MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 6edf19016586fa717bd95c8ed4481f0f2faaef05518589e242ef56cd6bee00b3. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


SnakeKeylogger


Vendor detections: 14


Intelligence 14 IOCs YARA 5 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 6edf19016586fa717bd95c8ed4481f0f2faaef05518589e242ef56cd6bee00b3
SHA3-384 hash: aa8459657d80c6c598560349e2c3519eb33b0b8f3f865e38fc3ec3dba84fbaea0b8eaa9f6b01c10bd61c0e9f6f23ea36
SHA1 hash: cc2eb61b2cb3c4799bb49843b8f2d542ce9e609b
MD5 hash: 5122009042becd3d3745739c5b134b3c
humanhash: september-yankee-spaghetti-ack
File name:kdv _ ISDEP 2 Programı Denetim Kurulunun Denetimi Hakkında_Ustyazi.exe
Download: download sample
Signature SnakeKeylogger
Create hunting rule
File size:773'120 bytes
First seen:2025-05-14 07:54:49 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'740 x AgentTesla, 19'599 x Formbook, 12'241 x SnakeKeylogger)
ssdeep 12288:294H3KDqRpkVyOkqwnWxe6xaMQiMYMJIBWGlx/8B18yICcECwGbTy1F:u4XOqPakMaMQiGMJxkBmRdwkk
Threatray 3'241 similar samples on MalwareBazaar
TLSH T10EF4E0293E568703C56E0AB4B873D3B30E396F9A9651C24BAEE77D9B31E57305903342
TrID 71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.2% (.EXE) Win64 Executable (generic) (10522/11/4)
6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.3% (.EXE) Win32 Executable (generic) (4504/4/1)
2.0% (.ICL) Windows Icons Library (generic) (2059/9)
Magika pebin
dhash icon 20e631ec86b2b2cc (6 x SnakeKeylogger, 4 x MassLogger, 3 x Formbook)
Reporter lowmal3
Tags:exe SnakeKeylogger

Intelligence

File Origin
# of uploads :
1
# of downloads :
466
Origin country :
DE DE
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
kdv _ ISDEP 2 Programı Denetim Kurulunun Denetimi Hakkında_Ustyazi.exe
Verdict:
Malicious activity
Analysis date:
2025-05-14 07:57:51 UTC
Tags:
snake keylogger evasion telegram netreactor stealer smtp
Link:
https://app.any.run/tasks/d53676cf-24a1-49bf-bc62-81c0095f274f

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection(s):
SecuriteInfo.com.BackDoor.AgentTeslaNET.6.3074.31277.UNOFFICIAL
Create hunting rule

Verdict:
Malicious
Score:
99.1%
Link:
https://cyber-fortress.com/docs/result/index.php?id=68244dcbe16384d6a7044668
Tags:
keylog spawn spam msil
Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Creating a window
Сreating synchronization primitives
Creating a process with a hidden window
Searching for synchronization primitives
Launching the default Windows debugger (dwwin.exe)
Adding an exclusion to Microsoft Defender
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
obfuscated packed packed packer_detected vbnet
Link:
https://www.filescan.io/uploads/68244c648bd61140fb6fa418/reports/a0c07082-a6eb-45c5-bd63-669cbfd0b1a1/overview
Malware family:
Snake Keylogger
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/04e9c385-eeeb-4adc-b5a4-abf9d01bd587
Result
Threat name:
Snake Keylogger, VIP Keylogger
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1689653
Signature
.NET source code contains potential unpacker
Adds a directory exclusion to Windows Defender
Found malware configuration
Injects a PE file into a foreign processes
Joe Sandbox ML detected suspicious sample
Loading BitLocker PowerShell Module
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Sample uses string decryption to hide its real strings
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Suricata IDS alerts for network traffic
Tries to detect the country of the analysis system (by using the IP)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Uses the Telegram API (likely for C&C communication)
Yara detected AntiVM3
Yara detected Snake Keylogger
Yara detected Telegram RAT
Yara detected VIP Keylogger
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1689653 Sample: kdv _ ISDEP 2 Program#U0131... Startdate: 14/05/2025 Architecture: WINDOWS Score: 100 25 reallyfreegeoip.org 2->25 27 api.telegram.org 2->27 29 2 other IPs or domains 2->29 45 Suricata IDS alerts for network traffic 2->45 47 Found malware configuration 2->47 49 Malicious sample detected (through community Yara rule) 2->49 55 10 other signatures 2->55 8 kdv _ ISDEP 2 Program#U0131 Denetim Kurulunun Denetimi Hakk#U0131nda_Ustyazi.exe 4 2->8         started        12 svchost.exe 1 1 2->12         started        signatures3 51 Tries to detect the country of the analysis system (by using the IP) 25->51 53 Uses the Telegram API (likely for C&C communication) 27->53 process4 dnsIp5 23 kdv _ ISDEP 2 Prog...nda_Ustyazi.exe.log, ASCII 8->23 dropped 57 Adds a directory exclusion to Windows Defender 8->57 59 Injects a PE file into a foreign processes 8->59 15 kdv _ ISDEP 2 Program#U0131 Denetim Kurulunun Denetimi Hakk#U0131nda_Ustyazi.exe 15 2 8->15         started        19 powershell.exe 23 8->19         started        31 127.0.0.1 unknown unknown 12->31 file6 signatures7 process8 dnsIp9 33 checkip.dyndns.com 132.226.247.73, 49710, 49712, 49716 UTMEMUS United States 15->33 35 api.telegram.org 149.154.167.220, 443, 49733 TELEGRAMRU United Kingdom 15->35 37 reallyfreegeoip.org 104.21.16.1, 443, 49711, 49715 CLOUDFLARENETUS United States 15->37 39 Tries to steal Mail credentials (via file / registry access) 15->39 41 Tries to harvest and steal browser information (history, passwords, etc) 15->41 43 Loading BitLocker PowerShell Module 19->43 21 conhost.exe 19->21         started        signatures10 process11
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/6edf19016586fa717bd95c8ed4481f0f2faaef05518589e242ef56cd6bee00b3
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/6edf19016586fa717bd95c8ed4481f0f2faaef05518589e242ef56cd6bee00b3/
Threat name:
Win32.Spyware.Snakekeylogger
Create hunting rule
Status:
Malicious
First seen:
2025-05-14 05:17:25 UTC
File Type:
PE (.Net Exe)
Extracted files:
12
AV detection:
21 of 24 (87.50%)
Threat level:
  2/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=n3prsalfq35hc66zlshnisa7b4x2v3yfkgcytysc55lm227oaczq._file
Verdict:
malicious
Label(s):
vipkeylogger
Create hunting rule
unc_loader_037
Create hunting rule
Similar samples:
41088186eed58ac236ab4c348e830c0cd33c23df294726a303cec26eec135505
SnakeKeylogger
66f078e58ebd64a0dc663e8b45e21469d9b7b020b130d7f4bd31de6de4a4ce7a
SnakeKeylogger
7a1af0954cd7db05725aaa1b43ae149bc9f7bb610305b216744f3863e5247663
SnakeKeylogger
e91f580c44b75485d8742039aa469e5c979e44db9d8fee5f2017e4f5c7cc0796
SnakeKeylogger
f0b92224a6c6d1b41423d500b1b008334416a0a8db4bacb8cd959e2c298df264
SnakeKeylogger
fef84d37b7a6401d86e58cbae5066ea24fa9e16fa44139db1d5c4c0a9df0bf2a
SnakeKeylogger
+ 3'231 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  8/10
Tags:
discovery execution
Link:
https://tria.ge/reports/250514-jr73baer7s/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
System Location Discovery: System Language Discovery
Checks computer location settings
Command and Scripting Interpreter: PowerShell
Verdict:
Unknown
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/09f3d52e-ba2b-4783-9379-15558be4e2ae
Unpacked files
SH256 hash:
6edf19016586fa717bd95c8ed4481f0f2faaef05518589e242ef56cd6bee00b3
MD5 hash:
5122009042becd3d3745739c5b134b3c
SHA1 hash:
cc2eb61b2cb3c4799bb49843b8f2d542ce9e609b
Link:
https://www.unpac.me/results/e84f2acd-43c6-4e1f-aa9a-fa20e41f54fa/
SH256 hash:
a5e8d7f0a7ae2d8d6228a817fc50999ed5da458a32b27e85afd93e0ea047e5fb
MD5 hash:
cc6e8553a331db8ff3b7a756e2f85480
SHA1 hash:
03613a5d6a0916562ce4ee5ae0f951eec54af3d2
Detections:
win_404keylogger_g1
Create hunting rule
MAL_Envrial_Jan18_1
Create hunting rule
INDICATOR_SUSPICIOUS_Binary_References_Browsers
Create hunting rule
INDICATOR_SUSPICIOUS_EXE_DotNetProcHook
Create hunting rule
INDICATOR_SUSPICIOUS_EXE_TelegramChatBot
Create hunting rule
Link:
https://www.unpac.me/results/e84f2acd-43c6-4e1f-aa9a-fa20e41f54fa/
Parent samples :
6edf19016586fa717bd95c8ed4481f0f2faaef05518589e242ef56cd6bee00b3
3961987dda53c630bbff8bca5d0ed8b6dae39c77a448aafda0a67c2db173e8c8
960e9c3e54dad1225bdbdf547efe031e0b45d5ecb7cff888a93001174161bfdc
14c1b644e15f38f65b958fa200c9e40c1012b506022acb628613a6cc82c6bbac
8d9e4cdc23217573230ac18c77993958b28794bec8d2ab4acbb624030d50faad
69f958086b834153340519f2fbccc2b3abf5513e632d59a63ef0f9b0af284c1b
4bbe72086cc4dc5233eb93b1fae05c4cc0b0b85305e30249b58f2aaec11494c1
SH256 hash:
22a03f25544fecf96ca7f38781824e302238529b6e59cc10cfecf240043bd294
MD5 hash:
bee219cadf5a780865c3548d9936bc38
SHA1 hash:
077405987d76832010142540e3f9c5fc1f1c314a
Link:
https://www.unpac.me/results/e84f2acd-43c6-4e1f-aa9a-fa20e41f54fa/
SH256 hash:
7bb6f0c6799781a702bb0f6b2abfeead71740ac43682966323f2ae03a7527264
MD5 hash:
de66d681547901be1ef059ff48c19a80
SHA1 hash:
4b8504bea2034594f3ee21c4b5afe776fbc3fa8c
Detections:
SUSP_OBF_NET_ConfuserEx_Name_Pattern_Jan24
Create hunting rule
SUSP_OBF_NET_Reactor_Indicators_Jan24
Create hunting rule
Link:
https://www.unpac.me/results/e84f2acd-43c6-4e1f-aa9a-fa20e41f54fa/
Malware family:
VIPKeylogger
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/6edf19016586/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/6edf19016586fa717bd95c8ed4481f0f2faaef05518589e242ef56cd6bee00b3

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:NETexecutableMicrosoft
Create hunting rule
Author:malware-lu
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash
Rule name:Sus_Obf_Enc_Spoof_Hide_PE
Create hunting rule
Author:XiAnzheng
Description:Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique(can create FP)

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

SnakeKeylogger

Executable exe 6edf19016586fa717bd95c8ed4481f0f2faaef05518589e242ef56cd6bee00b3

(this sample)

  
Delivery method
Distributed via e-mail attachment

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_DLL_CHARACTERISTICSMissing dll Security Characteristics (HIGH_ENTROPY_VA)high

Comments