MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 68b9da7d7c581d929c84aca89b0d7418c6b2e04a6c93d1045e59052a7bedb6fd. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



SnakeKeylogger


Vendor detections: 17



SHA256 hash: 68b9da7d7c581d929c84aca89b0d7418c6b2e04a6c93d1045e59052a7bedb6fd
SHA3-384 hash: a180d4ce24324332344b75753e8cc621065b9459bc8bbd94e0fc0c43bfdeee67f508f7eb545b19f04abcf473f21cf896
SHA1 hash: 681bd0881afa6475e14dc47c4ae1b69b8fe3956a
MD5 hash: a81aa8a98fd78ab03964052379c6b987
humanhash: texas-undress-white-william
File name: KURUMSAL KREDİ ÖDEME HATIRLATMA.exe (Turkish for "CORPORATE LOAN PAYMENT REMINDER.exe", a finance-themed lure name)
Download: download sample
Signature: SnakeKeylogger
File size: 742'400 bytes
First seen: 2025-08-22 15:08:49 UTC
Last seen: 2025-09-05 13:08:24 UTC
File type: Executable exe
MIME type: application/x-dosexec
imphash: f34d5f2d4577ed6d9ceec516c1f5a744 (48'649 x AgentTesla, 19'454 x Formbook, 12'202 x SnakeKeylogger). Note that this imphash is shared by tens of thousands of samples across several families: a managed .NET executable's only native import is mscoree!_CorExeMain, so the import hash identifies the .NET loader stub rather than the family and is not a useful pivot for this sample.
ssdeep: 12288:u4kuFKG62Vmm9mXKh3lWd+BowuzeW/TV8biiItnng2tpA5mGgkOaEpN3Rhan2u9:uAkah3lWd8V5i5nnrpAnfCR
Threatray: 515 similar samples on MalwareBazaar
TLSH: T165F4F1893610F15FC453DA3189A5EE759A692DAA5707C20396E72DEFBC0C6D78E002F2
TrID: 69.7% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
      10.0% (.EXE) Win64 Executable (generic) (10522/11/4)
      6.2% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
      4.2% (.EXE) Win32 Executable (generic) (4504/4/1)
      1.9% (.EXE) Win16/32 Executable Delphi generic (2072/23)
Magika: pebin
Reporter: abuse_ch
Tags: exe geo SnakeKeylogger TUR

Intelligence


File Origin
# of uploads: 2
# of downloads: 67
Origin country: SE
Vendor Threat Intelligence

Malware family: n/a
ID: 1
File name: bazaar.abuse.ch/browse/
Verdict: Malicious activity
Analysis date: 2025-08-22 15:21:12 UTC
Tags: evasion arch-exec snake keylogger telegram stealer smtp netreactor

Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Verdict: Malicious
Score: 99.1%
Tags: spawn shell virus

Result
Verdict: Malware
Maliciousness:
Behaviour
Creating a window
Creating synchronization primitives
Creating a process with a hidden window
Searching for synchronization primitives
Launching the default Windows debugger (dwwin.exe)
Adding an exclusion to Microsoft Defender
Verdict: Likely Malicious
Threat level: 7.5/10
Confidence: 100%
Tags: obfuscated packed packer_detected vbnet

Verdict: Malicious
File Type: exe x32
First seen: 2025-08-21T06:28:00Z UTC
Last seen: 2025-08-21T06:28:00Z UTC
Hits: ~1000
Malware family: Snake Keylogger

Verdict: Malicious
Result
Threat name: Snake Keylogger, VIP Keylogger
Detection: malicious
Classification: troj.spyw.evad
Score: 100 / 100
Signature
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains potential unpacker
Adds a directory exclusion to Windows Defender
Found malware configuration
Joe Sandbox ML detected suspicious sample
Loading BitLocker PowerShell Module
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Sample uses string decryption to hide its real strings
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Suricata IDS alerts for network traffic
Tries to detect the country of the analysis system (by using the IP)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Uses the Telegram API (likely for C&C communication)
Yara detected AntiVM3
Yara detected Snake Keylogger
Yara detected Telegram RAT
Yara detected VIP Keylogger
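The two defence-evasion signatures above ("Adds a directory exclusion to Windows Defender" and "Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet") describe one technique: the sample launches powershell.exe with a base64-encoded command that runs Add-MpPreference with an exclusion parameter. The detector below is an added example, not code from MalwareBazaar, Joe Sandbox or the Sigma project. It decodes the -EncodedCommand payload (base64 over UTF-16LE) and looks for Add-MpPreference / Set-MpPreference followed by an -Exclusion* parameter, in both encoded and plaintext command lines. The process-creation events at the bottom are constructed for illustration; the excluded path in them is a placeholder, not one recovered from this sample.

```python
"""Decode base64 PowerShell and flag Defender exclusion cmdlets.

Added example, not code from MalwareBazaar or any sandbox vendor. The sample
events are constructed; only the lure file name comes from the database entry.
"""
import base64
import binascii
import re
from typing import Dict, List, Optional

# Common spellings of the encoded-command switch. PowerShell accepts any unambiguous
# prefix of -EncodedCommand, so -e / -ec / -enc are what malware actually uses.
_ENC_FLAG = re.compile(
    r"(?i)(?:^|\s)[-/](?:e|ec|en|enc|encodedcommand)\s+([A-Za-z0-9+/=]{8,})"
)

# Add-MpPreference or Set-MpPreference followed (anywhere later, newlines included) by an
# -Exclusion* parameter (-ExclusionPath, -ExclusionProcess, -ExclusionExtension, ...).
# The value may be double-quoted, single-quoted or bare.
_EXCLUSION = re.compile(
    r"(?is)\b(Add|Set)-MpPreference\b.*?-(Exclusion\w*)\s+"
    r"(?:\"([^\"]*)\"|'([^']*)'|([^\s;\"']+))"
)


def encode_for_powershell(script: str) -> str:
    """Encode a script the way -EncodedCommand expects it: base64 of UTF-16LE text."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


def decode_encoded_command(blob: str) -> Optional[str]:
    """Inverse of encode_for_powershell(); None if the blob is not valid base64/UTF-16LE."""
    try:
        raw = base64.b64decode(blob, validate=True)
    except (binascii.Error, ValueError):
        return None
    if len(raw) % 2:                      # UTF-16LE needs an even byte count
        return None
    try:
        return raw.decode("utf-16-le")
    except UnicodeDecodeError:
        return None


def find_exclusion(command_line: str) -> Optional[Dict[str, object]]:
    """Return the first Defender-exclusion cmdlet in a command line, decoding -enc payloads."""
    candidates = [(command_line, False)]
    m = _ENC_FLAG.search(command_line)
    if m:
        decoded = decode_encoded_command(m.group(1))
        if decoded:
            candidates.append((decoded, True))
    for text, was_encoded in candidates:
        hit = _EXCLUSION.search(text)
        if hit:
            return {
                "cmdlet": f"{hit.group(1)}-MpPreference",
                "parameter": "-" + hit.group(2),
                "value": hit.group(3) or hit.group(4) or hit.group(5) or "",
                "encoded": was_encoded,
            }
    return None


def scan_process_events(events: List[Dict[str, str]]) -> List[Dict[str, object]]:
    """Run find_exclusion over Sysmon-style process-creation events whose image is PowerShell."""
    alerts: List[Dict[str, object]] = []
    for ev in events:
        if not ev.get("Image", "").lower().endswith(("powershell.exe", "pwsh.exe")):
            continue
        hit = find_exclusion(ev.get("CommandLine", ""))
        if hit:
            alerts.append({"parent": ev.get("ParentImage", ""), **hit})
    return alerts


LURE = r"C:\Users\victim\Downloads\KURUMSAL KREDİ ÖDEME HATIRLATMA.exe"
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"

# Constructed events. The first mirrors the sandbox chain (lure -> powershell.exe with -enc);
# the excluded directory is a placeholder chosen for the example.
SAMPLE_EVENTS = [
    {"ParentImage": LURE, "Image": PS,
     "CommandLine": "powershell.exe -ExecutionPolicy Bypass -enc "
                    + encode_for_powershell(r"Add-MpPreference -ExclusionPath 'C:\Users\victim\AppData\Roaming'")},
    {"ParentImage": r"C:\Windows\explorer.exe", "Image": PS,                      # benign encoded command
     "CommandLine": "powershell.exe -enc " + encode_for_powershell("Get-Date | Out-Null")},
    {"ParentImage": r"C:\Windows\System32\cmd.exe", "Image": PS,                 # plaintext, still flagged
     "CommandLine": "powershell -Command \"Set-MpPreference -ExclusionProcess 'notepad.exe'\""},
    {"ParentImage": r"C:\Windows\explorer.exe", "Image": r"C:\Windows\System32\notepad.exe",
     "CommandLine": "notepad.exe Add-MpPreference -ExclusionPath C:\\"},        # not PowerShell: ignored
]

if __name__ == "__main__":
    for a in scan_process_events(SAMPLE_EVENTS):
        print(f"{a['parent']} -> {a['cmdlet']} {a['parameter']} {a['value']} (encoded={a['encoded']})")
```

Remove-MpPreference is deliberately not matched, and Get-MpPreference never is; a Set-MpPreference that disables real-time monitoring is a separate pattern this example does not cover. In production, pair the match with the parent image: an exclusion added by a process launched from a user's Downloads folder, as in the constructed first event, is the high-fidelity case.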
Behaviour
Behavior Graph (ID 1763026, sample KURUMSAL KREDİ ÖDEME HATIRLATMA.exe, start date 22/08/2025, architecture WINDOWS, score 100). The graphic is not reproduced here; the nodes it recorded are:
Processes: KURUMSAL KREDİ ÖDEME HATIRLATMA.exe is started, drops "KURUMSAL KREDİ ÖDEME HATIRLATMA.exe.log" (ASCII), adds a directory exclusion to Windows Defender, and starts a second instance of itself and powershell.exe (which loads the BitLocker PowerShell module and starts conhost.exe). svchost.exe is also started and connects to 127.0.0.1.
Network: reallyfreegeoip.org (tries to detect the country of the analysis system by using the IP); api.telegram.org (uses the Telegram API, likely for C&C communication), plus 3 other IPs or domains from the initial process. The second instance of the sample connects to mail.proev.com.tr 178.210.170.120 on port 587 (PREMIERDC-VERI-MERKEZI-ANONIM-SIRKETI, Turkey; the SMTP submission port, consistent with the smtp tag above) and to api.telegram.org 149.154.167.220 on port 443 (TELEGRAMRU, United Kingdom), plus 2 other IPs or domains; it is the process that tries to steal mail credentials (via file / registry access) and to harvest browser information (history, passwords, etc.).
Other signatures on the graph: Suricata IDS alerts for network traffic, Found malware configuration, Malicious sample detected (through community Yara rule), and 11 other signatures.
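The network side of the behaviour graph is a recognisable stealer sequence: the process first asks a geo-IP service where it is running, then pushes data out over the Telegram Bot API and an SMTP submission port. A single-indicator rule on api.telegram.org or port 587 is noisy; correlating the geo-IP lookup with a follow-on exfil channel from the same host and process is not. The correlation below is an added example, not code from MalwareBazaar or any sandbox vendor. It works over per-connection records of the kind an EDR or Sysmon network event provides; the flow log is constructed for illustration, and only the destination names, IPs and ports are taken from the graph above (the geo-IP service's IP is a documentation placeholder).

```python
"""Correlate a geo-IP lookup with a follow-on Telegram Bot API or SMTP connection.

Added example, not code from MalwareBazaar or any sandbox vendor. The flow
records are constructed; destination names, IPs and ports mirror the graph.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

GEOIP_SERVICES = {"reallyfreegeoip.org"}          # observed for this sample; extend from your telemetry
TELEGRAM_BOT_API = "api.telegram.org"              # Bot API host, not used by the Telegram desktop/mobile apps
SMTP_PORTS = {25, 465, 587}
MAIL_CLIENTS = {"outlook.exe", "thunderbird.exe"}  # processes expected to speak SMTP; tune per environment
WINDOW_SECONDS = 300


@dataclass(frozen=True)
class Flow:
    ts: float        # epoch seconds
    host: str        # endpoint that originated the connection
    process: str     # image name that opened the socket
    dst_name: str    # resolved destination name, "" if none
    dst_ip: str
    dst_port: int


@dataclass(frozen=True)
class Alert:
    host: str
    process: str
    geo_lookup_ts: float
    exfil: Flow
    channel: str     # "telegram-bot-api" or "smtp"


def classify_exfil(flow: Flow) -> Optional[str]:
    """Name the exfiltration channel a flow represents, or None for ordinary traffic."""
    if flow.dst_name.lower() == TELEGRAM_BOT_API and flow.dst_port == 443:
        return "telegram-bot-api"
    if flow.dst_port in SMTP_PORTS and flow.process.lower() not in MAIL_CLIENTS:
        return "smtp"
    return None


def correlate(flows: List[Flow], window: float = WINDOW_SECONDS) -> List[Alert]:
    """Alert when a process does a geo-IP lookup and, within `window` seconds, opens an exfil channel."""
    last_geo: Dict[Tuple[str, str], float] = {}
    alerts: List[Alert] = []
    for f in sorted(flows, key=lambda x: x.ts):
        key = (f.host, f.process.lower())
        if f.dst_name.lower() in GEOIP_SERVICES:
            last_geo[key] = f.ts          # most recent lookup per (host, process)
            continue
        channel = classify_exfil(f)
        if channel is None:
            continue
        geo_ts = last_geo.get(key)
        if geo_ts is not None and f.ts - geo_ts <= window:
            alerts.append(Alert(f.host, f.process, geo_ts, f, channel))
    return alerts


LURE = "KURUMSAL KREDİ ÖDEME HATIRLATMA.exe"

# Constructed flow log. WS01 reproduces the sandbox sequence; the other hosts are
# benign look-alikes that a naive single-indicator rule would flag.
SAMPLE_FLOWS = [
    Flow(1000.0, "WS01", LURE, "reallyfreegeoip.org", "203.0.113.10", 443),
    Flow(1004.0, "WS01", LURE, "api.telegram.org", "149.154.167.220", 443),
    Flow(1009.0, "WS01", LURE, "mail.proev.com.tr", "178.210.170.120", 587),
    Flow(1010.0, "WS02", "outlook.exe", "mail.proev.com.tr", "178.210.170.120", 587),  # mail client: allowed
    Flow(1020.0, "WS03", "chrome.exe", "reallyfreegeoip.org", "203.0.113.10", 443),    # lookup, no follow-on
    Flow(3000.0, "WS03", "chrome.exe", "api.telegram.org", "149.154.167.220", 443),    # outside the window
]

if __name__ == "__main__":
    for a in correlate(SAMPLE_FLOWS):
        print(f"{a.host} {a.process}: geo lookup at {a.geo_lookup_ts:.0f}, then {a.channel} to "
              f"{a.exfil.dst_name} ({a.exfil.dst_ip}:{a.exfil.dst_port}) at {a.exfil.ts:.0f}")
```

A bare connection to api.telegram.org from anything other than a browser or known automation is still worth a lower-severity rule on its own; the correlated form is the one to page on. Blocking api.telegram.org and outbound 587 from endpoints that are not mail clients removes both channels this sample uses.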
Verdict: inconclusive
YARA: 12 match(es)
Tags: .Net Executable Managed .NET PE (Portable Executable) PE File Layout SOS: 0.78 Win 32 Exe x86

Threat name: ByteCode-MSIL.Trojan.AgentTesla
Status: Malicious
First seen: 2025-08-21 13:02:09 UTC
File Type: PE (.Net Exe)
Extracted files: 7
AV detection: 19 of 24 (79.17%)
Threat level: 5/5

Result
Malware family: n/a
Score: 8/10
Tags: defense_evasion discovery execution
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
System Location Discovery: System Language Discovery
Checks computer location settings
Command and Scripting Interpreter: PowerShell
Modifies trusted root certificate store through registry
Unpacked files
SHA256 hash: 68b9da7d7c581d929c84aca89b0d7418c6b2e04a6c93d1045e59052a7bedb6fd
MD5 hash: a81aa8a98fd78ab03964052379c6b987
SHA1 hash: 681bd0881afa6475e14dc47c4ae1b69b8fe3956a

SHA256 hash: b03b5dd39dad606cbab3a162c7549b51f72299345a7245612a5ee86906544427
MD5 hash: 4ffe9f41c5036631545330c928734ce1
SHA1 hash: 4c35561e3d819b35b09e9534cd1a28b9dba84e60
Detections: SUSP_OBF_NET_ConfuserEx_Name_Pattern_Jan24 SUSP_OBF_NET_Reactor_Indicators_Jan24

SHA256 hash: 4ab124cc78da9a5b424af11ab3395fb0b68f5133071488128399b3391fcfdefc
MD5 hash: 17974a42d44f4b84c8ecdbad98dca0f4
SHA1 hash: 7fa2533d183a910eb3c391dfb873d1ac079311ef
Detections: win_404keylogger_g1 MAL_Envrial_Jan18_1 INDICATOR_SUSPICIOUS_Binary_References_Browsers INDICATOR_SUSPICIOUS_EXE_DotNetProcHook INDICATOR_SUSPICIOUS_EXE_TelegramChatBot

SHA256 hash: 6f663c04d0d98abf75bd5202ffa408fa727502c199f42f5d9b8b3e50f4ac3781
MD5 hash: 3bcbe25f8ad2139c0bb3501fcf9afc5f
SHA1 hash: a7a91c6b0fafeac319c6bf429fd8799f9670cba3
Detections: SUSP_OBF_NET_Reactor_Indicators_Jan24

Parent samples:
Note that we are no longer able to provide a coverage score for VirusTotal.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed. Several of the matches below are generic by their own description (imphash-based rules, .NET structure rules, broad "can create FP" heuristics) rather than family-specific; the family attribution rests on crime_snake_keylogger, Windows_Trojan_SnakeKeylogger_af3faa65, the rules matched on the unpacked payload above, and the sandbox configuration extraction.

Rule name: attack_India
Rule name: CP_AllMal_Detector
Author: DiegoAnalytics
Description: CrossPlatform All Malwares Detector: Detect PE, ELF, Mach-O, scripts, archives; overlay, obfuscation, encryption, spoofing, hiding, high entropy, network communication
Rule name: crime_snake_keylogger
Author: Rony (r0ny_123)
Description: Detects Snake keylogger payload
Rule name: DetectEncryptedVariants
Author: Zinyth
Description: Detects 'encrypted' in ASCII, Unicode, base64, or hex-encoded
Rule name: INDICATOR_SUSPICIOUS_Binary_References_Browsers
Author: ditekSHen
Description: Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers.
Rule name: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook
Author: ditekSHen
Description: Detects executables with potential process hooking
Rule name: INDICATOR_SUSPICIOUS_EXE_TelegramChatBot
Author: ditekSHen
Description: Detects executables using Telegram Chat Bot
Rule name: MAL_Envrial_Jan18_1
Author: Florian Roth (Nextron Systems)
Description: Detects Encrial credential stealer malware
Reference: https://twitter.com/malwrhunterteam/status/953313514629853184
Rule name: MAL_Envrial_Jan18_1_RID2D8C
Author: Florian Roth
Description: Detects Encrial credential stealer malware
Reference: https://twitter.com/malwrhunterteam/status/953313514629853184
Rule name: NET
Author: malware-lu
Rule name: NETexecutableMicrosoft
Author: malware-lu
Rule name: pe_imphash
Rule name: RANSOMWARE
Author: ToroGuitar
Rule name: Skystars_Malware_Imphash
Author: Skystars LightDefender
Description: imphash
Rule name: Sus_CMD_Powershell_Usage
Author: XiAnzheng
Description: May contain (obfuscated or not) PowerShell or CMD command that can be abused by a threat actor (can create FP)
Rule name: Sus_Obf_Enc_Spoof_Hide_PE
Author: XiAnzheng
Description: Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique (can create FP)
Rule name: telegram_bot_api
Author: rectifyq
Description: Detects file containing Telegram Bot API
Rule name: Windows_Trojan_SnakeKeylogger_af3faa65
Author: Elastic Security

File information


The table below shows additional information about this malware sample such as delivery method and external references.
