MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 610a299416691ffe632031628904d8a35598a41e1c11c957edc2701943872c47. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Signature: SnakeKeylogger
Vendor detections: 15



SHA256 hash: 610a299416691ffe632031628904d8a35598a41e1c11c957edc2701943872c47
SHA3-384 hash: 9c2e1834c534acacee4d9121c5f1544abf1526c5ba0d180ca751e0949de5bc63873b61dd54098cd671d7b5c6b68539be
SHA1 hash: 5380f02f0c4e694aa0d723117453e589d6e9d12a
MD5 hash: 78db6f5a671871b2355bf718aec7d7fd
humanhash: fix-undress-two-utah
File name: 610a299416691ffe632031628904d8a35598a41e1c11c957edc2701943872c47
Signature: SnakeKeylogger
File size: 635'076 bytes
First seen: 2025-03-10 12:16:45 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: b78ecf47c0a3e24a6f4af114e2d1f5de (295 x GuLoader, 23 x Formbook, 21 x RemcosRAT)
ssdeep: 12288:b9j2ddjxVbAcGCqhd9ozU62vN8ndgSRByjv2oi7Kf/MQCQNg:b9jY5xVEcGCccp2gKSRcvYKMQCP
TLSH: T1F3D4020231902043DB774B76A69390A4E536FCA2D1F5CB872A7C7F2F7AF21A5070994E
TrID: 47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
      15.9% (.EXE) Win64 Executable (generic) (10522/11/4)
      9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
      7.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
      6.8% (.EXE) Win32 Executable (generic) (4504/4/1)
Magika: pebin
dhash icon: e86cbeb058d22ccc (7 x VIPKeylogger, 6 x SnakeKeylogger, 1 x GuLoader)
Reporter: adrian__luca
Tags: exe SnakeKeylogger

Intelligence

File Origin
# of uploads: 1
# of downloads: 334
Origin country: HU

Vendor Threat Intelligence
Malware family: n/a
ID: 1
File name: 610a299416691ffe632031628904d8a35598a41e1c11c957edc2701943872c47
Verdict: Suspicious activity
Analysis date: 2025-03-10 19:17:43 UTC
Tags: n/a

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Verdict: Malicious
Score: 99.1%
Tags: injector uloader virus nsis
Result
Verdict: Suspicious
Maliciousness:

Behaviour
Creating a window
Creating a file in the %AppData% subdirectories
Creating a file in the %temp% subdirectories
Searching for the window
Searching for the Windows task manager window
Launching a process
Creating a process with a hidden window
Using the Windows Management Instrumentation requests

Verdict: Suspicious
Threat level: 5/10
Confidence: 100%
Tags: adaptive-context blackhole installer microsoft_visual_cc overlay packed packer_detected

Result
Verdict: MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name: GuLoader, Snake Keylogger
Detection: malicious
Classification: troj.spyw.evad
Score: 100 / 100

Signature
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Early bird code injection technique detected
Found malware configuration
Found suspicious powershell code related to unpacking or dynamic code loading
Joe Sandbox ML detected suspicious sample
Loading BitLocker PowerShell Module
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Powershell drops PE file
Queues an APC in another process (thread injection)
Suricata IDS alerts for network traffic
Tries to detect the country of the analysis system (by using the IP)
Tries to harvest and steal browser information (history, passwords, etc)
Uses the Telegram API (likely for C&C communication)
Writes to foreign memory regions
Yara detected GuLoader
Yara detected Snake Keylogger
Behaviour
Behavior Graph (ID: 1634524; Sample: QcFyYAdvys.exe; Startdate: 11/03/2025; Architecture: WINDOWS; Score: 100), process tree recovered from the graph:
  Start
    Signatures: Suricata IDS alerts for network traffic; Found malware configuration; Antivirus detection for dropped file; 6 other signatures
    -> reallyfreegeoip.org (Tries to detect the country of the analysis system (by using the IP))
    -> api.telegram.org (Uses the Telegram API (likely for C&C communication))
    -> 4 other IPs or domains
    -> QcFyYAdvys.exe (started)
         dropped: C:\Users\user\AppData\Local\...\nsExec.dll (PE32)
         -> powershell.exe (started)
              dropped: C:\Users\user\AppData\...\QcFyYAdvys.exe (PE32)
              dropped: C:\Users\...\QcFyYAdvys.exe:Zone.Identifier (ASCII)
              Signatures: Early bird code injection technique detected; Writes to foreign memory regions; Found suspicious powershell code related to unpacking or dynamic code loading; 3 other signatures
              -> msiexec.exe (started)
                   -> checkip.dyndns.com 132.226.247.73, ports 49694, 49697, 49699 (UTMEMUS, United States)
                   -> api.telegram.org 149.154.167.220, ports 443, 49711 (TELEGRAMRU, United Kingdom)
                   -> 3 other IPs or domains
                   Signatures: Tries to harvest and steal browser information (history, passwords, etc)
              -> conhost.exe (started)
    -> svchost.exe (started)
         -> 127.0.0.1 (ASN unknown, country unknown)
Threat name: Win32.Trojan.Leonem
Status: Malicious
First seen: 2025-02-26 16:33:45 UTC
File Type: PE (Exe)
Extracted files: 13
AV detection: 23 of 38 (60.53%)
Threat level: 5/5
Result
Malware family: n/a
Score: 8/10
Tags: discovery execution persistence

Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Command and Scripting Interpreter: PowerShell
Enumerates physical storage devices
Program crash
System Location Discovery: System Language Discovery
Drops file in Program Files directory
Suspicious use of NtCreateThreadExHideFromDebugger
Suspicious use of NtSetInformationThreadHideFromDebugger
Blocklisted process makes network request
Legitimate hosting services abused for malware hosting/C2
Loads dropped DLL

Verdict: Malicious
Tags: loader guloader
YARA: NSIS_GuLoader_July_2024
Unpacked files
SHA256 hash: 610a299416691ffe632031628904d8a35598a41e1c11c957edc2701943872c47
MD5 hash: 78db6f5a671871b2355bf718aec7d7fd
SHA1 hash: 5380f02f0c4e694aa0d723117453e589d6e9d12a

SHA256 hash: 444362be5cb1c63231becb123033f87004e9b0d2d9d063ee1ebb5e19a3faba4c
MD5 hash: 9de93fb4da01310e55240f7c506794eb
SHA1 hash: 44187ed55c9c4e49eeacf63efe58b2bab1a1c46d

SHA256 hash: 1ee2a7f624300b44919fc9c9c3210e85b290e8d67af7aada4c7d5ad872b0a7cf
MD5 hash: 38426fb80294933b4162b5af73f5e55c
SHA1 hash: 0cb85f18ed67785787e14d1c2f4af74fb74ba257
Detections: win_flawedammyy_auto
Parent samples:

SHA256 hash: 7fafaf28fa6eb7604c61ef816cdd3e5097a0e17695bef0bf9116b6558aa68967
MD5 hash: ae164b9dd3591a987b0d71dc255c4654
SHA1 hash: 41198cb28a31a0ffc3d14540e61a4840800681cc
Detections: win_flawedammyy_auto
Parent samples :
Malware family: VIPKeylogger
Verdict: Malicious
Please note that we are no longer able to provide a coverage score for VirusTotal.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: Detect_SliverFox_String
Author: huoji
Description: Detect files is `SliverFox` malware

Rule name: Ins_NSIS_Buer_Nov_2020_1
Author: Arkbird_SOLG
Description: Detect NSIS installer used for Buer loader

Rule name: Sus_Obf_Enc_Spoof_Hide_PE
Author: XiAnzheng
Description: Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique(can create FP)

File information


The table below shows additional information about this malware sample such as delivery method and external references.

BLint


The following table provides more information about this file using BLint. BLint is a binary linter that checks the security properties and capabilities of executables.

Findings
ID                         Title                                                    Severity
CHECK_AUTHENTICODE         Missing Authenticode                                     high
CHECK_DLL_CHARACTERISTICS  Missing dll Security Characteristics (HIGH_ENTROPY_VA)   high

Reviews
ID                  Capabilities                        Evidence
AUTH_API            Manipulates User Authorization      ADVAPI32.dll::SetFileSecurityA
COM_BASE_API        Can Download & Execute components   ole32.dll::CoCreateInstance
SECURITY_BASE_API   Uses Security Base API              ADVAPI32.dll::AdjustTokenPrivileges
SHELL_API           Manipulates System Shell            SHELL32.dll::ShellExecuteA
                                                        SHELL32.dll::SHFileOperationA
                                                        SHELL32.dll::SHGetFileInfoA
WIN32_PROCESS_API   Can Create Process and Threads      KERNEL32.dll::CreateProcessA
                                                        ADVAPI32.dll::OpenProcessToken
                                                        KERNEL32.dll::CloseHandle
                                                        KERNEL32.dll::CreateThread
WIN_BASE_API        Uses Win Base API                   KERNEL32.dll::LoadLibraryExA
                                                        KERNEL32.dll::GetDiskFreeSpaceA
                                                        KERNEL32.dll::GetCommandLineA
WIN_BASE_IO_API     Can Create Files                    KERNEL32.dll::CopyFileA
                                                        KERNEL32.dll::CreateDirectoryA
                                                        KERNEL32.dll::CreateFileA
                                                        KERNEL32.dll::DeleteFileA
                                                        KERNEL32.dll::MoveFileExA
                                                        KERNEL32.dll::MoveFileA
WIN_BASE_USER_API   Retrieves Account Information       ADVAPI32.dll::LookupPrivilegeValueA
WIN_REG_API         Can Manipulate Windows Registry     ADVAPI32.dll::RegCreateKeyExA
                                                        ADVAPI32.dll::RegDeleteKeyA
                                                        ADVAPI32.dll::RegOpenKeyExA
                                                        ADVAPI32.dll::RegQueryValueExA
                                                        ADVAPI32.dll::RegSetValueExA
WIN_USER_API        Performs GUI Actions                USER32.dll::AppendMenuA
                                                        USER32.dll::EmptyClipboard
                                                        USER32.dll::FindWindowExA
                                                        USER32.dll::OpenClipboard
                                                        USER32.dll::PeekMessageA
                                                        USER32.dll::CreateWindowExA
