MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 50aef9fefe23240506ef807c00fd6cd89ef912d98127db467bdb0823a3677721. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


SnakeKeylogger


Vendor detections: 17


Intelligence 17 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 50aef9fefe23240506ef807c00fd6cd89ef912d98127db467bdb0823a3677721
SHA3-384 hash: d2ee73973d7de1b161f88fc5cb1a587f1219a5f39bb21d702288a6f4f33c17294019ff5f450b65cd3c6a1ddab0e56a0d
SHA1 hash: e0ec657efa2b731e9f509486469ace2bb2bec483
MD5 hash: eb53c17c97ee1e36ed2b04c2ba69c316
humanhash: angel-helium-nebraska-bluebird
File name:Pedido de Cotação 57869_CT QLD_PDF.bat
Download: download sample
Signature SnakeKeylogger
Create hunting rule
File size:739'328 bytes
First seen:2025-12-08 14:01:36 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'740 x AgentTesla, 19'599 x Formbook, 12'241 x SnakeKeylogger)
ssdeep 12288:4MFKfeh2hb94dzCFlRcUPg78SgDHVSSNFH/TubQhxsGUSUwpdQ2j6lgfy:BIBmGFlR878SgDsGFHtUShfQ3
Threatray 46 similar samples on MalwareBazaar
TLSH T1ECF412B296C4D613D9D413B10D71E67103362E5DAD22E31BCFEEEDEB30A9340541EAA2
TrID 71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.2% (.EXE) Win64 Executable (generic) (10522/11/4)
6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.3% (.EXE) Win32 Executable (generic) (4504/4/1)
2.0% (.ICL) Windows Icons Library (generic) (2059/9)
Magika pebin
Reporter adrian__luca
Tags:exe SnakeKeylogger

Intelligence

File Origin
# of uploads :
1
# of downloads :
88
Origin country :
HU HU
Vendor Threat Intelligence
Malware configuration found for:
RoboSki
Details
Link:
https://research.acce.ciphertechsolutions.com/results/623939a1-ced9-419a-b367-54cc2c1594dc/
Malware family:
n/a
ID:
1
File name:
Pedido de Cotação 57869_CT QLD_PDF.bat
Verdict:
Malicious activity
Analysis date:
2025-12-08 14:10:29 UTC
Tags:
snake keylogger evasion auto-sch-xml telegram stealer
Link:
https://app.any.run/tasks/6ce814c2-f325-4542-b36f-a357d7c5c028

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
VIPKeyLogger
Create hunting rule
Link:
https://www.capesandbox.com/analysis/43013/
Verdict:
Malicious
Score:
99.1%
Link:
https://cyber-fortress.com/docs/result/index.php?id=6936da8c881313558a2b81b6
Tags:
virus shell msil
Verdict:
Malicious
Labled as:
Win/malicious_confidence_100%
Link:
https://www.hybrid-analysis.com/sample/50aef9fefe23240506ef807c00fd6cd89ef912d98127db467bdb0823a3677721
Verdict:
Malicious
File Type:
exe x32
First seen:
2025-12-04T05:44:00Z UTC
Last seen:
2025-12-10T08:03:00Z UTC
Hits:
~100
Detections:
Trojan-PSW.SnakeLogger.HTTP.C&C Trojan-PSW.Win32.Stealer.sb Trojan.Win32.Agent.sb Trojan.MSIL.Crypt.sb HEUR:Trojan-Spy.MSIL.Agent.sb Trojan.Taskun.TCP.C&C PDM:Trojan.Win32.Generic Trojan.MSIL.Taskun.sb Trojan-PSW.Win32.Stelega.sb Trojan.MSIL.Inject.sb HEUR:Trojan.MSIL.Taskun.sb HEUR:Backdoor.MSIL.XWorm.gen
Link:
https://opentip.kaspersky.com/50aef9fefe23240506ef807c00fd6cd89ef912d98127db467bdb0823a3677721/results?tab=lookup
Verdict:
Suspicious
Link:
https://analyze.intezer.com/analyses/8d14cead-2195-4863-8b85-0a4e2cd6a3d6
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/50aef9fefe23240506ef807c00fd6cd89ef912d98127db467bdb0823a3677721
Verdict:
inconclusive
YARA:
10 match(es)
Tags:
.Net Executable Managed .NET PDB Path PE (Portable Executable) PE File Layout SOS: 0.52 Win 32 Exe x86
Link:
https://app.malva.re/file/eb53c17c97ee1e36ed2b04c2ba69c316
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/50aef9fefe23240506ef807c00fd6cd89ef912d98127db467bdb0823a3677721/
Verdict:
Malicious
Threat:
Family.SNAKE
Link:
https://tip.neiki.dev/file/50aef9fefe23240506ef807c00fd6cd89ef912d98127db467bdb0823a3677721
Threat name:
ByteCode-MSIL.Spyware.Snakekeylogger
Create hunting rule
Status:
Malicious
First seen:
2025-12-05 08:11:17 UTC
File Type:
PE (.Net Exe)
Extracted files:
9
AV detection:
19 of 24 (79.17%)
Threat level:
  2/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=kcxpt7x6emsakbxpqb6ab7lm3cppsewzqet5wrt33mechi3ho4qq._file
Verdict:
malicious
Label(s):
vipkeylogger
Create hunting rule
Similar samples:
0b67d298c72d5ce44862870a253e2fae7011e9bb615b4edb17fee6227f252819
SnakeKeylogger
60203c6af96861965a089eb2c9aa70ffca1a5dfee35a369e77ad3f17896a8ce3
SnakeKeylogger
707fdafc56b969ced0f79032c766da29582068ae2630074ec8d41c4d53a73773
SnakeKeylogger
+ 36 additional samples on MalwareBazaar
Result
Malware family:
vipkeylogger
Create hunting rule
Score:
  10/10
Tags:
family:vipkeylogger collection discovery execution keylogger persistence spyware stealer
Link:
https://tria.ge/reports/251208-rcfcraxrhj/
Behaviour
Scheduled Task/Job: Scheduled Task
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Browser Information Discovery
Enumerates physical storage devices
System Location Discovery: System Language Discovery
SmartAssembly .NET packer
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Looks up external IP address via web service
Checks computer location settings
Executes dropped EXE
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Command and Scripting Interpreter: PowerShell
VIPKeylogger
Vipkeylogger family
Verdict:
Malicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/dfe53717-fc31-47ac-b94b-86bf5bdb7493
Unpacked files
SH256 hash:
50aef9fefe23240506ef807c00fd6cd89ef912d98127db467bdb0823a3677721
MD5 hash:
eb53c17c97ee1e36ed2b04c2ba69c316
SHA1 hash:
e0ec657efa2b731e9f509486469ace2bb2bec483
Link:
https://www.unpac.me/results/b7e3f792-9375-4c6c-8b06-c619c4497825/
SH256 hash:
65ff3c159e0d6207aca43001079c062646d480ff9558454ac5666d5c0921ff70
MD5 hash:
2cc742abf147d316fb4243482b739fa7
SHA1 hash:
768f08baf401a952f2eb27cb0e9476d34a48f05b
Detections:
INDICATOR_EXE_Packed_SmartAssembly
Create hunting rule
Link:
https://www.unpac.me/results/b7e3f792-9375-4c6c-8b06-c619c4497825/
Parent samples :
6e2b1a9ba0fb924774b35d3fe97e5ee232de78f7292fd7a79c678d6de974751a
d4ac4a98170b7b5606fc03e625be2973bd0f4ad38c653ba4db1558fead88dc0a
f50d4bf5151fc2f9f89ff48f4ead9ea615bc85a951b88a6d83d0dd53bd17a942
e3733d68078f927a67479fded197bf45287c17a775da4c81d3b3d4853e57d1f4
bfe8597cf704cb576063e7883146c8af4f384521ddc1ecb059d91d58480bc265
0b67d298c72d5ce44862870a253e2fae7011e9bb615b4edb17fee6227f252819
ffe62ce01381e57eeed388498cce63803de8f7a9093d0c9b8ff821179d65aeee
de0892e8c62f21f2fb6669f8b4bf28a7bd9c014cc5820735491c44ce93fe0f09
549a2ef27e60dc1550032622ce3c85b5b5b3fdceabdfc318342f1c24e55614bf
50aef9fefe23240506ef807c00fd6cd89ef912d98127db467bdb0823a3677721
SH256 hash:
1acf4dd139a98223d2dc554d39d7f1c87c387d7eb6c5f47fe1898d0796e218d9
MD5 hash:
f8f6ab36393555db1c7f890440a99484
SHA1 hash:
8f7854800aa9962851a2ddbf6b719a1bb06b7b6f
Detections:
win_404keylogger_g1
Create hunting rule
MAL_Envrial_Jan18_1
Create hunting rule
INDICATOR_SUSPICIOUS_Binary_References_Browsers
Create hunting rule
INDICATOR_SUSPICIOUS_EXE_References_Messaging_Clients
Create hunting rule
INDICATOR_SUSPICIOUS_EXE_DotNetProcHook
Create hunting rule
INDICATOR_SUSPICIOUS_EXE_TelegramChatBot
Create hunting rule
Link:
https://www.unpac.me/results/b7e3f792-9375-4c6c-8b06-c619c4497825/
SH256 hash:
a050e3628c166138174a1239ad064af39cb64f9e60e3cf273b0523f1e4e15633
MD5 hash:
acab1d9c546c65c407a28bff3d135470
SHA1 hash:
beed4671d23730508e2aa6493201a7fbbcbd1948
Detections:
SUSP_OBF_NET_ConfuserEx_Name_Pattern_Jan24
Create hunting rule
SUSP_OBF_NET_Reactor_Indicators_Jan24
Create hunting rule
Link:
https://www.unpac.me/results/b7e3f792-9375-4c6c-8b06-c619c4497825/
Malware family:
VIPKeylogger
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/50aef9fefe23/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/50aef9fefe23240506ef807c00fd6cd89ef912d98127db467bdb0823a3677721

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

SnakeKeylogger

Executable exe 50aef9fefe23240506ef807c00fd6cd89ef912d98127db467bdb0823a3677721

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/43013/

Comments