MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 79984f396d876a3371776668d5b9aeff237525e8bf4e604bd7324551eb620c7a. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

SnakeKeylogger

Vendor detections: 17

Intelligence 17 IOCs YARA 16 File information Comments

SHA256 hash:	79984f396d876a3371776668d5b9aeff237525e8bf4e604bd7324551eb620c7a
SHA3-384 hash:	2d3a80928b4e13283c67304c012acc7ee6006ab73c38f2294bff34b4f5732bdea4717e283d5c46e03ec3097df7490bf8
SHA1 hash:	3396916e397d9b8683ea18842ef7074c38a668be
MD5 hash:	9ad4759bb1d70d4ad48fdf827407c2bb
humanhash:	ceiling-double-failed-autumn
File name:	79984f396d876a3371776668d5b9aeff237525e8bf4e604bd7324551eb620c7a
Download:	download sample
Signature	SnakeKeylogger Create hunting rule
File size:	770'048 bytes
First seen:	2025-04-08 08:17:22 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'666 x AgentTesla, 19'479 x Formbook, 12'209 x SnakeKeylogger)
ssdeep	12288:HXvBT9rcKL4eh8t0yr/djjalXtx+Ch9T/++9DRDcUd6bCLMCLVGmSLQ0bRVnuS9T:JTGaSt0yr1jjOXtUCh9z+41oGvLMCKLO
Threatray	2'514 similar samples on MalwareBazaar
TLSH	T157F4225E7B1599A8CE0E067FC933B2588732C197E632F18E24CD0DEB9DB6B044692D53
TrID	69.7% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13) 10.0% (.EXE) Win64 Executable (generic) (10522/11/4) 6.2% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 4.2% (.EXE) Win32 Executable (generic) (4504/4/1) 1.9% (.EXE) Win16/32 Executable Delphi generic (2072/23)
Magika	pebin
dhash icon	14f0ccced6cce971 (11 x SnakeKeylogger, 9 x Formbook, 5 x MassLogger)
Reporter	adrian__luca
Tags:	exe SnakeKeylogger

Intelligence

File Origin

# of uploads :

# of downloads :

342

Origin country :

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

26032025_0112_24032025_PINVOICEDraftTTAndDocumentsofBalancePayment.pdf.z

Verdict:

Malicious activity

Analysis date:

2025-03-26 01:21:58 UTC

Tags:

arch-exec snake keylogger evasion telegram stealer smtp

Link:

https://app.any.run/tasks/eb816774-6863-4f54-baf7-b006371a9946

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Verdict:

Malicious

Score:

81.4%

Link:

https://cyber-fortress.com/docs/result/index.php?id=67e356b6cb6d38a89f3e3820

Tags:

virus micro msil

Result

Verdict:

Malware

Maliciousness:

Behaviour

Searching for the window

Creating a window

Сreating synchronization primitives

Launching a process

Creating a file

DNS request

Connection attempt

Sending an HTTP GET request

Sending a custom TCP request

Reading critical registry keys

Stealing user critical data

Unauthorized injection to a system process

Forced shutdown of a browser

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

obfuscated obfuscated packed packed packer_detected

Link:

https://www.filescan.io/uploads/67f4dba89a455902911545a7/reports/4361f194-303a-4d93-80bf-2dbc00d90f47/overview

Verdict:

Malicious

Labled as:

Jalapeno.Generic

Link:

https://www.hybrid-analysis.com/sample/79984f396d876a3371776668d5b9aeff237525e8bf4e604bd7324551eb620c7a

Malware family:

Snake Keylogger

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/c6e4e791-79a7-4d88-ad99-30736236e4dc

Result

Threat name:

n/a

Detection:

malicious

Classification:

n/a

Score:

60 / 100

Link:

https://www.joesandbox.com/analysis/1659859

Signature

.NET source code contains very large array initializations

Antivirus / Scanner detection for submitted sample

Multi AV Scanner detection for submitted file

Behaviour

Behavior Graph:

Download SVG

Score:

100%

Verdict:

Malware

File Type:

Link:

https://malprob.io/report/79984f396d876a3371776668d5b9aeff237525e8bf4e604bd7324551eb620c7a

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/79984f396d876a3371776668d5b9aeff237525e8bf4e604bd7324551eb620c7a/

Threat name:

Win32.Trojan.Jalapeno

Status:

Malicious

First seen:

2025-03-25 07:10:06 UTC

File Type:

PE (.Net Exe)

Extracted files:

AV detection:

19 of 24 (79.17%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=pgme6olnq5vdg4lxmzunlono74rxkjpix5hgas6xgjcvd23cbr5a._file

Verdict:

malicious

Label(s):

unc_loader_037

vipkeylogger

SnakeKeylogger

52e613978faf4b534d0864a6125d73767b06319e9adaf7d42075527e2b52b3fe

SnakeKeylogger

6516870967d34590a4024eb8577dec672505ed990a540639293f9f61a82f5683

SnakeKeylogger

b8df5ca9ec2fbb02bebddb499f4c1a966bf9da4581e68eeca99a195dbd94f4fb

SnakeKeylogger

ddb8f6656936eca3494339a3193ea49d3fef93328b57727bbda16450384ec78c

SnakeKeylogger

e8e945d0e6a01338aac7ba7c8b5d19bf4ad27824cd328d833a764d4b24ed7d0c

SnakeKeylogger

+ 2'504 additional samples on MalwareBazaar

Result

Malware family:

vipkeylogger

Score:

10/10

Tags:

family:vipkeylogger collection discovery keylogger stealer

Link:

https://tria.ge/reports/250408-j632xa1zay/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

outlook_office_path

outlook_win_path

Browser Information Discovery

System Location Discovery: System Language Discovery

Suspicious use of SetThreadContext

Accesses Microsoft Outlook profiles

Looks up external IP address via web service

VIPKeylogger

Vipkeylogger family

Malware Config

C2 Extraction:

https://api.telegram.org/bot7191250169:AAFkvmV4xhcZoEl641qiQbJXLazzcaj6fVA/sendMessage?chat_id=5828071914

Verdict:

Malicious

Tags:

404keylogger

YARA:

n/a

Link:

https://app.threat.zone/submission/4395dab6-eb1c-425a-988c-b63f4974e0cb

Unpacked files

SH256 hash:

79984f396d876a3371776668d5b9aeff237525e8bf4e604bd7324551eb620c7a

MD5 hash:

9ad4759bb1d70d4ad48fdf827407c2bb

SHA1 hash:

3396916e397d9b8683ea18842ef7074c38a668be

Link:

https://www.unpac.me/results/98d70784-e795-41c8-b9fe-78e0e504ce79/

SH256 hash:

8a4af055476bf7d4c08cd9aeb593fe057f90fc394c63e8e5ee9eb36e68fe82d7

MD5 hash:

f729f231da43da3c048cb1b085b1db83

SHA1 hash:

2cfeca5b74d4c8dce0ff88d4f957f2d1b4874783

Detections:

SUSP_OBF_NET_ConfuserEx_Name_Pattern_Jan24

SUSP_OBF_NET_Reactor_Indicators_Jan24

Link:

https://www.unpac.me/results/98d70784-e795-41c8-b9fe-78e0e504ce79/

SH256 hash:

479b2b88236dc456b9c9dfcff8ee9e70c80d12c0f7b02b3090a9fe55f772b689

MD5 hash:

e3f6e491829c48e1ba0709f786109cef

SHA1 hash:

3e300dbb2a18a38cfcfdcdc2a71b47fada2b73a2

Link:

https://www.unpac.me/results/98d70784-e795-41c8-b9fe-78e0e504ce79/

SH256 hash:

4ce0109fe108afb9c0e4be6332696785d13f326b41ff31345eefa523ec724528

MD5 hash:

5360e48d913abc1401e7560f773ddb8e

SHA1 hash:

d6c339077e2a659e38048b9d2462db8ee61c14f0

Detections:

win_404keylogger_g1

MAL_Envrial_Jan18_1

INDICATOR_SUSPICIOUS_Binary_References_Browsers

INDICATOR_SUSPICIOUS_EXE_References_Messaging_Clients

INDICATOR_SUSPICIOUS_EXE_DotNetProcHook

INDICATOR_SUSPICIOUS_EXE_TelegramChatBot

Link:

https://www.unpac.me/results/98d70784-e795-41c8-b9fe-78e0e504ce79/

Parent samples :

79984f396d876a3371776668d5b9aeff237525e8bf4e604bd7324551eb620c7a
37e27a0462419710caf95a47873733568335ae8ca92c0545ecbd2dfc0f15be4e
1d4d4a04ebb0a47819dc106dfdca0737e776eed60e83a2f8d236c5db1ec00324
3d894b815ffa7c6d6b086b32d01a2868fe51ca1a01beee54825e17eb632e0827

Malware family:

VIPKeylogger

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/79984f396d87/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/79984f396d876a3371776668d5b9aeff237525e8bf4e604bd7324551eb620c7a

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	crime_snake_keylogger Create hunting rule
Author:	Rony (r0ny_123)
Description:	Detects Snake keylogger payload

Rule name:	INDICATOR_SUSPICIOUS_Binary_References_Browsers Create hunting rule
Author:	ditekSHen
Description:	Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers.

Rule name:	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook Create hunting rule
Author:	ditekSHen
Description:	Detects executables with potential process hoocking

Rule name:	INDICATOR_SUSPICIOUS_EXE_References_Messaging_Clients Create hunting rule
Author:	ditekSHen
Description:	Detects executables referencing many email and collaboration clients. Observed in information stealers

Rule name:	INDICATOR_SUSPICIOUS_EXE_TelegramChatBot Create hunting rule
Author:	ditekSHen
Description:	Detects executables using Telegram Chat Bot

Rule name:	MAL_Envrial_Jan18_1 Create hunting rule
Author:	Florian Roth (Nextron Systems)
Description:	Detects Encrial credential stealer malware
Reference:	https://twitter.com/malwrhunterteam/status/953313514629853184

Rule name:	MAL_Envrial_Jan18_1_RID2D8C Create hunting rule
Author:	Florian Roth
Description:	Detects Encrial credential stealer malware
Reference:	https://twitter.com/malwrhunterteam/status/953313514629853184

Rule name:	NET Create hunting rule
Author:	malware-lu

Rule name:	NETexecutableMicrosoft Create hunting rule
Author:	malware-lu

Rule name:	pe_imphash Create hunting rule

Rule name:	RANSOMWARE Create hunting rule
Author:	ToroGuitar

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

Rule name:	Sus_Obf_Enc_Spoof_Hide_PE Create hunting rule
Author:	XiAnzheng
Description:	Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique(can create FP)

Rule name:	telegram_bot_api Create hunting rule
Author:	rectifyq
Description:	Detects file containing Telegram Bot API

Rule name:	Windows_Trojan_SnakeKeylogger_af3faa65 Create hunting rule
Author:	Elastic Security

File information

The table below shows additional information about this malware sample such as delivery method and external references.

No further information available

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings

ID	Title	Severity
CHECK_AUTHENTICODE	Missing Authenticode	high
CHECK_DLL_CHARACTERISTICS	Missing dll Security Characteristics (HIGH_ENTROPY_VA)	high

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample