MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 7a5a195be41d691882da0610b142ab0f82b6cccfa5b66db38b5a2416f5e4b62d. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


SnakeKeylogger


Vendor detections: 13


Intelligence 13 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 7a5a195be41d691882da0610b142ab0f82b6cccfa5b66db38b5a2416f5e4b62d
SHA3-384 hash: f73e2551eaad3b979352d5b0c608c551574215ec9aed1556be1e1e51b2ad4840f8642af42e4a924a7a7751711ab2ebd3
SHA1 hash: c60c2abf158cc15b775d147b3daeffe7ca620d66
MD5 hash: fd7634082a916c3bd8c94c8493fc83e2
humanhash: vegan-bluebird-wyoming-jersey
File name:ZAMDOST_230-ZT-2025_Oryginał_4_pdf .exe
Download: download sample
Signature SnakeKeylogger
Create hunting rule
File size:10'240 bytes
First seen:2025-02-05 16:46:57 UTC
Last seen:2025-02-05 17:47:07 UTC
File type:Executable exe
MIME type:application/x-dosexec
ssdeep 192:S+SaZG1g6f0CX6I8VBoTruapz7as7wl5N+2:pSaZFyL6I8VAt7alQ
Threatray 6'106 similar samples on MalwareBazaar
TLSH T1EB22C71197984362DEFA0732A8326A61017BBE85FC76BB4C5D92B15B3F732844B12F25
TrID 56.5% (.EXE) Win64 Executable (generic) (10522/11/4)
11.0% (.ICL) Windows Icons Library (generic) (2059/9)
10.9% (.EXE) OS/2 Executable (generic) (2029/13)
10.7% (.EXE) Generic Win/DOS Executable (2002/3)
10.7% (.EXE) DOS Executable Generic (2000/1)
Magika pebin
File icon (PE):PE icon
dhash icon 1737332925330b21 (2 x SnakeKeylogger)
Reporter abuse_ch
Tags:exe SnakeKeylogger

Intelligence

File Origin
# of uploads :
2
# of downloads :
505
Origin country :
NL NL
Vendor Threat Intelligence
Detection(s):
SecuriteInfo.com.Win64.MalwareX-gen.8827.3769.UNOFFICIAL
Create hunting rule

Verdict:
Malicious
Score:
96.5%
Link:
https://cyber-fortress.com/docs/result/index.php?id=67a3972b2dcee78dd819978f
Tags:
backdoor virus msil
Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Сreating synchronization primitives
Connection attempt
Sending an HTTP GET request
Launching a process
DNS request
Sending a custom TCP request
Reading critical registry keys
Creating a window
Unauthorized injection to a system process
Forced shutdown of a browser
Verdict:
Malicious
Labled as:
MSIL/TrojanDownloader.Agent_AGen
Link:
https://www.hybrid-analysis.com/sample/7a5a195be41d691882da0610b142ab0f82b6cccfa5b66db38b5a2416f5e4b62d
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Suspicious
Link:
https://analyze.intezer.com/analyses/4d87222c-abc9-4e7a-9c10-51e4e04744e2
Result
Threat name:
Snake Keylogger
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1607549
Signature
.NET source code contains potential unpacker
Found malware configuration
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Joe Sandbox ML detected suspicious sample
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect the country of the analysis system (by using the IP)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Uses the Telegram API (likely for C&C communication)
Writes to foreign memory regions
Yara detected Costura Assembly Loader
Yara detected Generic Downloader
Yara detected Snake Keylogger
Yara detected Telegram RAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1607549 Sample: ZAMDOST_230-ZT-2025_Orygina... Startdate: 05/02/2025 Architecture: WINDOWS Score: 100 15 reallyfreegeoip.org 2->15 17 api.telegram.org 2->17 19 2 other IPs or domains 2->19 29 Suricata IDS alerts for network traffic 2->29 31 Found malware configuration 2->31 33 Malicious sample detected (through community Yara rule) 2->33 39 9 other signatures 2->39 7 ZAMDOST_230-ZT-2025_Orygina#U0142_4_pdf .exe 14 2 2->7         started        signatures3 35 Tries to detect the country of the analysis system (by using the IP) 15->35 37 Uses the Telegram API (likely for C&C communication) 17->37 process4 dnsIp5 21 103.72.56.30, 49732, 80 NETEASE-ASGuangzhouNetEaseComputerSystemCoLtdCN India 7->21 41 Tries to detect sandboxes and other dynamic analysis tools (process name or module or function) 7->41 43 Writes to foreign memory regions 7->43 45 Modifies the context of a thread in another process (thread injection) 7->45 47 Injects a PE file into a foreign processes 7->47 11 InstallUtil.exe 14 2 7->11         started        signatures6 process7 dnsIp8 23 api.telegram.org 149.154.167.220, 443, 49966 TELEGRAMRU United Kingdom 11->23 25 checkip.dyndns.com 193.122.130.0, 49860, 49879, 49886 ORACLE-BMC-31898US United States 11->25 27 reallyfreegeoip.org 104.21.80.1, 443, 49864, 49873 CLOUDFLARENETUS United States 11->27 49 Tries to steal Mail credentials (via file / registry access) 11->49 51 Tries to harvest and steal browser information (history, passwords, etc) 11->51 signatures9
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/7a5a195be41d691882da0610b142ab0f82b6cccfa5b66db38b5a2416f5e4b62d
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/7a5a195be41d691882da0610b142ab0f82b6cccfa5b66db38b5a2416f5e4b62d/
Threat name:
Win64.Spyware.Snakekeylogger
Create hunting rule
Status:
Malicious
First seen:
2025-02-05 08:10:22 UTC
File Type:
PE+ (.Net Exe)
Extracted files:
3
AV detection:
13 of 38 (34.21%)
Threat level:
  2/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=pjnbsw7edvurraw2ayilcqvlb6blntgpuw3g3m4llisbn5pewywq._file
Verdict:
malicious
Label(s):
snakekeylogger
Create hunting rule
Similar samples:
2aaec088fcb6aad10489c469a1808dade264b9b19f0654fc82a37ec9af36b266
SnakeKeylogger
3c2457e6b7ddd7106766490a9b89a3fbda7bdc73b92d8402a92606d079995a20
SnakeKeylogger
5896f3cc514c97f058e0bcfcd0c119d51c4a1b385bd0d1e37e52fcfc83f9992e
SnakeKeylogger
76930f5752402bbffccf8edeb6b07cd1ccf925c8c34853650e367cb2e0bc3e8a
SnakeKeylogger
871884457a26252704be8ed779adb8420580f0d879ce40fca002de154770eaeb
SnakeKeylogger
d438bd2936d8564a021b534873b9bb3a34d421fa9bd442fcc1453892887849d6
SnakeKeylogger
+ 6'096 additional samples on MalwareBazaar
Result
Malware family:
snakekeylogger
Create hunting rule
Score:
  10/10
Tags:
family:snakekeylogger collection keylogger stealer
Link:
https://tria.ge/reports/250205-val93axkbj/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Looks up external IP address via web service
Snake Keylogger
Snake Keylogger payload
Snakekeylogger family
Suspicious use of NtCreateUserProcessOtherParentProcess
Malware Config
C2 Extraction:
https://api.telegram.org/bot7719158406:AAGxGMuZ_5NEFP89HZrIghiOEjJFOaEE7ds/sendMessage?chat_id=1018401531
Verdict:
Malicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/2b5acc37-d314-41d3-81a5-507ba4aaecdf
Unpacked files
SH256 hash:
7a5a195be41d691882da0610b142ab0f82b6cccfa5b66db38b5a2416f5e4b62d
MD5 hash:
fd7634082a916c3bd8c94c8493fc83e2
SHA1 hash:
c60c2abf158cc15b775d147b3daeffe7ca620d66
Link:
https://www.unpac.me/results/2ac09add-c52a-4208-b602-75f7dc5d7618/
Malware family:
SnakeKeylogger
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/7a5a195be41d/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/7a5a195be41d691882da0610b142ab0f82b6cccfa5b66db38b5a2416f5e4b62d

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:pe_no_import_table
Create hunting rule
Description:Detect pe file that no import table
Rule name:Sus_Obf_Enc_Spoof_Hide_PE
Create hunting rule
Author:XiAnzheng
Description:Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique(can create FP)

File information

The table below shows additional information about this malware sample such as delivery method and external references.

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_DLL_CHARACTERISTICSMissing dll Security Characteristics (GUARD_CF)high

Comments