MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 5351d0c3f9af2306a27dde7f7de885dcc3f85732dd85da1c90c63ee6df91e4f7. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


SnakeKeylogger


Vendor detections: 14


Intelligence 14 IOCs YARA 4 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 5351d0c3f9af2306a27dde7f7de885dcc3f85732dd85da1c90c63ee6df91e4f7
SHA3-384 hash: 457ee2ccec27b517d9696ac7b5d1fbe5616309f7deaab6560e4207c88e4603af4302ebede112ade80aeb1cd22d5c8421
SHA1 hash: 9494d0542f7c84704a07256f495334c06ab13941
MD5 hash: 0016a687be1fcb3f02e3db1b977302bb
humanhash: illinois-potato-saturn-stairway
File name:Fatura Ödemesi Hakkında.exe
Download: download sample
Signature SnakeKeylogger
Create hunting rule
File size:848'896 bytes
First seen:2025-05-06 06:24:04 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'740 x AgentTesla, 19'600 x Formbook, 12'241 x SnakeKeylogger)
ssdeep 12288:Xjlo36JSzcFlvdSpJuGU/UPmzz9gpAWpV4zpStCFCjiXdk/PIfnpFE9D:XjtEcUuBq4t5FwuTE9
Threatray 3'779 similar samples on MalwareBazaar
TLSH T1CA05E0283A548606DD9237750263D1716AADBECB9836C75A4BEB2FBF7F11600463F342
TrID 71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.2% (.EXE) Win64 Executable (generic) (10522/11/4)
6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.3% (.EXE) Win32 Executable (generic) (4504/4/1)
2.0% (.ICL) Windows Icons Library (generic) (2059/9)
Magika pebin
Reporter abuse_ch
Tags:exe geo SnakeKeylogger TUR

Intelligence

File Origin
# of uploads :
1
# of downloads :
472
Origin country :
NL NL
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
Fatura Ödemesi Hakkında.exe
Verdict:
No threats detected
Analysis date:
2025-05-06 07:12:11 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/eb659e25-0889-4eba-9631-60f7825521b7

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection(s):
SecuriteInfo.com.Trojan.PackedNET.3223.4913.8053.UNOFFICIAL
Create hunting rule

Verdict:
Malicious
Score:
96.5%
Link:
https://cyber-fortress.com/docs/result/index.php?id=6819ac2d432e243ac3e47c86
Tags:
snake spam
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Searching for synchronization primitives
Launching the default Windows debugger (dwwin.exe)
Searching for the window
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
obfuscated packed packed packer_detected
Link:
https://www.filescan.io/uploads/6819ab11d95f3e34e9618241/reports/29a72d03-ca40-435f-9fd5-f205f57984cb/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_100%
Link:
https://www.hybrid-analysis.com/sample/5351d0c3f9af2306a27dde7f7de885dcc3f85732dd85da1c90c63ee6df91e4f7
Malware family:
Snake Keylogger
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/c297b8c6-0879-48dd-b4d9-c26c7269ada9
Result
Threat name:
Snake Keylogger, VIP Keylogger
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1681846
Signature
.NET source code contains potential unpacker
Found malware configuration
Joe Sandbox ML detected suspicious sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Sample uses string decryption to hide its real strings
Suricata IDS alerts for network traffic
Tries to detect the country of the analysis system (by using the IP)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Uses the Telegram API (likely for C&C communication)
Yara detected AntiVM3
Yara detected Snake Keylogger
Yara detected Telegram RAT
Yara detected VIP Keylogger
Behaviour
Behavior Graph:
Download SVG
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/5351d0c3f9af2306a27dde7f7de885dcc3f85732dd85da1c90c63ee6df91e4f7
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/5351d0c3f9af2306a27dde7f7de885dcc3f85732dd85da1c90c63ee6df91e4f7/
Threat name:
ByteCode-MSIL.Spyware.Negasteal
Create hunting rule
Status:
Malicious
First seen:
2025-05-05 08:01:07 UTC
File Type:
PE (.Net Exe)
Extracted files:
28
AV detection:
29 of 38 (76.32%)
Threat level:
  2/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=kni5bq7zv4rqnit53z7x32ef3tb7qvzs3wc5uheqyy7onx4r4t3q._file
Verdict:
malicious
Label(s):
unc_loader_037
Create hunting rule
vipkeylogger
Create hunting rule
Similar samples:
41088186eed58ac236ab4c348e830c0cd33c23df294726a303cec26eec135505
SnakeKeylogger
66f078e58ebd64a0dc663e8b45e21469d9b7b020b130d7f4bd31de6de4a4ce7a
SnakeKeylogger
7a1af0954cd7db05725aaa1b43ae149bc9f7bb610305b216744f3863e5247663
SnakeKeylogger
e91f580c44b75485d8742039aa469e5c979e44db9d8fee5f2017e4f5c7cc0796
SnakeKeylogger
f0b92224a6c6d1b41423d500b1b008334416a0a8db4bacb8cd959e2c298df264
SnakeKeylogger
fef84d37b7a6401d86e58cbae5066ea24fa9e16fa44139db1d5c4c0a9df0bf2a
SnakeKeylogger
+ 3'769 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  3/10
Tags:
discovery
Link:
https://tria.ge/reports/250506-g55s1aak5w/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Program crash
System Location Discovery: System Language Discovery
Verdict:
Suspicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/2074c6e6-3920-42b8-a32d-a0fe83ac9f26
Unpacked files
SH256 hash:
5351d0c3f9af2306a27dde7f7de885dcc3f85732dd85da1c90c63ee6df91e4f7
MD5 hash:
0016a687be1fcb3f02e3db1b977302bb
SHA1 hash:
9494d0542f7c84704a07256f495334c06ab13941
Link:
https://www.unpac.me/results/a69aea14-dfc1-4f24-a3b1-4a5d58c6d8d5/
SH256 hash:
667083d1cb2823e28c43e3086ffd3ffe60f4c57b7b79daa313fd838b09942498
MD5 hash:
6da2a800ef156900f359b3fddc96c61d
SHA1 hash:
3ca283137915cfd65d053c02d6e71bed099dfc74
Link:
https://www.unpac.me/results/a69aea14-dfc1-4f24-a3b1-4a5d58c6d8d5/
SH256 hash:
8d3f4014e28bf6a6368c8ebf2148f35bd501d42e8f694a1d6a438a60f1e72f3c
MD5 hash:
ee4a7c54c4f69b008c2e1363d00b7396
SHA1 hash:
4e2c111d7ce5a29c4a2e08d7ca040dbc86d48d34
Detections:
SUSP_OBF_NET_ConfuserEx_Name_Pattern_Jan24
Create hunting rule
SUSP_OBF_NET_Reactor_Indicators_Jan24
Create hunting rule
Link:
https://www.unpac.me/results/a69aea14-dfc1-4f24-a3b1-4a5d58c6d8d5/
SH256 hash:
69a4e3feb8bfd2e513703c80b740f07b013b96287aef1d9002d1ae82b83ef6d4
MD5 hash:
2f09099424b145ae48915ed8d4990223
SHA1 hash:
5f7ca57ea7eb97a621901dd9414dfe986ffc6140
Detections:
win_404keylogger_g1
Create hunting rule
MAL_Envrial_Jan18_1
Create hunting rule
INDICATOR_SUSPICIOUS_Binary_References_Browsers
Create hunting rule
INDICATOR_SUSPICIOUS_EXE_DotNetProcHook
Create hunting rule
INDICATOR_SUSPICIOUS_EXE_TelegramChatBot
Create hunting rule
Link:
https://www.unpac.me/results/a69aea14-dfc1-4f24-a3b1-4a5d58c6d8d5/
Parent samples :
5351d0c3f9af2306a27dde7f7de885dcc3f85732dd85da1c90c63ee6df91e4f7
ba9856286b079931468e0a80830ae8855efdf38462f467dc7bc91f8a0ccd39e5
2a7986c20b18385a77d818638e7022c4c6a4f6ec1adc8ace5e2e3a8d59c3a392
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/5351d0c3f9af2306a27dde7f7de885dcc3f85732dd85da1c90c63ee6df91e4f7

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash
Rule name:Sus_Obf_Enc_Spoof_Hide_PE
Create hunting rule
Author:XiAnzheng
Description:Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique(can create FP)

File information

The table below shows additional information about this malware sample such as delivery method and external references.

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_DLL_CHARACTERISTICSMissing dll Security Characteristics (HIGH_ENTROPY_VA)high

Comments