MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 6e13018ddc2317c56ed048650de037f810b84a91deaa25406921ef4b63c7bcd7. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


SnakeKeylogger


Vendor detections: 19


Intelligence 19 IOCs YARA 5 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 6e13018ddc2317c56ed048650de037f810b84a91deaa25406921ef4b63c7bcd7
SHA3-384 hash: 7003918b6f813da2fd567cc13fa116a17810c96cda8950da359252dc08a7e6c788d87301453a712144d16dbcd93540e2
SHA1 hash: d5522400aaf9b52eeb53c272c750bf86d49819b1
MD5 hash: be5440c77ab948e18b7e89f05a407fc4
humanhash: tennis-pluto-illinois-cat
File name:Hesap Hareketleri.exe
Download: download sample
Signature SnakeKeylogger
Create hunting rule
File size:886'280 bytes
First seen:2025-10-14 13:42:17 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'665 x AgentTesla, 19'478 x Formbook, 12'208 x SnakeKeylogger)
ssdeep 12288:vg+WCseDeFuNkyV53gkSx0abEAUZQyM5tbdvnJ5ikR:vg+dsLuNrV5QkSxH5UbQtbFR
Threatray 3'820 similar samples on MalwareBazaar
TLSH T125154CD1B150C89AED6B06F16D3AE53024A77E9C94A4810D56EDBF1B76F3342209FE0E
TrID 71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.2% (.EXE) Win64 Executable (generic) (10522/11/4)
6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.3% (.EXE) Win32 Executable (generic) (4504/4/1)
2.0% (.ICL) Windows Icons Library (generic) (2059/9)
Magika pebin
Reporter abuse_ch
Tags:exe geo SnakeKeylogger TUR

Intelligence

File Origin
# of uploads :
1
# of downloads :
92
Origin country :
SE SE
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
_6e13018ddc2317c56ed048650de037f810b84a91deaa25406921ef4b63c7bcd7.exe
Verdict:
Malicious activity
Analysis date:
2025-10-14 13:50:24 UTC
Tags:
snake keylogger evasion stealer ims-api generic
Link:
https://app.any.run/tasks/6fb7eef8-ca35-4011-9bed-c4cd35944653

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Snake
Create hunting rule
Link:
https://www.capesandbox.com/analysis/32724/
Verdict:
Malicious
Score:
92.5%
Link:
https://cyber-fortress.com/docs/result/index.php?id=68ee536304e22ce9acda021f
Tags:
injection obfusc crypt
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Unauthorized injection to a recently created process
Restart of the analyzed sample
Creating a file
Сreating synchronization primitives
DNS request
Connection attempt
Sending an HTTP GET request
Sending a custom TCP request
Forced shutdown of a browser
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
invalid-signature obfuscated packed packed packer_detected signed vbnet
Link:
https://www.filescan.io/uploads/68ee548271883144ef367078/reports/049b0778-0d6b-4447-8bc7-8eae00bd6f4d/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_90%
Link:
https://www.hybrid-analysis.com/sample/6e13018ddc2317c56ed048650de037f810b84a91deaa25406921ef4b63c7bcd7
Verdict:
Malicious
File Type:
exe x32
First seen:
2025-10-14T03:46:00Z UTC
Last seen:
2025-10-16T10:43:00Z UTC
Hits:
~100
Detections:
Trojan.MSIL.Inject.sb Trojan.MSIL.Crypt.sb HEUR:Trojan-Spy.MSIL.Agent.sb HEUR:Trojan-PSW.MSIL.Agensla.gen BSS:Trojan.Win32.Generic Trojan-Spy.MSIL.SnakeLogger.sb Trojan-PSW.Win32.Stealer.sb Trojan.MSIL.Taskun.sb
Link:
https://opentip.kaspersky.com/6e13018ddc2317c56ed048650de037f810b84a91deaa25406921ef4b63c7bcd7/results?tab=lookup
Malware family:
Snake Keylogger
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/7056fba9-dabe-43da-bbc0-81d6bd6a24b7
Result
Threat name:
Snake Keylogger
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1794936
Signature
.NET source code contains potential unpacker
AI detected suspicious PE digital signature
Found malware configuration
Injects a PE file into a foreign processes
Joe Sandbox ML detected suspicious sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Sample uses string decryption to hide its real strings
Tries to detect the country of the analysis system (by using the IP)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Yara detected AntiVM3
Yara detected Snake Keylogger
Behaviour
Behavior Graph:
Download SVG
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/6e13018ddc2317c56ed048650de037f810b84a91deaa25406921ef4b63c7bcd7
Gathering data
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/6e13018ddc2317c56ed048650de037f810b84a91deaa25406921ef4b63c7bcd7/
Verdict:
Malicious
Threat:
Family.SNAKE
Link:
https://tip.neiki.dev/file/6e13018ddc2317c56ed048650de037f810b84a91deaa25406921ef4b63c7bcd7
Threat name:
ByteCode-MSIL.Spyware.Negasteal
Create hunting rule
Status:
Malicious
First seen:
2025-10-14 06:43:08 UTC
File Type:
PE (.Net Exe)
Extracted files:
28
AV detection:
30 of 38 (78.95%)
Threat level:
  2/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=nyjqddo4eml4k3wqjbsq3ybx7ailqsur32vckqdjehxuwy6hxtlq._file
Verdict:
malicious
Label(s):
unc_loader_037
Create hunting rule
404keylogger
Create hunting rule
Similar samples:
1a3b0673ca0264f6306fd9ef59ebf3e6b62d75def5f689eb8bd02f6a222a1e5d
SnakeKeylogger
543b0d455d409155d088d96f0ea8ec6ae11edd0d18d5c39e949d4557b9cdca5d
SnakeKeylogger
67223d2d06877753d37011fa5a9fac6f4155f3e341c56b874c2a6775649f51f0
SnakeKeylogger
9b82825864714597159caad95b64b68cbb976756b1989d4d38e782858e510589
SnakeKeylogger
cb3c37115d314c01bdc7c55e3d685ca91065842745fdf1b74f73a46be6ef27c6
SnakeKeylogger
error
SnakeKeylogger
+ 3'810 additional samples on MalwareBazaar
Result
Malware family:
snakekeylogger
Create hunting rule
Score:
  10/10
Tags:
family:snakekeylogger collection discovery keylogger spyware stealer
Link:
https://tria.ge/reports/251014-q3znmszygs/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
System Location Discovery: System Language Discovery
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Looks up external IP address via web service
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Snake Keylogger
Snake Keylogger payload
Snakekeylogger family
Malware Config
C2 Extraction:
https://api.telegram.org/bot8454226619:AAH_-4nsHFPdN_JrUCTakTI1K0HXllhDhu8/sendMessage?chat_id=7584924098
Verdict:
Suspicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/14526095-2023-4bb4-8522-79eca2e79964
Unpacked files
SH256 hash:
6e13018ddc2317c56ed048650de037f810b84a91deaa25406921ef4b63c7bcd7
MD5 hash:
be5440c77ab948e18b7e89f05a407fc4
SHA1 hash:
d5522400aaf9b52eeb53c272c750bf86d49819b1
Link:
https://www.unpac.me/results/927c7f64-4b41-4618-86fe-d69d6c121359/
SH256 hash:
b794ed0c0c7d4499d0a2ffff67eb5b92dba83f4be7964591e9edad2755176511
MD5 hash:
2a576318d07470206dd7c45f7d896078
SHA1 hash:
3096b2a5ccd98583949a9f57842d5547b50bbc29
Link:
https://www.unpac.me/results/927c7f64-4b41-4618-86fe-d69d6c121359/
SH256 hash:
d05e9eb236570a0dde9adb3c558740558c368517938abc13f5b4605770f65277
MD5 hash:
bf0349b45afdf50ad9c4c95f1335cce7
SHA1 hash:
d0597553951c49e4efc48cbf3c46c6c693b6ef1d
Detections:
SUSP_OBF_NET_ConfuserEx_Name_Pattern_Jan24
Create hunting rule
SUSP_OBF_NET_Reactor_Indicators_Jan24
Create hunting rule
Link:
https://www.unpac.me/results/927c7f64-4b41-4618-86fe-d69d6c121359/
SH256 hash:
5bc6566b0849da3d988a213c7e18a0ab40c42dd0c3d2b99f2dd893db4cc72042
MD5 hash:
bdfe5e448a46cb5420fc2d8de0860949
SHA1 hash:
e0ae7daac5f647fff260850b09187d7ab98f6e98
Detections:
win_404keylogger_g1
Create hunting rule
snake_keylogger
Create hunting rule
MAL_Envrial_Jan18_1
Create hunting rule
INDICATOR_SUSPICIOUS_Binary_References_Browsers
Create hunting rule
INDICATOR_SUSPICIOUS_EXE_References_Messaging_Clients
Create hunting rule
INDICATOR_SUSPICIOUS_EXE_DotNetProcHook
Create hunting rule
MALWARE_Win_SnakeKeylogger
Create hunting rule
Link:
https://www.unpac.me/results/927c7f64-4b41-4618-86fe-d69d6c121359/
Malware family:
SnakeKeylogger
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/6e13018ddc23/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Legit
Score:
0.20
Link:
https://yomi.yoroi.company/submissions/6e13018ddc2317c56ed048650de037f810b84a91deaa25406921ef4b63c7bcd7

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_KB_CERT_7c1118cbbadc95da3752c46e47a27438
Create hunting rule
Author:ditekSHen
Description:Detects executables signed with stolen, revoked or invalid certificates
Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:PE_Digital_Certificate
Create hunting rule
Author:albertzsigovits
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/32724/

Comments