MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 823e02bde8acad7fd8fb24bd0f5628fcf9faacbe61efed1d47dd115ec63b55f9. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


SnakeKeylogger


Vendor detections: 19


Intelligence 19 IOCs YARA 20 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 823e02bde8acad7fd8fb24bd0f5628fcf9faacbe61efed1d47dd115ec63b55f9
SHA3-384 hash: 450695b8b6c4d25a05ac98dff2c40d3b70671798b2ecc908ec42a7dc63253276904cba5bdcfdaa21142983075af2a9b8
SHA1 hash: 146f04baa63fc96c4280aa6de02384f6d8cf5eba
MD5 hash: af26c57bb788fdab33813f656b634452
humanhash: muppet-earth-kansas-mars
File name:Request for Quotation – CT-2501.exe
Download: download sample
Signature SnakeKeylogger
Create hunting rule
File size:1'100'288 bytes
First seen:2026-02-04 08:16:49 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'754 x AgentTesla, 19'663 x Formbook, 12'252 x SnakeKeylogger)
ssdeep 24576:u11ddpQ/l8GJLjDE2o4/OqRcxQNTGh65GyaozZ2wyJ:uBQ/XE2pOq76hryao92wy
TLSH T1373512A431958A12D5BA47F919B2E33007F92D9FA851D303CEEEDCEB3811B5619493B3
TrID 71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.2% (.EXE) Win64 Executable (generic) (10522/11/4)
6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.3% (.EXE) Win32 Executable (generic) (4504/4/1)
2.0% (.ICL) Windows Icons Library (generic) (2059/9)
Magika pebin
Reporter lowmal3
Tags:exe SnakeKeylogger

Intelligence

File Origin
# of uploads :
1
# of downloads :
113
Origin country :
DE DE
Vendor Threat Intelligence
Malware configuration found for:
RoboSki
Details
Link:
https://research.acce.ciphertechsolutions.com/results/19ec1215-a323-41b4-a9a9-d90330975767/
Malware family:
n/a
ID:
1
File name:
_823e02bde8acad7fd8fb24bd0f5628fcf9faacbe61efed1d47dd115ec63b55f9.exe
Verdict:
Malicious activity
Analysis date:
2026-02-04 08:17:29 UTC
Tags:
auto-startup evasion snake keylogger telegram stealer susp-lnk
Link:
https://app.any.run/tasks/03226e0f-2c37-41fe-a4c5-c0efc831025a

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
VIPKeyLogger
Create hunting rule
Link:
https://www.capesandbox.com/analysis/51620/
Detection(s):
SecuriteInfo.com.MSIL.Kryptik.WZA.UNOFFICIAL
Create hunting rule

Verdict:
Malicious
Score:
94.9%
Link:
https://cyber-fortress.com/docs/result/index.php?id=6983008e9a60ec70d92cab3b
Tags:
autorun spam
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
adaptive-context krypt obfuscated packed vbnet
Link:
https://www.filescan.io/uploads/69830088930564ff3c88f6b4/reports/5f142a2d-093e-46d8-980f-a8e8d8109568/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_100%
Link:
https://www.hybrid-analysis.com/sample/823e02bde8acad7fd8fb24bd0f5628fcf9faacbe61efed1d47dd115ec63b55f9
Result
Gathering data
Verdict:
Malicious
File Type:
exe x32
Detections:
Trojan-Spy.Agent.SMTP.C&C Trojan.Taskun.TCP.C&C PDM:Trojan.Win32.Generic
Link:
https://opentip.kaspersky.com/823e02bde8acad7fd8fb24bd0f5628fcf9faacbe61efed1d47dd115ec63b55f9/results?tab=lookup
Malware family:
Snake Keylogger
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/f5931df9-7cc3-4a60-a41b-e07b78c76223
Result
Threat name:
Snake Keylogger, VIP Keylogger
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1863076
Signature
Adds a directory exclusion to Windows Defender
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Bypasses PowerShell execution policy
Found malware configuration
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Joe Sandbox ML detected suspicious sample
Loading BitLocker PowerShell Module
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sample uses string decryption to hide its real strings
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Suricata IDS alerts for network traffic
Suspicious powershell command line found
Tries to detect the country of the analysis system (by using the IP)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Uses the Telegram API (likely for C&C communication)
Windows shortcut file (LNK) contains suspicious command line arguments
Yara detected AntiVM3
Yara detected Snake Keylogger
Yara detected Telegram RAT
Yara detected VIP Keylogger
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1863076 Sample: Request for Quotation #U201... Startdate: 04/02/2026 Architecture: WINDOWS Score: 100 36 reallyfreegeoip.org 2->36 38 api.telegram.org 2->38 40 2 other IPs or domains 2->40 60 Suricata IDS alerts for network traffic 2->60 62 Found malware configuration 2->62 64 Malicious sample detected (through community Yara rule) 2->64 70 14 other signatures 2->70 8 Request for Quotation #U2013 CT-2501.exe 7 2->8         started        13 powershell.exe 15 2->13         started        signatures3 66 Tries to detect the country of the analysis system (by using the IP) 36->66 68 Uses the Telegram API (likely for C&C communication) 38->68 process4 dnsIp5 42 192.168.2.4, 138, 443, 49710 unknown unknown 8->42 30 C:\Users\user\AppData\Roaming\tFObTVHa.exe, PE32 8->30 dropped 32 C:\Users\...\tFObTVHa.exe:Zone.Identifier, ASCII 8->32 dropped 34 Request for Quotat...013 CT-2501.exe.log, ASCII 8->34 dropped 72 Adds a directory exclusion to Windows Defender 8->72 74 Injects a PE file into a foreign processes 8->74 15 Request for Quotation #U2013 CT-2501.exe 15 2 8->15         started        19 powershell.exe 23 8->19         started        21 tFObTVHa.exe 5 13->21         started        23 conhost.exe 1 13->23         started        file6 signatures7 process8 dnsIp9 44 checkip.dyndns.com 132.226.8.169, 49724, 49729, 49731 UTMEMUS United States 15->44 46 api.telegram.org 149.154.166.110, 443, 49743, 49762 TELEGRAMRU United Kingdom 15->46 48 reallyfreegeoip.org 172.67.177.134, 443, 49727, 49730 CLOUDFLARENETUS United States 15->48 50 Tries to steal Mail credentials (via file / registry access) 15->50 52 Loading BitLocker PowerShell Module 19->52 25 conhost.exe 19->25         started        54 Antivirus detection for dropped file 21->54 56 Multi AV Scanner detection for dropped file 21->56 58 Injects a PE file into a foreign processes 21->58 27 tFObTVHa.exe 21->27         started        signatures10 process11 signatures12 76 Tries to steal Mail credentials (via file / registry access) 27->76 78 Tries to harvest and steal browser information (history, passwords, etc) 27->78
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/823e02bde8acad7fd8fb24bd0f5628fcf9faacbe61efed1d47dd115ec63b55f9
Verdict:
inconclusive
YARA:
10 match(es)
Tags:
.Net Executable Managed .NET PE (Portable Executable) PE File Layout SOS: 0.38 Win 32 Exe x86
Link:
https://app.malva.re/file/af26c57bb788fdab33813f656b634452
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/823e02bde8acad7fd8fb24bd0f5628fcf9faacbe61efed1d47dd115ec63b55f9/
Verdict:
Malicious
Threat:
Family.SNAKE
Link:
https://tip.neiki.dev/file/823e02bde8acad7fd8fb24bd0f5628fcf9faacbe61efed1d47dd115ec63b55f9
Threat name:
ByteCode-MSIL.Trojan.Xworm
Create hunting rule
Status:
Malicious
First seen:
2026-02-04 08:17:41 UTC
File Type:
PE (.Net Exe)
Extracted files:
12
AV detection:
13 of 36 (36.11%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=qi7afppivswx7wh3es6q6vri7t47vlf6mhx62hkh3uiv5rr3kx4q._file
Verdict:
malicious
Label(s):
vipkeylogger
Create hunting rule
Similar samples:
error
SnakeKeylogger
Result
Malware family:
vipkeylogger
Create hunting rule
Score:
  10/10
Tags:
family:vipkeylogger collection discovery execution keylogger spyware stealer
Link:
https://tria.ge/reports/260204-j6swyaaw7e/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Browser Information Discovery
Enumerates physical storage devices
System Location Discovery: System Language Discovery
SmartAssembly .NET packer
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Looks up external IP address via web service
Checks computer location settings
Drops startup file
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Command and Scripting Interpreter: PowerShell
VIPKeylogger
Vipkeylogger family
Unpacked files
SH256 hash:
823e02bde8acad7fd8fb24bd0f5628fcf9faacbe61efed1d47dd115ec63b55f9
MD5 hash:
af26c57bb788fdab33813f656b634452
SHA1 hash:
146f04baa63fc96c4280aa6de02384f6d8cf5eba
Link:
https://www.unpac.me/results/be86ca81-c569-472f-9816-fbbb44bbcd4c/
SH256 hash:
7d275fc770abe73a59441dae206b95455c5d56ff998b9688e5c1b71e4c8fc92e
MD5 hash:
291851caa7a8f194783c68ad06f695c9
SHA1 hash:
26905685b548aca046b75a5129a3a005d5a0a88c
Detections:
INDICATOR_EXE_Packed_SmartAssembly
Create hunting rule
Link:
https://www.unpac.me/results/be86ca81-c569-472f-9816-fbbb44bbcd4c/
Parent samples :
77e10fce419cf22127e04f301914bf28f0511a23380221059522d06d15007d90
aa44a570abbebe8ef664a2ddd4466fd075bf595572e4c2c37f089182e79f364f
823e02bde8acad7fd8fb24bd0f5628fcf9faacbe61efed1d47dd115ec63b55f9
aaefbeec8082e0205165604275b5f7fd9e5d9c75de06e97ec157a081fed3b57a
086a8fb7b92306c495fc562bff32642b856edfc1077ed7c00956ae59363a0fb1
046c2cefcb304a84206b4d598b07b947ffbe7786d6df1048750c2fb08f224352
7f9d39908a024cc37cdece4ecc8aa724695ee2873d80ed4b1e7f8f8f3ee7ed5d
SH256 hash:
f65496080d7d4e9dbae42d5546668c4d6554a3ee9bdc2233daa3cbe54eb39050
MD5 hash:
8c15eaef560d14a47b508cdecdcc1348
SHA1 hash:
db5846f5b2f36460596c103b4173eb94d69dc588
Detections:
win_404keylogger_g1
Create hunting rule
MAL_Envrial_Jan18_1
Create hunting rule
INDICATOR_SUSPICIOUS_Binary_References_Browsers
Create hunting rule
INDICATOR_SUSPICIOUS_EXE_References_Messaging_Clients
Create hunting rule
INDICATOR_SUSPICIOUS_EXE_DotNetProcHook
Create hunting rule
INDICATOR_SUSPICIOUS_EXE_TelegramChatBot
Create hunting rule
Link:
https://www.unpac.me/results/be86ca81-c569-472f-9816-fbbb44bbcd4c/
Parent samples :
7516a2c38161d81247ae0b24808252f1a28b8fad712b59362573ff9810b1f423
823e02bde8acad7fd8fb24bd0f5628fcf9faacbe61efed1d47dd115ec63b55f9
SH256 hash:
fd56bbaa5e6b757b7327feeb79bb65438cfd7b43e858df67215d0e90ff0d945a
MD5 hash:
3a37a1e6d864c01f47aeabeaba7fc1d4
SHA1 hash:
e31f92efaf5a4b93339462d1d996c29dcc85b07f
Detections:
SUSP_OBF_NET_ConfuserEx_Name_Pattern_Jan24
Create hunting rule
Link:
https://www.unpac.me/results/be86ca81-c569-472f-9816-fbbb44bbcd4c/
Malware family:
VIPKeylogger
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/823e02bde8ac/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/823e02bde8acad7fd8fb24bd0f5628fcf9faacbe61efed1d47dd115ec63b55f9

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:crime_snake_keylogger
Create hunting rule
Author:Rony (r0ny_123)
Description:Detects Snake keylogger payload
Rule name:DetectEncryptedVariants
Create hunting rule
Author:Zinyth
Description:Detects 'encrypted' in ASCII, Unicode, base64, or hex-encoded
Rule name:INDICATOR_SUSPICIOUS_Binary_References_Browsers
Create hunting rule
Author:ditekSHen
Description:Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers.
Rule name:INDICATOR_SUSPICIOUS_EXE_DotNetProcHook
Create hunting rule
Author:ditekSHen
Description:Detects executables with potential process hoocking
Rule name:INDICATOR_SUSPICIOUS_EXE_References_Messaging_Clients
Create hunting rule
Author:ditekSHen
Description:Detects executables referencing many email and collaboration clients. Observed in information stealers
Rule name:INDICATOR_SUSPICIOUS_EXE_TelegramChatBot
Create hunting rule
Author:ditekSHen
Description:Detects executables using Telegram Chat Bot
Rule name:MAL_Envrial_Jan18_1
Create hunting rule
Author:Florian Roth (Nextron Systems)
Description:Detects Encrial credential stealer malware
Reference:https://twitter.com/malwrhunterteam/status/953313514629853184
Rule name:MAL_Envrial_Jan18_1_RID2D8C
Create hunting rule
Author:Florian Roth
Description:Detects Encrial credential stealer malware
Reference:https://twitter.com/malwrhunterteam/status/953313514629853184
Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:NETexecutableMicrosoft
Create hunting rule
Author:malware-lu
Rule name:pe_imphash
Create hunting rule
Rule name:RANSOMWARE
Create hunting rule
Author:ToroGuitar
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash
Rule name:Sus_CMD_Powershell_Usage
Create hunting rule
Author:XiAnzheng
Description:May Contain(Obfuscated or no) Powershell or CMD Command that can be abused by threat actor(can create FP)
Rule name:telebot_framework
Create hunting rule
Author:vietdx.mb
Rule name:TelegramAPIMalware_PowerShell_EXE
Create hunting rule
Author:@polygonben
Description:Hunting for pwsh malware using Telegram for C2
Rule name:telegram_bot_api
Create hunting rule
Author:rectifyq
Description:Detects file containing Telegram Bot API
Rule name:VIPKeyLogger
Create hunting rule
Author:kevoreilly
Description:Detects VIPKeyLogger Keylogger
Rule name:Windows_Trojan_SnakeKeylogger_af3faa65
Create hunting rule
Author:Elastic Security

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

SnakeKeylogger

Executable exe 823e02bde8acad7fd8fb24bd0f5628fcf9faacbe61efed1d47dd115ec63b55f9

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/51620/

Comments