MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 6889d04a51c7a76b2ab1b4161b2b5e5d17dc2780e29dcc78b41460f982986786. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

SnakeKeylogger

Vendor detections: 18

Intelligence 18 IOCs YARA 16 File information Comments

SHA256 hash:	6889d04a51c7a76b2ab1b4161b2b5e5d17dc2780e29dcc78b41460f982986786
SHA3-384 hash:	c607a5a42def1f2b0e5c1099d1ac567ff29fee41f22e6498cc3064a04df6d36a485c4f3afd4115ce92effb6de9a1c63b
SHA1 hash:	bf1e7be7d44cf1f7499ee43d35aad3d9f8684b28
MD5 hash:	8a51bda9c0cd3d8519c1156dfa39426b
humanhash:	carolina-artist-oregon-seven
File name:	6889d04a51c7a76b2ab1b4161b2b5e5d17dc2780e29dcc78b41460f982986786.exe
Download:	download sample
Signature	SnakeKeylogger Create hunting rule
File size:	781'312 bytes
First seen:	2025-01-06 06:39:04 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'205 x SnakeKeylogger)
ssdeep	12288:fnM1cUoV+I4MVKWuLLFB5X/40NCrOtMPDREd1DfhI1RH4JBqMoEEF5LZ4HrYNrbC:fnMuRg7LSQQOCPdEd1GnH43qWEF5O0lO
Threatray	4'801 similar samples on MalwareBazaar
TLSH	T1A1F4F1593368EA06C19647F55470E3F8077A9E8EA911E3038FFEBDEB39387016914297
TrID	71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13) 10.2% (.EXE) Win64 Executable (generic) (10522/11/4) 6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 4.3% (.EXE) Win32 Executable (generic) (4504/4/1) 2.0% (.ICL) Windows Icons Library (generic) (2059/9)
Magika	pebin
File icon (PE):
dhash icon	b2495557158902a2 (3 x Formbook, 1 x SnakeKeylogger, 1 x RemcosRAT)
Reporter	zhuzhu0009
Tags:	exe SnakeKeylogger

Intelligence

File Origin

# of uploads :

# of downloads :

406

Origin country :

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

VBC_VS03706971011.exe

Verdict:

Malicious activity

Analysis date:

2025-01-06 05:54:16 UTC

Tags:

evasion snake keylogger telegram netreactor stealer

Link:

https://app.any.run/tasks/d5859283-2589-4c8a-90cf-ac52d2b1bf43

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection(s):

SecuriteInfo.com.Trojan-Spy.AgentTesla.29792.32296.UNOFFICIAL

Verdict:

Malicious

Score:

96.5%

Link:

https://cyber-fortress.com/docs/result/index.php?id=677b7bfbffdcee13ec840e59

Tags:

snake virus micro msil

Result

Verdict:

Malware

Maliciousness:

Behaviour

Searching for the window

Creating a window

Unauthorized injection to a recently created process

Restart of the analyzed sample

Creating a file

Сreating synchronization primitives

DNS request

Connection attempt

Sending an HTTP GET request

Sending a custom TCP request

Reading critical registry keys

Stealing user critical data

Forced shutdown of a browser

Verdict:

Suspicious

Threat level:

5/10

Confidence:

100%

Tags:

obfuscated packed packed packer_detected

Link:

https://www.filescan.io/uploads/677b7aceb5d42d92056810a4/reports/29555ede-9057-4f7c-a0e1-2ce7f2cf4046/overview

Verdict:

Malicious

Labled as:

Win/malicious_confidence_100%

Link:

https://www.hybrid-analysis.com/sample/6889d04a51c7a76b2ab1b4161b2b5e5d17dc2780e29dcc78b41460f982986786

Result

Verdict:

SUSPICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Snake Keylogger

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/8ef06210-c2e4-44cc-ba97-5d5923a18aa1

Result

Threat name:

PureLog Stealer, Snake Keylogger, VIP Ke

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1584668

Signature

.NET source code contains method to dynamically call methods (often used by packers)

.NET source code contains potential unpacker

AI detected suspicious sample

Found malware configuration

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Suricata IDS alerts for network traffic

Tries to detect the country of the analysis system (by using the IP)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Mail credentials (via file / registry access)

Uses the Telegram API (likely for C&C communication)

Yara detected AntiVM3

Yara detected Generic Downloader

Yara detected PureLog Stealer

Yara detected Snake Keylogger

Yara detected Telegram RAT

Yara detected VIP Keylogger

Behaviour

Behavior Graph:

Download SVG

Score:

100%

Verdict:

Malware

File Type:

Link:

https://malprob.io/report/6889d04a51c7a76b2ab1b4161b2b5e5d17dc2780e29dcc78b41460f982986786

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/6889d04a51c7a76b2ab1b4161b2b5e5d17dc2780e29dcc78b41460f982986786/

Threat name:

ByteCode-MSIL.Trojan.SnakeKeylogger

Status:

Malicious

First seen:

2025-01-06 02:04:04 UTC

File Type:

PE (.Net Exe)

Extracted files:

AV detection:

19 of 24 (79.17%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=nce5assry6twwkvrwqlbwk26lul5yj4a4ko4y6fucrqptauym6da._file

Verdict:

malicious

Label(s):

vipkeylogger

unknown_loader_037

SnakeKeylogger

956d35ea5fc53269ca00d84d9f765ca6e7bb33e30eb376c54c94eebc4f5b7ef9

SnakeKeylogger

bba1825bd893328442cb891a35420a5da41a5431d1ade643f085c5992e763d3a

SnakeKeylogger

c081714907fc943cff0b637123039aff0237a226de4fb171cf430ed7c1da1163

SnakeKeylogger

d398e0aca4c50720e795a3a819cb9f690060fd3dc214ac5b29b4f030392fcd69

SnakeKeylogger

error

SnakeKeylogger

+ 4'791 additional samples on MalwareBazaar

Result

Malware family:

vipkeylogger

Score:

10/10

Tags:

family:vipkeylogger collection discovery keylogger spyware stealer

Link:

https://tria.ge/reports/250106-he7qca1pcn/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

outlook_office_path

outlook_win_path

Browser Information Discovery

System Location Discovery: System Language Discovery

Suspicious use of SetThreadContext

Accesses Microsoft Outlook profiles

Looks up external IP address via web service

Reads user/profile data of local email clients

Reads user/profile data of web browsers

VIPKeylogger

Vipkeylogger family

Verdict:

Suspicious

Tags:

404keylogger

YARA:

n/a

Link:

https://app.threat.zone/submission/c3fdf3b2-68a8-4f3e-95af-6d00a9290681

Unpacked files

SH256 hash:

a9b9ec85f4127f66ecfcc1a26bc60f13e11a40abfaaeafbf6a7e9dabc273c9aa

MD5 hash:

4fab1b60520d914018cb44cb94836e89

SHA1 hash:

de4f906bbceb52f426682dc6fb6185ced794962d

Detections:

SUSP_OBF_NET_ConfuserEx_Name_Pattern_Jan24

SUSP_OBF_NET_Reactor_Indicators_Jan24

Link:

https://www.unpac.me/results/e13a1810-9280-4bac-bf20-0c3fe67bec86/

SH256 hash:

168b6065d141a70c80f8c09204fd7252eb104de2e450599fc5896c1439322f6e

MD5 hash:

96858749c6f54f23560dc6a5aef2c32b

SHA1 hash:

861a04be243f05efe28e6d5dd5409ed56ff64476

Detections:

SUSP_OBF_NET_Reactor_Indicators_Jan24

Link:

https://www.unpac.me/results/e13a1810-9280-4bac-bf20-0c3fe67bec86/

Parent samples :

6889d04a51c7a76b2ab1b4161b2b5e5d17dc2780e29dcc78b41460f982986786
ea2305b81698e84ea423f196cbea17b3eddc98c57d5f53342f5ba82fb5ea3856
8515cd8f15f1b16373993dfb77427a0fe071abb0384f9bfe55f14adc4ff5d30a
cbae135ce99b7218f36189a750bca0868612e0c2ba0ab5fed90a32bc123d989d
87c6bd3556e570f5c0acb04c5286da5b222d6f4e2105827ccde74e4123ee55aa
67cc97b2f5e9d35039589c92c7f6fda7831af0f259ddf248fb166664e4027b91
24777f80f39fba9da6a66bb0804bd3c3a510126f583eefb8918e24fa5fdeb69b
c024729558cdf11515cc4024d0f3118d8313a86c68d48846376c55b8ec97c0e4
3652dcdb4eaff1a11ff293eedb80363e024bda7a33f1e1c17b082dfd4cea5a86
4ae69707fe39339915373a1ec3adaea49a73a9656c99fe27ecda591049be9d53
9604ee9c0cf521a022d9726b2e1dd82e6b3813d2ade567430b39a2fd9545063b
1787fd4fd81dca24ca10625e93d43168eea906184da17183ba53a306856c0f28
31a2ec31c4722d3011b75595c76e677aba7e5bc164c667d709943893ebea4f97
31dd67c25cb99830d6df7e63abee058598eed026076acd4a659fed12fd8647ef
4697e774285a7b1624b2240cff212aa16a59a91bc1d397e55b5e4b1f1d54e95f

SH256 hash:

a8e195ab2134e85724c9fcddf4a8259fd0123d478015174be2338522eff4ae2c

MD5 hash:

d3ed8f538922ebad0f96fba670eee3a8

SHA1 hash:

6d25914f1ae4705f22dda290c5418c19f25dcb06

Detections:

win_404keylogger_g1

MAL_Envrial_Jan18_1

INDICATOR_SUSPICIOUS_Binary_References_Browsers

INDICATOR_SUSPICIOUS_EXE_References_Messaging_Clients

INDICATOR_SUSPICIOUS_EXE_DotNetProcHook

INDICATOR_SUSPICIOUS_EXE_TelegramChatBot

Link:

https://www.unpac.me/results/e13a1810-9280-4bac-bf20-0c3fe67bec86/

Parent samples :

49039b4b47513f22a7e396b57a73abe02b0032a09089e8fa68c94c0eae655d6b
6889d04a51c7a76b2ab1b4161b2b5e5d17dc2780e29dcc78b41460f982986786
effc68899a8894822054617b45d79a9b94f7b756c6ce55d0682c1c7ed7f52e60

SH256 hash:

6889d04a51c7a76b2ab1b4161b2b5e5d17dc2780e29dcc78b41460f982986786

MD5 hash:

8a51bda9c0cd3d8519c1156dfa39426b

SHA1 hash:

bf1e7be7d44cf1f7499ee43d35aad3d9f8684b28

Link:

https://www.unpac.me/results/e13a1810-9280-4bac-bf20-0c3fe67bec86/

Malware family:

VIPKeylogger

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/6889d04a51c7/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/6889d04a51c7a76b2ab1b4161b2b5e5d17dc2780e29dcc78b41460f982986786

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	crime_snake_keylogger Create hunting rule
Author:	Rony (r0ny_123)
Description:	Detects Snake keylogger payload

Rule name:	INDICATOR_SUSPICIOUS_Binary_References_Browsers Create hunting rule
Author:	ditekSHen
Description:	Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers.

Rule name:	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook Create hunting rule
Author:	ditekSHen
Description:	Detects executables with potential process hoocking

Rule name:	INDICATOR_SUSPICIOUS_EXE_References_Messaging_Clients Create hunting rule
Author:	ditekSHen
Description:	Detects executables referencing many email and collaboration clients. Observed in information stealers

Rule name:	INDICATOR_SUSPICIOUS_EXE_TelegramChatBot Create hunting rule
Author:	ditekSHen
Description:	Detects executables using Telegram Chat Bot

Rule name:	MAL_Envrial_Jan18_1 Create hunting rule
Author:	Florian Roth (Nextron Systems)
Description:	Detects Encrial credential stealer malware
Reference:	https://twitter.com/malwrhunterteam/status/953313514629853184

Rule name:	MAL_Envrial_Jan18_1_RID2D8C Create hunting rule
Author:	Florian Roth
Description:	Detects Encrial credential stealer malware
Reference:	https://twitter.com/malwrhunterteam/status/953313514629853184

Rule name:	NET Create hunting rule
Author:	malware-lu

Rule name:	NETexecutableMicrosoft Create hunting rule
Author:	malware-lu

Rule name:	pe_imphash Create hunting rule

Rule name:	RANSOMWARE Create hunting rule
Author:	ToroGuitar

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

Rule name:	Sus_Obf_Enc_Spoof_Hide_PE Create hunting rule
Author:	XiAnzheng
Description:	Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique(can create FP)

Rule name:	telegram_bot_api Create hunting rule
Author:	rectifyq
Description:	Detects file containing Telegram Bot API

Rule name:	Windows_Trojan_SnakeKeylogger_af3faa65 Create hunting rule
Author:	Elastic Security

File information

The table below shows additional information about this malware sample such as delivery method and external references.

No further information available

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings

ID	Title	Severity
CHECK_AUTHENTICODE	Missing Authenticode	high
CHECK_DLL_CHARACTERISTICS	Missing dll Security Characteristics (HIGH_ENTROPY_VA)	high

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample