MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 6659370f1dd3a9381ac5e2c0fc35f70e1fa0df9d9ab9beeca4dbe2033aaac610. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

SnakeKeylogger

Vendor detections: 15

Intelligence 15 IOCs YARA 16 File information Comments

SHA256 hash:	6659370f1dd3a9381ac5e2c0fc35f70e1fa0df9d9ab9beeca4dbe2033aaac610
SHA3-384 hash:	d90e76ac9e36fa54c453e57085e77544a220e960e889e423584ef985d30193c79fe6aa179816303d29c70d3a19a28dee
SHA1 hash:	7cb1d6231f267416a828c637c1b794016a753f5a
MD5 hash:	15784664c5c3fdefcb75962540a81463
humanhash:	hamper-sodium-mirror-table
File name:	Teklif Alma-Elekt Malz. sip. AMP282104-2 DİŞİ 2P() 2000 adet.exe
Download:	download sample
Signature	SnakeKeylogger Create hunting rule
File size:	733'696 bytes
First seen:	2025-05-07 09:31:50 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep	12288:phc51OhUWRzS+lQO/zvz9DJD3rhGiu/FoPY20DGcbBJhmDpWTi:jcv8UWbQo/dJD3rfViGWE
Threatray	2'415 similar samples on MalwareBazaar
TLSH	T17FF402585A99CD13C8A71B7807A1E3312BB66ECCE802E7179FE92CE77C67B245D14381
TrID	71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13) 10.2% (.EXE) Win64 Executable (generic) (10522/11/4) 6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 4.3% (.EXE) Win32 Executable (generic) (4504/4/1) 2.0% (.ICL) Windows Icons Library (generic) (2059/9)
Magika	pebin
Reporter	abuse_ch
Tags:	exe geo SnakeKeylogger TUR

Intelligence

File Origin

# of uploads :

# of downloads :

425

Origin country :

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

Teklif Alma-Elekt Malz. sip. AMP282104-2 DÄ°ÅÄ° 2P() 2000 adet.exe

Verdict:

No threats detected

Analysis date:

2025-05-07 10:06:29 UTC

Tags:

n/a

Link:

https://app.any.run/tasks/9db4520b-bd2e-4376-8b1b-e016760dd3de

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection(s):

SecuriteInfo.com.Win32.MalwareX-gen.16482.10471.UNOFFICIAL

Verdict:

Malicious

Score:

94.9%

Link:

https://cyber-fortress.com/docs/result/index.php?id=681b28e66c95617a27b5b71e

Tags:

keylog micro word

Result

Verdict:

Malware

Maliciousness:

Behaviour

Searching for the window

Creating a window

Searching for synchronization primitives

Launching the default Windows debugger (dwwin.exe)

Verdict:

Likely Malicious

Threat level:

7.5/10

Confidence:

100%

Tags:

adaptive-context obfuscated packed packed packer_detected vbnet

Link:

https://www.filescan.io/uploads/681b289abab2591d06548332/reports/b93fea31-51cf-4fa5-8860-75ac4b7c5a5c/overview

Verdict:

Malicious

Labled as:

Win/malicious_confidence_100%

Link:

https://www.hybrid-analysis.com/sample/6659370f1dd3a9381ac5e2c0fc35f70e1fa0df9d9ab9beeca4dbe2033aaac610

Malware family:

Snake Keylogger

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/99a1dc1b-d0fd-4d6e-9963-af4cd45e141d

Result

Threat name:

Snake Keylogger, VIP Keylogger

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1683077

Signature

.NET source code contains potential unpacker

Antivirus / Scanner detection for submitted sample

Found malware configuration

Injects a PE file into a foreign processes

Joe Sandbox ML detected suspicious sample

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Sample uses string decryption to hide its real strings

Suricata IDS alerts for network traffic

Tries to detect the country of the analysis system (by using the IP)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Mail credentials (via file / registry access)

Uses the Telegram API (likely for C&C communication)

Yara detected Snake Keylogger

Yara detected Telegram RAT

Yara detected VIP Keylogger

Behaviour

Behavior Graph:

Download SVG

Score:

100%

Verdict:

Malware

File Type:

Link:

https://malprob.io/report/6659370f1dd3a9381ac5e2c0fc35f70e1fa0df9d9ab9beeca4dbe2033aaac610

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/6659370f1dd3a9381ac5e2c0fc35f70e1fa0df9d9ab9beeca4dbe2033aaac610/

Threat name:

Win32.Trojan.AgentTesla

Status:

Malicious

First seen:

2025-05-07 09:32:14 UTC

File Type:

PE (.Net Exe)

Extracted files:

AV detection:

28 of 37 (75.68%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=mzmtody52outqgwf4lapynpxbyp2bx45tk4353fe3pragovkyyia._file

Verdict:

malicious

Label(s):

unc_loader_037

vipkeylogger

SnakeKeylogger

84715f7375086ffb94dc811eafd66ffaea10c0307337dfb454f1badd0986c0f9

SnakeKeylogger

d3f111a50b8066dd7375a2fb8c8a06a732b48883fda4657063af671d1051f19b

SnakeKeylogger

d8bc0caefd51df0583e417dce0f4ba3e625b96fe0511311e9e5cafae036709c3

SnakeKeylogger

+ 2'405 additional samples on MalwareBazaar

Result

Malware family:

n/a

Score:

3/10

Tags:

discovery

Link:

https://tria.ge/reports/250507-lhnnesztds/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Program crash

System Location Discovery: System Language Discovery

Verdict:

Suspicious

Tags:

404keylogger

YARA:

n/a

Link:

https://app.threat.zone/submission/01fa06bb-f2a1-4ac3-9209-bb7f6ba5f861

Unpacked files

SH256 hash:

3dab29378320d697c7efbd212bafb4df8cea6b7192704eb0cfd83d2f40808fcd

MD5 hash:

2fce3c42df098866647df49b0692e0af

SHA1 hash:

0f7507479030a687e07927c8c6db1292d3c914de

Detections:

SUSP_OBF_NET_ConfuserEx_Name_Pattern_Jan24

SUSP_OBF_NET_Reactor_Indicators_Jan24

Link:

https://www.unpac.me/results/3e7435e9-5364-459b-a549-c9270fc906da/

SH256 hash:

b3b58660609999d68a6de918c55c7daf57a903aa445b4799cd083e2fc772c86a

MD5 hash:

ff2632d9344db260170dc5a375072f42

SHA1 hash:

45113417f5cb49a7e5ab9e1ca50b9925472363fc

Detections:

INDICATOR_EXE_Packed_SmartAssembly

Link:

https://www.unpac.me/results/3e7435e9-5364-459b-a549-c9270fc906da/

Parent samples :

224a983cf39f1db150d2407badf54a922ee2ea9984cb369cc99bacfda1513378
6659370f1dd3a9381ac5e2c0fc35f70e1fa0df9d9ab9beeca4dbe2033aaac610
5ef95c3663a29a53b561f1d43601ed50ca0c6a356a0f36425580bf4bb37fa7e1
248a93b3cfc25af81319f5e6d71ee24c98cf535eb3b99f1090d1061246990da7
c0affc728572d1e897d2869bd72b870bbe6851423e77f4b026306ade7d978e25
ba1b869e5e44cc25d8128cd5f25bf37b3bdfc986b1d74cbc506b2cc129f308a1
ff6edcc147feec275212bac7ea6120938e1fcb3f08a2228a1d22544ee1a7cf5a
4939389065fc2a29f48c0fa96199456b8e030bf997b89dce60c2702e706fa692

SH256 hash:

05255375285e6d3f3aec9dc521516c5d382e1dbf312fa2957596a2d2795de89b

MD5 hash:

0dab2528d4f158ce481c36defd57de96

SHA1 hash:

bcd7f10706c52160ac04d908571cfdaffcec426d

Detections:

win_404keylogger_g1

MAL_Envrial_Jan18_1

INDICATOR_SUSPICIOUS_Binary_References_Browsers

INDICATOR_SUSPICIOUS_EXE_DotNetProcHook

INDICATOR_SUSPICIOUS_EXE_TelegramChatBot

Link:

https://www.unpac.me/results/3e7435e9-5364-459b-a549-c9270fc906da/

Parent samples :

6659370f1dd3a9381ac5e2c0fc35f70e1fa0df9d9ab9beeca4dbe2033aaac610
d4020dbe1d51f7f27e253deeb65f1fed6b788091f5adad460f035256ae198a81
1cd78b97b2f8e944dc6273a6df40f2e619985c0e0fe2a550abdc1af79cf7a105
09b8f5086105916ba4705a1b64c8e4d4e0e3a6146928eabdd355f6d595f2a97c
0aba07d01429aed2703c4045ef036dcad9b7f93ab2eb9f8f416f940934fa970b
83a13fc360142a9ff6cef0334ef32f4413fd83ca44664fd3f1bfac32d400fe81
73e372310d115ab293bd376484a4a83c4d4b6a5936c922a75ae4fda5ab3b7219
2f853fc6240da7009e8c4759a9a6281c02f635dafb83872de2fee28776b9c671

SH256 hash:

6659370f1dd3a9381ac5e2c0fc35f70e1fa0df9d9ab9beeca4dbe2033aaac610

MD5 hash:

15784664c5c3fdefcb75962540a81463

SHA1 hash:

7cb1d6231f267416a828c637c1b794016a753f5a

Link:

https://www.unpac.me/results/3e7435e9-5364-459b-a549-c9270fc906da/

Malware family:

VIPKeylogger

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/6659370f1dd3/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/6659370f1dd3a9381ac5e2c0fc35f70e1fa0df9d9ab9beeca4dbe2033aaac610

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	AgentTesla_DIFF_Common_Strings_01 Create hunting rule
Author:	schmidtsz
Description:	Identify partial Agent Tesla strings

Rule name:	crime_snake_keylogger Create hunting rule
Author:	Rony (r0ny_123)
Description:	Detects Snake keylogger payload

Rule name:	INDICATOR_SUSPICIOUS_Binary_References_Browsers Create hunting rule
Author:	ditekSHen
Description:	Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers.

Rule name:	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook Create hunting rule
Author:	ditekSHen
Description:	Detects executables with potential process hoocking

Rule name:	INDICATOR_SUSPICIOUS_EXE_TelegramChatBot Create hunting rule
Author:	ditekSHen
Description:	Detects executables using Telegram Chat Bot

Rule name:	MAL_Envrial_Jan18_1 Create hunting rule
Author:	Florian Roth (Nextron Systems)
Description:	Detects Encrial credential stealer malware
Reference:	https://twitter.com/malwrhunterteam/status/953313514629853184

Rule name:	MAL_Envrial_Jan18_1_RID2D8C Create hunting rule
Author:	Florian Roth
Description:	Detects Encrial credential stealer malware
Reference:	https://twitter.com/malwrhunterteam/status/953313514629853184

Rule name:	NET Create hunting rule
Author:	malware-lu

Rule name:	NETexecutableMicrosoft Create hunting rule
Author:	malware-lu

Rule name:	pe_imphash Create hunting rule

Rule name:	RANSOMWARE Create hunting rule
Author:	ToroGuitar

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

Rule name:	Sus_Obf_Enc_Spoof_Hide_PE Create hunting rule
Author:	XiAnzheng
Description:	Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique(can create FP)

Rule name:	telegram_bot_api Create hunting rule
Author:	rectifyq
Description:	Detects file containing Telegram Bot API

Rule name:	Windows_Trojan_SnakeKeylogger_af3faa65 Create hunting rule
Author:	Elastic Security

File information

The table below shows additional information about this malware sample such as delivery method and external references.

No further information available

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings

ID	Title	Severity
CHECK_AUTHENTICODE	Missing Authenticode	high
CHECK_DLL_CHARACTERISTICS	Missing dll Security Characteristics (HIGH_ENTROPY_VA)	high

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample