MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 5ad3f15faf80e24a6c002f577b2b00b2039eec0d19f848cfcfeea9d494ef83dc. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

SnakeKeylogger

Vendor detections: 17

Intelligence 17 IOCs YARA 5 File information Comments

SHA256 hash:	5ad3f15faf80e24a6c002f577b2b00b2039eec0d19f848cfcfeea9d494ef83dc
SHA3-384 hash:	fd01160f31343554d8e05d29ceab66f8f3d3b35f8426c91589679d88690c26be67842c0dfe2391365e34dcadc6ec12d8
SHA1 hash:	05ee9e6d57214a9a037c9ee32c09b1d256c0a640
MD5 hash:	650178721d4c8c501395884cc160def3
humanhash:	nuts-winner-bravo-leopard
File name:	5ad3f15faf80e24a6c002f577b2b00b2039eec0d19f848cfcfeea9d494ef83dc
Download:	download sample
Signature	SnakeKeylogger Create hunting rule
File size:	861'696 bytes
First seen:	2025-08-12 15:01:30 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'740 x AgentTesla, 19'600 x Formbook, 12'241 x SnakeKeylogger)
ssdeep	24576:ARFKV/Ag3DtMkKbR65taPxRoI1bOLsTU:SFC/AmFP2Pv5bOI
Threatray	3'209 similar samples on MalwareBazaar
TLSH	T1EC05E10CBE7DBB2AC61D0FB6C413514482D1569BE236F2AB48D998D22F3CBD5848F617
TrID	69.7% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13) 10.0% (.EXE) Win64 Executable (generic) (10522/11/4) 6.2% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 4.2% (.EXE) Win32 Executable (generic) (4504/4/1) 1.9% (.EXE) Win16/32 Executable Delphi generic (2072/23)
Magika	pebin
dhash icon	d8d8dadad9d999d8 (8 x Formbook, 4 x AgentTesla, 3 x SnakeKeylogger)
Reporter	adrian__luca
Tags:	exe SnakeKeylogger

Intelligence

File Origin

# of uploads :

# of downloads :

Origin country :

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

5ad3f15faf80e24a6c002f577b2b00b2039eec0d19f848cfcfeea9d494ef83dc.exe

Verdict:

Malicious activity

Analysis date:

2025-08-12 17:24:52 UTC

Tags:

evasion snake keylogger telegram stealer

Link:

https://app.any.run/tasks/9a897e4f-31fe-4c87-8e29-708d1a6cf7cc

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/20916/

Detection(s):

SecuriteInfo.com.Trojan.Packed2.49939.22843.15621.UNOFFICIAL

Verdict:

Malicious

Score:

99.1%

Link:

https://cyber-fortress.com/docs/result/index.php?id=689b5c45fca70bd90e8f20cb

Tags:

phishing spam

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

Unauthorized injection to a recently created process

Restart of the analyzed sample

Creating a file

Сreating synchronization primitives

DNS request

Connection attempt

Sending an HTTP GET request

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

base64 confuserex crypt fingerprint lolbin msbuild obfuscated obfuscated packed reconnaissance regsvcs roboski schtasks snakestealer vbc

Link:

https://www.filescan.io/uploads/689b79769ef4d2ff7cf8dca3/reports/bcad7832-cfe6-45b6-8e21-0df5ccfee3f4/overview

Verdict:

Malicious

Labled as:

Genie.8DN.Generic

Link:

https://www.hybrid-analysis.com/sample/5ad3f15faf80e24a6c002f577b2b00b2039eec0d19f848cfcfeea9d494ef83dc

Malware family:

Agent Tesla

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/b69222f9-54e2-48ff-8bf7-094644dc2fef

Score:

100%

Verdict:

Malware

File Type:

Link:

https://malprob.io/report/5ad3f15faf80e24a6c002f577b2b00b2039eec0d19f848cfcfeea9d494ef83dc

Gathering data

Verdict:

Malicious

Threat:

Family.SNAKE

Link:

https://tip.neiki.dev/file/5ad3f15faf80e24a6c002f577b2b00b2039eec0d19f848cfcfeea9d494ef83dc

Threat name:

Win32.Spyware.Negasteal

Status:

Malicious

First seen:

2025-07-31 22:14:11 UTC

File Type:

PE (.Net Exe)

Extracted files:

AV detection:

30 of 38 (78.95%)

Threat level:

2/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=llj7cx5pqdreu3aaf5lxwkyawibz53andh4ert6p52u5jfhpqpoa._file

Verdict:

malicious

Label(s):

vipkeylogger

unc_loader_037

SnakeKeylogger

af6e3afe54776fbfcfd18d707576ea0ae9504da1d53f7af1ae41fd71408816d4

SnakeKeylogger

c53170393e7825648709b042f54ff764a4228f38b31ecf29b7e7d971b4e42b56

SnakeKeylogger

c8b76fc09a283dae6e7ed2f6cae8e31d0b4038abf3f851da15672110b99fd23e

SnakeKeylogger

+ 3'199 additional samples on MalwareBazaar

Result

Malware family:

vipkeylogger

Score:

10/10

Tags:

family:vipkeylogger collection discovery keylogger spyware stealer

Link:

https://tria.ge/reports/250812-vxfqssfq9v/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

outlook_office_path

outlook_win_path

Browser Information Discovery

System Location Discovery: System Language Discovery

Suspicious use of SetThreadContext

Accesses Microsoft Outlook profiles

Looks up external IP address via web service

Reads user/profile data of local email clients

Reads user/profile data of web browsers

VIPKeylogger

Vipkeylogger family

Verdict:

Suspicious

Tags:

n/a

YARA:

n/a

Link:

https://app.threat.zone/submission/bc2bb946-3231-48e2-b67b-3b56b782d8e0

Unpacked files

SH256 hash:

5ad3f15faf80e24a6c002f577b2b00b2039eec0d19f848cfcfeea9d494ef83dc

MD5 hash:

650178721d4c8c501395884cc160def3

SHA1 hash:

05ee9e6d57214a9a037c9ee32c09b1d256c0a640

Link:

https://www.unpac.me/results/49f48c16-3c34-489e-8dff-a9ecb0dd706b/

SH256 hash:

47365131f8f53714ef1ff7f1b9b9338c0b33802e137cdb7de9f437bfd7a2ff12

MD5 hash:

59e9416505ada9574cb81c4b52f09e26

SHA1 hash:

b637e174f3ee0392680ab5843e5f845d21ba7ea6

Detections:

SUSP_OBF_NET_ConfuserEx_Name_Pattern_Jan24

SUSP_OBF_NET_Reactor_Indicators_Jan24

Link:

https://www.unpac.me/results/49f48c16-3c34-489e-8dff-a9ecb0dd706b/

SH256 hash:

35e7225fea67de12a03b13bd25124d173d66d882f5d68b59eb8455c9f16e546a

MD5 hash:

bdd7858efac937a99b1acc590d63ef5d

SHA1 hash:

b7411666cfee1439abba8b46959031a70203f344

Detections:

win_404keylogger_g1

MAL_Envrial_Jan18_1

INDICATOR_SUSPICIOUS_Binary_References_Browsers

INDICATOR_SUSPICIOUS_EXE_References_Messaging_Clients

INDICATOR_SUSPICIOUS_EXE_DotNetProcHook

INDICATOR_SUSPICIOUS_EXE_TelegramChatBot

Link:

https://www.unpac.me/results/49f48c16-3c34-489e-8dff-a9ecb0dd706b/

Parent samples :

8b11fcca89381e3f89964db156074fb4d4a00a5b0963010fd9396a2463e84034
f1c4b423031489d5ea36e682f729f981789e020dccca81ea7b2bfceef1ee62cd
5ad3f15faf80e24a6c002f577b2b00b2039eec0d19f848cfcfeea9d494ef83dc
2b2ae966d34a67db06f6538a4f9c0b091899546beabbc4f28bbb23e5de7b9c69
593b2dd3e7a1806f5f97341c297792834c28f57fb95e33c4528c733a9fed4c73

SH256 hash:

6005f0e4563fef5e8abfdb88cacd5b3d8fd4cff04b1af93e8e01a9990f46d5c0

MD5 hash:

3f17ed370489371093c2a3d768cb6b07

SHA1 hash:

fb4f0ddcaf872e4c7850e4cefad59a2c62f54424

Link:

https://www.unpac.me/results/49f48c16-3c34-489e-8dff-a9ecb0dd706b/

Malware family:

VIPKeylogger

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/5ad3f15faf80/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/5ad3f15faf80e24a6c002f577b2b00b2039eec0d19f848cfcfeea9d494ef83dc

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	NET Create hunting rule
Author:	malware-lu

Rule name:	NETexecutableMicrosoft Create hunting rule
Author:	malware-lu

Rule name:	pe_imphash Create hunting rule

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

Rule name:	Sus_Obf_Enc_Spoof_Hide_PE Create hunting rule
Author:	XiAnzheng
Description:	Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique(can create FP)

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/20916/

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings

ID	Title	Severity
CHECK_AUTHENTICODE	Missing Authenticode	high
CHECK_DLL_CHARACTERISTICS	Missing dll Security Characteristics (GUARD_CF)	high

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample