MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 58792f2b2ce47f9bd6d3f5f7d3450d6ceb982836ec004b182f732b07d20ba4aa. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


SnakeKeylogger


Vendor detections: 18


Intelligence 18 IOCs YARA 9 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 58792f2b2ce47f9bd6d3f5f7d3450d6ceb982836ec004b182f732b07d20ba4aa
SHA3-384 hash: 261fb7cbf37581ed903f99f56c83d3b7412c355abb6900c0930f46bcdb37b06b83c1119c1b694fdf36a572fc90c70a4c
SHA1 hash: a88f97767871d335b00d8accc691c279b7826b5b
MD5 hash: 001b91d6dbf7cf14f79eb9e706aaace5
humanhash: arkansas-virginia-spring-oregon
File name:SecuriteInfo.com.BackDoor.AgentTeslaNET.29.12112.25323
Download: download sample
Signature SnakeKeylogger
Create hunting rule
File size:788'992 bytes
First seen:2025-05-27 20:17:52 UTC
Last seen:2025-06-10 09:34:02 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'666 x AgentTesla, 19'479 x Formbook, 12'209 x SnakeKeylogger)
ssdeep 12288:+vMhbzd8hpABZozk3H0fF4agV/t4aIWm6De9A0kusTLm+2PVBXsJiUKbKtSsnD4Q:+vGzd8EMzAu4aqXNDcAvVK+2hbp
Threatray 3'759 similar samples on MalwareBazaar
TLSH T16EF4CFAD3250B6DFC867C976DAA81C64FB6074BB430BD203A01316ADAA0D997CF155F3
TrID 67.7% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
9.7% (.EXE) Win64 Executable (generic) (10522/11/4)
6.0% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
4.1% (.EXE) Win32 Executable (generic) (4504/4/1)
Magika pebin
dhash icon 70f8d4d6cc683058 (25 x SnakeKeylogger, 8 x Formbook, 6 x AgentTesla)
Reporter SecuriteInfoCom
Tags:exe SnakeKeylogger

Intelligence

File Origin
# of uploads :
3
# of downloads :
521
Origin country :
FR FR
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
SecuriteInfo.com.BackDoor.AgentTeslaNET.29.12112.25323
Verdict:
Malicious activity
Analysis date:
2025-05-27 20:22:26 UTC
Tags:
snake keylogger evasion stealer ims-api generic
Link:
https://app.any.run/tasks/641d19a4-a587-43fb-8370-50fd1e91dbe5

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Snake
Create hunting rule
Link:
https://www.capesandbox.com/analysis/5944/
Detection(s):
SecuriteInfo.com.BackDoor.AgentTeslaNET.29.12112.25323.UNOFFICIAL
Create hunting rule

Verdict:
Malicious
Score:
94.9%
Link:
https://cyber-fortress.com/docs/result/index.php?id=683620bf668438e362e780e6
Tags:
backdoor micro hype
Result
Verdict:
Malware
Maliciousness:

Behaviour
Сreating synchronization primitives
Searching for synchronization primitives
Creating a window
Unauthorized injection to a recently created process
Restart of the analyzed sample
Creating a file
DNS request
Connection attempt
Sending an HTTP GET request
Sending a custom TCP request
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
obfuscated obfuscated packed packed packer_detected
Link:
https://www.filescan.io/uploads/68361e18171e01f9592ec073/reports/43e78a18-eee6-4521-bd06-f2c7c62caa2a/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_100%
Link:
https://www.hybrid-analysis.com/sample/58792f2b2ce47f9bd6d3f5f7d3450d6ceb982836ec004b182f732b07d20ba4aa
Malware family:
Agent Tesla
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/2b72e1b9-a64a-455a-a24d-ec8f8ce9d3ee
Result
Threat name:
Snake Keylogger
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1700286
Signature
.NET source code contains potential unpacker
.NET source code contains very large array initializations
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Found malware configuration
Injects a PE file into a foreign processes
Joe Sandbox ML detected suspicious sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Sample uses string decryption to hide its real strings
Tries to detect the country of the analysis system (by using the IP)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Uses threadpools to delay analysis
Yara detected AntiVM3
Yara detected Snake Keylogger
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1700286 Sample: SecuriteInfo.com.BackDoor.A... Startdate: 27/05/2025 Architecture: WINDOWS Score: 100 19 reallyfreegeoip.org 2->19 21 checkip.dyndns.org 2->21 23 checkip.dyndns.com 2->23 29 Found malware configuration 2->29 31 Malicious sample detected (through community Yara rule) 2->31 33 Multi AV Scanner detection for submitted file 2->33 37 6 other signatures 2->37 7 SecuriteInfo.com.BackDoor.AgentTeslaNET.29.12112.25323.exe 3 2->7         started        signatures3 35 Tries to detect the country of the analysis system (by using the IP) 19->35 process4 file5 17 SecuriteInfo.com.B...12112.25323.exe.log, ASCII 7->17 dropped 39 Detected unpacking (changes PE section rights) 7->39 41 Detected unpacking (overwrites its own PE header) 7->41 43 Injects a PE file into a foreign processes 7->43 45 Uses threadpools to delay analysis 7->45 11 SecuriteInfo.com.BackDoor.AgentTeslaNET.29.12112.25323.exe 15 2 7->11         started        15 SecuriteInfo.com.BackDoor.AgentTeslaNET.29.12112.25323.exe 7->15         started        signatures6 process7 dnsIp8 25 checkip.dyndns.com 193.122.130.0, 49722, 49725, 49726 ORACLE-BMC-31898US United States 11->25 27 reallyfreegeoip.org 104.21.32.1, 443, 49724, 49727 CLOUDFLARENETUS United States 11->27 47 Tries to steal Mail credentials (via file / registry access) 11->47 49 Tries to harvest and steal browser information (history, passwords, etc) 11->49 signatures9
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/58792f2b2ce47f9bd6d3f5f7d3450d6ceb982836ec004b182f732b07d20ba4aa
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/58792f2b2ce47f9bd6d3f5f7d3450d6ceb982836ec004b182f732b07d20ba4aa/
Threat name:
Win32.Spyware.Negasteal
Create hunting rule
Status:
Suspicious
First seen:
2025-05-26 18:30:23 UTC
File Type:
PE (.Net Exe)
Extracted files:
1
AV detection:
27 of 38 (71.05%)
Threat level:
  2/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=lb4s6kzm4r7zxvwt6x35grinntvzqkbw5qaewgbpomvqpuqlusva._file
Verdict:
malicious
Label(s):
404keylogger
Create hunting rule
unc_loader_037
Create hunting rule
Similar samples:
068e05c944faf172cf83584b995dd98b6ad77a42df01e0bda06cec52eebc3074
SnakeKeylogger
7b2118ed1133b43f2521509f4eac9e89b89cdfc389208099cc6e601aaf95c836
SnakeKeylogger
832c9fff9119971e24be408c892db66a20202af2089d4693047b8e785ebc08dc
SnakeKeylogger
b1bd96341b2c06cf1ea7a1a9026222f1a85d8605798be6f7809100b3e0bd11dc
SnakeKeylogger
b37e686fd31a86e8ace7bac6a862b1388241527af590a168c294801cfbecd5b1
SnakeKeylogger
+ 3'749 additional samples on MalwareBazaar
Result
Malware family:
snakekeylogger
Create hunting rule
Score:
  10/10
Tags:
family:snakekeylogger collection discovery keylogger spyware stealer
Link:
https://tria.ge/reports/250527-y3fjrsypw8/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
System Location Discovery: System Language Discovery
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Looks up external IP address via web service
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Snake Keylogger
Snake Keylogger payload
Snakekeylogger family
Verdict:
Malicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/58db7d2b-cb74-4d4a-b0a2-d1b04e20e093
Unpacked files
SH256 hash:
58792f2b2ce47f9bd6d3f5f7d3450d6ceb982836ec004b182f732b07d20ba4aa
MD5 hash:
001b91d6dbf7cf14f79eb9e706aaace5
SHA1 hash:
a88f97767871d335b00d8accc691c279b7826b5b
Link:
https://www.unpac.me/results/5e27ce19-0096-4ca5-8c9e-594c7b747532/
SH256 hash:
40821f2c5247a234030a44871d4d62035044e2d486432b81e06880213c6fa912
MD5 hash:
c98557f7f6d853d88f1704eeacf3f39d
SHA1 hash:
01fb8c8b57fe8e19022f3fe0ac882c4e9cd9c69c
Link:
https://www.unpac.me/results/5e27ce19-0096-4ca5-8c9e-594c7b747532/
SH256 hash:
9e83dbba091289882c9836ae470877df51cc6eb47e3c2c1699e83410e14f8493
MD5 hash:
e8f5ace1cb1838c33a8f800e68a6ef43
SHA1 hash:
4762946230d70f95f4ae44c85bc303fa553ca037
Detections:
SUSP_OBF_NET_ConfuserEx_Name_Pattern_Jan24
Create hunting rule
SUSP_OBF_NET_Reactor_Indicators_Jan24
Create hunting rule
Link:
https://www.unpac.me/results/5e27ce19-0096-4ca5-8c9e-594c7b747532/
SH256 hash:
f210e3d4efd3fe140d27c33169b21df09de3dfec657e4f2ae29c5e3b2a4ad9f8
MD5 hash:
fc5a17c355f0fa12c27dfdfa135f42f3
SHA1 hash:
b5ec68230770d777e43552be50d8d25ef0e04b6b
Detections:
win_404keylogger_g1
Create hunting rule
snake_keylogger
Create hunting rule
MAL_Envrial_Jan18_1
Create hunting rule
INDICATOR_SUSPICIOUS_Binary_References_Browsers
Create hunting rule
INDICATOR_SUSPICIOUS_EXE_References_Messaging_Clients
Create hunting rule
INDICATOR_SUSPICIOUS_EXE_DotNetProcHook
Create hunting rule
MALWARE_Win_SnakeKeylogger
Create hunting rule
Link:
https://www.unpac.me/results/5e27ce19-0096-4ca5-8c9e-594c7b747532/
Parent samples :
7b62e2e0e51bc3923d80d98a074afdc84c8435c602f7d419c785d1907252312d
58792f2b2ce47f9bd6d3f5f7d3450d6ceb982836ec004b182f732b07d20ba4aa
b123d66d76053e9370b833030e14cabe3570a8d312514560a6d3a9102c341c53
e39c7387232bd019b158413db566c128dce79a8f4d63b4eb62906fa191223c55
5fff2b1da9f0c16196866c52606a2fd33ea685e67bea490057724bcec780e131
75d436daf3a4884c7ac1e12650cc105232a2778f769028e50a837ef14034ddab
ae0d463b6861b38c1050a55ad8fc4a111922e42c96f85df47053dcf838db07ad
46606eb69b6c1fd22b96ca8f40813375c6e208bd7d9c37e18129b88ae338ce2e
Malware family:
SnakeKeylogger
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/58792f2b2ce4/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/58792f2b2ce47f9bd6d3f5f7d3450d6ceb982836ec004b182f732b07d20ba4aa

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:DebuggerCheck__API
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:DebuggerCheck__QueryInfo
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:NETexecutableMicrosoft
Create hunting rule
Author:malware-lu
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash
Rule name:Sus_Obf_Enc_Spoof_Hide_PE
Create hunting rule
Author:XiAnzheng
Description:Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique(can create FP)

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/5944/

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_DLL_CHARACTERISTICSMissing dll Security Characteristics (HIGH_ENTROPY_VA)high

Comments