MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 593e75e6e84def8dc80ff0d88136dc00335c465b414253bc19f99cbaded794eb. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


SnakeKeylogger


Vendor detections: 16


Intelligence 16 IOCs YARA 20 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 593e75e6e84def8dc80ff0d88136dc00335c465b414253bc19f99cbaded794eb
SHA3-384 hash: 50134f178dc5737f82778437b83ef0dab63d82bf5e202f806d436462da7ea744c9d7d8a3f3014efe30f7118fd853e0d4
SHA1 hash: 1ea1b13468e2b64f6ae972098a90dc1d4c041339
MD5 hash: 539d2672bce0e43de6c246a7cb734b6c
humanhash: diet-mars-north-pizza
File name:SPCC ENQ #1178.scr
Download: download sample
Signature SnakeKeylogger
Create hunting rule
File size:752'648 bytes
First seen:2025-03-24 07:22:26 UTC
Last seen:2025-03-24 07:32:26 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'738 x AgentTesla, 19'596 x Formbook, 12'241 x SnakeKeylogger)
ssdeep 12288:FscjvOn6nzxdKV/hh05P+9WbuR2XaTEl41xY74MPwHH+I4yISff5utxjnB/wQMTY:Nj2n6nKT05P+cnXaTEV5aH+I4brjBTQY
Threatray 1'618 similar samples on MalwareBazaar
TLSH T1EBF412A89759D203DAE15B705AB5F2B553792EDDA801D3139FECADDFBCA2F501C00282
TrID 71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.2% (.EXE) Win64 Executable (generic) (10522/11/4)
6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.3% (.EXE) Win32 Executable (generic) (4504/4/1)
2.0% (.ICL) Windows Icons Library (generic) (2059/9)
Magika pebin
Reporter lowmal3
Tags:exe SnakeKeylogger

Intelligence

File Origin
# of uploads :
3
# of downloads :
390
Origin country :
DE DE
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
SPCC ENQ #1178.scr
Verdict:
Malicious activity
Analysis date:
2025-03-25 04:54:06 UTC
Tags:
evasion snake keylogger telegram stealer
Link:
https://app.any.run/tasks/3fe28c45-1f9f-4ce4-a829-bda8dd06dfcd

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Verdict:
Malicious
Score:
99.9%
Link:
https://cyber-fortress.com/docs/result/index.php?id=67e246c4bb84e066269ebaec
Tags:
snake virus krypt msil
Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Creating a window
Сreating synchronization primitives
Creating a file in the %AppData% directory
Enabling the 'hidden' option for recently created files
Adding an access-denied ACE
Creating a process with a hidden window
Creating a file in the %temp% directory
Launching a process
Creating a file
DNS request
Connection attempt
Sending an HTTP GET request
Sending a custom TCP request
Reading critical registry keys
Stealing user critical data
Adding an exclusion to Microsoft Defender
Enabling autorun by creating a file
Unauthorized injection to a system process
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
expired-cert invalid-signature masquerade obfuscated packed packed packer_detected signed
Link:
https://www.filescan.io/uploads/67e1085d1ccf9586bbc51024/reports/9883667a-94a0-4607-9272-02cfa802dcb8/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_100%
Link:
https://www.hybrid-analysis.com/sample/593e75e6e84def8dc80ff0d88136dc00335c465b414253bc19f99cbaded794eb
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
Snake Keylogger, VIP Keylogger
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1646773
Behaviour
Behavior Graph:
n/a
Score:
97%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/593e75e6e84def8dc80ff0d88136dc00335c465b414253bc19f99cbaded794eb
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/593e75e6e84def8dc80ff0d88136dc00335c465b414253bc19f99cbaded794eb/
Threat name:
Win32.Trojan.SnakeStealer
Create hunting rule
Status:
Malicious
First seen:
2025-03-24 07:02:42 UTC
File Type:
PE (.Net Exe)
Extracted files:
8
AV detection:
25 of 36 (69.44%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=le7hlzxijxxy3sap6dmicnw4aazvyrs3ifbfhpaz7golvxwxstvq._file
Verdict:
malicious
Label(s):
unc_loader_037
Create hunting rule
vipkeylogger
Create hunting rule
Similar samples:
3836ce299f388dc89bf532e146457a98c55e122c453643785b91b4ef6e04ea4c
SnakeKeylogger
48f1f3d8b15ea4297df16072fea427a8fadd695c47ea27c16d933a99deb4f2f3
SnakeKeylogger
4d4f4dd3dd03d3ff63689d10675978b1e232f7d1429eca28cd3d9525824817eb
SnakeKeylogger
593e75e6e84def8dc80ff0d88136dc00335c465b414253bc19f99cbaded794eb
SnakeKeylogger
error
SnakeKeylogger
f0b92224a6c6d1b41423d500b1b008334416a0a8db4bacb8cd959e2c298df264
SnakeKeylogger
+ 1'608 additional samples on MalwareBazaar
Result
Malware family:
vipkeylogger
Create hunting rule
Score:
  10/10
Tags:
family:vipkeylogger collection discovery execution keylogger stealer
Link:
https://tria.ge/reports/250324-h7lctawnw3/
Behaviour
Scheduled Task/Job: Scheduled Task
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Browser Information Discovery
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Looks up external IP address via web service
Checks computer location settings
Command and Scripting Interpreter: PowerShell
VIPKeylogger
Vipkeylogger family
Verdict:
Malicious
Tags:
404keylogger
YARA:
n/a
Link:
https://app.threat.zone/submission/8051c1ee-4d0d-44f4-a7dc-204feb0d9989
Unpacked files
SH256 hash:
cf68f822581c977624b554e9669f1dacd3ea27da419ce7d922c4fd7159a37655
MD5 hash:
ef21daeeb39441e28b0cc86cc0e23235
SHA1 hash:
1297757d3382f98c8d391ee50d0dd892ab4f4440
Link:
https://www.unpac.me/results/c8e51ca1-c904-45c6-b4b4-6e58af8dfae5/
SH256 hash:
154eca60b75a080d4fc22c84f35d9c867b6c2a3ed608978529ff52c94e7eab4d
MD5 hash:
c31a766f09773c569b6fcaf26cc97a2a
SHA1 hash:
659cc61928fd675fa45a72361fec55b96bfec05a
Detections:
win_404keylogger_g1
Create hunting rule
MAL_Envrial_Jan18_1
Create hunting rule
INDICATOR_SUSPICIOUS_Binary_References_Browsers
Create hunting rule
INDICATOR_SUSPICIOUS_EXE_References_Messaging_Clients
Create hunting rule
INDICATOR_SUSPICIOUS_EXE_DotNetProcHook
Create hunting rule
INDICATOR_SUSPICIOUS_EXE_TelegramChatBot
Create hunting rule
Link:
https://www.unpac.me/results/c8e51ca1-c904-45c6-b4b4-6e58af8dfae5/
Parent samples :
e7fe1c2591b10ca2955cedfc436c2cbe554e7183160cd7d340688ea857fa27ae
96da4b8d14447d80f32748bfe57478b2aec51c8c2b4762d6934829a13040d97a
365a64d31e1b6981e3be8d9bae05ee95e3d0dd46e0329e1bff35c74c810111b0
1e2143b98df22081eccb57ead02a1cc5212aee0b51ac4ee89e858f4a62ddb3bb
cc40ff4d1e988abfed4e517c8505aad995cb8a3315ff1baa7ec6c352bc44983c
79c1989be0f722072b944cd12a158aa3c4cc59e482846bb3fbdbf5b6667840a9
a9d8843bb48d123d94742275be98648fee2262d2af1c4b987d46cf10c9ae4398
c822084a8f1aa34346264bea15d6af68a8c1bd85a3eb2a80b5cd00085da29f24
0c52e638e751092ae2eb5818e52929052a7d527d8be99f9a97bf783f648e2912
35423fe7c19b606f2b6d4aad403b2ed9aefafd2dc09ffcc1582acaaf71fb282f
593e75e6e84def8dc80ff0d88136dc00335c465b414253bc19f99cbaded794eb
8b6c728d7af964d8a35d544ec376c7ff16df2f329d514c82b315174a6dba0a29
41090020877332eb428cba81fbbbc3686a8e12bf0cf499902a8a5d2f53c4caf5
5909e27a896820bada06d37fa535a94759f336c7f9b07cf5202346c2d6e0e5d9
caa56d33ca9d08ee531040d6e591b20a8f7bc671a02622ad6fa5f609af5f5a32
SH256 hash:
8157587e7e5fe2ad244a93cc16ca62c837805dde5ebb8d8726f0a586db8928ba
MD5 hash:
bd142f2b1db00d4b4f6e444e8f897565
SHA1 hash:
8a48c9a62aa449063a0eca29d3607a4427e8a5d0
Detections:
SUSP_OBF_NET_ConfuserEx_Name_Pattern_Jan24
Create hunting rule
SUSP_OBF_NET_Reactor_Indicators_Jan24
Create hunting rule
Link:
https://www.unpac.me/results/c8e51ca1-c904-45c6-b4b4-6e58af8dfae5/
SH256 hash:
593e75e6e84def8dc80ff0d88136dc00335c465b414253bc19f99cbaded794eb
MD5 hash:
539d2672bce0e43de6c246a7cb734b6c
SHA1 hash:
1ea1b13468e2b64f6ae972098a90dc1d4c041339
Link:
https://www.unpac.me/results/c8e51ca1-c904-45c6-b4b4-6e58af8dfae5/
Malware family:
VIPKeylogger
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/593e75e6e84d/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:AgentTesla_DIFF_Common_Strings_01
Create hunting rule
Author:schmidtsz
Description:Identify partial Agent Tesla strings
Rule name:crime_snake_keylogger
Create hunting rule
Author:Rony (r0ny_123)
Description:Detects Snake keylogger payload
Rule name:INDICATOR_KB_CERT_7c1118cbbadc95da3752c46e47a27438
Create hunting rule
Author:ditekSHen
Description:Detects executables signed with stolen, revoked or invalid certificates
Rule name:INDICATOR_SUSPICIOUS_Binary_References_Browsers
Create hunting rule
Author:ditekSHen
Description:Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers.
Rule name:INDICATOR_SUSPICIOUS_EXE_DotNetProcHook
Create hunting rule
Author:ditekSHen
Description:Detects executables with potential process hoocking
Rule name:INDICATOR_SUSPICIOUS_EXE_References_Messaging_Clients
Create hunting rule
Author:ditekSHen
Description:Detects executables referencing many email and collaboration clients. Observed in information stealers
Rule name:INDICATOR_SUSPICIOUS_EXE_TelegramChatBot
Create hunting rule
Author:ditekSHen
Description:Detects executables using Telegram Chat Bot
Rule name:MAL_Envrial_Jan18_1
Create hunting rule
Author:Florian Roth (Nextron Systems)
Description:Detects Encrial credential stealer malware
Reference:https://twitter.com/malwrhunterteam/status/953313514629853184
Rule name:MAL_Envrial_Jan18_1_RID2D8C
Create hunting rule
Author:Florian Roth
Description:Detects Encrial credential stealer malware
Reference:https://twitter.com/malwrhunterteam/status/953313514629853184
Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:NETexecutableMicrosoft
Create hunting rule
Author:malware-lu
Rule name:PE_Digital_Certificate
Create hunting rule
Author:albertzsigovits
Rule name:pe_imphash
Create hunting rule
Rule name:RANSOMWARE
Create hunting rule
Author:ToroGuitar
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash
Rule name:Sus_Obf_Enc_Spoof_Hide_PE
Create hunting rule
Author:XiAnzheng
Description:Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique(can create FP)
Rule name:telegram_bot_api
Create hunting rule
Author:rectifyq
Description:Detects file containing Telegram Bot API
Rule name:Windows_Trojan_SnakeKeylogger_af3faa65
Create hunting rule
Author:Elastic Security

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

SnakeKeylogger

Executable exe 593e75e6e84def8dc80ff0d88136dc00335c465b414253bc19f99cbaded794eb

(this sample)

  
Delivery method
Distributed via e-mail attachment

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_DLL_CHARACTERISTICSMissing dll Security Characteristics (HIGH_ENTROPY_VA)high

Comments