create hunting rule
Link:
https://www.capesandbox.com/analysis/2744/
Verdict:
Malicious
Score:
92.5%
Link:
https://cyber-fortress.com/docs/result/index.php?id=68013eb8280f5f89a0d09e06
Tags:
autorun shell spawn sage
Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Creating a window
Launching a process
Unauthorized injection to a recently created process
Restart of the analyzed sample
Сreating synchronization primitives
DNS request
Connection attempt
Sending an HTTP GET request
Sending a custom TCP request
Reading critical registry keys
Forced shutdown of a browser
Enabling autorun by creating a file
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
obfuscated packed packed packer_detected
Link:
https://www.filescan.io/uploads/680139bd90767142c3d9657d/reports/9b5701d5-5e47-4a6e-b3f2-104f0f14e89f/overview
Verdict:
Malicious
Labled as:
Ser.Jalapeno.Generic
Link:
https://www.hybrid-analysis.com/sample/43ab74c24e3e254aecc481656f4c1cf59c1e1a299cc3d8b26309de44fc6b0ace
Malware family:
Snake Keylogger
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/cc494b51-6fb0-4dc4-8b14-750b10c17ffe
Result
Threat name:
Snake Keylogger
Create hunting rule
Detection:
malicious
Classification:
spre.troj.adwa.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1667774
Signature
.NET source code contains potential unpacker
.NET source code references suspicious native API functions
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Bypasses PowerShell execution policy
Creates executable files without a name
Drops PE files to the startup folder
Found malware configuration
Joe Sandbox ML detected suspicious sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Powershell drops PE file
Sample uses string decryption to hide its real strings
Sigma detected: Copy file to startup via Powershell
Tries to detect the country of the analysis system (by using the IP)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Yara detected AntiVM3
Yara detected Snake Keylogger
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1667774 Sample: Ramona voy 2022025.exe Startdate: 17/04/2025 Architecture: WINDOWS Score: 100 34 reallyfreegeoip.org 2->34 36 checkip.dyndns.org 2->36 38 checkip.dyndns.com 2->38 56 Found malware configuration 2->56 58 Malicious sample detected (through community Yara rule) 2->58 60 Antivirus detection for dropped file 2->60 64 11 other signatures 2->64 8 Ramona voy 2022025.exe 2 2->8         started        10 .exe 2 2->10         started        12 svchost.exe 1 1 2->12         started        signatures3 62 Tries to detect the country of the analysis system (by using the IP) 34->62 process4 dnsIp5 15 powershell.exe 13 8->15         started        19 Ramona voy 2022025.exe 15 2 8->19         started        22 .exe 14 2 10->22         started        24 powershell.exe 11 10->24         started        44 127.0.0.1 unknown unknown 12->44 process6 dnsIp7 30 C:\Users\user\AppData\Roaming\...\.exe, PE32 15->30 dropped 32 C:\Users\user\...\.exe:Zone.Identifier, ASCII 15->32 dropped 46 Creates executable files without a name 15->46 48 Drops PE files to the startup folder 15->48 50 Powershell drops PE file 15->50 26 conhost.exe 15->26         started        40 checkip.dyndns.com 158.101.44.242, 49711, 49716, 49719 ORACLE-BMC-31898US United States 19->40 42 reallyfreegeoip.org 104.21.16.1, 443, 49712, 49715 CLOUDFLARENETUS United States 19->42 52 Tries to steal Mail credentials (via file / registry access) 22->52 54 Tries to harvest and steal browser information (history, passwords, etc) 22->54 28 conhost.exe 24->28         started        file8 signatures9 process10
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/43ab74c24e3e254aecc481656f4c1cf59c1e1a299cc3d8b26309de44fc6b0ace
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/43ab74c24e3e254aecc481656f4c1cf59c1e1a299cc3d8b26309de44fc6b0ace/
Threat name:
Win32.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2025-04-17 08:34:06 UTC
File Type:
PE (.Net Exe)
Extracted files:
4
AV detection:
28 of 38 (73.68%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=iovxjqsohysuv3geqfsw6ta46wob4grjttb5rmtdbhpej7dlblha._file
Verdict:
malicious
Label(s):
404keylogger
Create hunting rule
Similar samples:
832c9fff9119971e24be408c892db66a20202af2089d4693047b8e785ebc08dc
SnakeKeylogger
a9052b6f2e3a6fdc491c9065c665f39d17c55ab3fa79638fcb91f366b4af4a23
SnakeKeylogger
b37e686fd31a86e8ace7bac6a862b1388241527af590a168c294801cfbecd5b1
SnakeKeylogger
b96f452f9f9a7db0d10679b7f454ed54848a44a6f27e415cc8293f2f7079a686
SnakeKeylogger
+ 1'093 additional samples on MalwareBazaar
Result
Malware family:
snakekeylogger
Create hunting rule
Score:
  10/10
Tags:
family:snakekeylogger collection discovery execution keylogger spyware stealer
Link:
https://tria.ge/reports/250417-vz1trayjx8/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Command and Scripting Interpreter: PowerShell
System Location Discovery: System Language Discovery
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Looks up external IP address via web service
Drops startup file
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Snake Keylogger
Snake Keylogger payload
Snakekeylogger family
Verdict:
Malicious
Tags:
404keylogger
YARA:
n/a
Link:
https://app.threat.zone/submission/e6b88d74-2356-4cad-bf85-80d839e879df
Unpacked files
SH256 hash:
43ab74c24e3e254aecc481656f4c1cf59c1e1a299cc3d8b26309de44fc6b0ace
MD5 hash:
7e3009685ee8ea8c2d08dffae1241ad8
SHA1 hash:
c40cadd7ff7d06b01d7b0885ded58c5738069a07
Link:
https://www.unpac.me/results/f26b6a13-1582-4f27-832a-581bb6f0df19/
SH256 hash:
56282703d2b0623f87dd8f4475b60aa8f7c79626520653a3246b1ae64fbfb4b4
MD5 hash:
2c153bef8b7595edc47c14ecf739f961
SHA1 hash:
19561f19f31d8f4cb39ff0115c3bda8dca8df894
Detections:
win_404keylogger_g1
Create hunting rule
snake_keylogger
Create hunting rule
MAL_Envrial_Jan18_1
Create hunting rule
INDICATOR_SUSPICIOUS_Binary_References_Browsers
Create hunting rule
INDICATOR_SUSPICIOUS_EXE_References_Messaging_Clients
Create hunting rule
INDICATOR_SUSPICIOUS_EXE_DotNetProcHook
Create hunting rule
MALWARE_Win_SnakeKeylogger
Create hunting rule
Link:
https://www.unpac.me/results/f26b6a13-1582-4f27-832a-581bb6f0df19/
Parent samples :
4be074b62daf882649c946d79f11c98a73193953e7ec121c53b70e627a2efccb
4bbdd58770252f5b0d50238c0eb324510fd39b051a7a7b98e871514f1c97ca20
50b29f921683e704827a4675c82612894867a47764a4e7cfba0a2e0288363823
853b49c1e4fc2c040164ce927b7eb619feef66bb61d16b223ec352673a336e12
2fb7505c8296c864ebf2e99348f4465997be63da7f99867170772a7aeea7d35f
80c99fdb06e5324132ca5341b60c2e459418b0d51293a151d97fc6d00690202f
96052806a7a588c539c7f3a2ed2602f63a5e0cb72f950c89776000fbb281ecf5
3bfd2c6af168d397b930e8d36735d9fe0098d6c3ab33ec56db5531e69ecef066
1470466736f1071fab6030a80096fa9a7692b5906ce76d3e6fe5563e3d0c24b3
81dec5b97ca5f11ee7c15d7374c04a5bc89546c3b4db34ae1433ea15a729f55e
cd4a1be3d2ec77f007d4dd51d29e2bd49cd07c13725cc693fabf7b5bd443581d
5dc2790fddfb80029dc4e2fe2ff5a9ef0e1f9d57fe27c10e2073f77aad2889ef
43ab74c24e3e254aecc481656f4c1cf59c1e1a299cc3d8b26309de44fc6b0ace
SH256 hash:
0e662a95c6171440be04374fe369bd05a5fa68f07a199d3bb18829189317b065
MD5 hash:
30b04d59ef54cccf0e64e489b9e6ff6b
SHA1 hash:
bbd7d88c7abb89768716d415634e242289ead1b9
Detections:
MALWARE_Win_DLInjector02
Create hunting rule
Link:
https://www.unpac.me/results/f26b6a13-1582-4f27-832a-581bb6f0df19/
SH256 hash:
45c7b64a55dca23ee1239649e03a7c361813dbcfc2a0817b0d8e94c907d6ed4b
MD5 hash:
fb1bc19121c4e190d83672bc71b493f0
SHA1 hash:
c3488b969ba578e28ee360be24b6416425a224a0
Link:
https://www.unpac.me/results/f26b6a13-1582-4f27-832a-581bb6f0df19/
Malware family:
SnakeKeylogger
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/43ab74c24e3e/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:crime_snake_keylogger
Create hunting rule
Author:Rony (r0ny_123)
Description:Detects Snake keylogger payload
Rule name:INDICATOR_SUSPICIOUS_Binary_References_Browsers
Create hunting rule
Author:ditekSHen
Description:Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers.
Rule name:INDICATOR_SUSPICIOUS_EXE_DotNetProcHook
Create hunting rule
Author:ditekSHen
Description:Detects executables with potential process hoocking
Rule name:INDICATOR_SUSPICIOUS_EXE_References_Messaging_Clients
Create hunting rule
Author:ditekSHen
Description:Detects executables referencing many email and collaboration clients. Observed in information stealers
Rule name:MALWARE_Win_SnakeKeylogger
Create hunting rule
Author:ditekSHen
Description:Detects Snake Keylogger
Rule name:MAL_Envrial_Jan18_1
Create hunting rule
Author:Florian Roth (Nextron Systems)
Description:Detects Encrial credential stealer malware
Reference:https://twitter.com/malwrhunterteam/status/953313514629853184
Rule name:MAL_Envrial_Jan18_1_RID2D8C
Create hunting rule
Author:Florian Roth
Description:Detects Encrial credential stealer malware
Reference:https://twitter.com/malwrhunterteam/status/953313514629853184
Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:NETexecutableMicrosoft
Create hunting rule
Author:malware-lu
Rule name:pe_imphash
Create hunting rule
Rule name:RANSOMWARE
Create hunting rule
Author:ToroGuitar
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash
Rule name:Sus_Obf_Enc_Spoof_Hide_PE
Create hunting rule
Author:XiAnzheng
Description:Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique(can create FP)
Rule name:Windows_Trojan_SnakeKeylogger_af3faa65
Create hunting rule
Author:Elastic Security

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

SnakeKeylogger

Executable exe 43ab74c24e3e254aecc481656f4c1cf59c1e1a299cc3d8b26309de44fc6b0ace

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/2744/

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_DLL_CHARACTERISTICSMissing dll Security Characteristics (HIGH_ENTROPY_VA)high

Comments