MalwareBazaar Database
You are currently viewing the MalwareBazaar entry for SHA256 5b51788ca1b5ba91fd6f120c8264ea6ca4ae45db3dce9079f741d4e90d7dd341. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.
Database Entry
SnakeKeylogger
Vendor detections: 18
| SHA256 hash: | 5b51788ca1b5ba91fd6f120c8264ea6ca4ae45db3dce9079f741d4e90d7dd341 |
|---|---|
| SHA3-384 hash: | 7b9fa1fb5e59eb88c303ba2257cb12a71cbb7eef6de03871184124cc8238559495e9b02dfefb197ae2522e528b8fec0a |
| SHA1 hash: | a7c5dc534f6732f3e5a753f689ef22073f1eef36 |
| MD5 hash: | b041ba4ce8dd12c9c1bbe5ca4e19f789 |
| humanhash: | september-vermont-missouri-jersey |
| File name: | 5b51788ca1b5ba91fd6f120c8264ea6ca4ae45db3dce9079f741d4e90d7dd341 |
| Download: | download sample |
| Signature | SnakeKeylogger |
| File size: | 591'872 bytes |
| First seen: | 2025-11-06 10:31:14 UTC |
| Last seen: | Never |
| File type: |  exe |
| MIME type: | application/x-dosexec |
| imphash | f34d5f2d4577ed6d9ceec516c1f5a744 (48'752 x AgentTesla, 19'658 x Formbook, 12'248 x SnakeKeylogger) |
| ssdeep | 12288:cj7B2MWiel2NNCPg+pqhISBSBz15JbWbEjhWqbdvnJ5g:cj7B2M9Pu3XVhWqbFg |
| Threatray | 3'790 similar samples on MalwareBazaar |
| TLSH | T18CC40198360AD91BC66197704570F3B903B96EE8E111C392BFE83E9F78B9F105D84683 |
| TrID | 69.7% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13) 10.0% (.EXE) Win64 Executable (generic) (10522/11/4) 6.2% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 4.2% (.EXE) Win32 Executable (generic) (4504/4/1) 1.9% (.EXE) Win16/32 Executable Delphi generic (2072/23) |
| Magika | pebin |
| Reporter |  adrian__luca |
| Tags: | exe SnakeKeylogger |
Intelligence
File Origin
# of uploads :
1
# of downloads :
70
Origin country :
HUVendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
_5b51788ca1b5ba91fd6f120c8264ea6ca4ae45db3dce9079f741d4e90d7dd341.exe
Verdict:
Malicious activity
Analysis date:
2025-11-06 10:48:20 UTC
Tags:
snake keylogger evasion
Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Snake
Verdict:
Malicious
Score:
99.1%
Tags:
shell virus sage
Result
Verdict:
Malware
Maliciousness:
Behaviour
DNS request
Connection attempt
Creating a window
Restart of the analyzed sample
Running batch commands
Creating a process with a hidden window
Launching a process
Gathering data
Verdict:
Malicious
Labled as:
Win/malicious_confidence_100%
Verdict:
Malicious
File Type:
exe x32
First seen:
2025-10-14T02:56:00Z UTC
Last seen:
2025-11-06T07:08:00Z UTC
Hits:
~100
Detections:
Trojan-Spy.MSIL.SnakeLogger.sb Trojan-PSW.Win32.Stealer.sb Trojan-Dropper.Win32.Injector.sb Trojan.MSIL.Inject.sb HEUR:Trojan-Spy.MSIL.SnakeLogger.gen HEUR:Trojan-Spy.MSIL.Agent.sb HEUR:Trojan.MSIL.Agent.gen Trojan.Crypt.TCP.ServerRequest PDM:Trojan.Win32.Generic Trojan.MSIL.Taskun.sb Trojan.MSIL.Crypt.sb Trojan-Spy.Agent.SMTP.C&C
Malware family:
Malicious Packer
Verdict:
Malicious
Score:
100%
Verdict:
Malware
File Type:
PE
Verdict:
inconclusive
YARA:
10 match(es)
Tags:
.Net Executable Managed .NET PDB Path PE (Portable Executable) PE File Layout SOS: 0.35 Win 32 Exe x86
Verdict:
Malicious
Threat:
Family.SNAKE
Threat name:
Win32.Spyware.Snakekeylogger
Status:
Malicious
First seen:
2025-10-14 09:12:18 UTC
File Type:
PE (.Net Exe)
Extracted files:
17
AV detection:
29 of 36 (80.56%)
Threat level:
2/5
Detection(s):
Malicious file
Verdict:
malicious
Label(s):
404keylogger
unc_loader_037
Similar samples:
+ 3'780 additional samples on MalwareBazaar
Result
Malware family:
snakekeylogger
Score:
10/10
Tags:
family:snakekeylogger discovery keylogger stealer
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Suspicious use of SetThreadContext
Looks up external IP address via web service
Checks computer location settings
Snake Keylogger
Snake Keylogger payload
Snakekeylogger family
Verdict:
Malicious
Tags:
404Keylogger
YARA:
n/a
Unpacked files
SH256 hash:
5b51788ca1b5ba91fd6f120c8264ea6ca4ae45db3dce9079f741d4e90d7dd341
MD5 hash:
b041ba4ce8dd12c9c1bbe5ca4e19f789
SHA1 hash:
a7c5dc534f6732f3e5a753f689ef22073f1eef36
SH256 hash:
a3ed24a4eb91c11e9e2af34ea127fb9e68dffe6ceda8612751f7434bae4bb2ae
MD5 hash:
02167a951af6641d46d7332934d81a34
SHA1 hash:
23662971e7b6a4861ced789d87760872a2b382e0
Detections:
SUSP_OBF_NET_ConfuserEx_Name_Pattern_Jan24
SUSP_OBF_NET_Reactor_Indicators_Jan24
SH256 hash:
b794ed0c0c7d4499d0a2ffff67eb5b92dba83f4be7964591e9edad2755176511
MD5 hash:
2a576318d07470206dd7c45f7d896078
SHA1 hash:
3096b2a5ccd98583949a9f57842d5547b50bbc29
SH256 hash:
f9eda741e36de984f5764c76429ada284101b74abba47b708ac175c49f8227fe
MD5 hash:
48e1fdaf7662517c4e0f968966d4d7b0
SHA1 hash:
6320e1973e714027f3d4280c125ff36f51848f81
Detections:
win_404keylogger_g1
snake_keylogger
MAL_Envrial_Jan18_1
INDICATOR_SUSPICIOUS_Binary_References_Browsers
INDICATOR_SUSPICIOUS_EXE_References_Messaging_Clients
INDICATOR_SUSPICIOUS_EXE_DotNetProcHook
MALWARE_Win_SnakeKeylogger
Parent samples :
2ed366c595c98fbfe00e692f6d7e06dd237bc2fce08070b610e220083bdb1fe4
f9eda741e36de984f5764c76429ada284101b74abba47b708ac175c49f8227fe
b234827824cb6864880f9bcf498b15a4a15511e541906347af53f0cd5ed60290
adbd8b904ab4bea6ff62fa51f68c11a1d1593fca88c8f556510f6a2764d98490
91be01581d30136fc1d54926fb6fee17beb10959dae4ff07c9808c0244cce25c
8e95907c0b65f2f882de4d6bf69e0b62bf6ea0be2a87e5cc0ffa535fad492264
74bfc0967b1636ed58fbfc95523775dbef1e084910676b1e13a775095fec013e
626a21b142572a7729f9ee6746af1a1b21378e2f2457f8bfce9bdbe7d1fbe136
4255224f9842c7cb47d5d5d488d2f45674ac540f2b4652618dd2153acd3cd151
27af0f60f3069416ee2be26ee18589448518135832e18ae26e867a95d22d8065
324fcd15e9d6f1b0991ad5943a3178031c608d872cb810eeef48f11295490d6f
5b51788ca1b5ba91fd6f120c8264ea6ca4ae45db3dce9079f741d4e90d7dd341
f9eda741e36de984f5764c76429ada284101b74abba47b708ac175c49f8227fe
b234827824cb6864880f9bcf498b15a4a15511e541906347af53f0cd5ed60290
adbd8b904ab4bea6ff62fa51f68c11a1d1593fca88c8f556510f6a2764d98490
91be01581d30136fc1d54926fb6fee17beb10959dae4ff07c9808c0244cce25c
8e95907c0b65f2f882de4d6bf69e0b62bf6ea0be2a87e5cc0ffa535fad492264
74bfc0967b1636ed58fbfc95523775dbef1e084910676b1e13a775095fec013e
626a21b142572a7729f9ee6746af1a1b21378e2f2457f8bfce9bdbe7d1fbe136
4255224f9842c7cb47d5d5d488d2f45674ac540f2b4652618dd2153acd3cd151
27af0f60f3069416ee2be26ee18589448518135832e18ae26e867a95d22d8065
324fcd15e9d6f1b0991ad5943a3178031c608d872cb810eeef48f11295490d6f
5b51788ca1b5ba91fd6f120c8264ea6ca4ae45db3dce9079f741d4e90d7dd341
Malware family:
SnakeKeylogger
Verdict:
Malicious
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
YARA Signatures
MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.
| Rule name: | crime_snake_keylogger |
|---|---|
| Author: | Rony (r0ny_123) |
| Description: | Detects Snake keylogger payload |
| Rule name: | DetectEncryptedVariants |
|---|---|
| Author: | Zinyth |
| Description: | Detects 'encrypted' in ASCII, Unicode, base64, or hex-encoded |
| Rule name: | INDICATOR_SUSPICIOUS_Binary_References_Browsers |
|---|---|
| Author: | ditekSHen |
| Description: | Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers. |
| Rule name: | INDICATOR_SUSPICIOUS_EXE_DotNetProcHook |
|---|---|
| Author: | ditekSHen |
| Description: | Detects executables with potential process hoocking |
| Rule name: | INDICATOR_SUSPICIOUS_EXE_References_Messaging_Clients |
|---|---|
| Author: | ditekSHen |
| Description: | Detects executables referencing many email and collaboration clients. Observed in information stealers |
| Rule name: | MALWARE_Win_SnakeKeylogger |
|---|---|
| Author: | ditekSHen |
| Description: | Detects Snake Keylogger |
| Rule name: | MAL_Envrial_Jan18_1 |
|---|---|
| Author: | Florian Roth (Nextron Systems) |
| Description: | Detects Encrial credential stealer malware |
| Reference: | https://twitter.com/malwrhunterteam/status/953313514629853184 |
| Rule name: | MAL_Envrial_Jan18_1_RID2D8C |
|---|---|
| Author: | Florian Roth |
| Description: | Detects Encrial credential stealer malware |
| Reference: | https://twitter.com/malwrhunterteam/status/953313514629853184 |
| Rule name: | NET |
|---|---|
| Author: | malware-lu |
| Rule name: | NETexecutableMicrosoft |
|---|---|
| Author: | malware-lu |
| Rule name: | pe_imphash |
|---|
| Rule name: | RANSOMWARE |
|---|---|
| Author: | ToroGuitar |
| Rule name: | Skystars_Malware_Imphash |
|---|---|
| Author: | Skystars LightDefender |
| Description: | imphash |
| Rule name: | Sus_CMD_Powershell_Usage |
|---|---|
| Author: | XiAnzheng |
| Description: | May Contain(Obfuscated or no) Powershell or CMD Command that can be abused by threat actor(can create FP) |
| Rule name: | Windows_Trojan_SnakeKeylogger_af3faa65 |
|---|---|
| Author: | Elastic Security |
File information
The table below shows additional information about this malware sample such as delivery method and external references.
Comments
Login required
You need to login to in order to write a comment. Login with your abuse.ch account.